bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-05-16

Browse source 
1 changes to exploits/shellcodes

JasperReports - Authenticated File Read

Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)
Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes)
This commit is contained in:
Offensive Security 2018-05-16 05:01:47 +00:00
parent 2d5885c58b
commit daa3579622
3 changed files with 46 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

44
exploits/multiple/webapps/44623.txt Normal file
View file

@ -0,0 +1,44 @@
TIBCOs JasperReports (<=6.2.4, 6.3.0, 6.3.2-3, 6.4.0, 6.4.2, CE/ActiveMatrix BPM and Jaspersoft AWS with Multi-Tenancy/Reporting and Analytics for AWS <=6.4.2) is vulnerable to an authenticated file read and inclusion vulnerability by means of directory traversal. It is possible for an attacker, regardless of user permissions, to access or include files from within the filesystem hosting the application.
CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
- - -
## Bypassing JasperReports Access Controls
The following example allowed us to include an administrator JSP from a low privileged user (joeuser):
/jasperserver/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/adminImport
Which took us from:
getAttribute() @ HttpServletRequestParameterMap.java:57
> string[] = wrapper.getParameterValues("page")
To:
getResource() @ DirResourceSet.java:101
> file = new File(/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp")
Due to a lack of input validation we found ourselves with the capability to traverse paths to a destination of our choice. Below you will find more Proof of Concepts (PoCs) of the the attack in question:
## Accessing Administrator Export Functions
/jasperserver-pro/___________?{param}=..
## Accessing AWS Configuration Functions
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration
The above issue allowed us to load privileged portions of the application geared towards the Administrator, thus bypassing access controls.
## Local File Read
The following command allowed us to read configuration files on the server, taking advantage of an unsanitized page perimeter and reading configuration files. An attacker would use these credentials to further pivot across application and services. Although the above screenshot provides a randomly generated password for the occasion, we decided to blur it out of habit.
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../js.jdbc.properties;
## Local File Inclusion (JSP)
And in the event of a post-intrusion scenario, an attacker would need to upload an arbitrary JSP file, masqueraded as a regular file (sans .jsp) to the victims filesystem and execute something like the following via a local file inclusion:
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/file;
NOTE: Since the application appends .jsp to the page paramater value, normally you would end up with ../../../jsp/modules/administer/file.jsp. However, if we want to read configuration files we need to trick Java to read our desired file, and ignore the .jsp addition. NULL bytes (%00) do not work, however we were able to bypass the problem by adding a semicolon to our desired file.

1
files_exploits.csv
View file

@ -39308,3 +39308,4 @@ id,file,description,date,author,type,platform,port
44618,exploits/php/webapps/44618.txt,"WUZHI CMS 4.1.0 - 'tag[pinyin]' Cross-Site Scripting",2018-05-13,jiguang,webapps,php,
44621,exploits/php/webapps/44621.txt,"Monstra CMS 3.0.4 - Remote Code Execution",2018-05-14,JameelNabbo,webapps,php,
44622,exploits/php/webapps/44622.txt,"XATABoost 1.0.0 - SQL Injection",2018-05-14,MgThuraMoeMyint,webapps,php,
44623,exploits/multiple/webapps/44623.txt,"JasperReports - Authenticated File Read",2018-05-03,"Hector Monsegur",webapps,multiple,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -883,4 +883,4 @@ id,file,description,date,author,type,platform
44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
44620,shellcodes/linux_x86/44620.c,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes)",2018-05-14,"Paolo Perego",shellcode,linux_x86
44620,shellcodes/linux_x86/44620.c,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes)",2018-05-14,"Paolo Perego",shellcode,linux_x86

1 id file description date author type platform
883 44594 shellcodes/linux_x86/44594.c Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes) 2018-05-06 Nuno Freitas shellcode linux_x86
884 44602 shellcodes/linux_x86/44602.c Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes) 2018-05-09 Amine Kanane shellcode linux_x86
885 44609 shellcodes/linux_x86/44609.c Linux/x86 - Read /etc/passwd Shellcode (62 bytes) 2018-05-10 Nuno Freitas shellcode linux_x86
886 44620 shellcodes/linux_x86/44620.c Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell Shellcode (96 Bytes) Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (96 Bytes) 2018-05-14 Paolo Perego shellcode linux_x86