normal user
http://Aria-Security.Net
-------------------------------------
CodeWidgets.Com Online Event Registration
PoC
Normal User account: (login.asp)
Email address: ' UNION SELECT * FROM users
password: Aria-Security.Net
Admin Panel: (admin_login.asp)
Email address: ' UNION SELECT * FROM admin
> If you are considering this "Remote Code Execution" then why
> not just have the victim run an .exe from the "complete
> anonymous share" you've managed to get people connected to
> and save all the trouble? This would still run as the user
> context, and if the hijacked DLL tried to do something a
> normal user couldn't do then it too would be blocked or fail anyway.
> t
I've tested loading a library from an application that requires admin privileges from a normal user and it will prompt for UAC if needed or fail. I understand where the jacking takes place, but you are making it seem like you can bypass user permissions when you can't. At least that's what I got from your OP. IOW, even if the original app you run doesn't require UAC, if the jacked .dll requires escalated permissions, which would be just about anything interesting you could do, then it will fail (or prompt depending on how you write it).
The main point is that you've got to get people to not only connect up to your remote share, but you've got to get them to execute the file, etc. So I'm just wondering what makes this anything more than any other "put a malicious link here to make the user execute it" or email attachment business, particularly when you say "Remote Code Execution."
t
>Have you tested out the actual exploit method in a lab environment yet to see just what can be done as I have?
>
>On Oct 25, 2010 5:34pm, "Thor (Hammer of God)" <thor@hammerofgod.com> wrote:
a source URI that corresponds to a file with a binary content type,
which is downloaded even though it cannot contain usable pingback data.
[no CVE name yet]
Insufficient input sanitising allowed an attacker with a normal user
account to access the administrative interface.
For the stable distribution (etch), these problems have been fixed in
version 2.0.10-1etch2.
{
$this->msg('Logged in with an admin session', 1);
$this->exec_code();
}
# Normal user ?
else
{
$this->msg('Logged in with a user session', 1);
$this->msg('You can log in using the cookie session_id', 1);
accomplished by providing a link to the malicious page in an e-mail or
instant message.
On Windows Vista, Internet Explorer 7 runs in "Protected Mode". Since
"Protected Mode" processes web pages with lower privileges than a
normal user, it lessens the impact of this vulnerability. However, it
does not prevent arbitrary code execution on the affected system.
IV. DETECTION
As of April 5th, 2007, iDefense testing shows that Internet Explorer 6.0
Affected Software: OpenBlog < v1.2.1
2. Technical Details
The most dangerous vulnerability resides in the session module of OpenBlog.
By exploiting this vulnerability, an attacker can sign in with a normal
user's account but obtain administrator privileges. This is due to a
weakness in the user rights checking and authentication mechanism, which
makes it highly likely that administrator privileges can be forged.
Besides, Bkis also found some XSS and CSRF vulnerabilities on the following
arbitrary code in the context of the user running Internet Explorer. In
order to be successful, a targeted user must render a maliciously
crafted web page.
On Vista, Internet Explorer 7 runs in Protected Mode, which has less
privileges than a normal user. It somewhat mitigates the impact of this
vulnerability, but does not prevent arbitrary code execution.
IV. DETECTION
iDefense testing shows that Internet Explorer 6.0 and Internet Explorer
curl -v "http://www.example.com/cacti/index.php/sql.php" -d \
"login_username=cacti'#&action=login"
If a 302 response code with Location "index.php" is returned, the account
is the administrator; if instead the Location is "graph_view.php", we have
discovered a normal user.
Again: this vulnerability is exploitable ONLY with magic quotes OFF and
any value of register globals.
$ curl -v "http://www.example.com/cacti/index.php/sql.php" -d \
around CVE-2011-1126 but two other bugs also mentioned in the paper (one of
which I released the advisory NDSA20110310 for) are potentially more useful so
I've written PoC to exploit them:
1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using
DB2 from normal user to root, the PoC is for Linux but based on testing the
AIX version looks iffy too although I couldn't get gcc to generate a valid
library to exploit it.
2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the
QNX runtime linker which abuses an arbitrary file overwrite and race condition
to get root.
CVEs have now been assigned to the two previously reported bugs as follows:
> 1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack
> using DB2 from normal user to root, the PoC is for Linux but based on
> testing the AIX version looks iffy too although I couldn't get gcc to
> generate a valid library to exploit it.
CVE-2011-4061. FWIW I now have a version of the exploit for this working on
AIX, based on a copy of kbbacf1 from IBM Tivoli Monitoring 6.1.0.6. It
therefore appears that the vulnerable version of kbbacf1 isn't just shipped
I have tested this vuln successfully on:
* Webmin 1.370
* Usermin 1.300 (as a normal user)
It seems to work under every search box or open file box!!!
may force the users of a web application to execute actions of the
attacker's choosing. A successful CSRF exploit can compromise end user data
and operation in the case of a normal user. If the targeted end user is the
administrator account, this can compromise the entire web application.
IV. SAMPLE CODE
_______________
A) Multiple Blind SQL Injection
1 - Login as a normal user.
2 - Go to index.php?act=controlPanel
Try the following code as "Display Name" or "E-mail":
' OR (SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))#