noraj (50)

Last Login: June 23, 2022
Assessments
21
Score
50

noraj's Latest (20) Contributions

1
Ratings
Technical Analysis

It gives the GLPI version, the list of all plugins and their versions, and some system info like the database used and its version, sometimes the web server engine, the PHP version and the list of all loaded PHP modules, the OS distro and version plus the kernel name and version.

2
Ratings
Technical Analysis

iTop is a common ITIL software; it gives access to tons of information on the IT department: IP ranges, machine information, support tickets, usernames, etc. It is often plugged into AD/LDAP. Having RCE on the server allows reading configuration files containing LDAP service account credentials, retrieving local users' password hashes for password spraying, obtaining web admin credentials to access the information gold mine, etc.
Any low-privilege account will work for the exploit; in general every employee has an account.

1
Ratings
Technical Analysis

It exposes PII (Personally Identifiable Information) from registered events in the calendar, but also usernames and password hashes for offline cracking.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

HackTricks

The OMI server receives configuration management messages via the /wsman endpoint. Typically, an Authentication header is passed along with the message and the OMI server will ensure the client is authorized to communicate. In this case the vulnerability is that when there is no Authentication header, the server incorrectly accepts the message and executes the instruction under the root user.

If an “ExecuteShellCommand” SOAP payload is posted to the server with no Authentication header specified, the server will execute the command as root.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
   ...
   <s:Body>
      <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
         <p:command>id</p:command>
         <p:timeout>0</p:timeout>
      </p:ExecuteShellCommand_INPUT>
   </s:Body>
</s:Envelope>
1
Ratings
Technical Analysis

Qualys says:

CVE-2021-42013 was introduced because the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient, as it did not cover double URL encoding; therefore the vulnerable configurations remained the same, but the payload used in 2.4.49 was double URL encoded in 2.4.50 to administer the same path traversal and remote code execution attack.

The attack in 2.4.49 initially encoded the second dot (.) to %2e, and the same was double URL encoded into %%32%65 for version 2.4.50.

1
Ratings
Technical Analysis

Trivial to detect and use.

1
Ratings
Technical Analysis

The prerequisites are important:

  1. need the encryptionKey from typo3conf/LocalConfiguration.php to be exposed
  2. need to have and identify a valid deserialization gadget chain (e.g. with phpggc)
  3. need to identify the target PHP version (5.6, 7.2, 7.4, 8.1, etc.?) to be able to serialize the gadget chain and have it executed correctly; if it is not leaked, it may require trying all major versions manually

so weaponizing is difficult and requires luck and a lot of technical information.

1
Ratings
Technical Analysis

IP restriction bypass via the X-REAL-IP HTTP header, then SSRF and RCE on the admin route with Lua code executed via scripts.

1
Ratings
Technical Analysis

I found many, many servers during penetration testing in corporate environments that have an integrated HPE iLO 4.
It seems the default version of the firmware shipped with the server is 2.50, which makes it vulnerable by default because it’s rarely patched.
Then it’s a matter of seconds to get an administrator account on the iLO.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Patch: update to OTRS 6.0.2 to fix this specific issue, but updating to 6.0.32 is recommended.

1
Ratings
Technical Analysis

All exploits linked except the gist one have artifacts (3D and \n) making them unusable, so use the gist cleaned version.

To patch, update to v2.8+.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis
2
Ratings
Technical Analysis
2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This plugin is not that commonly deployed on WordPress installations, and to detect it you need the aggressive plugin mode of WPScan enabled, else wpDiscuz won’t even be detected.

1
Ratings
Technical Analysis

The file upload is totally unrestricted but an account is required.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

The uploaded file must have an image magic byte (e.g. GIF) in order to match getimagesize (code); then you can easily have a reverse shell on the machine.

2
Ratings
Technical Analysis

This gives the ability to create an administrator account while being unauthenticated. The admin account is rather useless because all other vulnerabilities (unrestricted file upload, information leakage) are unauthenticated too, so an admin account is not required.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Be careful: it actually modifies the code of the application.

1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

Be careful: it actually modifies the code of the application.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Unauthenticated RCE with the default config; this is critical.