☠️
thought bleeding

Brandon Perry brandonprry
brandonprry / wtreef
Created February 20, 2015 17:01
Small BST solver for contest at work. I think I cheated.
// Submitted by: Brandon Perry
// wtreef.cpp : Defines the entry point for the console application.
//
//Quick run:
/*
brandon.perry@BRANPERRY-X64 ~
$ time '/cygdrive/c/Users/brandon.perry/Documents/Visual Studio 2013/Projects/wtreef/Release/wtreef.exe'
Created a valid binary tree, but invalid BST. The tree was fixed and verified for 10 nodes.
Created a valid binary tree, but invalid BST. The tree was fixed and verified for 2010 nodes.
Module options (auxiliary/gather/wp_photogallery_users_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   GALLERYID                   no        Gallery ID to use. If not provided, the module will attempt to bruteforce one.
   Proxies                     no        Use a proxy chain
   RHOST      172.31.16.30     yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /wordpress       yes       Relative URI of Wordpress installation
   VHOST                       no        HTTP server virtual host
=begin
McAfee ePolicy Orchestrator Authenticated XXE and Credential Disclosure
Trial available here:
https://secure.mcafee.com/apps/downloads/free-evaluations/survey.aspx?mktg=ESD1172&cid=ESD1172&eval=A0C692FB-8E29-4D47-BBF1-43CAB5F10069&region=us
McAfee ePolicy Orchestrator suffers from an authenticated XXE vulnerability, available to any authenticated user. The vulnerability lies in the Server Task Log option in the upper left menu. When creating a custom filter, a bit of XML is passed from the client to the server to create that filter. This parameter is called 'conditionXML' and is vulnerable to XXE. The attack seems a bit limited, however, as you can only fit up to 255 characters in the 'value' field.
However, a file in the web server installation configuration directory called 'keystore.properties' is less than the size we need, and contains an encrypted passphrase that is set during installation. When installing, an initial admin user is created (with 'admin' as the default userna
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution
Mulesoft ESB Runtime 3.5.1 allows any authenticated user to create an administrator user, due to a missing permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even one whose only role is Monitor.
POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
require 'rubygems'
require 'nexpose'
require 'msfrpc-client'
nx_host = 'nxhost'
nx_port = 3780
nx_user = 'nxadmin'
nx_pass = 'nxpassword'
msf_host = 'msfprohost'
brandons-imac:tmp bperry$ ruby alexa_test.rb
aliexpress.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
wordpress.org acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
gmw.cn acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
godaddy.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
kickass.to acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
fiverr.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
ameblo.jp acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
secureserver.net acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
weather.com acts differently with sqlmap vs ie/chrome header and acts differently than the iphone header
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
Dell Scrutinizer 11.01 several vulnerabilities
http://www.mysonicwall.com has a trial available.
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up with
remote code execution. An attacker needs to be authenticated, but not as an administrator.
However, that wouldn’t stop anyone since there is also a privilege escalation vulnerability in that
any authenticated user can change any other user’s password, including the admin. One SQL
injection, which a Metasploit module was provided for, requires this privilege escalation to reach
since it exists in the new user mechanism only available to admins.
InvGate Service Desk v4.2.36 multiple vulnerabilities
http://www.invgate.com/en/service-desk/
http://www.invgate.com/en/service-desk/on-premise-trial/
Invgate Service Desk suffers from many SQL injections as an authenticated, but non-privileged
(end-user role) user. Most are also stacked injections, so an attacker also has the ability to
modify any of the data in the database. The payloads used to determine exploitability are in the
sqlmap payload output, but each was verified to be able to enumerate the current database,
current user, and an assortment of other things. These were tested with an ‘end-user’ user.
bperry@w00den-pickle:~/tools/msf_dev$ ./msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |